New European General Data Protection Regulation: A Practitioner’s Guide 9781509920594, 9783848732623

The European Data Protection Basic Regulation brings a uniform data protection law directly applicable in all European M


English, 297 pages, 2018


Foreword

Digitalisation is advancing rapidly, and enterprises across Europe and the world are swiftly adapting their business processes and products to bring them into the new digital age. At the very heart of this business adaptation is the processing of personal data, which has increased significantly over recent decades and which has become one of the core assets of digital business. Data protection law is still fragmented across Europe under the current data protection Directive 95/46/EC and its various national implementations. To unify data protection law in Europe and to improve the protection of fundamental rights, the new European General Data Protection Regulation (“GDPR”) introduces uniform data protection legislation that will apply directly in all European Member States from 25 May 2018. The GDPR will also serve as a binding legal framework for countless companies outside the EU that do business in the Union.

This handbook clearly and concisely addresses the legal pitfalls and compliance requirements resulting from the GDPR and explains in detail the new situation under the law. It was written to fully embrace the new European approach to data protection by focusing on the debate among legal professionals and on legal sources at European level. There is a wealth of expert legal commentary on national law, but the European debate, mandatory from 25 May 2018, still lacks comprehensive expert literature on the practical questions of data processing. Conceived as a guide for legal professionals in their day-to-day practice, this book is intended to help fill that gap using practical examples and scenarios to assist companies affected by the GDPR.

Giving comprehensive insight into the GDPR, this handbook starts with a chapter on the regulatory background (Development and importance of the data protection reform) and the essential material and personal scope of the GDPR (Scope of application of the GDPR). Subsequently, the consequences of a strictly European legal framework and rules for a consistent and uniform interpretation of the GDPR are presented in detail. Another key issue is the fundamental principles of lawful data processing under the GDPR for any company (Lawful processing of personal data in companies under the General Data Protection Regulation), including the newly introduced compatibility test. The chapter General conditions for data processing in companies under the GDPR deals with particular legal requirements to be implemented by companies. The legal assessment also addresses subjects such as the increased duties towards the data subjects and their rights, including the right to be forgotten, data portability as well as the question of group privileges and the issue of drastically increased administrative fines and damages. Finally, the chapter on Practical examples addresses inevitable aspects of data management such as cloud computing, outsourcing and data transfer to third countries outside the EU. This chapter also provides general guidance to any business for successfully exploring data as an asset. This includes direct marketing as well as (user) profiling and compliance issues in app development.

We would like to thank everyone involved in bringing this book into existence. We owe our deepest gratitude to our co-authors as well as to Charlotte Fischer, Patricia Gola, Stefanie Schneider, Sarina Schwake, Victoria Copeland and Patricia Cress for their contribution to this handbook.

Munich/Frankfurt, September 2017

Daniel Rücker
Tobias Kugler

Contributors

Sebastian Dienst, Lawyer at Noerr LLP, Munich, Germany – Chapter C: Lawful processing of personal data in companies

Tobias Kugler, Lawyer/Associated Partner at Noerr LLP, Frankfurt am Main, Germany – Foreword; Chapter E: Practical examples (1st Part)

Dr. Daniel Rücker, LL.M. (University of New South Wales, Sydney), Lawyer/Partner at Noerr LLP, Munich, Germany – Foreword; Chapter A: Development and Importance of the Data Protection Reform; Chapter B: Scope of application (1st Part)

Professor Dr. Joachim Schrey, Lawyer and Expert Lawyer in IT-Law/Partner at Noerr LLP, Frankfurt am Main, Germany, Honorary professor at Goethe University Frankfurt am Main – Chapter D: Data privacy in private companies (1st Part)

Pascal Schumacher, Lawyer at Noerr LLP, Berlin, Germany – Chapter B: Scope of application (2nd Part); Chapter D: Data privacy in private companies (2nd Part)

Eva Irene Wille, LL.M. (UCLA), Judge at the Local Court Frankfurt am Main, Germany – Chapter E: Practical examples (2nd Part)

List of Abbreviations

AG – Advocate General
art. – Article
BCR – Binding Corporate Rules
cf. – see, compare
CFI – Court of First Instance
CJEU – Court of Justice of the European Union
DPIA – Data protection impact assessments
DPO – Data protection officer
EC – European Community
ECHR – European Court of Human Rights
ECLR – European Competition Law Review
ECR – European Court Reports
ed. – Editor
EEA – European Economic Area
EDPL – European Data Protection Law Review
EFTA – European Free Trade Association
EJIL – European Journal of International Law
EJRR – European Journal of Risk Regulation
EJSL – European Journal of Social Law
EJSS – European Journal of Social Security
ELJ – European Law Journal
E.L.Rev. – European Law Review
EP – European Parliament
ePrivacy-Directive – Directive 2002/58/EC
ESC – European Social Charter
et al. – and others
et seq. – following
EU – European Union
EuGRZ – Europäische Grundrechte-Zeitschrift
EULF – The European Legal Forum
EuZW – Europäische Zeitschrift für Wirtschaftsrecht
GDPR – General Data Protection Regulation
IaaS – Infrastructure as a Service
ibid. – cited in preceding footnote
ILO – International Labour Organization
infra – see below
IR – Implementing Regulation, Reg. No. 987/2009
JCMS – Journal of Common Market Studies
mn. – Margin Number (Randnummer)
NATO – North Atlantic Treaty Organization
NJW – Neue Juristische Wochenschrift
NZS – Neue Zeitschrift für Sozialrecht
OJ – Official Journal
OMC – Open Method of Coordination
p. – page/s
PaaS – Platform as a Service
para. – Paragraph
RAE – Revue des Affaires Européennes
RBSS – Revue Belge de sécurité sociale (The same articles are published in Dutch by BTSZ)
RDSS – Revue de droit sanitaire et social
REDS – Revue européenne du Droit Social
Reg. – Regulation
RISS – Revue international de sécurité sociale
RMC – Revue de l’Union Européenne (former Revue du marché commun)
RSV – Rechtspraak Sociale verzekeringen (Case-law in social security)
RTDE – Revue trimestrielle de droit européen
SaaS – Software as a Service
SEW – Tijdschrift voor Europees en economisch recht (Journal for European and economic law)
SGb – Die Sozialgerichtsbarkeit
supra – see above
SZS – Schweizerische Zeitschrift für Sozialversicherung und berufliche Vorsorge
TEU – Treaty on European Union
TFEU – Treaty on the functioning of the European Union
ZD – Zeitschrift für Datenschutz (Journal)

A. Development and Importance of the Data Protection Reform

Daniel Rücker

I. Legislative procedure and legal basis of the GDPR

1. Key steps within the legislative procedure

1 The rapid pace of technological innovations and globalisation has led to drastic changes for collecting, processing, exchanging and using personal data. The almost unlimited technical possibilities of using and commercialising personal data and the growing importance and value of personal data for businesses on the one hand require a strong regime for protecting personal data on the other.

2 The need for further harmonisation led to the first official draft for a new General Data Protection Regulation (GDPR), which was issued by the Commission back in January 2012. After statements of the European Data Protection Supervisor and several Committees, a new GDPR found the support of the European Parliament in March 2014 and of the Council of Ministers in June 2015. After further months of “trilogue” negotiations, the Commission, Parliament and Council reached an agreement on the final text of the GDPR in December 2015 and finally adopted the Regulation in May 2016. The immense support is hardly surprising, considering the increasing frustration caused by the lack of harmonisation of national data protection laws in the Member States. The political agreement on the GDPR marks a milestone in the development of data protection laws in the EU. According to the Commission, this Data Protection Reform “aim[s] to strengthen privacy rights and boost Europe’s digital economy. The Commission’s proposals update and modernise the principles enshrined in the 1995 Directive, bringing them into the digital age and building on the high level of data protection which has been in place in Europe since 1995.”1

2. Main objectives of the Data Protection Reform

a) Harmonisation of the level of protection

3 Back in 1995, the European legislator already aimed at harmonising the level of protection in the context of processing personal data and adopted Directive 95/46 “on the protection of individuals with regard to the processing of personal data and on the free movement of such data” in October 1995.

4 However, the common rules provided by Directive 95/46 were not directly applicable but had to be implemented by the Member States into their national data protection laws. Although the Member States adopted the rules of the Directive in similar terms, in practice this implementation led to fairly significant divergences in the national interpretation and application of data protection rules and, consequently, to considerable differences in the level of protection throughout the Union.

5 “The lack of harmonisation is one of the main recurring problems raised by private stakeholders, especially economic operators, since it is an additional cost and administrative burden for them. This is particularly the case for data controllers established in several Member States, who are obliged to comply with the requirements and practices in each of the countries where they are established. Moreover, the divergence in the implementation of the Directive by Member States creates legal uncertainty not only for data controllers but also for data subjects, creating the risk of distorting the equivalent level of protection that the Directive is supposed to achieve and ensure.”2

1 European Commission, Memo, Data Protection Day 2014: Full Speed on EU Data Protection Reform, 27.1.2014, 3.

6 Consequently, the European legislator decided to adopt a Regulation which is directly applicable (see section A.I.3.b), → mn. 27 et seqq.) and does not require implementation into the national laws of the Member States. Divergences resulting from different understandings and interpretations in the context of such implementation into national laws are to be avoided by such a Regulation. The level of protection of rights and interests of data subjects is supposed to be further harmonised and legal certainty is supposed to be increased.

7 GDPR, recital 10, sentences 1 and 2 concretise: “In order to ensure a consistent and high level of protection of natural persons and to remove the obstacles to flows of personal data within the Union, the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States. Consistent and homogeneous application of the rules for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data should be ensured throughout the Union.”

8 GDPR, recital 13, sentence 1 adds: “In order […] to prevent divergences hampering the free movement of personal data within the internal market, a Regulation is necessary to provide legal certainty and transparency for economic operators, including micro, small and medium-sized enterprises, and to provide natural persons in all Member States with the same level of legally enforceable rights and obligations and responsibilities for controllers and processors, to ensure consistent monitoring of the processing of personal data, and equivalent sanctions in all Member States as well as effective cooperation between the supervisory authorities of different Member States.”

9 Although the GDPR is directly applicable, it provides quite a few opening clauses which allow the Member States to adopt further laws and to impose further specifications on particular topics, for example in the context of tasks that the individual Member States carry out in the public interest and in the context of national sovereignty. GDPR, recital 10, sentences 5 and 6 state in this regard: “This Regulation […] provides a margin of manoeuvre for Member States to specify its rules […]. To that extent, this Regulation does not exclude Member State law that sets out the circumstances for specific processing situations, including determining more precisely the conditions under which the processing of personal data is lawful.”

10 Therefore, the GDPR is not supposed to fully harmonise the level of data protection throughout the Union. Where the Member States remain free to provide for national rules, some legal uncertainties and differences in the level of data protection resulting from different national laws may remain.

2 European Commission, COMMISSION STAFF WORKING PAPER, Impact Assessment, Brussels, 25.1.2012 SEC(2012) 72 final, Annex 2, 21 f.

b) Adaptation to technical progress

11 The Commission also recognised that rapid technological and business developments brought new challenges for the protection of personal data. The scale of data sharing and collecting has dramatically increased, and technology allows both private companies and public authorities to make use of personal data on an unprecedented scale. Furthermore, individuals also increasingly make personal information available publicly and globally. Technology has transformed both the economy and social life.

12 The legislator also aimed to adapt data protection law to technical progress. The new data protection law is supposed to deal efficiently with new technical possibilities of processing personal data and to ensure the required level of data protection from that angle as well.

c) Strengthening the rights of data subjects

13 In an evaluation, the Commission recognised a lack of control over personal data by data subjects and fears that they cannot exercise their rights effectively. Especially in the online environment, it was found that it has become increasingly difficult for individuals to actually be aware of the processing of their personal data and of the risks associated with such processing.3 Therefore, as a third aspect, the Commission aimed at strengthening the rights of data subjects and thereby restoring trust in the lawful processing of personal data by companies.4 Such stronger rights for data subjects include, for example, extended information obligations (see section D.IV.2, → mn. 620) or an explicit “right to be forgotten” (see section D.IV.5, → mn. 648 et seqq.).

d) Free movement of personal data

14 Besides its main objective of protecting the fundamental rights of natural persons, and same as Directive 95/46,5 the GDPR also aims at facilitating the free movement of personal data within the Union: “This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and6 rules relating to the free movement of personal data.” Pursuant to GDPR, art. 1, para 3 “[t]he free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data”.

15 GDPR, recital 2, sentence 2 concretises: “This Regulation is intended to contribute to the accomplishment of an area of freedom, security and justice and of an economic union, to economic and social progress, to the strengthening and the convergence of the economies within the internal market, and to the wellbeing of natural persons.”

3 European Commission, COMMISSION STAFF WORKING PAPER, Impact Assessment, Brussels, 25.1.2012 SEC(2012) 72 final, Annex 2, 21 f.
4 European Commission, Memo, Data Protection Day 2014: Full Speed on EU Data Protection Reform, 27.1.2014, 3.
5 See Council Directive 95/46/EC, art. 1, para 2.

e) One-Stop-Shop Principle

16 One further aim of the Regulation is to establish a “one-stop-shop” principle. Companies are supposed to have to deal with one single supervisory authority only, in order to make doing business in the EU simpler and cheaper. For data subjects, too, such a “one-stop-shop” principle was supposed to make it easier to enforce the protection of their personal data7 (see section D.V.1, → mn. 713 et seqq.).

3. Legal basis of the GDPR and direct applicability

17 For a valid interpretation of the GDPR, it is primarily necessary to understand the legal basis of the GDPR, namely the protected fundamental rights and the formal legislative power for the adoption of a unified European data protection law. Furthermore, the rules for directly applying the GDPR in the Member States have to be considered (see section A.I.3.b), → mn. 27 et seqq.).

a) Legal basis

18 Pursuant to GDPR, art. 1, this Regulation provides “rules relating to the protection of natural persons with regard to the processing of personal data and the free movement of personal data” (GDPR, art. 1, para 1) because it “protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data” (GDPR, art. 1, para 2).

19 The formal legislative power for adopting the Regulation results from European primary law. Apart from that, European data protection law and especially the GDPR have their sources in fundamental rights, in particular the Charter and the ECHR.

aa) Legislative power and legal basis for adopting the GDPR

20 The legislative power for adopting the GDPR results from TFEU,8 art. 16, para 2, sentence 1. This art. 16, para 2, sentence 1 TFEU rules that the “European Parliament and the Council, acting in accordance with the ordinary legislative procedure, shall lay down the rules relating to the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities which fall within the scope of Union law, and the rules relating to the free movement of such data.”

21 According to the Commission, this “provision allows the adoption of rules relating to the protection of individuals with regard to the processing of personal data by Member States when carrying out activities which fall within the scope of Union law. It also allows the adoption of rules relating to the free movement of personal data, including personal data processed by Member States or private parties.”9

22 Therefore, based on this art. 16, the Regulation stipulates both rules applicable to public authorities of the Member States and rules for private parties such as companies processing personal data.

6 Bold highlights in quotations were set by the author of the handbook.
7 European Commission, Memo, Data Protection Day 2014: Full Speed on EU Data Protection Reform, 27.1.2014, 4.
8 TFEU as newly introduced by the Lisbon Treaty in 2009.

bb) Fundamental rights in the context of data protection

23 The fundamental right of data subjects to protection of their personal data results from Charter, art. 810 and ECHR, art. 8. Charter, art. 8 provides for a “right to the protection of personal data” and names some basic conditions for their lawful processing. In the Charter, data protection is closely linked to the rights to respect for private and family life protected by Charter, art. 7.

24 ECHR, art. 8 assures a fundamental “right to respect for private and family life”. The right to protection of personal data is part of these rights assured by ECHR, art. 8.

25 Additionally, all EU Member States ratified11 the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108) of 28 January 1981, which provides for a specific right “to privacy, with regard to automatic processing of personal data relating to him” and references ECHR, art. 8.

26 However, these fundamental rights do not provide unlimited protection. Instead, they have to be applied in the light of their social function and weighed against other fundamental rights, considering the principle of proportionality.

b) Direct Applicability

27 With the GDPR, the EU changed its data protection law from a Directive, which required implementation in the national laws of the Member States, to a directly applicable Regulation (TFEU, art. 288, para 3).

28 Although Directive 95/46 already aimed at harmonising the level of data protection, it did not fully succeed (see section A.I.2.a), → mn. 3 et seqq.). With the Regulation and its direct applicability, the legislator aims at removing legal uncertainties resulting from the implementation requirement of a directive. Direct applicability means that the GDPR basically does not require any further national law and that any party subject to the GDPR (see section B.II., → mn. 44 et seqq.) directly has to apply and follow the rules of the GDPR itself, rather than relying only on the national law of its Member State. Consequently, the interpretation of the GDPR also has to follow the broader EU perspective rather than national interests and rules of the Member States (see section A.I.4, → mn. 30 et seqq.).

29 In the view of the Commission, this direct applicability of a unified European data protection law is able to “reduce legal fragmentation and provide greater legal certainty by introducing a harmonised set of core rules” in the field of data protection12 and contributes to the better functioning of the Internal Market.

9 European Commission, COMMISSION STAFF WORKING PAPER, Explanatory Memorandum, Brussels, 25.1.2012, SEC(2012) 72 final, 5.
10 See GDPR, rec. 1, which explicitly relies on this art. 8 of the Charter.
11 Handbook on European data protection law, Council of Europe (ed), 2014, 15 f.

4. Rules for a consistent and uniform interpretation of the GDPR

30 Due to the objective of this handbook and the nature of the GDPR, which requires a uniform and consistent interpretation applicable and valid in all Member States, it is necessary to identify guidelines for such uniform interpretation.

a) Need for a uniform European interpretation

31 Following the direct and uniform applicability of the GDPR in the whole EU, the GDPR has to be interpreted independently of the national ideas of particular Member States, especially independently of national laws which implemented Directive 95/46. Consequently, statements of authors who interpret the rules of the GDPR from a merely national perspective and against the background of national laws that were supposed to implement Directive 95/46 are not considered in this Handbook. In order to assure a purely European interpretation of the GDPR, decisions of national courts on the interpretation are also not considered for the interpretation of the Regulation.

b) Guidelines for a uniform interpretation

32 First and foremost, the Regulation itself provides guidelines on its interpretation and concretisation. Besides that, only a limited number of other sources is suitable for interpreting the GDPR in the required consistent and uniform way.

aa) Interpretation guidelines provided by the GDPR itself

(1) Actual wording of the GDPR

33 Naturally, the starting point of any interpretation of a new law has to be the actual wording of the law. As the text of the GDPR consists of 99 Articles and 173 Recitals, it already provides a quite comprehensive source for information and interpretation that has to be carefully considered before any other source is applied.

12 European Commission, COMMISSION STAFF WORKING PAPER, Explanatory Memorandum, Brussels, 25.1.2012, SEC(2012) 72 final, 5.

(2) Statements of supervisory authorities

34 Another source of interpretation referenced by the GDPR itself are guidelines issued by supervisory authorities. The GDPR basically entrusts supervisory authorities also with the interpretation of the GDPR when it states in art. 51, para 2, sentence 1 that “each supervisory authority shall contribute to the consistent application of this Regulation throughout the Union.” Besides that, the supervisory authorities shall contribute to the interpreting activities of the Board (GDPR, art. 57, para 1, subpara t)) (see section D.V.4.a, → mn. 743). It remains to be seen to what extent supervisory authorities will contribute to such interpretation and how detailed their guidance will be.

(3) Statements issued by the European Data Protection Board and the Art. 29 Working Party

35 Pursuant to GDPR, art. 70, para 1 the Board “shall ensure the consistent application of this Regulation”. By way of summary, in particular, the Board shall
– advise the Commission on any issue related to the protection of personal data,
– issue guidelines, recommendations and best practices on several issues for controllers and processors,
– examine the application of several rules,
– draw up guidelines for the supervisory authorities and
– specify requirements where the GDPR explicitly requires specification.

36 The Board will replace the Art. 29 Working Party on the Protection of Individuals with Regard to the Processing of Personal Data, which was established by Directive 95/46, art. 29. The statements of the Art. 29 Working Party should keep their validity as far as the GDPR does not change the rules and wording of Directive 95/46 and as long as the new Board does not issue any new opinion or guidance on the application and interpretation of the relevant wording of the GDPR.

37 The tasks of the Board (see GDPR, art. 70) are very extensive and much broader than the tasks and powers of the Art. 29 Working Party (see Directive 95/46, art. 30). The statements of the Art. 29 Working Party were already strong guidance and reflected the leading ways of interpretation. The extension of tasks and powers of the Board further strengthens its role for the interpretation of the GDPR.

38 As a consequence, leading guidelines for the interpretation and application of the GDPR will not be issued by one of the European Institutions (Commission, Parliament or Council) but by a body which is “composed of the head of one supervisory authority of each Member State and of the European Data Protection Supervisor, or their respective representatives” (GDPR, art. 68, para 3).

39 Therefore, to the extent to which the GDPR perpetuates the legal situation under the Directive, and until any deviating guidance is provided by the Board, businesses should consult guidelines issued by the Art. 29 Working Party for the interpretation of the GDPR.

bb) Other suitable sources for interpreting the GDPR

40 Against the background of the required uniform and consistent European interpretation of the GDPR (see section A.I.4, → mn. 30 et seqq.), only a small number of other sources is suitable for interpreting the GDPR. The suitable sources used in this Handbook mainly are:
– decisions of the ECJ, as far as these decisions interpret rules of Directive 95/46 which did not change in the GDPR;
– statements of other European institutions, especially the Commission, the European Data Protection Supervisor, the Council and the European Parliament, in particular statements accompanying the legislative procedure.

II. Importance of the GDPR for companies

41 The GDPR changes data protection law at points that are truly crucial for businesses. These changes will not only have an impact on the work of the IT, Human Resources, Compliance, Revision, Law and Marketing divisions but also on numerous other business divisions.

42 The reformed data protection provisions in the GDPR will become directly applicable as of 25.5.2018 (GDPR, art. 99, para 2). From this date on, any company has to obey all new rules in its daily operations. This requires careful preparation until May 2018. From a business perspective, it has to be assessed which changes actually apply to the relevant business and therefore have to be implemented. Transition and adjustment measures for companies will be necessary, in particular with regard to the main changes mentioned above.

43 The Regulation cannot be overridden by national data protection laws that contradict the GDPR. Contradicting national law remains in force but is not applicable. Therefore, one of the main tasks for the legislators of all Member States will be to revise their national data protection law and basically delete any wording which is now superseded by the GDPR. Where the GDPR leaves room for national law (see section A.I.2.a), → mn. 3 et seqq.), the Member States should clarify to what extent they make use of their right to issue national rules. Such revised laws of the Member States should bring further clarification as to what extent only the GDPR is relevant and to what extent national law remains relevant.

B. Scope of application of the GDPR I. Material scope of application

Pursuant to GDPR, art. 2, para 1 and same as Directive 95/46, the Regulation applies to the processing of personal data. The interpretation of the key terms “personal data” and “processing” determine the material scope of application of the GDPR. Unless any exemptions apply (see section B.I.1.b), → mn. 59 et seqq.), the definition and interpretation of these key terms decides about what is within or out of the material scope of the GDPR. As shown below in more detail, the GDPR hardly amended the material scope of application of European data protection law. Same as in the Directive 95/46, also under the GDPR, the material scope depends on the definition of these two vague terms, which indicates that the GDPR is aiming for the same broad interpretation of what is within the scope of “processing personal data” as the Directive 95/46. Therefore, also under the GDPR, it is essential and decisive to clearly identify and analyse in depth what is covered by the terms “processing” (see section B.I.1.a)(aa), → mn. 51 et seqq.) and “personal data” (see section B.I.2., → mn. 66 et seqq.). A uniform interpretation of these terms should be based on two main pillars: Firstly, to the extent the wording of the GDPR is identical to the wording of Directive 95/46 and as long as there does not exist any guidance of the new Board or the ECJ, the existing guidance issued by the Art. 29 Working Party and the ECJ can be applied, in particular the Art. 29 Working Party opinion on the concept of personal data.1 Secondly, the ultimate purpose of the data protection rules to protect the fundamental rights and freedoms of natural persons and their right to privacy should be kept in mind. This “may play a substantive role in determining how to apply the provisions […] to a number of situations where the rights of individuals are not at risk” but may also warn to interpret these rules in a way that “would leave individuals deprived of protection of their rights”.2


1. “Processing” of personal data

a) Processing subject to the GDPR

50 Pursuant to GDPR, art. 2, para 1 “[t]his Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.”

1 WP 136.
2 WP 136, 4.

Daniel Rücker

aa) Definition of “Processing”

51 Similar to Directive 95/46, art. 2, para b), according to GDPR, art. 4, para 2 processing is defined as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means”. This definition is supplemented by a non-exhaustive list of examples of processing operations, namely the “collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction” of personal data.

52 According to this wide definition, basically any use or handling of personal data is covered by the term “processing”, no matter how intensively or for how long personal data are actually processed. The terms “operation or set of operations” clarify that a uniform and integrated processing may consist of several steps.

53 The term “set of operations” is not further defined in the GDPR. According to the Art. 29 Working Party, operations which are part of a set of operations “may take place simultaneously or in different stages”.3 A “set of operations” may take place both in a situation where only one actor (controller or processor) processes (a set of) personal data and in a situation where more than one actor subsequently or simultaneously processes the same (set of) personal data.4

54 However, basically each single step of processing has to be assessed separately with regard to its lawfulness (see section C.II., → mn. 358).

bb) Processing by manual means

55 Although, in practice, processing by automated means may form the major part of the processing of personal data, GDPR, art. 4, para 2 clarifies that using data by non-automated means is also covered by the term processing. GDPR, art. 2, para 1 further clarifies that the Regulation also applies “to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.” This scope is identical to Directive 95/46, art. 3, para 1.

56 Pursuant to GDPR, art. 4, para 6 a “filing system” is “any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis”. The structure referred to in that context requires at least two criteria for making the set of personal data accessible. By way of negative delimitation, GDPR, recital 15, sentence 3 clarifies: “Files or sets of files, as well as their cover pages, which are not structured according to specific criteria should not fall within the scope of this Regulation.”

3 WP 169, 18.
4 Cf. WP 169, 18.

57 The reason for also protecting personal data which are not processed by automated means but only form part of a filing system is that “paper files can be structured in a way which makes finding information quick and easy; and storing personal data in structured paper files [would] make […] it easy to circumvent the restrictions laid down by law for automated processing.”5 Therefore, such processing is also able to threaten the rights and interests of data subjects which the GDPR aims to protect.

58 This is further supported by GDPR, recital 15, sentence 1 which adds: “In order to prevent creating a serious risk of circumvention, the protection of natural persons should be technologically neutral and should not depend on the techniques used.”

b) Limits to the material scope of application of the GDPR

59 For Directive 95/46, the Art. 29 Working Party stressed that “the mere fact that a certain situation may be considered as involving ‘the processing of personal data’ in the sense of the definition does not alone determine that this situation is to be subject to the rules of the Directive”.6

60 The same applies to the GDPR which, like Directive 95/46, provides for several exemptions from its application. Besides the exemptions for processing personal data in the course of an activity which falls outside the scope of Union law (GDPR, art. 2, para 1, subpara a)), for processing of personal data “by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences, the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security” (GDPR, art. 2, para 1, subpara d)) and for processing which is subject to the Common Foreign and Security Policy of the EU (GDPR, art. 2, para 2, subpara b)), GDPR, art. 2 establishes exemptions which “take into account the technical way of processing (in manual non-structured form) and the intention to use personal data for purely personal or household activities by a natural person)”.7 In detail:

aa) Limits of applicability resulting from the technical way of processing

61 The above-mentioned definitions allow the conclusion that every processing other than by automated means which is not part of a filing system and is not intended to form part of a filing system is not subject to the restrictions of the GDPR. In other words, any non-automated processing which does not reach and is not intended to reach a significant threshold of structure, and therefore does not bear the aforementioned risks, falls outside the material scope of application of the GDPR.

5 Handbook on European data protection law, Council of Europe (ed), 2014, 47.
6 WP 136, 4.
7 WP 136, 4.

62 However, from a business perspective, unless there is sufficient evidence for the application of an exception, it should be assumed by default that any handling of personal data within a company is processing of personal data in the meaning of the GDPR and therefore is subject to the protection and the restrictions of the GDPR. In practice, cases of non-structured processing are rare. Even if the relevant processing of personal data does in fact not form part of a filing system, it has to be considered whether such processing is at least intended to form part of a filing system, because this suffices to trigger the applicability of the GDPR.

bb) Household exemption

63 As a further limitation of its scope, GDPR, art. 2, para 2, subpara c) excludes “processing of personal data by a natural person in the course of a purely personal or household activity” from the protection of the GDPR.

64 Pursuant to GDPR, recital 18 this means processing “with no connection to a professional or commercial activity”. Therefore, “personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities” (GDPR, recital 18, sentence 2). The GDPR does not specify the meaning of “commercial activity”, which leaves quite some room for interpretation. As the household exemption is an exception rather than a rule, it should be interpreted restrictively.

65 GDPR, recital 18, sentence 3 further clarifies: “However, this Regulation applies to controllers or processors which provide the means for processing personal data for such personal or household activities.” For example, the household exemption does not exempt social network providers from following data protection rules but only excludes users of such platforms from being liable in the meaning of the GDPR.8

2. Personal data

66 Almost identical to Directive 95/46, art. 2, para 2, subpara a), GDPR, art. 4, para 1 defines personal data as

“any information relating to an identified or identifiable natural person;”

8 Cf. for the Council Directive 95/46/EC: European Commission, COMMISSION STAFF WORKING PAPER, Impact Assessment, Brussels, 25.1.2012 SEC(2012) 72 final, Annex 2, 11 f.: “In practice, in most Member States the Data Protection Authorities focused on the responsibility of the service providers, without dealing with the question of whether users of such sites, who make personal data available to others, become subject to the law as controllers.”

67 Due to the almost identical definition of the term personal data in both Directive 95/46 and the GDPR, the guidance available regarding Directive 95/46 for assessing whether a particular piece of information actually constitutes personal data in a legal sense still plays an important role for assessing the term under the Regulation. The question whether a particular piece of information actually is personal data or not is decisive for whether or not that information is subject to the restrictions of data protection law. Therefore, of course, there has been quite some discussion on this question and the relevant criteria for qualifying information as personal data. In practice, data controllers often seek to argue why particular information does not constitute personal data, with the consequence that they do not have to comply with restrictions resulting from data protection law.

In its evaluation of the implementation of the concept of personal data under Directive 95/46, the Commission states that the “deliberate technique to define “personal data” used by the legislator […] has the advantage of providing a high degree of flexibility and the possibility to adapt to various situations and future developments affecting fundamental rights.”9 That mainly refers to flexibility in the sense of a broad definition that does not refer to technical terms which may be subject to change in the course of further technical development. It is clearly not supposed to provide flexibility as to interpreting the broad term “personal data” in a narrow way in order to limit the scope of application of data protection law.
However, the Commission recognised significant divergences in the practical application of the definitions of personal data and data subject under Directive 95/46.10 Due to the practical importance of the definition of the term “personal data” and said divergences in its practical application, especially under the further harmonised data protection regime of the GDPR, it is important to come to a consistent application in order to create the required legal certainty for all stakeholders concerned. Both the GDPR and Directive 95/46 are clearly aiming for the same broad interpretation of what is within the scope of “personal data”.

According to the concept of personal data outlined by the Art. 29 Working Party in its 2007 opinion on the concept of personal data,11 the question whether any data processed is personal data within the meaning of the GDPR should be assessed in three steps. Firstly, there is the presumption that basically any kind of information is suitable to be information within the meaning of the definition of personal data (see section B.I.2.a), → mn. 72 et seqq.). Secondly, the scope of personal data has to be limited to information with a sufficiently close link to a natural person (see section B.I.2.b), → mn. 75 et seqq.). Third and ultimately, it is decisive, based on this information and its relationship to a natural person, whether a particular data subject is identified or at least identifiable (see section B.I.2.c), → mn. 82 et seqq.). The evaluation whether a particular piece of information has to be qualified as personal data has to be determined on a case-by-case basis.

9 European Commission, COMMISSION STAFF WORKING PAPER, Impact Assessment, Brussels, 25.1.2012 SEC(2012) 72 final, Annex 2, 6.
10 “[A]lthough the definition of “personal data” and “data subjects” are almost literally transposed by the majority of the Member States into their national laws, this broad and flexible definition leads to some diversity in the practical application of these provisions. In particular, the issue of objects and items (“things”) linked to individuals, such as IP addresses, unique RFID numbers, digital pictures, geo-location data and telephone numbers, has been dealt with differently among Member States.”, see European Commission, COMMISSION STAFF WORKING PAPER, Impact Assessment, Brussels, 25.1.2012 SEC(2012) 72 final, Annex 2, 6.
11 WP 136.

a) “Any information” suitable for potentially being personal data

72 The first part of the above-mentioned definition reflects the intent of the legislator that basically every piece of information is suitable to be information within the meaning of the definition of “personal data”. This broad interpretation is supported by the ECHR,12 which also defines the term “private life” in a fairly broad way, and confirmed by the ECJ13 on the definition of “personal data”.

73 “From the point of view of the nature of the information, the concept of personal data includes any sort of statements about a person.”14 This includes both objective information about a person, such as his or her age, and subjective information, for example opinions or assessments of that person. Furthermore, it does not matter whether such information is true or proven.15

74 Also with regard to the actual content of the information, the concept of personal data includes any sort of information, no matter whether it is very private or even sensitive information or merely general information.

75 Finally, “[c]onsidering the format or the medium on which that information is contained, the concept of personal data includes information available in whatever form, be it alphabetical, numerical, graphical, photographical or acoustic, for example. It includes information kept on paper, as well as information stored in a computer memory by means of binary code, or on a videotape, for instance. […] In particular, sound and image data qualify as personal data from this point of view, insofar as they may represent information on an individual.”16

12 Judgment of the European Court of Human Rights in the case Amann v. Switzerland of 16.2.2000, § 65: “(…) the term ‘private life’ must not be interpreted restrictively. In particular, respect for private life comprises the right to establish and develop relationships with other human beings: furthermore, there is no reason of principle to justify excluding activities of a professional or business nature from the notion of ‘private life’ (see the Niemietz v. Germany judgment of 16 December 1992, Series A no. 251-B, pp. 33-34, § 29, and the Halford judgment cited above, pp. 1015-16, § 42). That broad interpretation corresponds with that of the Council of Europe’s Convention of 28 January 1981 (…)”.
13 Judgment of the European Court of Justice C-101/2001 of 6.11.2003 (Lindqvist), § 24: “The term personal data used in Article 3(1) of Directive 95/46 covers, according to the definition in Article 2(a) thereof, any information relating to an identified or identifiable natural person. The term undoubtedly covers the name of a person in conjunction with his telephone coordinates or information about his working conditions or hobbies.”
14 WP 136, 6.
15 WP 136, 6.

b) Relationship required between the information and the data subject

76 The second part of the definition of “personal data” requires the information to relate to an individual. The Art. 29 Working Party noted that “data relates to an individual if it refers to the identity, characteristics or behaviour of an individual or if such information is used to determine or influence the way in which that person is treated or evaluated”.17 GDPR, art. 4, para 1 further clarifies that it protects any information that relates to “factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity” of a specific natural person.

77 According to the Art. 29 Working Party, the relation to an individual as a prerequisite for information being qualified as personal data requires, alternatively, either a content element, a purpose element or a result element which establishes the required close link between the information and the individual. Therefore, information providing at least one of these elements is information that relates to a natural person and is basically suitable for being personal data.18

78 A content element is to be understood in its common and obvious meaning. Information fulfils the content element if it is about an individual. The Art. 29 Working Party provided examples of information fulfilling the content element: the results of a medical analysis clearly relate to the patient, and information contained in a company’s folder under the name of a certain client clearly relates to that client. Moreover, the information contained in an RFID tag or bar code incorporated in an identity document of a certain individual relates to that person, as in passports with RFID chips.19

79 The purpose element is fulfilled if information is used or is likely to be used with the specific purpose to evaluate, treat in a certain way or influence the status or behaviour of an individual.20 An illustrative example is a call log for a telephone which provides information on both outgoing and incoming calls and which can be brought in relation with different data subjects. If a particular phone set is made available to a particular employee, the call log will then provide information about the employee’s calling activity and therefore information about that person’s behaviour at the workplace.21

80 The result element is satisfied when the use of information is likely to have an impact on a certain person’s rights and interests. An example of the type of information having such an impact is the information gathered by monitoring taxi positions in order to optimise service efficiency. In such a case, the information gathered by way of satellite location for determining the position of available taxis in real time aims at providing a better service. However, although such a system is designed to process data relating to the car and its position, as a side effect, and although this is not intended, it may be used to evaluate the performance of taxi drivers, e.g. whether they use appropriate routes and whether they are actually driving or resting in a parking position. Therefore, by way of result and independent of whether such potential surveillance of the drivers is actually intended or not, the actual processing of the data will have a considerable impact on the individual drivers. Therefore, the data collected through such a system would relate to a natural person and are subject to data protection rules.22

81 The relation of information to a particular person may either be direct or indirect. Even if, in the first instance, a piece of information seems to relate to an object only rather than to a person, it may at least indirectly refer to a person. An example of such an indirect relation is the value of a house which, in the first instance, relates to an object. However, considering that the house is an asset of the owner, it also allows conclusions about the owner, e.g. the wealth of the owner or even tax obligations of the owner resulting from that asset.23 As another example, in the first instance, car service records in the service register of a car contain information about the car as an object, e.g. mileage, dates of service checks, technical problems and material condition. However, if this information is associated in the record with a vehicle identification number, it can be used to identify the owner.24

16 WP 136, 7.
17 WP 105, 8.
18 WP 136, 11.
19 WP 136, 10.
20 WP 136, 10.
21 WP 136, 11.

c) Requirements for identifiability of the data subject

82 Finally, GDPR, art. 4, para 1 requires not only information relating to any natural person, but information relating to an “identified or identifiable natural person.” Therefore, information related to persons only qualifies as personal data if a particular natural person is or may be identified to whom that information refers.

aa) Identified natural person

83 “In general terms, a natural person can be considered as ‘identified’ when, within a group of persons, he or she is ‘distinguished’ from all other members of the group.”25 A natural person is identified through one or several pieces of information that relate to a specific individual and clearly identify that particular individual. In practice, the most common identifier is the name of a person. Where this information alone does not suffice for identifying a particular person, e.g. in the case of very common names, a combination of the name with other information may allow the identification of the particular data subject, for instance a combination with the date of birth, names of parents, address or a photo of the face.26

22 WP 136, 11.
23 WP 136, 9.
24 WP 136, 9.
25 WP 136, 12.

bb) Identifiability of a natural person – relevant criteria and threshold

84 The natural person is “identifiable” if, although it has not yet been identified, it is possible to identify that particular person (as it is expressed by the suffix “-able”).27 If the processing of “information only makes sense if it allows identification of specific individuals and treatment of them in a certain way”,28 it is likely that such information constitutes personal data. However, in corporate practice, especially if data processing does not aim at identifying particular persons, identifiability is very often the decisive question to determine whether particular information is considered personal data. If such identification may at least be possible, the relevant information basically is personal data and subject to the restrictions of data protection law. In the following, the background, criteria and threshold for determining identifiability will be further illustrated.

Very similar to Directive 95/46, art. 2, para a), GDPR, art. 4, para 1 defines that “an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”. This list of identifiers is not exhaustive and, unlike under Directive 95/46, the list of identifiers under the GDPR also includes inter alia “online identifiers”, which play an important role in corporate practice. GDPR, recital 30 provides some examples of online identifiers: “Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”


(1) Direct or indirect identifiability

88 By allowing a direct or indirect identification, the GDPR makes clear that “the extent to which certain identifiers are sufficient to achieve identification is something dependent on the context of the particular situation”.29 According to the Commission “a person may be identified directly by name or indirectly by a telephone number, a car registration number, a social security number, a passport number or by a combination of significant criteria which allows him to be recognised by narrowing down the group to which he belongs (age, occupation, place of residence, etc.)”.30

89 Whether a natural person actually is identifiable depends on the sort of information processed and on its information value. “Some characteristics are so unique that someone can be identified with no effort (“present Prime Minister of Spain”), but a combination of details on categorical level (age category, regional origin, etc.) may also be pretty conclusive in some circumstances, particularly if one has access to additional information of some sort.”31

26 Cf. WP 136, 13.
27 WP 136, 12.
28 WP 136, 16.
29 WP 136, 13.

(2) Criteria for determining indirect identifiability

90 This leads to the question who has to be able to identify a particular natural person and how much effort this person may require for identifying this particular natural person. Like Directive 95/46, the GDPR does not provide a clear answer to this question but only provides guidelines and criteria for determining whether a sufficient identifiability exists or not.

91 According to GDPR, recital 26, sentences 3 and 4, to “determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments.”32 Individual abilities of a certain controller should therefore be irrelevant. The evaluation has to take place with regard to the time of processing; however, future technical developments have to be taken into account.

92 Besides these criteria, the Art. 29 Working Party provided further examples of factors to be taken into account, namely “the advantage expected by the controller, the interests at stake for the individuals, as well as the risk of organisational dysfunctions (e.g. breaches of confidentiality duties) and technical failures.”33 Furthermore, it was clarified that “this test is a dynamic one and should consider the state of the art in technology at the time of the processing and the possibilities for development during the period for which the data will be processed. Identification may not be possible today with all the means likely reasonably to be used today. If the data are intended to be stored for one month, identification may not be anticipated to be possible during the ‘lifetime’ of the information, and they should not be considered as personal data. However, if they are intended to be kept for 10 years, the controller should consider the possibility of identification that may occur also in the ninth year of their lifetime, and which may make them personal data at that moment. The system should be able to adapt to these developments as they happen, and to incorporate then the appropriate technical and organisational measures in due course.”34

30 COM (92) 422 final, 15.10.1992, Commentary on the Amended proposal for a Council Directive, 9.
31 WP 136, 13.
32 This wording is almost identical to Council Directive 95/46/EC, rec. 26, sentence 2, whereas in the GDPR the wording of “singling out” a particular person was added.
33 WP 136, 15.

(3) Decision of the European Court of Justice on IP addresses

93 These criteria and this threshold for the identifiability of a natural person were relevant in legal proceedings at the ECJ on the following question submitted by the German Federal Court of Justice:

94 “Must Article 2(a) of Directive 95/46/EC […] be interpreted as meaning that an Internet Protocol address (IP address) which a service provider stores when his website is accessed already constitutes personal data for the service provider if a third party (an access provider) has the additional knowledge required in order to identify the data subject?”35

95 Firstly, the ECJ clarified that in so far as recital 26 of Directive 95/46 “refers to the means likely reasonably to be used by both the controller and by ‘any other person’, its wording suggests that, for information to be treated as ‘personal data’ […], it is not required that all the information enabling the identification of the data subject must be in the hands of one person.”36

96 With regard to IP addresses, based on the criteria described above (see section B.I.2.c)(bb), → mn. 84 et seqq.), the ECJ concluded that although “German law does not allow the internet service provider to transmit directly to the online media services provider the additional data necessary for the identification of the data subject, […] legal channels exist […] to obtain that information from the internet service provider […]” and that, subject to the existence of such legal channels, IP addresses constitute personal data.37

d) Anonymous and anonymised data

97 Anonymous information does not relate to an identified or identifiable data subject. In other words, anonymous data is the counterpart to personal data and is not subject to the restrictions of the GDPR. Therefore, where the above-described test of whether a data subject is identifiable (see section B.I.2.c)(bb), → mn. 84 et seqq.) shows a negative result, the GDPR does not apply.

98 GDPR, recital 26, sentences 5 and 6 confirm that anonymous information is “information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable” and that the GDPR does not “concern the processing of such anonymous information, including for statistical or research purposes.”

34 WP 136, 15.
35 ECJ, Case C-582/14, 12 May 2016, Patrick Breyer v. Bundesrepublik Deutschland, Opinion of Advocate General Campos Sánchez-Bordona, para. 26.
36 ECJ, Case C-582/14, 19 October 2016, Patrick Breyer v. Bundesrepublik Deutschland, para. 43.
37 ECJ, Case C-582/14, 19 October 2016, Patrick Breyer v. Bundesrepublik Deutschland, para. 47, 48.

e) Pseudonymisation

Pseudonymisation is the process of disguising identities.38 Different to Directive 95/46, now GDPR, art. 4, para 5 defines the term pseudonymisation when it states that “pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person”. 100 The crucial conditions for a complete pseudonymisation are therefore, that the information required for the identification of the data subject is kept separately and that technical and organisation measures prevent the (re-)identification of the data subject, e.g. by way of authorisation schemes which are restricting access to information required for (re-)identification. GDPR, recital 29 adds in this regard that in “order to create incentives to apply pseudonymisation when processing personal data, measures of pseudonymisation should, whilst allowing general analysis, be possible within the same controller when that controller has taken technical and organisational measures necessary to ensure, for the processing concerned, that this Regulation is implemented, and that additional information for attributing the personal data to a specific data subject is kept separately. The controller processing the personal data should indicate the authorised persons within the same controller.” 101 Additionally, and again different to Directive 95/46,39 GDPR, recital 26, sentence 2 now makes absolutely clear, that pseudonymised data remains personal data in the meaning of GDPR, art. 4, para 1. 
102 Consequently, also under the GDPR, pseudonymisation at least reduces the risk of data subjects being identified by unauthorised persons and is therefore a way of designing data processing in a less invasive and thus more data protection friendly way. Pseudonymisation reduces the risks for data subjects (which, for instance, is relevant when balancing interests: see section C.I.3.b), → mn. 320), increases data security and helps controllers and processors to meet their data protection obligations.40 The effectiveness of a pseudonymisation procedure depends, for example, on the stage at which it is applied, how resistant it is to reverse tracing and how large the population is in which the individual is concealed.41 In practice this means that a pseudonym derived from a small value space (a date of birth, a postcode) by an unkeyed or otherwise reproducible transformation offers little protection, because a third party can simply enumerate all candidate values and compare.
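The separation requirement of GDPR, art. 4, para 5 and the effectiveness factors named above (resistance to reverse tracing, size of the concealing population) can be made concrete in code. The following Python example is added by the editor and is not part of the book or of any cited source; the records, names and keys are constructed, and all function names are the editor's own. It derives a keyed pseudonym (HMAC-SHA256) from the direct identifiers and returns the re-identification table separately, so that the table and the key can be held as the “additional information” by the authorised persons within the controller, which is also the key-coding arrangement described for encrypted data below. The unkeyed variant shows why a plain hash of a date of birth is not an effective pseudonym: the candidate space is small enough to enumerate.

```python
"""Keyed pseudonymisation with separately held re-identification data,
contrasted with an unkeyed pseudonym that can be reversed by enumeration.
Editorial example; records, names and keys are constructed, not real."""
import hashlib
import hmac
import secrets
from datetime import date, timedelta

# Constructed sample data set: fictitious persons, not real records.
RECORDS = [
    {"name": "Anna Example", "dob": "1984-03-12", "diagnosis": "asthma"},
    {"name": "Bert Beispiel", "dob": "1991-11-02", "diagnosis": "migraine"},
    {"name": "Anna Example", "dob": "1984-03-12", "diagnosis": "allergy"},
]


def pseudonymise(records, key):
    """Split records into an analysis set and a separately held lookup table.

    The pseudonym is HMAC-SHA256(key, name|dob), truncated to 16 hex chars.
    Without `key` nobody can recompute it from a guessed identity, and the
    lookup table is the "additional information" of GDPR art. 4(5): it is
    returned separately so the caller stores it under its own access
    controls, apart from the analysis set (which holds no identifiers).
    """
    analysis, lookup = [], {}
    for rec in records:
        identity = f"{rec['name']}|{rec['dob']}".encode()
        pseudonym = hmac.new(key, identity, hashlib.sha256).hexdigest()[:16]
        analysis.append({"pseudonym": pseudonym, "diagnosis": rec["diagnosis"]})
        lookup[pseudonym] = {"name": rec["name"], "dob": rec["dob"]}
    return analysis, lookup


def reidentify(analysis_row, lookup):
    """Re-identification is only possible for whoever holds the lookup table."""
    return lookup.get(analysis_row["pseudonym"])


def naive_pseudonym(dob):
    """Unkeyed SHA-256 of a date of birth: hides the value from a casual reader only."""
    return hashlib.sha256(dob.encode()).hexdigest()


def reverse_naive(target, start_year=1900, end_year=2025):
    """Recover the date behind an unkeyed pseudonym by enumerating every
    calendar date in the range (about 46,000 candidates for 1900-2025).
    This is the reverse tracing that a small concealing population allows."""
    day, last = date(start_year, 1, 1), date(end_year, 12, 31)
    while day <= last:
        candidate = day.isoformat()
        if naive_pseudonym(candidate) == target:
            return candidate
        day += timedelta(days=1)
    return None


def demo():
    """Run both variants; returns (same_person_linkable, other_key_unlinkable, recovered_dob)."""
    key = secrets.token_bytes(32)  # generated and held by the authorised role only
    analysis, lookup = pseudonymise(RECORDS, key)
    # Same person, same pseudonym: general analysis across records still works.
    linkable = analysis[0]["pseudonym"] == analysis[2]["pseudonym"]
    # A party with a different key (or none) cannot reproduce the pseudonyms.
    other, _ = pseudonymise(RECORDS, secrets.token_bytes(32))
    unlinkable = other[0]["pseudonym"] != analysis[0]["pseudonym"]
    # The unkeyed variant falls to simple enumeration.
    recovered = reverse_naive(naive_pseudonym(RECORDS[0]["dob"]))
    return linkable, unlinkable, recovered


if __name__ == "__main__":
    print(demo())  # (True, True, '1984-03-12')
```

The point of returning `lookup` as a separate object is that the analysis set can be handed to an analyst who never sees the key or the table; whether that separation is actually enforced (separate storage, separate access rights, an indicated set of authorised persons) is an organisational question the code cannot answer. The HMAC construction is one common choice for the keyed step; the GDPR does not prescribe any particular method.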

38 WP 136, 18.
39 Council Directive 95/46/EC does not address the term “pseudonymisation” at all.
40 Cf. GDPR, rec. 28.
41 WP 136, 18.

Daniel Rücker


f) Encrypted data

103 Encrypted data, or in other words key-coded data, “are a classical example of pseudonymisation. Information relates to individuals that are earmarked by a code, while the key making the correspondence between the code and the common identifiers of the individuals (like name, date of birth, address) is kept separately.”42 However, as encrypted data can still be linked to a natural person by whoever holds the key, they still constitute personal data.

3. Data subjects – natural persons

104 The last part of the definition of “personal data” requires that the information relates to and identifies a natural person, who is consequently defined as the “data subject” (GDPR, art. 4, para 1, sentence 1). This simply means that the information has to refer to a living human being, which follows from the fact that data protection derives from the right to respect for private life.43 Pursuant to GDPR, recital 14, sentence 1 the “protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data”.

a) Dead persons

105 Pursuant to GDPR, recital 27 the Regulation does in principle not apply to personal information of deceased persons. However, such personal information may still benefit from data protection law or otherwise be subject to legal protection:

106 Firstly, pursuant to GDPR, recital 27 “Member States may provide for rules regarding the processing of personal data of deceased persons”.

107 Secondly, in practice, a data controller may not always be able to ascertain whether the natural person the data relate to is still living or already dead. Therefore, in practice, it may often be easier “to process also the data on the dead in the way imposed by the data protection rules, rather than to separate the two sets of data.”44

108 Thirdly, businesses should always consider rules other than data protection law which may protect personal information of deceased persons. “[I]nformation on deceased persons may be subject to specific protection granted by sets of rules other than data protection legislation, drawing the lines of what some call “personalitas praeterita”. For example, the obligation of confidentiality of medical staff may not necessarily end with the death of the patient. National legislation on the right to one’s own image and honour may also protect the memory of the dead.”45

42 WP 136, 18.
43 Cf. Handbook on European data protection law, Council of Europe (ed), 2014, 37.
44 WP 136, 22.
45 WP 136, 22.


109 Fourth, information on dead individuals may also refer to living persons, because many sorts of information refer to more than one person.46 For instance, the information that a parent who has already died suffered from a certain hereditary disease may also refer to their child. “Thus, where the information which is data on the dead can be considered to relate at the same time also to the living […], the personal data of the deceased may indirectly enjoy the protection of data protection rules.”47

b) Legal persons

aa) No protection under the GDPR


110 Similar to but more explicit than Directive 95/46, recital 24, GDPR, recital 14 states: “This Regulation does not cover the processing of personal data which concerns legal persons and in particular undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person”. Therefore, legal persons do not enjoy the protection of the GDPR.

bb) Indirect protection and protection under national law

111 Furthermore, in practice and similar to “information on dead people, practical arrangements by the data controller may also result in data on legal persons being subject de facto to data protection rules. Where the data controller collects data on natural and legal persons indistinctly and includes them in the same sets of data, the design of the data processing mechanisms and the auditing system may be set up so as to comply with data protection rules. In fact, e.g. in case of a B2B customer database that includes information on both legal entities and businesses operated by a sole proprietorship, it may be easier for the controller to apply the data protection rules to all sorts of information in his files than to try to sort out what refers to natural and what to legal persons.”48

112 Finally, under Directive 95/46 “the ECJ has made clear, nothing prevents Member States from extending the scope of the national legislation implementing the provisions of the Directive to areas not included within the scope thereof, provided that no other provision of community law precludes it.”49 Therefore, also under the GDPR, Member States should at least remain free to establish national rules for the protection of data relating to legal entities, although this would need to be a national scheme of protection rather than the regime of the GDPR.

46 WP 136, 22.
47 WP 136, 22.
48 WP 136, 24.
49 WP 136, 24; cf. Judgment of the European Court of Justice C-101/01 of 6.11.2003, Lindqvist, para. 98.


4. Consequences of inapplicability of the GDPR

113 If information does not constitute personal data and is therefore not subject to the protection and the restrictions of the GDPR, protection may still result from other sources of law. For example, where “data protection rules do not apply, certain activities may still constitute an interference with Article 8 of the European Convention on Human Rights, which protects the right to private and family life, in the light of the far-reaching jurisprudence of the ECHR.”50 Furthermore, other “sets of rules, such as torts law, criminal law or anti-discrimination law may also provide protection to individuals in those cases where data protection rules do not apply and various legitimate interests may be at stake.”51

II. Personal scope of application of the GDPR

114 Apart from the material scope of application of the GDPR, for determining the particular rights and obligations of businesses under the GDPR it is also decisive to assess the personal scope of application of the GDPR, in particular whether an entity is a data controller, joint controller, mere processor or merely a third party.

115 Directive 95/46 established “controllers” as opposed to “processors” as the two bodies which are both bound by data protection law, however with different roles and responsibilities. These concepts, especially the definition of their different roles and the system of their interaction, are crucial as they determine who shall be responsible to what extent, what the applicable law is, which body is supposed to be addressed by data subjects for exercising their rights, and how effectively Data Protection Authorities can operate.52 As a counterpart, Directive 95/46 established the “third party” which, also under the GDPR, as such is neither bound by data protection law nor authorised to exercise any rights under it.

116 In its evaluation of the implementation of Directive 95/46, also with regard to the relevant distinction of roles and responsibilities, the Commission deplored considerable discrepancies between the interpretations of Directive 95/46 in the Member States: “These divergences run counter to the objective of the Directive to ensure the free flow of personal data within the internal market. […] Different interpretations and a lack of clarity of certain aspects of these concepts has led to uncertainties with regard to responsibility and liability of controllers, co-controllers and processors, the actual or legal capacity to control processing, and the scope of applicable national laws, causing negative effects on the effectiveness of data protection.”53

50 WP 136, 24.
51 WP 136, 24.
52 Cf. European Commission, Commission Staff Working Paper, Impact Assessment, Brussels, 25.1.2012, SEC(2012) 72 final, Annex 2, 8.
53 European Commission, Commission Staff Working Paper, Impact Assessment, Brussels, 25.1.2012, SEC(2012) 72 final, Annex 2, 8 f.


117 The GDPR continues to apply the established concepts of controller, processor and third party. As far as the wording of the GDPR is identical to the wording of Directive 95/46 and the Regulation does not provide further specification, and until the new Board issues any new opinion or guidance, it seems reasonable also under the GDPR to interpret the concepts of controller and processor along the lines of the common position and practical guidelines issued by the Art. 29 Working Party in its 2010 opinion on the concepts of controller and processor.54

118 Basically, the data controller carries the main responsibility for data protection compliance. However, although the differentiation between controllers and processors did not really change under the GDPR, the responsibility of processors was increased. Pursuant to GDPR, art. 82, para 4, data subjects can sue not only the controller but also the processor for breaches of the GDPR, because “[w]here more than one controller or processor, or both a controller and a processor, are involved in the same processing and where they are, under paragraphs 2 and 3, responsible for any damage caused by processing, each controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject.” (see section D.VII, → mn. 802 et seqq.).

119 Also in practice, the distinction between controllers and processors is still decisive for determining responsibilities and for avoiding legal uncertainties resulting from unclear roles. However, developments in corporate practice towards organisational differentiation, on-going corporate diversification, matrix structures, delivery chains and service delivery across organisations, as well as the use of multiple outsourcing and service providers including their subcontractors, make it increasingly difficult to determine the responsibilities of the different stakeholders involved. Therefore, it is even more important to have a closer look at the definitions of controllers as opposed to processors and to be able to clearly distinguish between these different roles and their different responsibilities.

1. Controller

120 The controller is the main body bound by the rules of the GDPR and has the main responsibility and liability for data protection compliance. Identical to Directive 95/46, art. 2, para d), GDPR, art. 4, para 7 defines the controller as
– “the natural or legal person, public authority, agency or any other body
– which alone or jointly with others
– determines the purposes and the means of the processing of personal data”.


121 In particular the differentiation between controllers and processors is essential for determining responsibility under the GDPR. Therefore, in the following, the relevant elements of that definition are assessed in further detail as they provide fairly clear criteria for the required differentiation.

54 WP 169.

a) Determination of the responsible body – natural person, legal person or any other body

122 This definition of the term “controller” clearly reflects that both natural and legal persons as well as any other body can be a controller under the GDPR.

123 Also under the GDPR, the controller is the body primarily responsible (see section D.IV., → mn. 602 et seqq., concerning the details of the responsibilities of a controller). The necessary clear identification of the responsible body for each single processing has to be performed on a case-by-case basis. The main question in that context is whether the controller is supposed to be the company or body as such or a specific person within that company or body.

124 As the controller is supposed to provide data subjects with an adequate and reliable reference entity for the exercise of their rights, “preference should be given to consider as controller the company or body as such rather than a specific person within the company or body.”55 This is also supported by the fact that the data subject may have a contract or other relationship with the whole company or body rather than with the particular natural person or employee working in that company. Exceptionally, however, a natural person within the company may be qualified as a data controller instead of the company if that natural person uses data controlled by the company for their own purposes rather than for the purposes of the company.56

b) Power to determine “purposes and means” of data processing – distinguishing controllers and processors

125 The question who actually “determines the purposes and means of the processing of personal data” is decisive for (a) distinguishing between data controllers and mere processors and for (b) identifying the responsible controller within a group of undertakings involved in the processing of personal data.57

aa) Criteria for “determining” the relevant purposes and means

126 The determination of the relevant purposes and means may either take place by law or, as is more often the case in practice, may depend on who actually has the factual influence on determining the relevant purposes and means for processing personal data.

55 Cf. WP 169, 15.
56 Cf. WP 169, 16.
57 WP 169, 8.


(1) Determination by law

127 As referred to in the second part of the definition of the term “controller”, in some cases “the purposes and means of such processing are determined by Union or Member State law”, with the consequence that “the controller or the specific criteria for its nomination may be provided for by Union or Member State law” (GDPR, art. 4, para 7, sentence 2).

128 These will usually be cases in which national law assigns certain tasks and purposes to a particular entity, which may even include guidance on the means of how to fulfil such purposes. In any case, and in particular under the GDPR as a regulation, it has to be ensured that although other external legal sources may help to identify who is a data controller, the question of who is the data controller must ultimately be answered by the GDPR alone rather than by external legal sources of Member State law.58

(2) Determination by way of factual influence

129 The Art. 29 Working Party clarified that the “concept of controller is a functional concept, intended to allocate responsibilities where the factual influence is, and thus based on a factual rather than a formal analysis.”59 The wording of the definition in GDPR, art. 4, para 7, sentence 1, “which […] determines” instead of “which […] lawfully determines”,60 reflects the intention of the GDPR that the distinction shall principally be based on a factual rather than a formal evaluation of the circumstances. Consequently it is possible to be a controller irrespective of any specific competence or formal power to control data conferred by law.61

130 Such factual influence may be supported by implicit competence (e.g. employers in relation to their employees) or other circumstances (e.g. the terms of a contract) which assign certain rights and control to a particular person or entity.62 Therefore, all relevant circumstances that may create such factual influence have to be considered. Legal obligations, legal competence or established legal practices63 should be analysed first, because they may define obligations to determine the purposes and means of a certain processing.64

58 See also WP 169, 9 on the autonomy of data protection law in the context of Council Directive 95/46/EC.
59 Cf. WP 169, 9.
60 Cf. WP 169, 9.
61 Cf. WP 169, 8.
62 Cf. WP 169, 10 f.
63 For example: the employer in relation to data on his employees; the publisher in relation to data on subscribers; the association in relation to data on its members or contributors.
64 Cf. WP 169, 10.


bb) “Purposes and means” of data processing

131 Being a data controller requires that, mainly based on its factual influence, a body determines the “purposes and means” of data processing. By contrast, the processor only processes personal data “on behalf” of the controller (GDPR, art. 4, para 8; see section B.II.2, → mn. 152) and is bound by the instructions of the data controller, in particular with regard to the “purposes and means” of such data processing.

132 Determining the “purposes and means” amounts to determining the “why” and the “how” of certain processing activities.65 Whereas the term “purposes” may be translated into the “why”, the term “means” may be understood as the “how” of certain processing activities.

133 Therefore, the level of influence on the “why” and “how” of data processing is decisive for the differentiation between controllers and processors. It has to be assessed at which level of detail a body can decide about the purposes and means in order to be considered a controller or, by way of contrast, how little influence an entity may have in order to be a processor only. The “crucial question is therefore to which level of details somebody should determine purposes and means in order to be considered as a controller. And in correlation to this, which is the margin of manoeuvre”66 that the law allows for a data processor.

cc) Determination of the “purposes”/“why” of processing

134 Against the background of the principle of purpose limitation (see section C.I.2, → mn. 261 et seqq.), only the controller may define the purposes of processing. In other words, the body which defines what the processing should finally lead to, namely which results are supposed to be achieved, is the body which defines the purposes and therefore is the controller.67 Consequently, to the extent a body defines the “purposes”/“why” of data processing, it can never be a mere processor.

dd) Determination of the “means”/“how” of processing

135 By contrast, the determination of the “means”/“how” of processing may at least partly be delegated to the processor without the controller losing its role as controller. Under Directive 95/46 “determining the means” required control at least over the essential elements of the processing68 which are decisive for the lawfulness of a certain processing.69 The body which at least has leading control over the lawfulness of the relevant processing is the primarily responsible body, namely the controller.

65 WP 169, 13.
66 WP 169, 13.
67 Cf. WP 169, 14.
68 Cf. GDPR, art. 32, para 1; WP 169, 14.
69 WP 169, 15.

136 Consequently, non-essential elements of the means of processing may also be determined by a data processor. For example, “it is well possible that the technical and organisational means are determined exclusively by the data processor.”70

137 The means of processing may comprise several aspects, in particular technical and organisational measures which provide for an appropriate level of security, the choice of the categories of personal data to be processed, the duration of processing, rules for accessing personal data within the body and many more.71 For instance, where a processor is entrusted with deciding which hardware or software it uses for a certain processing, this processor is entrusted with the determination of technical and organisational measures but not with essential elements. By contrast, the decisions about which data shall be processed, how long these data shall be processed and who shall have access to these data are clearly essential elements of a processing and therefore reserved for the controller.72

138 In conclusion, the “determination of the ‘means’ of processing can be delegated by the controller, as far as technical or organisational questions are concerned. Substantial questions which are essential to the core of lawfulness of processing are reserved to the controller.”73

c) Joint controllers – joint responsibility

139 The responsibility imposed on a controller may not only be allocated to one particular body but may also be allocated to more than one body which cooperate with regard to the processing of such personal data. A “joint determination” of purposes and means requires that two bodies cooperate in that context rather than acting alone and independently.74

140 In practice, many different kinds of “pluralistic control” may exist. Unlike Directive 95/46, the GDPR stipulates in a separate art. 26 the conditions for joint controllership.

aa) Requirements for joint control under the GDPR

141 GDPR, art. 26, para 1, sentence 1 states: “Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers.”

142 The “assessment of joint control should mirror the assessment of “single” control and “also in assessing joint control a substantive functional approach should be taken, as illustrated above, focusing on whether the purposes and means are determined by more than one party.”75 Therefore, “contractual arrangements can be useful in assessing joint control, but should always be checked against the factual circumstances of the relationship between the parties.”76

70 Cf. GDPR, art. 32, para 1; WP 169, 14.
71 WP 169, 14.
72 WP 169, 14.
73 WP 169, 15.
74 WP 169, 18.

143 Furthermore, for actually assessing joint control, the participation of the parties in the joint determination of purposes and means has to be evaluated. In that context, the parties cooperating “may have a very close relationship (sharing, for example, all purposes and means of a processing) or a more loose relationship (for example, sharing only purposes or means, or a part thereof).”77

144 However, the mere fact that two parties cooperate in processing personal data does not automatically mean that they can be qualified as joint controllers. Instead, joint controllership within the meaning of the GDPR requires that the controllers share purposes and/or means of processing to a sufficient extent, i.e. that they finally decide on the “why and how” of the processing together to a sufficient extent.

145 Jointly determining the purposes and means of processing does, on the other hand, not require that all actors decide to the same extent. Furthermore, such common control does not have to refer to both the purposes and the means of the shared processing. Instead, it is sufficient if the actors share at least the determination of either the purposes or the means of processing. In other words, joint controllership even exists where different actors pursue no common purpose but jointly define the means of processing. For example, different actors may “decide to set up a shared infrastructure to pursue their own individual purposes.
When in setting up this infrastructure these actors determine the essential elements of the means to be used, they qualify as joint data controllers – in any case to that extent – even if they do not necessarily share the same purposes.”78

bb) Consequences of a joint controllership

(1) No privilege for transferring personal data between joint controllers

146 The GDPR does not establish any privilege for the exchange of personal data between joint controllers. Instead, joint controllers remain separate natural or legal persons, and any exchange of data between joint controllers remains processing within the meaning of the GDPR and therefore has to follow the same principles and rules for lawful processing as any other processing. In particular, joint controllership does not create a privilege for groups of undertakings, although this was strongly demanded during the Data Protection Reform process.

147 A legal justification for exchanging personal data between joint controllers and for the use of such data by the other joint controller for particular purposes may derive from GDPR, art. 6, in particular from GDPR, art. 6, para 1, subpara f), which requires a balancing of the interests of the joint controller against possibly conflicting interests of the affected data subjects (for the rules of such a balancing of interests see section C.II.2.e)(cc), → mn. 405 et seqq.).

75 WP 169, 18.
76 WP 169, 18.
77 WP 169, 19.
78 WP 169, 19 f.

(2) Transparent allocation of responsibilities

148 Therefore, joint controllership mainly leads to joint responsibility (see section D.I.2.e), → mn. 508). GDPR, art. 26, para 1, sentences 2 and 3 require that joint controllers “shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, by means of an arrangement between them unless, and in so far as, the respective responsibilities of the controllers are determined by Union or Member State law to which the controllers are subject. The arrangement may designate a contact point for data subjects.”

149 Irrespective of such an arrangement, GDPR, art. 26, para 3 provides that “the data subject may exercise his or her rights under this Regulation in respect of and against each of the controllers”. This applies even where the joint controllers have designated a particular contact point.

(3) Joint liability

150 Finally, joint responsibility results in full liability of each joint controller involved: GDPR, art. 82, para 2 states: “Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation.” GDPR, art. 82, para 4 even establishes joint and several liability, also for infringements committed by the other joint controller: “[…] each controller […] shall be held liable for the entire damage in order to ensure effective compensation of the data subject.” (see section D.I.2.e), → mn. 508, and C.II.2.d), → mn. 387).

151 From a business perspective, when considering joint controllership, the consequence of joint liability has to be taken into account and should be reflected in the above-mentioned arrangement between the controllers, also with regard to the allocation of responsibilities and liability in the internal relationship between the joint controllers. GDPR, art. 82, para 5 grants the controller that has paid full compensation a right of recourse against the other controllers or processors involved in the same processing for the part of the compensation corresponding to their share of responsibility; the internal arrangement should therefore also define how that share is determined.

2. Processor

152 Identical to the definition in Directive 95/46, art. 2, para e), the definition of “processor” in GDPR, art. 4, para 8 consists of two main elements:
– “a natural or legal person, public authority, agency or other body”
– “which processes personal data on behalf of the controller”.


153 As for the definition of controllers, processors may be natural or legal persons, public authorities, agencies or other bodies.

154 The decisive element for distinguishing a processor from a controller is that the processor does not process personal data in its own interest in order to fulfil its own purposes but only “on behalf of the controller”, i.e. in the interest of the controller, in the context of fulfilling the purposes of the controller and according to the strict instructions of the controller.

155 Using a processor and transferring or otherwise making available personal data to a processor in that context is legally privileged compared to a transfer of personal data from one controller to another controller (for details see section B.II.2.d)). The main reason for this privilege is that the processor is strictly bound by the instructions of the data controller, is supposed to have no or only very little room for taking its own decisions and therefore factually only acts as an extended arm of the controller.

156 As the definition of “processor” in GDPR, art. 4, para 8 does not restrict the scope of delegating the processing of personal data, the activities entrusted to a processor may be limited to a very specific purpose but may alternatively also be quite general and comprehensive.79


a) Processing personal data “on behalf of a controller”

157 A prerequisite for being a processor is not to determine the purposes and means of the relevant data processing oneself but to depend on the data controller, who determines the purposes and means of data processing and instructs and steers the processor.

aa) No factual influence of the processor on determining the purposes and means of processing

158 Also from the angle of defining and identifying a mere processor, the distinction will mainly depend on the factual influence on determining the relevant purposes and means for processing personal data, which must not be in the hands of the processor.

159 Also in this case “a functional approach shall be applied, analysing the factual elements of the relations between the different subjects and the way purposes and means of the processing are determined. In case a controller/processor relation appears to exist, these parties are obliged to conclude a contract according to the law […].”80

bb) Processor subject to the instructions of the data controller

160 According to GDPR, art. 29 the “processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by Union or Member State law.” Therefore, being bound by the instructions of the data controller is a decisive element for qualifying as a data processor.

79 WP 169, 25; cf. Handbook on European data protection law, Council of Europe (ed), 2014, 52.
80 WP 169, 26.

cc) Factual compliance with the instructions of the data controller

161 Furthermore, a processor has to act in accordance with the instructions received from the data controller. The “lawfulness of the processor’s data processing activity is determined by the mandate given by the controller. A processor that goes beyond its mandate and acquires a relevant role in determining the purposes or the essential means of processing is a (joint) controller rather than a processor.”81 A processor who uses data received as a processor beyond the instructions of the data controller and for its own purposes will be qualified as a data controller in respect of that processing (GDPR, art. 28, para 10).

b) Requirements for engaging a processor

aa) Mandate of the processor


162 “Acting on behalf” does not only imply that the processor has to serve the interests of the controller but also that a processor requires a mandate from the controller with regard to a particular scope of processing personal data on behalf of the controller. The processor has to act within the scope of such mandate and to comply with the instructions received from the controller within that mandate (GDPR, art. 29).

bb) Choice of the right processor – provision of sufficient guarantees by the processor

163 The controller is obliged to choose the right processor carefully. According to GDPR, art. 28, para 1 “the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.”

164 GDPR, recital 81, sentence 1 further clarifies that such guarantees should be given “in particular in terms of expert knowledge, reliability and resources, to implement technical and organisational measures which will meet the requirements of this Regulation, including for the security of processing.” The controller has to ensure that the processor actually provides the relevant guarantees. One way of ensuring this is to include the relevant obligations of the processor in the contract to be concluded between the controller and the processor.

81 Cf. WP 169, 25.


Daniel Rücker

B. Scope of application of the GDPR

165 According to GDPR, art. 28, para 5 adherence “of a processor to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate sufficient guarantees as referred to in paragraphs 1 and 4 of this Article”. However, this also clarifies that adherence to an approved code of conduct or an approved certification mechanism is only one of several elements in ensuring sufficient guarantees of the processor and that additional measures need to be taken.

cc) Processing contract

166 Where the required mandate exists, controller and processor are obliged to sign a binding contract in order to properly document and specify the mandate and its scope, in particular “the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller” (GDPR, art. 28, para 3, sentence 1).82

167 Such contract can be an individual agreement between controller and processor or it may be based on standard contractual clauses laid down by the Commission or adopted by a supervisory authority, GDPR, art. 28, paras 6, 7 and 8. It serves the purpose of securing a lawful processing of personal data.83

168 With regard to the legal form of such contract, Directive 95/46, art. 17, para 4 was quite open and only provided that such contract should be concluded “in writing or in another equivalent form”. In that context, GDPR, art. 28, para 9 is stricter and requires that the processing contract or other legal act “shall be in writing, including in electronic form.” As the term “electronic form” is not defined, it so far remains unclear what the actual requirements of such electronic form are supposed to be. It remains to be seen which positions the data protection authorities will take on this and to what extent national law requirements on the concept of “electronic form” will be held relevant.

dd) Necessary content of a processing contract

169 Unlike Directive 95/46, art. 17, GDPR, art. 28, para 2, sentence 3 now defines the key requirements of processing contracts for commissioned data processing. Furthermore, the term “in particular” used in that context also clarifies that this is not supposed to be understood as an exhaustive list of requirements but that in an individual case further requirements may apply.

170 In a nutshell, and subject to the further details described in the list in GDPR, art. 28, para 2, sentence 3, the processing contract must include rules on the following issues:

82 As an alternative to such contract, another legal act available under Union or Member State law may be used to govern the processing by a processor (GDPR, art. 28, para 3).
83 Cf. WP 169, 26 f.


– subject-matter, nature and purposes of the processing
– type of personal data covered
– categories of data subjects concerned
– duration of the processing
– obligations and rights of the controller.

Furthermore, the mandate shall stipulate, in particular, that the processor:
– processes data only on the documented instructions from the controller;
– ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
– takes all measures required pursuant to GDPR, art. 32;
– respects the conditions for engaging another (sub-)processor;
– assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights;
– assists the controller in ensuring compliance with the obligations concerning data security, data protection impact assessment, notifications of data breaches, etc.;
– at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing;
– makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allows for and contributes to audits, including inspections, conducted by the controller or another auditor mandated by the controller.

c) Further explicit obligations of processors

171 Apart from the general role of the processor and the contractual obligations of the processor, the GDPR also provides for further explicit obligations of the processor, some of which are new under the GDPR and were not mentioned in Directive 95/46.

aa) Appropriate technical and organisational measures

172 The obligation of the data processor to provide for appropriate technical and organisational measures already results from the instructions received from the controller, who in its role as a data controller is primarily responsible for the security of processing.

173 However, besides the controller, GDPR, art. 32, para 1 now also directly obliges the processor to “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk […].”


bb) Data protection officer

174 Same as a controller pursuant to GDPR, art. 37, para 1, the processor may also be obliged to designate a data protection officer (see section D.VI.1., → mn. 761 et seqq.).

cc) Records of processing activities

175 According to GDPR, art. 30, para 2, besides the controller, also each “processor and, where applicable, the processor’s representative shall maintain a record of all categories of processing activities carried out on behalf of a controller”. The minimum content of such records is detailed in GDPR, art. 30, para 2. In order to make sure that these details are properly documented and may easily be made available to the authority on request (GDPR, art. 30, para 3), the records shall be “in writing, including electronic form” (GDPR, art. 30, para 4). As with the form requirement for the data processing contract (see section B.II.2.b)(cc), → mn. 166 et seqq.), it remains unclear what particular kind of electronic form is required.

d) Lawfulness of a data transfer to a data processor

176 The question arises whether a transfer of personal data from the data controller to the data processor also requires a specific legal ground, which may result from GDPR, art. 6. If one were to follow such an approach, a processing of special categories of personal data would only be possible under the very strict requirements of GDPR, art. 9.

177 However, there are good arguments against the need for such a specific legal ground. According to GDPR, art. 4, no. 10, a data processor is not considered a third party. Therefore, using a data processor does not require any further specific legal ground as long as the relevant processing would be justified if it was performed by the controller himself and if the strict requirements of GDPR, art. 28 are met.

e) Consequences of a breach of the contractual relationship for the processor

178 Due to the fact that the distinction between controller and processor mainly results from the factual influence on the processing, GDPR, art. 28, para 10 makes clear that if “a processor infringes this Regulation by determining the purposes and means of processing, the processor shall be considered to be a controller in respect of that processing”. In other words, the role of a body may switch from being a processor to becoming a controller where the processor extends its influence by defining purposes and/or means of a certain processing, even if this infringes its contractual obligations towards the controller.

179 Should a contractor in its role as a processor factually use personal data for its own benefit and purposes rather than for the benefit of the data controller only, “for example by using personal data received with a view to generate value-added services, it would be a controller (or possibly a joint controller) for another processing activity and therefore subject to all the obligations of the applicable data protection law.”84

180 Therefore, GDPR, art. 28, para 10 may be interpreted in the way that being a processor or controller is not a natural characteristic of a legal entity but a role that stems from the concrete activities in a specific context.85 Consequently, the role may change in case of increasing activity and influence.

f) How to handle former mandates

181 With regard to existing mandates of processors, as of May 25, 2018 these mandates have to comply with the requirements of the GDPR. The actual gap between the requirements under the former local law of each relevant Member State and the requirements of the GDPR depends on how in detail the relevant Member State implemented the requirements of Directive 95/46 into its national law.

182 In practice, in particular existing data processing agreements have to be assessed and updated in order to make them compliant with GDPR, art. 28, in particular with regard to the compulsory content of such contracts according to GDPR, art. 28, para 3.

3. Micro, small and medium-sized enterprises

183 Other than Directive 95/46, the GDPR at several points mentions the need to consider the particularities of so-called micro, small and medium-sized enterprises when applying its provisions. Pursuant to GDPR, recital 13, sentence 4 “the Union institutions and bodies, and Member States and their supervisory authorities, are encouraged to take account of the specific needs of micro, small and medium-sized enterprises in the application of this Regulation.”

184 Regarding the definition of this term, GDPR, recital 13, sentence 5 refers to Article 2 of the Annex to Commission Recommendation 2003/361/EC:

“1. The category of micro, small and medium-sized enterprises (SMEs) is made up of enterprises which employ fewer than 250 persons and which have an annual turnover not exceeding EUR 50 million, and/or an annual balance sheet total not exceeding EUR 43 million.
2. Within the SME category, a small enterprise is defined as an enterprise which employs fewer than 50 persons and whose annual turnover and/or annual balance sheet total does not exceed EUR 10 million.
3. Within the SME category, a microenterprise is defined as an enterprise which employs fewer than 10 persons and whose annual turnover and/or annual balance sheet total does not exceed EUR 2 million.”86

84 WP 169, 14.
85 Cf. WP 169, 25.


185 The GDPR explicitly requests the consideration of the special requirements of micro, small and medium-sized enterprises when it comes to establishing
– Codes of Conduct, GDPR, art. 40, para 1 (see section D.II.1., → mn. 567 et seqq.); and/or
– Certification, GDPR, art. 42, para 1 (see section D.III.4., → mn. 592 et seqq.).

186 Moreover, the GDPR directs supervisory authorities and the Commission to turn their attention to the specific needs of these types of enterprises in
– “Awareness-raising activities by supervisory authorities addressed to the public” (GDPR, recital 132) as one of the tasks of supervisory authorities pursuant to GDPR, art. 57, para 1, subparas b) and d); and
– the “implementation of this Regulation” regarding the conferral of implementing powers on the Commission (GDPR, recital 167).

187 However, the GDPR does not define or provide examples as to what can be considered as “specific needs” of micro, small and medium-sized enterprises. Therefore, it so far remains open which particular facilitations may be granted to micro, small and medium-sized enterprises and how they may be supported in complying with the GDPR.

III. Territorial scope of application of the GDPR – Change from the principle of territoriality to effects doctrine

188 Introducing the effects doctrine was one of the key political signals attached to the EU data protection reform. In its final version the scope provision in GDPR, art. 3 now contains three different points of reference for the territorial applicability of the GDPR. First, the Regulation applies if a controller or processor processes personal data in the context of the activities of its establishment in the EU (GDPR, art. 3, para 1). Second, it applies if a controller or processor not established in the EU processes personal data of data subjects in the Union to offer them goods or services or to monitor their behaviour (GDPR, art. 3, para 2). And third, it applies if a controller not established in the EU processes personal data in a place where Member State law applies by virtue of public international law (GDPR, art. 3, para 3).

1. Companies with an establishment in the EU (GDPR, art. 3, para 1)

189 Under GDPR, art. 3, para 1 any processing of personal data in the context of the activities of an establishment in the EU is subject to the GDPR. This applies regardless of whether the processing itself takes place inside or outside the EU. GDPR, art. 3, para 1 applies to both data controllers and processors.

86 Commission Recommendation of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises, p. 36.

Pascal Schumacher


190 Under Directive 95/46,87 companies are already considered as having an establishment in a Member State if they have a representative or a bank account in that Member State.88 It is, in this context, irrelevant whether the company is registered in that place.89 In addition, according to GDPR, recital 22, an establishment implies the effective and real exercise of activity through stable arrangements. The legal form of the establishment, whether in the form of a mere branch or a legal entity, is irrelevant in this respect. Likewise, GDPR, art. 3, para 1 does not require that the “main establishment” is located in the EU. In case the controller has several establishments in the EU, the supervisory authority of the main establishment will be competent to act as lead authority (see section D.V.1.a), → mn. 718 et seqq.). The concept of a “main establishment” is defined in GDPR, art. 4, para 16.

191 The wording of GDPR, art. 3, para 1 and recital 22 is practically identical with former Directive 95/46, art. 4, para 1 and recital 19. This suggests that the question whether e.g. letterbox companies or server locations suffice to constitute an establishment will continue to be debated controversially.90

2. Companies without any establishment in the EU (GDPR, art. 3, para 2)

192 GDPR, art. 3, para 3 expands the scope of the GDPR to the processing of personal data by controllers and processors outside the EU in the context of offering goods or services to, or monitoring the behaviour (within the Union) of, EU data subjects.

a) Offering of goods or services to data subjects in the EU

193 First, GDPR, art. 3, para 2, subpara a) states that data processing is subject to the GDPR where the processing activities are related to the offering of goods or services, irrespective of whether a payment by the data subject is required, i.e. even if offered free of charge.

194 The rationale behind this is laid down in GDPR, recital 23. According to said recital, the applicability of the GDPR is intended to ensure that natural persons are not deprived of the protection under the GDPR. Further, such an approach lays the ground for a level playing field for companies competing for customers in the EU. In practice, this means that a company seated outside the Union which targets EU consumers will be governed by the GDPR. This is currently not the case.

195 With respect to the former legal framework under Directive 95/46, the ECJ had already led the way to such an approach for the territorial scope of application in its Google Spain decision.91 There, the Court stated that it is not decisive whether the establishment in the EU actually processes data itself as long as the establishment promotes the services of the data processing establishment and orientates its activities towards the inhabitants of Member States of the EU. The EU legislator has now implemented and further developed this case law in the Regulation, thereby levelling the playing field in respect of data protection requirements for all companies competing for European customers.

87 Directive 95/46, 31.
88 ECJ, decision of 1 October 2015, C-230/14 – Weltimmo, recital 33.
89 ECJ, decision of 1 October 2015, C-230/14 – Weltimmo, recital 29.
90 Cf. Wieczorek, in Taeger (ed.) Law as a service, vol. 1, 2013, pages 5, 12.
91 ECJ, decision of 13 May 2014, C-131/12 – Google/AEPD.

196 The decisive legal test is whether goods or services are offered to EU data subjects, i.e. to data subjects in one or more EU Member States. The term “goods” refers to tangible property while “services” means any self-employed economic activity.92

197 The recitals provide helpful guidance as to whether such goods and services qualify as being “offered to EU data subjects” and, therefore, suffice to establish the required link to the EU. This requires more than merely providing access to a website or publishing an email address. Where a company provides EU consumers with the possibility of ordering the goods or services, a sufficient link might be established by the use of a language or currency generally used in EU Member States (cf. GDPR, recital 23). In particular, with respect to online services, further details may be drawn from the ECJ’s case law regarding the notion of “directing commercial activities” to a Member State in consumer contracts.93 Due to the thematic similarity, it may be considered appropriate to use some of the indications provided in that decision also in the present context:

198 In particular, the presentation of an offer (local vs. international) can serve as an overarching reference test. Services offered from outside the EU must have an “international character” at least, and not be local in scope only. Otherwise they may not be considered as targeting EU users from the outset.
Clearly, such foreign offers target EU users if they are provided on a European top-level domain (for example “.de”, “.fr” or “.eu”). Use of such domains by the service provider demonstrates that its commercial activities target consumers of the respective EU Member States.94 If, on the other hand, a service is provided on a “.com” website only, or on another top-level domain specific to a non-EU country (e.g. “.cn”), the EU nexus is problematic. Such websites and platforms apparently do not target EU users via their web address. Nonetheless, such offers may qualify as targeting EU users based on additional factors.

92 Cf. the general definition in Article 4(1) of Directive 2006/123/EC of the European Parliament and of the Council of 12 December 2006 on services in the internal market, OJ L 376, 27.12.2006, p. 36.
93 Cf. ECJ, decision of 7 December 2010, C-585/08 and C-144/09 – Pammer and Alpenhof.
94 Cf. ECJ, decision of 7 December 2010, C-585/08 and C-144/09 – Pammer and Alpenhof.


199 On that note, the following criteria are relevant in assessing whether an online service offering targets EU citizens:
– Language, currency, bank details: The fact that a service uses a language that is different from the provider’s language or shows payment amounts in a currency of potential customers (e.g. Euro) is an indication that the website is directed to a country-specific customer group. Furthermore, the provision of European bank details can be significant.
– Advertising and referencing services: The placement of a country-specific advertisement or of a reference service for search engines on a website, in order to reach a prominent place in the search results of European users.
– Country-specific presentation: Special categories and download options that are marked by flags of European Member States or similar signs are presented on the homepage of the provider.
– Reference to EU regulations: Links to regulations of the EU or other Member States, e.g. in general terms and conditions.
– Provider and business directories: Appearance in public service provider directories published by authorities in an EU Member State.

200 In the particular case, it can be an indication against a European orientation if a provider points out explicitly that the service is excluded from use in Europe or for European customers. Additionally, there must not be contradicting indications that the provider serves European customers nevertheless. The individual criteria must be considered in their respective context and in an overall assessment.

b) Monitoring the behaviour of subjects in the EU

201 The GDPR further applies to data processing for the purpose of behaviour monitoring of EU data subjects by controllers and processors outside the EU. However, the behaviour that is being monitored must take place within the EU (GDPR, art. 3, para 2, subpara b)).

202 Such behavioural monitoring includes, for instance, the tracking of individuals on the internet including profiling techniques aimed at enabling decisions or predicting personal preferences, behaviours and attitudes (GDPR, recital 24). This includes all forms of web tracking (e.g. by way of cookies or social plugins such as like buttons etc.), profiling, targeted/programmatic advertising etc. GDPR, art. 3, para 2, subpara b), therefore, likely covers almost all internet services as far as EU data subjects are concerned.

3. Application by virtue of public international law (GDPR, art. 3, para 3)

203 Finally, the GDPR also applies to data processing by a controller without an establishment in the EU, but in a place where Member State law applies by virtue of public international law, such as in a Member State’s diplomatic mission or consular post (GDPR, art. 3, para 3).

4. Summary assessment on changed scope of application

204 By expanding the territorial scope of the Regulation in the ways described above, the EU aims at setting a global standard for data processing in the context of online and internet services. The hope is that for many companies there will be no point in aligning their business activities with different levels of data protection, and that they will rather implement the most stringent data protection regime (as provided by the GDPR).

IV. Limits of the scope of application

1. Basic principle: direct application of the Regulation irrespective of many opening clauses

205 Directive 95/46 is already meant to provide for a “generally complete”95 level of harmonisation of Member States’ data protection regimes; nonetheless some differences between the Member States remained (cf. GDPR, recital 9). To eliminate these differences, to “ensure a consistent and high level of protection” (GDPR, recital 10) and to promote the free movement of personal data within the EU (GDPR, art. 1, para 3), the EU legislator adopted the new data protection regime in the form of a Regulation. According to TFEU, art. 288, Regulations have general application. They are binding in their entirety and directly applicable in all Member States. Unless explicitly catered for in the Regulation, no national legislation is required to transpose the Regulation into national law. Conflicting and, in principle, also identical national statutory law must, therefore, be withdrawn by the Member States or will otherwise cease to be applicable.

2. Remaining scope and amendments of national data protection laws and relevant examples for application of national data protection laws

206 Despite this basic principle of direct application of the GDPR, the Regulation leaves an important number of areas for specification by the Member States: it includes approx. 50-60 so-called “opening clauses” that allow the Member States to enact more specific or deviating regulations at national level. While some oblige the Member States to become active, others give them the freedom to enact more specific or derogating national requirements (e.g. GDPR, art. 88).

207 Since the GDPR, in principle, prevails over all existing national data protection laws, but at the same time leaves significant leeway for specific rules at the level of Member States’ legislation, there would be a high level of legal uncertainty and lack of transparency if the Member States did not adapt their data protection laws to clarify the order of precedence. This relates, in particular, to the following items:

a) Data processing in employment contexts, GDPR, art. 88

208 Many activities performed within employment relationships entail the processing of personal data of employees, sometimes of very sensitive information (e.g. trade union membership, health, criminal offences etc.). In fact, employers collect personal data from their employees for a number of purposes from the very beginning of the employment relationship or even before. Already during the recruitment process, individuals applying for a job have to provide personal data to their potential employer who, at the same time, usually processes this personal data in order to assess the merits of the candidates. The collection and further processing of employees’ personal data continues during the employment relationship (including surveillance and monitoring, e.g. of emails and internet use, carried out electronically). While the processing of most employee data normally stops at the end of the employment relationship, some data processing by the former employer continues for a certain period (the employer may, e.g., keep an employment record during the applicable retention period).

95 Cf. ECJ, decision of 6 November 2003, C-101/01 – Lindqvist.

209 Any processing of information about employees by electronic means falls within the scope of the GDPR. However, under GDPR, art. 88, rules on data protection concerning personal data of employees remain predominantly within the sovereignty of the Member States. More specifically, Member States may, by law or by collective agreements, enact “specific rules on the processing of employees’ personal data in the employment context” (GDPR, recital 155). It is somewhat unclear to what extent this gives Member States the authority to deviate from the rules provided in the GDPR. Based on the wording of GDPR, art. 88 (“more specific rules”), some commentators in legal literature argue that the Member States are limited to ratifying rules only which comply with the spirit and purpose of the GDPR and in particular do not reduce the level of data protection as provided therein.
Acknowledging, however, that the addendum “within the limits set by this Regulation” contained in the previous draft has been dropped in the final version of the GDPR, there is some indication that the Member States have the right to introduce stricter national levels of data protection.96

210 According to GDPR, art. 88, such national rules can in particular provide for specific conditions under which employers may process employees’ personal data
– based on consent;
– for recruitment purposes;
– for the performance of the employment contract, including discharge of obligations laid down by law or by collective agreements;
– for managing, planning and organising work;
– for equality and diversity in the workplace;
– for health and safety at work;
– for the protection of the employer’s or customer’s property;
– for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment; and
– for the purpose of the termination of the employment relationship.

96 Wybitul/Sörup/Pötters, ZD 2015, 559, 561.


211 It should be noted in this context that GDPR, art. 88 allows derogation from the standards laid down in the Regulation in respect of employment-related data processing for the above purposes not only by way of national laws but also by way of collective agreements including works agreements (shop agreements, collective bargaining agreements). This gives companies more flexibility to deal with the specific requirements of their business situation. Businesses will, therefore, have to review and potentially amend their existing works agreements.

212 As long as a Member State has not enacted any such specific laws and companies have not agreed on specific rules in their collective agreements, the standards laid down in the GDPR apply.

213 According to GDPR, art. 88, para 2, national rules on employment data protection (i.e. both national laws and collective agreements) are required to provide for suitable and specific measures to safeguard the employee’s human dignity, legitimate interests and fundamental rights. The rules must pay particular attention to data processing transparency, the intragroup transfer of personal data and monitoring systems at the workplace.

214 Further, GDPR, art. 88, para 3 lays down a notification procedure in which each Member State shall notify the Commission of its specific national employment-related data protection laws by 25 May 2018 and, without delay, of any subsequent amendment affecting them. The wording of GDPR, art. 88, para 3 is clearly limited to notifying “laws” to the Commission, which is why collective agreements are not subject to such notification procedure.

b) Designation of a data protection officer in cases other than GDPR, art. 37, para 1

215 GDPR, art. 37 establishes the concept of a data protection officer on an EU-wide basis. Under certain conditions laid out in GDPR, art. 37, para 1, undertakings in all Member States are obliged – i.e. also in the numerous EU states which so far have not known this obligation – to designate a company and official data protection officer.

216 The wording in GDPR, art. 37 is a compromise striking a balance between the diverging interests of the Member States. Originally, the Commission had intended to make the designation of a data protection officer mandatory as soon as an undertaking has more than 250 employees. In the final GDPR, art. 37 this concept has been dropped.

217 The Regulation takes a two-sided approach: on the one hand, designating a data protection officer is, in principle, mandatory; on the other hand, the requirements are less strict than in existing regulations at Member State level. The compromise also entails, in GDPR, art. 37, para 4, that the Member States have the possibility to specify national designation requirements. Accordingly, Member State law may require data controllers, processors, associations and other bodies representing categories of controllers or processors to designate a data protection officer also in cases other than those referred to in GDPR, art. 37, para 1.

c) Processing carried out in the public interest or in compliance with a legal obligation

218 The GDPR allows Member States in various instances to maintain or introduce national provisions to enact specific national rules with respect to situations where the controller processes personal data in order to comply with a legal obligation, to perform a task of public interest or to exercise official authority vested in the controller (GDPR, recital 10).

219 E.g., under GDPR, art. 6, para 1, subparas c) and e) data processing that is necessary to comply with a legal obligation of the controller is considered lawful. The same applies in respect of tasks carried out in the public interest or the exercise of official authority. Member States may determine specific requirements under which data processing is acknowledged as being necessary for such purposes (GDPR, art. 6, para 2).

220 Further, the right to erasure (GDPR, art. 17) is inapplicable where the processing is necessary for the controller to comply with EU or Member State statutory law or to carry out tasks in the public interest (GDPR, art. 17, para 3, subpara b)).

221 In the context of international data transfers, GDPR, art. 49, para 5 stipulates that, absent an adequacy decision by the Commission (GDPR, art. 45), the Member States may, for important reasons of public interest, limit the transfer of personal data to a third country as well as to international organisations. The Member States are required to notify such limiting national provisions to the Commission.

222 Finally, in case of data processing for archiving purposes in the public interest, Member States may under certain conditions provide for derogations by law from the rights referred to in GDPR, art. 15, 16, 18-20 and 21 (cf. GDPR, art. 89, para 3).

223 In any event, in such cases the processing must have a basis in EU or Member State law which
– determines the purpose of the data processing,
– specifies the general conditions of the GDPR governing the lawfulness of the data processing,
– establishes specifications to determine the data controller, the type of data being processed, the concerned data subjects, third parties to which the data may be disclosed, the purpose limitations, the storage period and further measures to secure fair processing.

224 Member State law can also determine whether only public authorities or also private persons governed by public law may invoke public interest purposes to legitimise data processing activities. Only where this is in the public interest (including health care purposes and social protection) may Member States also appoint private persons governed by private law, such as professional associations, to do so (GDPR, recital 45).

d) Automated decisions and profiling

225 Under GDPR, art. 22 data subjects can refuse to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them (for more details on profiling see section E.V., → mn. 1146 et seqq.).

226 This right to refuse automated processing decisions does, however, not apply, inter alia, if the decision is specifically authorised by EU or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests (GDPR, art. 22, para 2, subpara b)). In such cases automated processing decisions are per se lawful unless they refer to personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, health or data concerning a natural person’s sex life or sexual orientation (cf. GDPR, art. 22, para 3 in connection with art. 9, para 1). Such special categories of personal data may, in principle, not be processed based on solely automated processing decisions unless this is justified by the data subject’s explicit consent (GDPR, art. 9, para 2, subpara a)) or necessary for reasons of substantial public interest (GDPR, art. 9, para 2, subpara g)).

e) Joint controllers

227 Finally, Member States have the sovereignty to determine, by national law to which the controllers are subject, the respective responsibilities of joint controllers (cf. GDPR, art. 26, para 1). Such determination of joint controllers’ responsibilities by law prevails over inter-party arrangements between the joint controllers (see section D.I.2.c), → mn. 499 et seqq.).

f) Further examples

228 Furthermore, GDPR, art. 23 (in line with the previous GDPR, art. 13) allows Member States to restrict the scope of data subjects’ rights in certain respects.

229 Similar opening clauses relate to the specific processing situations as laid down in Chapter IX of the Regulation (cf. GDPR, art. 6, paras 2 and 3, art. 89, paras 2 and 3). This includes, in particular, data processing for the privileged purposes as per GDPR, art. 89, i.e. for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

230 Finally, in some cases, the Member States are granted the possibility to change the level of protection of the GDPR. The most important examples include the right to exclude consent to the processing of special categories of personal data (GDPR, art. 9, para 2, subpara a)), and the right to maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health (GDPR, art. 9, para 4).

3. Data protection for online and electronic communication services

231 GDPR, art. 94 repeals the Directive 95/46[97] with effect from 25 May 2018. This affects, inter alia, many existing laws of the Member States regulating specifics of data protection for online services which largely transposed the Directive 95/46 into national law.

232 As far as electronic communication services are concerned, however, the ePrivacy-Directive[98] which provides for specific data protection rules in that regard remains unaffected. GDPR, art. 95 explicitly stipulates that the GDPR does not impose additional obligations to publicly available electronic communication services in public communication networks that are covered in the ePrivacy-Directive, i.e. the scope of application of the Regulation does not extend to such electronic communication services.

233 As a consequence, those national laws which are based on the ePrivacy-Directive will not be superseded by the GDPR as of 25 May 2018 but remain in full force and effect. As to the details of which national laws will cease to apply and which will remain in effect, this general principle is likely to lead to some legal uncertainty. Against this backdrop the Commission has decided to also amend the ePrivacy legislation to ensure the consistency with the GDPR and to adapt the rules to the growing challenges of electronic communications and alternative options of communications, e.g. over-the-top service providers.

234 On 10 January 2017, the Commission has published a proposal for a Regulation on Privacy and Electronic Communications.[99] Just as with the general data protection rules, the Commission has also decided to replace the current ePrivacy-Directive with a Regulation which will be directly applicable in all Member States. The main cornerstones of the Commission’s proposal include:
– The future ePrivacy rules shall apply to over-the-top players providing electronic communications services to ensure that these services guarantee the same level of confidentiality of communications as traditional telecoms operators.
– Due to their high sensitivity the draft Regulation aims to step up the level of protection of metadata (e.g. time of a call and location data). Unless required for billing purposes, providers shall anonymise or delete such data if users have not given their consent.
– The draft streamlines current cookie regulation which has resulted in complicated consent requests for internet users by introducing more practicable rules.
– Enforcement of the ePrivacy Regulation shall be the responsibility of data protection authorities, which are also in charge of the rules under the GDPR.

97 Directive 95/46, 31.
98 ePrivacy-Directive, 37.
99 Proposal of 10 January 2017 for Regulation of the European Parliament and of the Council on Privacy and Electronic Communications concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications), COM(2017) 10 final.

4. Data protection at public bodies

235 According to GDPR, art. 2, para 2, subpara d), the GDPR does not apply to data processing by public authorities for the purposes of
– preventing, investigating, detecting or prosecuting criminal offences, or
– executing criminal penalties, including the safeguarding against and the prevention of threats to public security.

In fact, these types of processing are subject to the more specific Directive 2016/680/EU.[100] For the processing of personal data by the Union institutions, bodies, offices and agencies, Regulation 45/2001/EC[101] applies. Conversely, the GDPR is in principle fully applicable to the processing of personal data by public bodies for other purposes than those of public security (cf. GDPR, recital 19). However, even with regard to the processing of personal data by public authorities for purposes falling within scope of the GDPR, Member States are allowed to maintain or introduce more specific provisions to adapt the application of the rules of the GDPR. Such national law provisions may determine specific requirements for the data processing, taking into account the constitutional, organisational and administrative structure of the respective Member State. In the context of, e.g., anti-money laundering or the activities of forensic laboratories, Member States may also restrict obligations and rights relating to private bodies when such a restriction is necessary and proportionate to safeguarding specific important public interests including public security (GDPR, recital 19). While the GDPR applies to the activities of courts and other judicial authorities, EU or Member State law may further specify the processing operations and processing procedures in relation to the data processing by courts and other judicial authorities (GDPR, recital 20). To safeguard the independence of the judiciary, the competence of the supervisory authorities under the GDPR does, however, not stretch to situations in which courts are acting in their judicial capacity. In this respect, Member States are allowed to entrust supervision of such data processing operations to specific bodies within the judicial system of the Member State. Such specific body must be equipped to ensure compliance with the GDPR-rules, enhance awareness among members of the judiciary of their obligations under the GDPR and handle complaints in relation to such data processing operations (GDPR, recital 20).

240 Finally, public authorities to which personal data are disclosed based on a legal obligation for the exercise of their official mission,[102] are not considered “recipients” in the meaning of the GDPR if they receive data which are necessary to carry out a particular inquiry in the general interest, in accordance with Union or Member State law (GDPR, recital 31). As a consequence, e.g. disclosure requirements to the data subject by the controller do not apply to the transfer of personal data to such public authorities (cf. GDPR, art. 14, para 3, subpara c) and art. 15, para 1, subpara c)).

100 Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data and repealing Council Framework Decision 2008/977/JHA.
101 Regulation (EC) No. 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (OJ L 8, 12.1.2001, p. 1).
102 E.g. tax and customs authorities, financial investigation units, independent administrative authorities, or financial market authorities responsible for the regulation and supervision of securities markets.


Pascal Schumacher

C. Lawful processing of personal data in companies under the General Data Protection Regulation

Sebastian Dienst

I. Principles relating to processing of personal data from a business perspective

241 GDPR, art. 5 enumerates general principles applicable to the processing of personal data. In comparison to the catalogue of data processing principles of Directive 95/46, art. 6, the amendments introduced by the GDPR are not revolutionary. As shown below in more detail, the majority of these principles are almost identical to the principles of the Directive, some have been slightly amended and only a few have been added to the catalogue of principles.

242 Pursuant to GDPR, art. 5, para 1, personal data shall be:
– processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
– collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’);
– adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
– accurate and, where necessary, kept up to date (‘accuracy’);
– kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (‘storage limitation’);
– processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
Furthermore, pursuant to GDPR, art. 5, para 2, the controller shall be responsible for, and be able to demonstrate compliance with, these principles (‘accountability’).

243 As shown below in more detail, many of these principles consist of rather vague and open legal terms and do not specify any concrete conditions or specific instructions for the processing of personal data. Rather, this catalogue of essential cornerstones for the protection of personal data has to be considered an introductory guideline and basic framework for the specific requirements for processing personal data articulated in the following provisions of the GDPR.

244 However, GDPR, art. 83, para 5, subpara a) imposes the risk of severe administrative fines also in case of any violations of the rather generic data protection principles of GDPR, art. 5. From a business point of view, this leads to a considerable financial risk which may prove challenging to assess. The open-ended terms of the principles essentially expand data protection compliance requirements far beyond more specific provisions of the GDPR to a quite uncertain and indefinite extent. Therefore, businesses need to ensure that their data processing activities not only meet the requirements of specific provisions of the GDPR but also are carried out strictly in accordance with all of the basic data processing principles set out in the GDPR.

245 Due to the mostly vague character of the principles, it is difficult to predict in which cases the supervisory authorities will actually assume a violation of GDPR, art. 5 (see section D.VII.1.a)bb), → mn. 807 et seqq.). It may also be discussed whether the terms are even precise enough to impose any fines at all, considering the fundamental principle of the rule of law. As any violation of these principles is likely to overlap with a breach of more specific provisions of the GDPR, authorities will presumably prefer to impose fines on the grounds of violations of such more specific requirements. However, fundamental violations of the principles articulated in GDPR, art. 5 may be regarded as an aggravating factor in determining the actual amount of an administrative fine.

246 Therefore, from a business perspective, it will be crucial to look into the basic data protection principles and their business impact, especially the fundamental principles of purpose limitation (see section C.I.2., → mn. 261 et seqq.) and data minimisation (see section C.I.3., → mn. 315 et seqq.).

1. Principle of lawfulness, fairness and transparency

247 Almost identical to Directive 95/46, art. 6, para 1, subpara a), GDPR, art. 5, para 1, subpara a) states that personal data shall be processed lawfully and fairly. Additionally, GDPR, art. 5, para 1, subpara a) requires that personal data shall be processed in a transparent manner in relation to the data subject.

a) Notion of lawfulness

248 First of all, personal data have to be processed “lawfully”. However, GDPR, art. 5, para 1, subpara a) does not define the term “lawfulness”. Pursuant to GDPR, recital 40 “[i]n order for processing to be lawful, personal data should be processed on the basis of the consent of the data subject concerned or some other legitimate basis, laid down by law, either in this Regulation or in other Union or Member State law as referred to in this Regulation, including the necessity for compliance with the legal obligation to which the controller is subject or the necessity for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”.[1]

aa) General prohibition of processing personal data

249 In other words, as already established by the Directive 95/46, the principle of lawfulness stipulates that processing of data is generally prohibited, unless the processing is legitimised by a legal ground as an exception to this general prohibition. In some jurisdictions (for instance in Germany), this fundamental principle is also known as the basic concept of a “general prohibition with exceptions”.

bb) Legitimate basis for processing personal data as an exception

250 Regarding the legal quality of such legitimate basis, GDPR, recital 41 clarifies that “[w]here this Regulation refers to a legal basis or a legislative measure, this does not necessarily require a legislative act adopted by a parliament, without prejudice to requirements pursuant to the constitutional order of the Member State concerned. However, such a legal basis or legislative measure should be clear and precise and its application should be foreseeable to persons subject to it, in accordance with the case-law of the Court of Justice of the European Union (‘Court of Justice’) and the European Court of Human Rights.”

251 The legal grounds for processing personal data laid down by the GDPR are exhaustively enumerated in GDPR, art. 6 (see section C.II., → mn. 358 et seqq.). Further legal grounds for the processing of personal data may be laid down by other Union law or by Member State law as referred to in the GDPR.

b) Notion of fairness

252 Secondly, personal data have to be processed “fairly”. However, GDPR, art. 5, para 1, subpara a) does not define the term “fairness” either.

253 GDPR, recital 39 gives the impression that the requirement of a “fair” processing essentially amounts to the requirement of transparency (see section C.I.1.c), → mn. 255 et seqq.). Accordingly, also GDPR, recitals 60 and 71 explain the principles of fair and transparent processing only together without distinguishing between the different terms. Pursuant to Directive 95/46, recital 38 fairness in terms of Directive 95/46, art. 6, para 1, subpara a) means that “the data subject must be in a position to learn of the existence of a processing operation and, where data are collected from him, must be given accurate and full information, bearing in mind the circumstances of the collection”. In other words, “[f]air processing means transparency of processing, especially vis-à-vis data subjects”[2] and prohibits any “secret and covert processing of personal data”.[3] As the GDPR now separately articulates the requirement of transparency (see section C.I.1.c), → mn. 255 et seqq.), it seems as though the notion of fair processing remains with no independent meaning at all.

254 However, what is “fair” or “unfair” processing of personal data is highly subjective and leaves quite some room for interpretation. The notion of “fairness” is subject to different social, cultural and political backgrounds. A clear and legally certain definition would have been helpful in terms of legal certainty. Without such clarification, the principle of fairness can be reduced to little more than a vague idea – which is even more critical as it is nonetheless subject to severe administrative fines (see section D.VII.1., → mn. 802 et seqq.).

1 Comparable, pursuant to Charter of Fundamental Rights of the European Union, art. 8, para 2 personal data must be processed on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Charter of Fundamental Rights of the European Union, art. 52, para 1 states that limitations are only admissible if they are provided by law, and respect the essence of the right of data protection, and are necessary, subject to the principle of proportionality, and meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others; pursuant to Convention for the Protection of Human Rights and Fundamental Freedoms, art. 8, para 2, processing of personal data is lawful if it is in accordance with the law and pursues legitimate purpose and is necessary in a democratic society in order to achieve the legitimate purpose; cf. Council of Europe (ed), Handbook on European data protection law, 2014, 66.

c) Notion of transparency

255 While Directive 95/46 provides certain information requirements, unlike the GDPR it does not explicitly articulate transparency as a principle in the sense that personal data must be processed in a manner that is transparent to the data subject.[4]

256 According to the Commission, the specific inclusion of the transparency principle is supposed to “emphasise that transparency is a fundamental condition for enabling individuals to exercise control over their own data and to ensure effective protection of their personal data, which could serve as a basis for improved information requirements”.[5]

257 While GDPR, art. 5, para 1, subpara a) does not define the term “transparency”, the individual characteristics of the principle are broadly explained in GDPR, recital 39: “It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed. Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing. In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data.”

258 Furthermore, pursuant to GDPR, recital 60 “[t]he principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes. The controller should provide the data subject with any further information necessary to ensure fair and transparent processing taking into account the specific circumstances and context in which the personal data are processed. Furthermore, the data subject should be informed of the existence of profiling and the consequences of such profiling. Where the personal data are collected from the data subject, the data subject should also be informed whether he or she is obliged to provide the personal data and of the consequences, where he or she does not provide such data. That information may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner, a meaningful overview of the intended processing. Where the icons are presented electronically, they should be machine-readable.”

259 The specific information requirements based on the transparency principle of GDPR, art. 5, para 1, subpara a) as broadly described in GDPR, recitals 39 and 60 are provided in detail in GDPR, art. 12, 13, 14 (see section D.IV.1. and 2., → mn. 603 and 619 et seqq.).

2 Council of Europe (ed), Handbook on European data protection law, 2014, 73.
3 Council of Europe (ed), Handbook on European data protection law, 2014, 73.
4 Cf. European Commission, Commission Staff Working Paper, Impact Assessment, Brussels, 25.1.2012 SEC(2012) 72 final, Annex 2, 16.
5 European Commission, Commission Staff Working Paper, Impact Assessment, Brussels, 25.1.2012 SEC(2012) 72 final, Annex 2, 16.

d) No principle of collecting personal data directly from the data subject

260 Unlike some national data protection laws in Member States under Directive 95/46, the GDPR does not stipulate any explicit principle requiring that data shall be collected only (or preferably) directly from the data subject. Quite to the contrary, the specific information obligations of the GDPR for cases where personal data were not obtained from the data subject imply that data may also be collected indirectly from third parties (see GDPR, art. 17).

2. Principle of purpose limitation

261 Nearly identical to Directive 95/46, art. 6, para 1, subpara b), the principle of purpose limitation stipulated in GDPR, art. 5, para 1, subpara b) consists of two main components requiring that personal data are
– collected for specified, explicit and legitimate purposes and
– not further processed in a manner that is incompatible with those purposes.

262 Besides the basic principle of lawfulness, fairness and transparency (see section C.I.1., → mn. 247 et seqq.), purpose limitation is by far the most important data protection principle because the evaluation whether a data processing complies with other data protection principles, in many cases depends on the relevant purpose.[6] Purpose specification and compatible use are essential principles in the system of data protection, both in the EU and beyond.[7]

263 Specification of purpose is an essential condition to lawful processing of personal data and a prerequisite for applying other data quality requirements, including adequacy, relevance, and limitation to what is necessary (see section C.I.3., → mn. 315 et seqq.) as well as accuracy (see section C.I.4., → mn. 323 et seqq.) of the data collected and the requirements of storage limitation (see section C.I.5., → mn. 337 et seqq.). Purpose specification is also essential for designing data protection safeguards for any processing operation. Purpose specification and the concept of compatible use contribute to transparency, legal certainty and predictability. The principle aims to protect the data subject by setting limits on how controllers may use their data. In other words, purpose limitation establishes the boundaries within which personal data, collected for a given purpose, may be processed and may be put to further use.[8]

a) Collection for specified, explicit and legitimate purposes

264 As a first component of the purpose limitation principle, GDPR, art. 5, para 1, subpara b) requires that personal data are collected for specified, explicit and legitimate purposes.

265 The very open-ended wording of the purpose limitation principle of GDPR, art. 5, para 1, subpara b) is nearly identical to the wording of Directive 95/46, art. 6, para 1, subpara b). The vague terminology of the purpose limitation principle of Directive 95/46, art. 6, para 1, subpara b), though adopted by many Member States in similar terms, has led to significant divergences in its national interpretation and application so far.[9] Therefore, it remains to be seen whether and how quickly the divergences in the application of the principle in the Member States will merge into a consistent approach.

266 However, in its 2013 opinion on purpose limitation, the Art. 29 Working Party already described in detail the common position of the data protection authorities of the Member States on the interpretation and application of the purpose limitation principle and provided practical guidelines for its implementation.[10] As the Art. 29 Working Party will ultimately be succeeded by the future Board (see section A.I.4.b)a)(3), → mn. 35), it seems reasonable to adhere to this common position and practical guidelines, as far as applicable to the provisions of the GDPR, until the new Board issues any new opinion or guidance on the specific application and implementation of the principle of purpose limitation under the GDPR.

6 Cf. WP 203, 4.
7 See developments in the OECD and in the Council of Europe, cf. WP 203, 11.
8 Cf. WP 203, 4, 11.
9 According to the Art. 29 Working Party, “[t]he divergences touch upon several aspects of the concept. Member States apply different tests to analyse the notions of purpose specification and incompatible use. In some countries, specific rules may apply to the public sector. In others, purposes may sometimes be defined in very broad terms. The approaches in the different Member States also vary as to how the purposes are made explicit, for example, whether specification of purpose is required in the notification to the data protection authority or in the notice to the data subject. The rules concerning the change of purpose, including for research and statistical purposes, also vary considerably, as they do in terms of the requirement of safeguards for these specific uses”, cf. WP 203, 5, 10.

aa) “Specified” purpose

First of all, any purpose must be “specified”. However, same as Directive 95/46, the GDPR does not provide any definition of the term “specified” or any particular criteria or guidelines on how precise such specification of purposes has to be. Consequently, the legal uncertainty remains unaffected, leaving quite some room for interpretation.

The principle of transparency, now explicitly governed by GDPR, art. 5, para 1, subpara a) (see section C.I.1.c), → mn. 255 et seqq.) may be an argument for strict standards on the specification of purposes.

According to the Art. 29 Working Party, “specified” means that any purpose has to be sufficiently defined to enable the implementation of any necessary data protection safeguards, and to delimit the scope of the processing operation.[11] In other words, the definition of the purpose “must be detailed enough to determine what kind of processing is and is not included within the specified purpose.”[12] Therefore, as a general rule, a vague or general description will not be considered sufficiently “specific”.[13] For instance, according to the Art. 29 Working Party, “improving users’ experience”, “marketing purposes”, “IT-security purposes” or “future research” will usually not be specific enough and require further details.[14]

The degree of detail in which a purpose has to be specified essentially depends on the particular context in which the personal data are collected and the actual kind of personal data involved. Consequently, in some clear and straightforward cases, a simple definition will be sufficient to provide appropriate specification, while in other more complex cases more detail will be required to sufficiently specify a purpose.[15]

In any case, the relevant purpose or purposes have to be specified prior to the collection of the personal data, i.e. not later than the time when the collection of personal data actually occurs.[16] From a business perspective, it is therefore crucial for the controller to carefully consider in advance for what purpose or purposes particular personal data are supposed to be used.[17]

10 WP 203.
11 Cf. WP 203, 12.
12 WP 203, 15.
13 Cf. WP 203, Opinion 03/2013 on purpose limitation, adopted on 2 April 2013, 16.
14 Cf. WP 203, 16 and further examples in Annex 3 to this WP 203.
15 Cf. WP 203, 16 and further examples in Annex 3 to this WP 203.
16 Cf. WP 203, 15.

bb) “Explicit” purpose

272 Secondly, any purpose must also be “explicit”. However, the GDPR does not provide any definition of that term either.

273 According to the Art. 29 Working Party’s opinion on purpose limitation, “explicit” means that the purpose of any collection must not only be specified in the minds of the controller but must also be “sufficiently unambiguous and clearly expressed”.18 The scope of this requirement may also be described by contrasting the notion of “explicit purpose” with the notion of “hidden purpose”.19 In other words, the purpose has to be “clearly revealed, explained or expressed in some intelligible form.”20 The Art. 29 Working Party states that “[t]he ultimate objective of this requirement is to ensure that the purposes are specified without vagueness or ambiguity as to their meaning or intent. What is meant must be clear and should leave no doubt or difficulty in understanding. The specification of the purposes must, in particular, be expressed in such a way so as to be understood in the same way not only by the controller (including all relevant staff) and any third party processors, but also by the data protection authorities and the data subjects concerned.”21

274 Reflecting and further shaping this requirement of an “explicit” purpose, GDPR, art. 13, para 1, subpara c) and GDPR, art. 14, para 1, subpara c) specifically require the controller to inform the data subject of the purposes for which the personal data are intended when obtaining the personal data. Where the controller intends to further process the personal data for a purpose other than that for which they were obtained, the controller has to inform the data subject of that other purpose prior to the further processing, GDPR, art. 13, para 3 and GDPR, art. 14, para 4 (see section D.IV.1. and 2., → mn. 603 and 619 et seqq.).

cc) “Legitimate” purpose

275 Thirdly, purposes must also be “legitimate”. The criteria for such a “legitimate” purpose are also not defined in the GDPR.

276 According to the Art. 29 Working Party’s opinion on purpose limitation, the notion of “legitimate” goes beyond the requirement for a legal ground for the processing under data protection law and also extends to other areas of law.22 Consequently, the requirement of “lawfulness” of processing under GDPR, art. 5, para 1, subpara a) (see section C.I.1.a), → mn. 248) and the requirement for a “legitimate” purpose under GDPR, art. 5, para 1, subpara b) have to be considered two separate and cumulative requirements.23

277 In order to be “legitimate”, purposes must comply not only with all provisions of applicable data protection law, but also with other applicable laws such as employment law, contract law and consumer protection law.24 According to the Art. 29 Working Party, legitimate purposes must be in accordance with the law in the broadest sense, including all forms of written and common law, primary and secondary legislation, municipal decrees, judicial precedents, constitutional principles, fundamental rights and other legal principles, as well as jurisprudence.25 Furthermore, when determining whether a particular purpose is legitimate, it may also be necessary to consider customs, codes of conduct, codes of ethics, contractual arrangements, and the general context and facts of the case, including the nature of the relationship between the controller and the data subjects.26

278 Depending on scientific and technological developments, as well as changes in society and cultural attitudes, the legitimacy of a given purpose can also change over time.27

17 Cf. WP 203, 15.
18 WP 203, 12.
19 Cf. WP 203, 12.
20 WP 203, 17.
21 WP 203, 17.
22 Cf. WP 203, 12.

b) No further processing in a manner that is incompatible with the specified, explicit and legitimate purposes of the preceding collection

279 Nearly identical to Directive 95/46, art. 6, para 1, subpara b), as the second component of the purpose limitation principle, GDPR, art. 5, para 1, subpara b) requires that, once collected for specified, explicit and legitimate purposes, personal data are not further processed in a manner that is incompatible with those purposes. Consequently, any further processing requires a compatibility test.

aa) (In)compatibility test requirement

280 Rather than imposing a positive requirement of compatibility, the GDPR formulates a double negation prohibiting incompatibility. In other words, any further processing is still permitted as long as it is not incompatible (and simultaneously fulfils the requirement of lawfulness, see section C.I.2.b)ff)(2), → mn. 310 et seqq.). The purpose of such further processing may be different from or close to the initial purpose. Even further processing for a completely different purpose does not necessarily mean that it is automatically incompatible. The (in)compatibility has to be assessed on a case-by-case basis.28

23 Cf. WP 203, 12, on the nearly identical provisions Directive 95/46, art. 6 and 7.
24 Cf. WP 203, 12.
25 Cf. WP 203, 20.
26 Cf. WP 203, 20.
27 Cf. WP 203, 20.
28 Cf. WP 203, 21.


281 In its evaluation of the implementation of Directive 95/46, art. 6, para 1, subpara b), the Commission concluded that the Member States apply different tests to analyse the notion of incompatible use.29 Unlike Directive 95/46, GDPR, art. 6, para 4 now at least provides some key factors for the compatibility assessment (see section C.I.2.b)ee), → mn. 297). Apart from that, however, the wording of the principle of purpose limitation in GDPR, art. 5, para 1, subpara b) is nearly identical to the open-ended wording of Directive 95/46, art. 6, para 1, subpara b). Therefore, it remains to be seen if and how quickly the divergent interpretations of the notion of compatibility in the Member States will converge into a consistent approach.

282 Until the new Board issues any new opinion or guidance on the application and implementation of the principle of purpose limitation specifically under the GDPR, it seems reasonable, from a business perspective, to closely adhere to the common position and practical guidelines given by the Art. 29 Working Party on the compatibility test in its 2013 opinion on purpose limitation, as far as applicable to the similar provisions of the GDPR (see section C.I.2.a), → mn. 264 et seqq.).

bb) Notion of “further processing” and scope of compatibility test

283 Like Directive 95/46, when setting out the requirement of compatibility, the GDPR does not specifically refer to purposes originally specified and purposes defined subsequently. Rather, GDPR, art. 5, para 1, subpara b) simply differentiates between
– the very first processing operation (collection), and
– all other subsequent processing operations (including, for instance, the very first typical processing operation following collection, the storage of data).

284 In other words, any processing of personal data following the initial collection, irrespective of whether for the purposes initially specified or for any other or additional purposes, must be considered “further processing” and is therefore in principle subject to the requirement of compatibility.30 However, in cases in which data are processed specifically to achieve legitimate purposes clearly specified at the initial collection, compatibility is usually obvious and easily affirmed (see section C.I.2.b)dd)(1), → mn. 294).

29 European Commission, Commission Staff Working Paper, Impact Assessment, Brussels, 25.1.2012, SEC(2012) 72 final, Annex 2, 15 f.; according to the Art. 29 Working Party, “the test to determine incompatibility varies from ‘reasonable expectations’ of the data subjects (in certain cases in Belgium) to application of balancing tests (Germany and the Netherlands), or it is intimately linked to other safeguarding principles of transparency, lawfulness and fairness (UK and Greece)”, WP 203, Opinion 03/2013 on purpose limitation, adopted on 2 April 2013, 10.
30 Cf. WP 203, 21.


cc) Exceptions from the requirement of a compatibility test

285 The GDPR stipulates a few exceptions to the requirement of a compatibility assessment.

(1) Assumed compatibility of further use for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

286 Pursuant to GDPR, art. 5, para 1, subpara b), sentence 2, further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered incompatible with the initial purposes. Pursuant to GDPR, recital 162, “[s]tatistical purposes mean any operation of collection and the processing of personal data necessary for statistical surveys or for the production of statistical results. Those statistical results may further be used for different purposes, including a scientific research purpose. The statistical purpose implies that the result of processing for statistical purposes is not personal data, but aggregate data, and that this result or the personal data are not used in support of measures or decisions regarding any particular natural person.”

Whether “statistical purposes” only covers statistical operations in the public interest or also those in a commercial interest (for instance, analytical tools of websites or big data applications aimed at market research) is not clearly answered by the GDPR. The same applies to the notion of “scientific purposes”. The differentiation between “archiving purposes in the public interest” on the one hand, and “scientific or historical research purposes or statistical purposes” on the other suggests that only the exception for archiving purposes is limited to purposes in the public interest, whereas scientific, historical research or statistical purposes can also be in a business interest. Regarding the similar wording of Directive 95/46, art. 6, para 1, subpara b), the Art. 29 Working Party seems to take the view that the compatibility assumption for statistical and scientific purposes also applies to statistics and research in a business interest.31 However, it may be argued that such an assumption of compatibility for commercial interests is quite inconsistent with the otherwise fairly strict rules of the GDPR for data processing in a commercial interest and therefore not intended by the European legislator. In any case, given this uncertainty, from a business perspective it is not advisable to rely on the assumption of compatibility for commercial interests until the future Board, the ECJ or preferably the European legislator provide further guidance.

289 It has to be emphasised that this legal assumption only exempts from performing a compatibility test between the enumerated specific purposes and the purposes of the prior collection. However, as the requirements of compatibility and lawfulness should be met cumulatively (see section C.I.2.b)ff)(2), → mn. 310 et seqq.), the legal assumption of compatibility does not exempt from having a legal ground for the further processing. As in other situations, a separate test must be carried out to ensure that the processing is based on a legal ground and complies with the other relevant requirements of the GDPR.

290 Furthermore, the legal assumption is subject to the requirement of appropriate safeguards for the rights and freedoms of the data subject in accordance with GDPR, art. 89, para 1. Those safeguards shall ensure that technical and organisational measures are in place, in particular in order to ensure respect for the principle of data minimisation (see section C.I.3., → mn. 315 et seqq.).

31 Cf. WP 203, 29, which names “analytical tools of websites or big data applications aimed at market research” as examples of “statistical purposes” and “pharmaceutical research” as an example of “scientific purposes”, all of which are obviously in a business interest.

(2) Explicit legal exceptions from compatibility test

291 Pursuant to GDPR, art. 6, para 4, a compatibility test is not required in cases “[w]here the further processing for a purpose other than that for which the personal data have been collected is based on the data subject’s consent or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in GDPR, art. 23, para 1”, for instance national security, defence or public security.

292 Obtaining consent for any further processing may help to avoid the significant effort of a compatibility assessment. However, subsequently obtaining new consent for further processing may prove difficult in some situations, or at least not favourable from a customer relationship point of view. Therefore, from a business perspective, it will be crucial to carefully identify and explicitly specify all relevant purposes of any intended further processing when designing consent declarations in advance (see section C.I.2.a)aa), → mn. 267 et seqq.).

dd) Compatibility test

293 From a practical perspective, in order to evaluate the intensity of the necessary compatibility assessment, it may help to distinguish different categories of cases:32

(1) No change of purpose

294 The first category covers cases in which data are processed specifically to achieve legitimate purposes clearly specified at collection, and in a way customary to achieve those purposes. In other words, there is no change of purpose. In these cases, compatibility is usually obvious and easily affirmed.33

32 Cf. WP 203, 22.
33 Cf. WP 203, 22.


(2) Change of purpose

295 The second category includes cases in which data are processed for a purpose other than or additional to the purpose clearly specified at collection, i.e. a change of purpose. These cases require a thorough assessment of compatibility. In principle, the greater the distance between the initial purpose specified at collection and the purposes of further processing, the more thorough and comprehensive the analysis will have to be.34

296 GDPR, art. 6, para 4 requires the controller to “ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected”. However, the GDPR neither explains the specific nature of such a compatibility assessment, nor does it indicate practical methods for such an evaluation. Yet the nature of the evaluation to be carried out by the controller is quite decisive, not only from a business perspective but also for the data protection authority or ultimately the courts when assessing compliance. According to the Art. 29 Working Party, a substantive compatibility test should be preferred over a rigid formal test. Such a substantive assessment goes beyond formal statements identifying the new and the original purpose and takes into account the way the purposes are (or should be) understood, depending on their context and other factors.35 From a business point of view, such a substantive test is also more flexible and pragmatic than a purely formal approach.36

ee) Key factors for the compatibility test

297 According to the Art. 29 Working Party, an efficient and practical compatibility test requires a limited number of key factors as well as a pragmatic approach allowing practical assumptions (“rules of thumb”).37 Closely following a quite elaborate proposal of the Art. 29 Working Party, GDPR, art. 6, para 4 enumerates a non-exhaustive list of such key factors.38 Pursuant to GDPR, art. 6, para 4, subparas a)-e), the controller, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected, shall take into account, inter alia:
– any link between the purposes for which the personal data have been collected and the purposes of the intended further processing;
– the context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller;
– the nature of the personal data, in particular whether special categories of personal data are processed pursuant to Article 9, or whether personal data related to criminal convictions and offences are processed pursuant to Article 10;
– the possible consequences of the intended further processing for data subjects;
– the existence of appropriate safeguards, which may include encryption or pseudonymisation.

34 Cf. WP 203, 22.
35 Cf. WP 203, 21.
36 Cf. WP 203, 22.
37 WP 203, 23.
38 Cf. proposal of the Art. 29 Working Party in WP 203, 3, 23 ff.

(1) Link between the purposes

298 Regarding the criterion of the link between the purposes, in principle, the greater the distance between the purposes of collection and the purposes of further processing, the more the balance of the test tilts towards incompatibility.39

299 This link factor cannot be reduced to a formal comparison of the wording of the initial purpose with the purposes of further processing. It rather focuses on the actual substance of the relationship between the two purposes.40

(2) Context in which the personal data have been collected

300 Regarding the factor of context, in general, the more specific and restrictive the context of collection, the more limitations there are likely to be on further use.41

301 Pursuant to GDPR, recital 50, sentence 6, when taking into account the context in which the personal data were collected, the focus should be on the reasonable expectations of data subjects, based on their relationship with the controller, as to the further use of their data. This means, in general, the more unexpected or surprising the further use is from the perspective of the data subjects, the more likely it is to be considered incompatible.42

302 According to the Art. 29 Working Party, the evaluation of the relationship between data subjects and the controller “requires not only a review of any legal statements made, but also consideration of what would be customary and generally expected practice in the given context, and in the given (commercial or other) relationship.”43 Furthermore, “[a]n assessment of the nature of this relationship should also include an investigation into the balance of power between the data subject and the data controller. In particular, it should be noted whether the data subjects, or any third parties on their behalf, were obliged to provide the data under law.”44


39 Cf. WP 203, 23 f.
40 Cf. WP 203, 23 f.
41 Cf. WP 203, 24 f.
42 Cf. WP 203, 24.
43 WP 203, 24.
44 WP 203, 24.


(3) Nature of the personal data

303 Another factor on the non-exhaustive list of key factors for the compatibility test is the nature of the personal data. In general, the more sensitive the information involved, the narrower the scope for compatible use.45

304 In particular, the evaluation of this factor must focus on whether special categories of personal data (see GDPR, art. 9) or personal data related to criminal convictions and offences (see GDPR, art. 10) are being processed. However, by using the term “in particular”, the legislator chose to open up this compatibility factor beyond these specific categories of sensitive data expressly regulated by the GDPR. Therefore, businesses will have to evaluate whether other personal data may also be of a sensitive nature for other reasons, narrowing the scope for compatible use. For instance, this may be the case for communication data, location data and other kinds of quite sensitive data.46 However, as the GDPR does not provide any further guidance, the open-ended wording leaves quite some legal uncertainty, but also some flexibility for businesses.

(4) Possible consequences of the intended further processing

305 In evaluating the possible consequences of the intended further processing, businesses should take both positive and negative consequences for data subjects into account.47 In principle, the more negative or uncertain the consequences of further processing might be, the less likely it is to be considered a compatible use.48

(5) Existence of appropriate safeguards

306 Another key factor for the compatibility test is the existence of appropriate safeguards. From a practical perspective, as the range of possible appropriate safeguards at the controller’s disposal is fairly broad and highly variable, such measures can, in principle, serve as a kind of “compensation” for a change of purpose.49

307 Pursuant to GDPR, art. 6, para 4, subpara e), such appropriate safeguards may include encryption or pseudonymisation (see also section D.I.8.b)). However, such measures could, for instance, also be additional notices to the data subject beyond the mandatory information obligations or additional opportunities to opt out beyond the scope of GDPR, art. 21.50


45 Cf. WP 203, 25.
46 Cf. WP 203, 25.
47 Cf. WP 203, 25 f.
48 Cf. WP 203, 25 f.
49 Cf. WP 203, 26.
50 Cf. WP 203, 26.
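The safeguard named in GDPR, art. 6, para 4, subpara e) in working form, as an added illustration that is not part of this book: keyed pseudonymisation of customer records before they are further processed for a statistical purpose. Under GDPR, art. 4, para 5, pseudonymisation only counts as such if the “additional information” needed to attribute the data to a person is kept separately and under its own technical and organisational measures; here that additional information is the secret key and the re-identification table. The sample records, the field names and the hypothetical purpose (revenue per city) are constructed for the example. The last two functions show why an unkeyed hash of an identifier with a small value space is not a pseudonymisation safeguard at all: it can be reversed by enumerating candidate identifiers.

```python
"""Keyed pseudonymisation as a safeguard for further processing (added example).

Sample records are constructed for this illustration; no real persons are involved.
"""
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample input: raw customer records as collected for order handling.
RECORDS = [
    {"customer_id": "C-1001", "email": "alice@example.com", "city": "Berlin", "order_total": 42.0},
    {"customer_id": "C-1002", "email": "bob@example.com", "city": "Berlin", "order_total": 18.5},
    {"customer_id": "C-1003", "email": "carol@example.com", "city": "Munich", "order_total": 77.0},
    {"customer_id": "C-1001", "email": "alice@example.com", "city": "Berlin", "order_total": 10.0},
]

# Fields that directly identify a person; they never enter the pseudonymised data set.
DIRECT_IDENTIFIERS = ("customer_id", "email")


def pseudonym(key: bytes, identifier: str) -> str:
    """HMAC-SHA256 of the identifier under a secret key, truncated to 128 bits.

    The same key maps the same identifier to the same pseudonym, so the records of
    one person stay linkable for statistics; without the key the mapping can neither
    be recomputed nor guessed by enumerating identifiers.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def pseudonymise(records, key: bytes, keep_fields):
    """Return rows carrying a pseudonym plus only the fields needed for the purpose.

    Dropping every other field is the data minimisation step; direct identifiers
    are refused outright so they cannot be requested by mistake.
    """
    rows = []
    for rec in records:
        row = {"pseudonym": pseudonym(key, rec["customer_id"])}
        for field in keep_fields:
            if field in DIRECT_IDENTIFIERS:
                raise ValueError(f"{field} is a direct identifier and must not be kept")
            row[field] = rec[field]
        rows.append(row)
    return rows


def reidentification_table(records, key: bytes):
    """The 'additional information' needed to attribute a pseudonym to a person.

    Stored separately from the pseudonymised rows and under stricter access control;
    whoever holds this table (or the key) is handling personal data.
    """
    return {pseudonym(key, rec["customer_id"]): rec["customer_id"] for rec in records}


def revenue_by_city(rows):
    """A statistical result: per-city totals, aggregate rather than personal data."""
    totals = defaultdict(float)
    for row in rows:
        totals[row["city"]] += row["order_total"]
    return dict(totals)


def unkeyed_pseudonym(identifier: str) -> str:
    """What not to do: a plain hash of an identifier with a small value space."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()[:32]


def guess_identifier(digest: str, candidates, hash_fn):
    """Dictionary attack: recompute hash_fn over candidate identifiers and compare.

    Succeeds against unkeyed hashes; against the keyed pseudonym an attacker who
    lacks the key can only try unkeyed guesses, which never match.
    """
    for cand in candidates:
        if hmac.compare_digest(hash_fn(cand), digest):
            return cand
    return None


if __name__ == "__main__":
    # In production the key comes from a key store, never from the analytics data set.
    key = secrets.token_bytes(32)
    rows = pseudonymise(RECORDS, key, keep_fields=("city", "order_total"))
    table = reidentification_table(RECORDS, key)
    print(revenue_by_city(rows))
    print("row 0 belongs to", table[rows[0]["pseudonym"]])
    ids = [f"C-{n}" for n in range(1000, 1100)]
    print("unkeyed hash reversed:", guess_identifier(unkeyed_pseudonym("C-1001"), ids, unkeyed_pseudonym))
    print("keyed pseudonym reversed:", guess_identifier(rows[0]["pseudonym"], ids, unkeyed_pseudonym))
```

The pseudonymised rows remain personal data under GDPR, recital 26, because the separately held key or table still allows attribution to a person; this is why the safeguard is only as good as the separation and access control around that additional information. The per-city totals are the kind of aggregate result GDPR, recital 162 describes for statistical purposes, provided they are not used in support of measures or decisions regarding any particular natural person.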


ff) Consequences of compatibility and incompatibility

(1) Consequences of incompatibility

308 Neither GDPR, art. 5, para 1, subpara b) nor GDPR, art. 6, para 4 explicitly state the consequences of incompatibility. Pursuant to GDPR, recital 50, sentence 1, “[t]he processing of personal data for purposes other than those for which the personal data were initially collected should be allowed only where the processing is compatible with the purposes for which the personal data were initially collected.” Therefore, it follows that any further processing of personal data in a way incompatible with the purposes specified at collection is unlawful and therefore not permitted.51

309 Furthermore, further processing for incompatible purposes cannot simply be treated as a new processing activity disconnected from the previous one, circumventing this prohibition of incompatibility by merely referring to one of the legal grounds in GDPR, art. 6 to legitimise the processing.52

(2) Consequences of compatibility

310 GDPR, art. 5, para 1, subpara b) and GDPR, art. 6, para 4 do not explicitly state the consequences of compatibility of purposes for any further legal requirements of a further processing either.

311 Regarding the essentially similar concept of compatibility in Directive 95/46, according to the Art. 29 Working Party, the requirements of compatibility and lawfulness have to be understood as cumulative prerequisites. In other words, compatibility of purposes does not exempt from having a specific legal ground for the further processing.53

312 However, pursuant to GDPR, recital 50, sentence 2, where the processing of personal data for purposes other than those for which they were initially collected is compatible with the purposes for which the personal data were initially collected, “no legal basis separate from that which allowed the collection of the personal data is required”. In cases where the legal ground applicable to the initial collection would not be applicable to the further processing, GDPR, recital 50, sentence 2 would in fact allow such further processing without a sufficient legal ground. In other words, a positive compatibility test could also remedy the lack of a legal ground. As this seems hardly acceptable in view of the fundamental principle of lawfulness based on Charter, art. 7 and 8 (see section C.I.1.a), → mn. 248), it remains to be seen whether GDPR, recital 50, sentence 2 reflects a deliberate choice of the European legislator or turns out to be a mere editorial error.54

313 From a business perspective, to be on the safe side, it is advisable to treat the requirements of compatibility and lawfulness as cumulative until further clarification by the future Board, the ECJ or preferably the European legislator.

51 Cf. WP 203, 36.
52 The initial GDPR draft of the European Commission stated in its art. 6, para 4: “Where the purpose of further processing is not compatible with the one for which the personal data have been collected, the processing must have a legal basis at least in one of the grounds referred to in points (a) to (e) of paragraph 1. This shall in particular apply to any change of terms and general conditions of a contract.” According to the Art. 29 Working Party’s statement on this draft, this would have meant “that it would always be possible to remedy the lack of compatibility by simply identifying a new legal ground for the processing” (cf. WP 203, 36). The final version of GDPR, art. 6, para 4 does not contain the text cited above. This implies that the legislator deliberately decided that further processing for incompatible purposes cannot simply be legitimised by referring to a new legal ground.
53 Cf. WP 203, 27, 33, 36.

gg) Documentation of compatibility test

314 With regard to the principle of accountability (see section C.I.7., → mn. 351 et seqq.), businesses should document all key factors taken into account in the compatibility assessment. In particular, such documentation should be detailed enough to enable the competent data protection authorities or courts to comprehend the relevant key factors and the (positive) outcome of the assessment.

3. Data minimisation

a) Notion of “necessity”

315 GDPR, art. 5, para 1, subpara c) requires that personal data shall be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”. The necessity of the processing cannot be determined universally but has to be assessed on a case-by-case basis in relation to the specified, explicit and legitimate purposes (see section C.I.2.a), → mn. 264 et seqq.) for which the personal data have been collected. In other words, the principle of data minimisation is closely linked to the principle of purpose limitation (see section C.I.2., → mn. 261 et seqq.).

316 In comparison, Directive 95/46, art. 6, para 1, subpara c) stated that personal data must be “adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed”.55 In its evaluation of the implementation of Directive 95/46, the Commission states that “the vague terminology that personal data must be ‘not excessive’ in relation to the purposes for which they are collected and/or further processed, leaves room for divergent interpretations and does not guarantee data minimisation, i.e. limiting the extent of processing to the minimum necessary in relation to its purposes.”56 With the introduction of the concept of “necessity” in the GDPR, the principle of data minimisation has been refined and has become stricter, at least in terms of language.

317 However, GDPR, art. 5, para 1, subpara c) does not define the term “necessary”. According to the ECJ, in the light of the objective of ensuring an equivalent level of protection in all Member States, the term “necessary” cannot have a meaning which varies between the Member States. Therefore, “necessity” is a concept which has its own independent meaning in Community law.57 GDPR, recital 39 further specifies that the concept of necessity under the GDPR requires that “[p]ersonal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means.” However, even this definition of “necessity” leaves quite some room for interpretation.

318 From an abstract point of view, the concept of “necessity” is quite simple. However, especially in borderline cases, its practical application will often prove challenging. Essentially, the concept incorporates two key elements:
– Firstly, personal data may only be processed if and to the extent that such processing actually causally supports the fulfilment of the relevant purpose (factual element).
– Secondly, personal data may only be processed if and to the extent that the relevant purpose cannot reasonably be achieved by other means avoiding such processing (judgemental element).

319 In contrast to the assessment of the causal link between the data processing and the achievement of the relevant purpose, the assessment of “reasonable” alternatives requires a value judgement. The requirement of the absence of “reasonable” alternatives suggests that the concept of “necessity” under the GDPR does not limit data processing to what is strictly indispensable for technical, economic, organisational or other reasons. Rather, it requires a proportionality test on a case-by-case basis. However, as the criteria of such a reasonableness assessment are not defined by the GDPR, further guidance by the Board, the ECJ or preferably the European legislator would be helpful. Until then, in order to minimise the risk of administrative fines, as a precautionary measure, businesses will have to follow a narrow understanding of the term “necessary” and carefully assess any available measures to reduce the processing of personal data to the extent strictly required.

54 The wording of GDPR, recital 50, sentence 2 was introduced by the adoption of the draft through the European Council and originally accompanied an earlier, quite different version of GDPR, art. 6, para 4 stipulating that “[w]here the purpose of further processing is incompatible with the one for which the personal data have been collected by the same controller, the further processing must have a legal basis at least in one of the grounds referred to in points (a) to (e) of paragraph 1”. This would have meant a major change in the logic and system of compatibility in comparison to Council Directive 95/46/EC, as this would have had the effect “that it would always be possible to remedy the lack of compatibility by simply identifying a new legal ground for the processing” (WP 203, 36). Following this new logic of the earlier draft, GDPR, recital 50, sentence 2 simply clarified that, in case of compatible purposes, no separate legal basis would be required. As a result of the trilogue negotiations, on the initiative of the European Parliament, the aforementioned art. 6, para 4 was substantially modified, essentially returning to the logic and system of compatibility of Council Directive 95/46/EC. However, GDPR, recital 50, sentence 2 remained untouched.
55 The requirement of Directive 95/46, art. 6, para 1, subpara c) is similar to Convention 108 of the Council of Europe of 28.1.1981, which states in art. 5, para c): “Personal data undergoing automatic processing shall be adequate, relevant and not excessive in relation to the purposes for which they are stored.” According to the Council of Europe, the meaning of Convention 108, art. 5, para c) shall be that “[t]he categories of data chosen for processing must be necessary in order to achieve the declared overall aim of the processing operations, and a controller should strictly limit collection of data to such information as is directly relevant for the specific purpose pursued by the processing.”, cf. Council of Europe (ed), Handbook on European data protection law, 2014, 70.
56 European Commission, Commission Staff Working Paper, Impact Assessment, Brussels, 25.1.2012, SEC(2012) 72 final, Annex 2, 16.
57 Cf. Case C-524/06, 16.12.2008, Heinz Huber v. Bundesrepublik Deutschland, ECR 2008 I-9705, para. 47 ff., with regard to Directive 95/46, art. 7, para e).

b) Anonymisation and pseudonymisation

320 Although GDPR, art. 5, para 1, subpara c) does not explicitly instruct controllers to use anonymisation and pseudonymisation (GDPR, art. 4, para 5), these measures will certainly be useful to ensure the effective application of the principle of data minimisation in practice.

321 In particular, as the GDPR does not apply to anonymous data (see GDPR, recital 26, see also section B.I.2.d)), when setting up new or reviewing existing business processes involving personal data, businesses should evaluate whether the relevant purposes can also be met by processing of anonymous or anonymised data.

c) Concept of data protection by design and by default

322 A specific expression of the principle of data minimisation is the concept of data protection by design and by default introduced by GDPR, art. 25, embedding the idea of data minimisation into the development and implementation of products (see section D.I.7., → mn. 529 et seqq.).

4. Accuracy

323 Similar to Directive 95/46, art. 6, para 1, subpara d), GDPR, art. 5, para 1, subpara d) requires that personal data shall be “accurate and, where necessary, kept up to date”58 and that “every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified”. In addition, GDPR, art. 5, para 1, subpara d) stipulates that such erasure or rectification has to be performed “without delay”.

324 This principle of accuracy is picked up by the specific provisions on data subject rights to rectification (GDPR, art. 16), to erasure (GDPR, art. 17) and to restriction (GDPR, art. 18) of inaccurate data (see sections D.IV.4.-6., → mn. 642 to 662).

58 Convention 108 (Council of Europe, 28.1.1981), art. 5, para d) also stipulates such a principle: “Personal data undergoing automatic processing shall be accurate and, where necessary, kept up to date”.


a) Notion of “accurate data”

325 GDPR, art. 5, para 1, subpara d) does not define the term “accurate”, and leaves quite some legal uncertainty as to its specific meaning.

326 According to the Art. 29 Working Party, “[i]n general, ‘accurate’ means accurate as to a matter of fact”.59 In other words, data are inaccurate if they do not correspond with reality. According to this understanding, only factual information can be classified as “accurate” or “inaccurate”. Value judgements, on the other hand, are not subject to such classification. However, especially in borderline cases, delimiting factual statements from value judgements will often prove challenging.

327 As the GDPR does not provide any further restrictions, the term “accuracy” has to be interpreted in a broad sense. In particular, the extent and cause of any inaccuracy are irrelevant. Furthermore, it is irrelevant who is responsible for any inaccuracy and whether any inaccuracy already existed at the time of collection or occurred subsequently. However, whether personal data are accurate or inaccurate has to be evaluated in the context of the relevant purpose for which they are processed.60 Therefore, personal data which are stored for the purpose of documenting facts (for instance, medical records, statistical records, surveys, questionnaires) do not become “inaccurate” if they are actually not true at the time of collection or if factual circumstances change subsequently.

328 Furthermore, given a broad understanding of the term, personal data may even be regarded as “inaccurate” if they are not complete or are embedded in a wrong context. However, whether data are actually complete or embedded in the right context can only be assessed on a case-by-case basis, in regard to the purposes for which they are processed.

b) Updating of inaccurate data

329 GDPR, art. 5, para 1, subpara d) requires that personal data shall be kept up to date “where necessary”.

330 The GDPR does not define the vague and open term “necessary” in this context, leaving quite some legal uncertainty and room for interpretation and calling for further clarification by the European legislator. In particular, the GDPR does not specify whether such updating is only required on demand of the data subject (see GDPR, art. 16) or even requires a periodic review of all processed personal data as suggested for instance by GDPR, recital 39 for erasure (see section C.I.4.c), → mn. 333 et seqq.). Such regular review might prove quite difficult and expensive, especially for big databases that store data for a long period of time. On the other hand, there may be situations where regularly checking the accuracy of data, including updating, will be deemed necessary because of the potential damage which might be caused to the data subject in case data were to remain inaccurate.61

331 Until further clarification by the Board, the ECJ or preferably the European legislator, in view of the immanent risk of administrative fines for any breach of the principle of accuracy, businesses will have to carefully assess the implementation of periodic review mechanisms, in particular considering the potential damage which might be caused to the data subject by inaccurate data.

332 The requirement of updating may conflict with legal or contractual documentation and archiving obligations of the controller. There may even be cases where updating stored data is prohibited by law, if the purpose of storing the data is principally to document events.62 Therefore, businesses will have to carefully assess on a case-by-case basis whether updating of personal data will be prohibited, in order to avoid any illegal forgery of documents.

59 WP 225, 15.
60 Cf. also Council of Europe (ed), Handbook on European data protection law, 2014, 71.

c) Erasure and rectification of inaccurate data

333 GDPR, art. 5, para 1, subpara d) requires that “every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay”. The specific conditions for erasure and rectification can be found in GDPR, art. 16 and 17 which require the controller to act “without undue delay” (see sections D.IV.4. and 5., → mn. 642 to 657).

334 Furthermore, GDPR, art. 18, para 1, subpara a) stipulates that the data subject has the right to obtain from the controller restriction of processing “where the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data” (see section D.IV.6., → mn. 658 et seqq.).

335 Neither GDPR, art. 5, para 1, subpara d) nor GDPR, art. 16 and 17 specify any concrete time limit for the performance of any erasure or rectification. GDPR, recital 59, sentence 3 at least specifies that “[t]he controller should be obliged to respond to requests from the data subject without undue delay and at the latest within one month and to give reasons where the controller does not intend to comply with any such requests.” However, the specific time limit for the actual erasure or rectification remains unclear, leaving quite some legal uncertainty for businesses.

336 Until further clarification by the Board, the ECJ or preferably the European legislator, in view of the immanent risk of administrative fines for any breach of the principle of accuracy, businesses should apply the timeframe given by GDPR, recital 59, sentence 3 not only to the response to data subjects’ requests but also to the actual performance of any necessary erasure or rectification.

61 Cf. Council of Europe (ed), Handbook on European data protection law, 2014, 72.
62 Cf. Council of Europe (ed), Handbook on European data protection law, 2014, 72.

5. Storage limitation

337 Quite similar to Directive 95/46, art. 6, para 1, subpara e), GDPR, art. 5, para 1, subpara e) requires that personal data shall be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed”.63

338 This principle of storage limitation can be seen as the temporal aspect of the data minimisation principle (see section C.I.3., → mn. 315 et seqq.). In other words, storage limitation sets the temporal boundaries of the data minimisation principle.

a) Notion of “necessity”

339 The essential core of the storage limitation principle is the concept of “necessity” embedded in the data minimisation principle (see section C.I.3., → mn. 315 et seqq.), deeply tied to the principle of purpose limitation (see section C.I.2., → mn. 261 et seqq.).

340 Pursuant to GDPR, recital 39, from a temporal perspective, the limitation to what is necessary “requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum.”64 Furthermore, GDPR, recital 39 also stipulates that “[i]n order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review.”

341 From a business point of view, internal policies governing the retention and deletion of personal data are best practice tools to establish time limits for erasure or for a periodic review (see section D.IV.5., → mn. 648 et seqq.). Such internal guidelines should also particularly take into account any legal or contractual documentation and archiving obligations of the controller which may require (and legitimise) further storing of personal data for specific periods of time.

b) Exception for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

342 As an exception to the strict principle of storage limitation, “personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes” (GDPR, art. 5, para 1, subpara e)). This exception is subject to the requirement of the implementation of appropriate technical and organisational measures in accordance with GDPR, art. 89, para 1 (see also section C.I.2.b)cc)(1)).

343 Whether the exception for “scientific or historical research purposes or statistical purposes” only applies to purposes in the public interest or also to operations in a commercial interest is not clearly answered by the GDPR (see section C.I.2.b)cc)(1), → mn. 286 et seqq.). From a business perspective, to be on the safe side, it may not be recommendable to rely on this exception for operations in a commercial interest, until the future Board, the ECJ or preferably the European legislator have provided further clarification.

63 Similar to Convention 108 (Council of Europe, 28.1.1981), art. 5, para e).
64 Cf. the European Court of Human Rights in the Case of S. and Marper v. The United Kingdom (4 December 2008) in para 107 referring to Convention 108, art. 5, para e): “The core principles of data protection require the retention of data to be proportionate in relation to the purpose of collection and insist on limited periods of storage”.

c) Erasure, restriction and anonymisation of personal data no longer necessary

344 Where it is no longer necessary to keep data in a form which permits identification of data subjects for the purposes for which the personal data are processed, as a general rule, a further processing will be subject to the data subject’s right and the controller’s obligation to erasure (GDPR, art. 17, para 1, subpara a)) and to restriction of processing (GDPR, art. 18) of such personal data (see also sections D.IV.5. and 6.).

345 However, as the GDPR does not apply to anonymous data (see GDPR, recital 26, see section B.I.2.d), → mn. 97 et seqq.), data which are no longer needed in a form which permits identification could also be further processed in an anonymised form.65 Such anonymisation requires that personal data is “rendered anonymous in such a manner that the data subject is not or no longer identifiable” (GDPR, recital 26).

d) Processing which does not require identification

346 GDPR, art. 11, para 1 additionally clarifies that “[i]f the purposes for which a controller processes personal data do not or do no longer require the identification of a data subject by the controller, the controller shall not be obliged to maintain, acquire or process additional information in order to identify the data subject for the sole purpose of complying with this Regulation”.66 This clarification emphasises that the controller should not be encouraged to further process, in particular store personal data for the sole purpose of complying with the rights of the data subject (GDPR, art. 15 to 20, see also sections D.IV.3.-7.). According to GDPR, recital 57, sentence 2, “[h]owever, the controller should not refuse to take additional information provided by the data subject in order to support the exercise of his or her rights.”

347 With regard to such cases, GDPR, art. 11, para 2 adds that where “the controller is able to demonstrate that it is not in a position to identify the data subject, the controller shall inform the data subject accordingly, if possible. In such cases, Articles 15 to 20 shall not apply except where the data subject, for the purpose of exercising his or her rights under those articles, provides additional information enabling his or her identification”. The first sentence of GDPR, art. 11, para 2 is inherently contradictory:67 It is unclear how the data controller could be able to inform the data subject without being able to identify him. It seems reasonable to assume that the information obligation of GDPR, art. 11, para 2, sentence 1 applies to cases where the data subject has contacted the controller with a request regarding his68 personal data which the controller is unable to comply with due to earlier erasure (or anonymisation) of the relevant personal data.

65 Cf. Council of Europe (ed), Handbook on European data protection law, 2014, 73.
66 See also GDPR, recital 57, sentence 1.

6. Integrity and confidentiality

348 GDPR, art. 5, para 1, subpara f) requires that personal data is “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”.69 In similar words, GDPR, recital 39 stipulates that “[p]ersonal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing.”

349 This principle of “integrity and confidentiality” has not been part of the catalogue of principles of Directive 95/46, art. 6. It explicitly addresses the possible risks for the security of personal data and names some of the protective purposes of data security.

350 However, the introduction of this principle in its vague and open form amounts to little more than a general phrase requiring further specification and clarification by the more specific provisions of the GDPR that follow. Namely, GDPR, art. 32 aims at such further specification, at least enumerating some concrete examples of technical and organisational measures (see section D.I.8.b), → mn. 543). However, even GDPR, art. 32 reverts to the open-ended requirement of “appropriate” security. What is “appropriate” is highly subjective and leaves quite some room for interpretation. The open-ended wording essentially extends companies’ duties regarding the security of personal data to a quite uncertain and indefinite extent. On the other hand, this also gives companies quite some flexibility and room for argumentation regarding the adequacy of the actual data security measures implemented.

67 In contrast to the earlier version of the GDPR, art. 11, para 2 in the adoption of the draft of the Council, cf. art. 10, para 2 of the General Approach of the Council, Document No. 9565/15, Brussels, 11 June 2015 which stated: “Where, in such cases the controller is not in a position to identify the data subject, articles 15, 16, 17, 17 a, 17 b and 18 do not apply except where the data subject, for the purpose of exercising his or her rights under these articles, provides additional information enabling his or her identification”.
68 If in the following the masculine form is used when referring to persons in order to simplify legibility, this always refers to both male and female persons.
69 Comparable to Convention 108 (Council of Europe, 28.1.1981), art. 5, para e).


7. Accountability

351 GDPR, art. 5, para 2 introduces the new principle of “accountability”. The fact that the legislator chose not to simply add this principle to the catalogue of principles of GDPR, art. 5, para 1, but to place it in a separate paragraph, emphasises that introducing an “architecture of accountability” should not change the substantive principles of data protection but be designed to make the principles more effective.70

a) Notion of accountability

352 In the discussions about the future European data protection law, accountability mechanisms have long been suggested as a way of encouraging controllers to implement practical tools for effective data protection.71 The emphasis of “accountability” in a basic common understanding would presumably be on showing how responsibility is exercised and making this verifiable.72 However, understanding the term “accountability” is quite difficult, in particular as there is no clear translation available in other languages and no certain and consistent common understanding of the term throughout the languages and legal systems of the Member States.

353 Therefore, it is to be welcomed that GDPR, art. 5, para 2 provides its own independent legal definition of “accountability” eliminating this linguistic and legal uncertainty. Pursuant to GDPR, art. 5, para 2 accountability in terms of the GDPR means that “the controller shall be responsible for, and able to demonstrate compliance with the principles laid down in paragraph 1”.73 In comparison, Directive 95/46, art. 6, para 2 only required that “[i]t shall be for the controller to ensure that paragraph 1, namely the principles, is complied with”. Therefore, the actual innovation of the “accountability” principle of the GDPR in comparison to Directive 95/46 is the controller’s fundamental obligation to be able to demonstrate compliance with the data processing principles. As a result, the burden of proof for compliance with any and all data protection law requirements essentially lies completely with the controller.

354 The controller’s accountability is particularly important for his liability. Pursuant to GDPR, art. 82, para 3 a controller or processor shall be exempt if it proves that it is not in any way responsible for the event giving rise to the damage.

70 Cf. WP 173, 5.
71 Cf. WP 173, 3.
72 Cf. WP 173, 7.
73 The GDPR definition of accountability significantly deviates from the Art. 29 Working Party’s far more extensive proposal for a new principle of accountability which would have consisted of “the need for a controller to take appropriate and effective measures to implement data protection principles” and “the need to demonstrate upon request that appropriate and effective measures have been taken”, see in detail WP 173, 9.


355 Corresponding to this extensive burden of proof, pursuant to GDPR, art. 57, para 1, subpara a), art. 58, para 1, subpara a) the supervisory authorities may at any time request information proving the controller’s compliance, significantly expanding the authorities’ possibilities to uncover any irregularities or defects in data protection compliance of businesses.

356 In other words, not only any actual breach of specific data protection law requirements but even any lack of complete documentation of compliance with these specific requirements will have to be deemed a violation of the GDPR basically punishable with administrative fines (see section C.I., → mn. 241 et seqq.). Therefore, even more than under Directive 95/46, businesses will have to carefully and comprehensively document their compliance with any requirements of data protection law in order to avoid the financial risk of administrative fines.

b) Possibilities to demonstrate compliance

357 GDPR, art. 5, para 2 itself does not implement any concrete measures for the required demonstration of compliance, leaving quite some flexibility to businesses. Pursuant to GDPR, recital 78, sentence 2 “[i]n order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default” (GDPR, art. 25, see section D.I.7., → mn. 529 et seqq.). Additionally, GDPR, recital 82 stipulates that “[i]n order to demonstrate compliance with this Regulation, the controller or processor should maintain records of processing activities under its responsibility” (GDPR, art. 30, see section D.I.6., → mn. 525). Furthermore, the GDPR implements a number of different tools which could be regarded as specific implementations of the principle of accountability:

– Adherence to approved codes of conduct or approved certification mechanisms, GDPR, art. 24, para 3, art. 40, 42 (see sections D.II. and III., → mn. 566 and 580 et seqq.)
– Appointment of a Data Protection Officer, GDPR, art. 37-39 (see section D.VI., → mn. 758 et seqq.)
– Contracts with processors, GDPR, art. 28 (see section E.II.2., → mn. 969)
– Data Protection Impact Assessment, GDPR, art. 35 (see section D.I.9., → mn. 548)
– Notification of data breaches to the data subject and the supervisory authority, GDPR, art. 33, 34 (see section D.IV.10., → mn. 701 et seqq. and D.V.3., → mn. 736 et seqq.).


II. Key requirements for lawful processing of personal data from a business perspective

358 Based on the fundamental principle of lawfulness already established by the Directive 95/46, the GDPR continues the basic concept that personal data may only be processed on the basis of the consent of the data subject concerned or some other legitimate basis (see section C.I.1.a), → mn. 248).

359 Exhaustively enumerating the legal grounds of the GDPR for processing personal data, GDPR, art. 6 is the key provision for the requirement of lawfulness (see section C.II.2., → mn. 364 et seqq.). GDPR, art. 7 adds specific requirements for a valid consent of the data subject (see section C.II.3., → mn. 429 et seqq.). GDPR, art. 8 introduces additional prerequisites concerning valid consent of children (see section C.II.3.c), → mn. 459). Processing special categories of personal data is regulated by GDPR, art. 9 (see section C.II.4., → mn. 489 et seqq. and in detail also section E.III., → mn. 1029 et seqq.). GDPR, art. 10 adds some further specific requirements and clarifications regarding personal data relating to criminal convictions and offences.

1. Relevance and importance of the different legal grounds of the GDPR for processing of personal data from a business perspective

360 In short, nearly identical to Directive 95/46, art. 7, GDPR, art. 6, para 1, subparas a) to f) legitimise processing of personal data to the extent:

– the data subject has given consent;
– it is necessary for the performance of a contract or pre-contractual relations;
– it is necessary for compliance with a legal obligation;
– it is necessary in order to protect the vital interests of the data subject or of another natural person;
– it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
– it is necessary for the purposes of the legitimate interests of the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

361 Unlike some Member State data protection laws under Directive 95/46, the GDPR does not provide any specific legal grounds for specific business scenarios, such as, for instance, (direct) marketing, address trading, scoring, or video surveillance. Therefore, businesses will have to rely on the rather general legal grounds of GDPR, art. 6, para 1, subparas a) to f) instead.

362 The quite similar listing of legal grounds in Directive 95/46, art. 7, paras a) to f) has been transposed into Member State law in very different ways.74 In view of the diverging implementation of the Directive 95/46, the GDPR broadens the horizon of applicable legal grounds for businesses in many Member States. Under the GDPR, from a legal point of view, all six legal grounds will have to be considered as alternative grounds for lawful processing on equal footing. The text of the GDPR does not make any legal distinction between the six grounds and does not suggest that there is a hierarchy among them.75

363 Therefore, although consent is listed first in GDPR, art. 6, para 1, subpara a), from a legal point of view, it will not prevail over the five other legal grounds listed in GDPR, art. 6, para 1, subparas b) to f). Quite to the contrary, from a business perspective, legitimisation by one of the other legal grounds of GDPR, art. 6, para 1, subparas b) to f) will presumably even gain a preferred status over consent for many business situations, in particular as the requirements of the GDPR for valid consent are quite strict and consent is often an unreliable factor in many business scenarios: In comparison to Directive 95/46, the GDPR sets even higher standards for valid consent. In particular, the restriction of horizontal and vertical interconnection will render consent useless in many situations in a business to customer context (see section C.II.3.a)bb)(2), → mn. 447 et seqq.). Even higher requirements have to be met when it comes to consent of a child, challenging businesses with requirements which are quite difficult to meet in practice (see section C.II.3.c)aa), → mn. 459). Furthermore, for businesses, basing costly data processing operations on consent is highly unreliable, as consent may be basically withdrawn by the data subject at any time. On the other hand, the legal grounds of GDPR, art. 6, para 1, subparas b) to f), in particular the requirement of “necessity”, are quite vague and leave much space for interpretation and therefore quite some flexibility to businesses (see section C.II.2., → mn. 362 et seqq.).

2. Legitimisation of data processing by law

364 GDPR, art. 6, para 1, subparas b) to f) provide five legal grounds legitimising data processing without consent of the data subject. These legal grounds may be divided into two groups:

– legitimisation “ipso iure” (GDPR, art. 6, para 1, subparas b) to e))
– legitimisation subject to a balancing of interests (GDPR, art. 6, para 1, subpara f))

74 According to the European Commission, “[i]n several Member States the criteria set out in Article 7(a) to (f) of the Directive are transposed as alternative grounds for lawful processing on equal footing (e.g. in Belgium, Denmark, Finland, Ireland, Luxembourg, the Netherlands and Sweden). In Austria, Germany and Spain, consent and processing based on a law or to fulfil a legal obligation are given primary status, the other criteria being seen as exceptions. In other countries (including the Czech Republic, France, Greece and Portugal) processing on the basis of consent is the sole primary criterion. In Italy this is the case only for the private sector”, European Commission, Commission Staff Working Paper, Impact Assessment, Brussels, 25.1.2012, SEC(2012) 72 final, Annex 2, 16 f.
75 Cf. the Art. 29 Working Party’s statement on the similar Directive 95/46, art. 7; WP 187, 7; WP 217, 10.


365 Due to the principle of data minimisation (see section C.I.3., → mn. 315 et seqq.), closely linked to the principle of purpose limitation (see section C.I.2., → mn. 261 et seqq.), and as again explicitly emphasised in each of the legal grounds of GDPR, art. 6, para 1, subparas b) to f), any data processing on the basis of these legal grounds has to be limited to what is necessary (see section C.I.3.a), → mn. 315 to 319 for details).

366 As shown below in more detail, many of these legal grounds incorporate rather vague and open legal terms, leaving quite some room for interpretation. However, in its 2014 opinion on the quite similar provisions of Directive 95/46, art. 7, the Art. 29 Working Party already described in detail the common position of the data protection authorities of the Member States on the interpretation and application of the legal grounds, giving practical guidelines for their application.76 Therefore, until the future Board, the ECJ or preferably the European legislator have given further guidance on the interpretation of these legal grounds, it seems reasonable, from a business perspective, to closely adhere to the common position and practical guidelines given by the Art. 29 Working Party, as far as applicable to the nearly identical provisions of GDPR, art. 6, para 1.

a) Contract or pre-contractual relations

367 Identical to Directive 95/46, art. 7, para b), GDPR, art. 6, para 1, subpara b) provides a legal ground in situations where processing of personal data is “necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”, covering two different scenarios:

aa) Performance of a contract to which the data subject is party

368 First, GDPR, art. 6, para 1, subpara b) legitimises processing of personal data necessary for the performance of a contract to which the data subject is party.

369 The provision requires that the data subject is party to the relevant contract. However, it does not require the controller to be party to the contract. Therefore, this legal ground applies to the processing of personal data for the performance of contracts between the controller and the data subject as well as performance of contracts between the data subject and third parties.

370 As explicitly emphasised by GDPR, art. 6, para 1, subpara b), data processing for contractual purposes has to be limited to what is necessary (see section C.I.3.a), → mn. 316 et seqq.). From a business perspective, this requires an evaluation on a case-by-case basis with regard to the “exact rationale of the relevant contract, i.e. its substance and fundamental objective, as it is against this that it will be tested whether the data processing is necessary for its performance.”77

76 WP 217. 77 WP 217, 17.

Sebastian Dienst


C. Lawful processing of personal data in companies under the GDPR

According to the Art. 29 Working Party’s opinion, the provision requires a strict interpretation. It “does not cover situations where the processing is not genuinely necessary for the performance of a contract, but rather unilaterally imposed on the data subject by the controller.”78 In other words, not every data processing covered in the small print of a contract will actually have to be deemed necessary for its performance.79 Given this strict understanding, for instance, fraud prevention or customer profiling would typically be beyond what is strictly necessary for the actual performance of a sales contract.80

The limitation to what is necessary for the actual “performance” of a contract implies that the provision does not legitimise all data processing due to any contractual non-compliance or all other incidents in the execution of a contract.81 According to the Art. 29 Working Party, “processing of basic information of the data subject, such as name, address and reference to outstanding contractual obligations, to send formal reminders should still be considered as falling within the processing of data necessary for the performance of a contract.”82 On the other hand, external debt collection may no longer be deemed necessary for the “performance” of the contract.83

bb) Steps at the request of the data subject prior to entering into a contract

Second, GDPR, art. 6, para 1, subpara b) also legitimises processing of personal data necessary “in order to take steps at the request of the data subject prior to entering into a contract”.

This provision covers pre-contractual relations, provided that data is processed at the request of the data subject, rather than at the initiative of the controller or any third party. Typical examples of such requests of the data subject are requests for product or service information or price quotes.84 However, detailed pre-contractual background checks at the initiative of the controller, for instance solvency or credit reference checks, would typically not be considered necessary steps taken at the request of the data subject.85 Furthermore, in particular, any direct marketing activities at the initiative of the controller may also not be legitimised by this legal ground86 (see section E.IV., → mn. 1071 et seqq.).

78 WP 217, 16.
79 Cf. WP 217, 17 with examples.
80 Cf. WP 217, 18.
81 Cf. WP 217, 17.
82 WP 217, 18.
83 Cf. WP 217, 18.
84 Cf. WP 217, 18 with more details.
85 Cf. WP 217, 18.
86 Cf. WP 217, 18.


b) Legal obligation

Identical to Directive 95/46, art. 7, para c), GDPR, art. 6, para 1, subpara c) provides a legal ground in situations where processing of personal data “is necessary for compliance with a legal obligation to which the controller is subject”.

This legal ground only applies where the controller does not have a choice whether or not to fulfil the obligation. Therefore, any data processing in voluntary unilateral engagements or public-private partnerships beyond what is required by law is not covered under GDPR, art. 6, para 1, subpara c).87

From a business point of view, anti-money-laundering laws requiring companies to report certain suspicious transactions to the competent authorities are typical examples of such legal obligations.

aa) Sources for legal obligations

GDPR, art. 6, para 3 clarifies that the legal obligation serving as a legal basis for processing under GDPR, art. 6, para 1, subpara c) must be laid down either by Union law or by Member State law to which the controller is subject. Vice versa, this means that legal obligations under the laws of any third country will not be deemed a sufficient basis for this legal ground, unless officially recognised and integrated in the legal order of the relevant Member State concerned, for instance in the form of an international agreement.88 Therefore, for instance, the obligation to set up whistleblowing schemes under the Sarbanes-Oxley Act of 2002 in the United States is not covered by this legal ground.89

However, in some cases, compliance with the laws of a third country may represent a legitimate interest of the controller legitimising data processing under GDPR, art. 6, para 1, subpara f) (see section C.II.2.e), → mn. 395 et seqq.).

bb) Quality of legal basis and additional national provisions

GDPR, art. 6, para 3 stipulates specific requirements for the legal basis for legal obligations. Furthermore, GDPR, recital 41 specifies that “[w]here this Regulation refers to a legal basis or a legislative measure, this does not necessarily require a legislative act adopted by a parliament, without prejudice to requirements pursuant to the constitutional order of the Member State concerned. However, such a legal basis or legislative measure should be clear and precise and its application should be foreseeable to persons subject to it, in accordance with the case-law of the Court of Justice of the European Union (the ‘Court of Justice’) and the European Court of Human Rights.” Additionally, GDPR, recital 45, sentences 2 and 3 clarify that “[t]his Regulation does not require a specific law for each individual processing. A law as a basis for several processing operations based on a legal obligation to which the controller is subject […] may be sufficient.”

Pursuant to GDPR, art. 6, para 2, Member States may also maintain or introduce more specific national provisions to adapt the application of the rules of GDPR, art. 6, para 1, subpara c).

Businesses relying on GDPR, art. 6, para 1, subpara c) will have to carefully assess whether the legal basis for the relevant legal obligations meets the requirements regarding legal quality. Furthermore, businesses will also have to be aware of any specific Member State law adapting the application of GDPR, art. 6, para 1, subpara c). Particularly in a cross-border context, different standards in the quality of laws of Member States may prove challenging. From a business perspective, this requires a careful evaluation of the applicable laws.

87 Cf. WP 217, 19.
88 Cf. WP 217, 19.
89 Cf. WP 217, 19.

c) Vital interests

Identical to Directive 95/46, art. 7, para d), GDPR, art. 6, para 1, subpara d) provides a legal ground in situations where processing of personal data is “necessary in order to protect the vital interests of the data subject”. Additionally, GDPR, art. 6, para 1, subpara d) extends the scope of this legal ground to the vital interests of “other natural persons”.

GDPR, recital 46, sentence 1 defines the term “vital interest” as an interest which is “essential for the life of the data subject or that of another natural person”. However, like Directive 95/46, the GDPR does not specify whether any threat to life must be immediate.90 The Art. 29 Working Party notes that “[t]his raises issues concerning the scope of the collection of data, for instance as a preventive measure or on a wide scale, such as the collection of airline passengers’ data where a risk of epidemiological disease or a security incident has been identified.”91

The language of GDPR, art. 6, para 1, subpara d) is different to the wording used in GDPR, art. 9, para 2, subpara c) (see section C.II.4., → mn. 489 and in detail section E.III., → mn. 1029 et seqq.), which is more specific and refers to situations where the processing of special categories of data “is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent”. In comparison, GDPR, art. 6, para 1, subpara d) does not explicitly limit the use of this legal ground to situations where consent cannot be obtained. However, according to the Art. 29 Working Party, a restrictive interpretation of this legal ground requires that “in situations where there is a possibility and need to request a valid consent, consent should indeed be sought whenever practicable”.92 Even more restrictively, GDPR, recital 46, sentence 2 stipulates that “[p]rocessing of personal data based on the vital interest of another natural person should in principle take place only where the processing cannot be manifestly based on another legal basis.”

Therefore, the application of this legal ground is fairly limited and requires a case-by-case analysis. In particular, any massive collection or processing of personal data will typically not be legitimised on the basis of this legal ground.93 Pursuant to GDPR, recital 46, sentence 3, GDPR, art. 6, para 1, subpara d) applies “for instance when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread or in situations of humanitarian emergencies, in particular in situations of natural and man-made disasters”.

90 Cf. WP 217, 20.
91 WP 217, 20.
92 WP 217, 20.

d) Public interest or exercise of official authority

Almost identical to Directive 95/46, art. 7, para e), GDPR, art. 6, para 1, subpara e) provides a legal ground in situations where processing of personal data is “necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”. However, in comparison to Directive 95/46, the GDPR narrows the scope from “official authority vested in the controller or in a third party to whom the data are disclosed” to “official authority vested in the controller”. In other words, GDPR, art. 6, para 1, subpara e) no longer covers situations where the controller does not itself have an official authority, but is requested by a third party having such authority to disclose data.

Unlike under GDPR, art. 6, para 1, subpara c) (see section C.II.2.b), → mn. 375), there is no requirement for the controller to act under a legal obligation when relying on the legal ground of GDPR, art. 6, para 1, subpara e).

aa) Relevance for the private sector

In view of the trend to outsource governmental tasks to entities in the private sector, GDPR, art. 6, para 1, subpara e) is not only relevant for the public but also for the private sector. From a business perspective, situations where private bodies are entrusted with the performance of tasks in the public interest or the exercise of official authority are becoming increasingly common. Typical examples are processing activities in the public transport or health sector.94

bb) Legal basis for public interests or official authority

GDPR, art. 6, para 3 clarifies that the basis for processing referred to in GDPR, art. 6, para 1, subpara e) must be laid down either by Union law or Member State law to which the controller is subject. Therefore, “official authority” refers to an authority granted by the Union or a Member State.

93 Cf. WP 217, 20.
94 Cf. WP 217, 22 with further examples.


Vice versa, this means that any tasks carried out in the public interest of a third country, or in the exercise of an official authority vested by virtue of the laws of any third country, will not be deemed a sufficient basis for this legal ground, unless officially recognised and integrated in the legal order of the relevant Member State concerned (see section C.II.2.b)aa), → mn. 378).

cc) Quality of legal basis and additional national provisions

GDPR, art. 6, para 3 stipulates specific requirements concerning the quality of the legal basis for public interests or official authority. Additionally, GDPR, recitals 41 and 45 further specify the requirements regarding the quality of such a legal basis (see section C.II.2.b)bb), → mn. 380).

Pursuant to GDPR, art. 6, para 2, Member States may also maintain or introduce more specific national provisions to adapt the application of the rules of GDPR, art. 6, para 1, subpara e). In particular, pursuant to GDPR, recital 45, sentence 6, “it should also be for Union or Member State law to determine whether the controller performing a task carried out in the public interest or in the exercise of official authority should be a public authority or another natural or legal person governed by public law, or, where it is in the public interest to do so, including for health purposes such as public health and social protection and the management of health care services, by private law, such as a professional association.”

Therefore, businesses relying on GDPR, art. 6, para 1, subpara e) will have to carefully assess whether the relevant legal basis meets the requirements regarding legal quality. Furthermore, businesses will also have to be aware of any specific Member State law adapting the application of GDPR, art. 6, para 1, subpara e). From a business perspective, this requires a careful evaluation of the applicable laws, particularly in a cross-border context.

e) Legitimate interests

Similar to Directive 95/46, art. 7, para f), GDPR, art. 6, para 1, subpara f) provides a legal ground in situations where processing of personal data “is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.” The only major difference between the language of Directive 95/46, art. 7, para f) and GDPR, art. 6, para 1, subpara f) is the emphasis of the GDPR on children’s data.

aa) Legitimate interests pursued by the controller or by a third party

First, GDPR, art. 6, para 1, subpara f) requires a “legitimate interest pursued by the controller or by a third party”. However, the GDPR does not define the term “legitimate interest”.


The term “interest” is closely related to, but also distinct from, the notion of “purpose” mentioned in GDPR, art. 5, para 1, subpara b) (see section C.I.2., → mn. 261 et seqq.). In data protection discourse, “purpose” means the specific reason why personal data are processed. In other words, “purpose” is the aim or intention of the data processing. “Interest”, on the other hand, is “the broader stake that a controller may have in the processing, or the benefit that the controller derives – or that society might derive – from the processing”.95

Furthermore, the relevant interest must be “pursued” by the controller or by a third party. According to the Art. 29 Working Party, “[t]his requires a real and present interest, something that corresponds with current activities or benefits that are expected in the very near future. In other words, interests that are too vague or speculative will not be sufficient.”96

Finally, an interest is “legitimate” if the controller or a third party can pursue this interest in a way that is in accordance with data protection and other applicable Union and Member State laws (see also section C.I.2.a)cc) for the similar term of “legitimate purpose”). In short, to be considered legitimate, an interest must be acceptable under any applicable law.97

Pursuant to GDPR, recital 47, sentence 3, “the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place.” According to the Art. 29 Working Party, “the notion of legitimate interest could include a broad range of interests, whether trivial or very compelling, straightforward or more controversial. It will then be in a second step, when it comes to balancing these interests against the interests and fundamental rights of the data subjects, that a more restricted approach and more substantive analysis should be taken.”98

The recitals of the GDPR provide some non-exhaustive examples of situations in which a legitimate interest could exist:
– Processing in situations where the “data subject is a client or in the service of the controller” (GDPR, recital 47, sentence 2).
– Processing for the purposes of preventing fraud (GDPR, recital 47, sentence 6).
– Processing for direct marketing purposes (GDPR, recital 47, sentence 7).
– Processing for the purposes of ensuring network and information security, including preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems (GDPR, recital 49).
– Transmission within the group of undertakings for internal administrative purposes, including the processing of clients’ or employees’ personal data (GDPR, recital 48, sentence 1).

Additionally, the Art. 29 Working Party has provided a list99 of further common business situations where a legitimate interest of the controller may be identified, including:
– Enforcement of legal claims including debt collection via out-of-court procedures
– Prevention of money laundering
– Processing for historical, scientific or statistical purposes
– Processing for research purposes (including marketing research)

95 WP 217, 24.
96 WP 217, 24.
97 Cf. WP 217, 25.
98 WP 217, 24.

bb) Interests or fundamental rights and freedoms of the data subject

Secondly, GDPR, art. 6, para 1, subpara f) refers to “interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.” However, the GDPR does not specify the scope of these interests either.

According to the Art. 29 Working Party, the interests and rights should be given a broad interpretation.100 In other words, all categories of interests have to be taken into account, as long as they are relevant within the scope of the GDPR. In particular, as the adjective “legitimate” is not used to precede the “interests” of the data subjects (unlike in the case of the controller’s or a third party’s interest), an even wider scope is implied.101

cc) Balancing test

Finally, GDPR, art. 6, para 1, subpara f) requires an assessment of whether the legitimate interests of the controller or a third party (see section C.II.2.e)aa), → mn. 396 et seqq.) are “overridden” by the interests or fundamental rights and freedoms of the data subject (see section C.II.2.e)bb), → mn. 403).

In other words, GDPR, art. 6, para 1, subpara f) calls for a balancing test of these two “weights” against each other. The outcome of this balancing test largely determines whether GDPR, art. 6, para 1, subpara f) may be relied upon as a legal ground for processing. However, like Directive 95/46, the GDPR does not provide any specific guidance on this balancing test.

In its evaluation of the implementation of the nearly identical Directive 95/46, art. 7, para f), the Commission states that the national implementation and interpretation of the “balance of interest” criterion “differs substantially between Member States.”102 According to the Art. 29 Working Party, the open-ended text of Directive 95/46, art. 7, para f) leaves much room for interpretation and has led to a “lack of predictability and lack of legal certainty”.103 The wording of GDPR, art. 6, para 1, subpara f) is nearly identical to the open-ended wording of Directive 95/46, art. 7, para f). Therefore, it remains to be seen if and how quickly the divergences in the application and interpretation of the “balance of interest” criterion in the Member States will merge into a consistent and predictable approach.

However, in its 2014 opinion on the notion of legitimate interests,104 the Art. 29 Working Party already described in detail the common position of the data protection authorities of the Member States on the interpretation and application of the “balance of interest” criterion, giving practical guidelines for its application. In particular, the Art. 29 Working Party summarised a number of useful factors for the balancing test developed in the Member States. Therefore, until the future Board, the ECJ or preferably the European legislator have given further guidance on the balancing test, it seems reasonable, from a business perspective, to closely adhere to the common position and practical guidelines given by the Art. 29 Working Party, as far as applicable to the nearly identical provisions of GDPR, art. 6, para 1, subpara f).

From a practical perspective, it may help to imagine the balancing test as a weighing of two sides on a scale. However, according to the Art. 29 Working Party, the balance of interest criterion “is not a straightforward balancing test which would simply consist of weighing two easily quantifiable and easily comparable ‘weights’ against each other.”105 As described below in more detail, the balancing test rather requires a thorough and complex assessment.106

99 Cf. WP 217, 24.
100 Cf. WP 217, 29, 49.
101 Cf. WP 217, 30.

102 European Commission, Commission Staff Working Paper, Impact Assessment, Brussels, 25.1.2012 SEC(2012) 72 final, Annex 2, 17: “In the UK it is largely left to controllers to conduct the assessment and to determine whether they can process personal data on this basis. In the Netherlands, the explanatory memorandum to the data protection law sets out guidance on what issues should be taken into account when applying this criterion. Given its vagueness, several Member States (including Belgium, Ireland and UK) have envisaged issuing further rules for the application of this criterion, but have not yet adopted such rules. DPAs have provided guidance in their opinions interpreting the law. In some countries, it is explicitly indicated that the balance test applies only to the private sector (e.g. Germany) or in cases specified by the Data Protection Authority (Italy) or on the basis of the permission of the national data protection supervisory authority in a specific case (Finland). Other countries (including Greece and Spain) impose stricter requirements on processing on the basis of this criterion”; see also Joined Cases C-468/10, 469/10, 24.11.2011, Asociación Nacional de Establecimientos Financieros de Crédito (ASNEF) (C-468/10), Federación de Comercio Electrónico y Marketing Directo (FECEMD) (C-469/10) v. Administración del Estado, ECR 2011 I-12181, para. 37 f. regarding the leeway of the Member States with regard to the implementation of Directive 95/46, art. 7, para f).
103 WP 217, 51.
104 WP 217.
105 WP 217, 23.
106 Cf. WP 217, 23.


First of all, the balancing test requires the detailed determination of the “weight” of both sides, assessing the nature and source of the legitimate interests for the processing on the one hand (see section C.II.2.e)cc)(1), → mn. 413), and the impact on the data subjects on the other (see section C.II.2.e)cc)(2), → mn. 417).

In a second step, a preliminary conclusion may be drawn. Such a “provisional balance” may already reach the conclusion that one side clearly prevails over the other (see section C.II.2.e)cc)(3), → mn. 422). However, from a practical perspective, it will be more likely that the outcome of this first provisional balancing test is quite unclear, leaving doubt as to which side prevails. In such cases, the controller may consider a further step in the balancing test, assessing whether additional safeguards for the protection of data subjects (beyond compliance with mandatory safeguards) can be introduced that help to “tip” the balance on the scale. Taking such additional safeguards into account, a “final balance” may be established (see section C.II.2.e)cc)(4), → mn. 424).107

To enable businesses to perform an efficient and documentable (see section C.II.2.e)cc)(5), → mn. 427) assessment of the necessary balancing test in a structured and simple approach, it will help to break down the evaluation process into its key steps:108

(1) Assessment of nature and source of the legitimate interest

The notion of “legitimate interests” itself is fairly broad (see section C.II.2.e)aa), → mn. 396 et seqq.). Legitimate interests may vary “from insignificant through somewhat important to compelling.”109 However, the specific nature and source of the interest play a crucial role in determining its weight in the balancing test.110

In particular, such an assessment should take into account whether the data processing is necessary for the exercise of a fundamental right111 of the controller or a third party or is in any other way in the public interest.112 Furthermore, such an assessment should also focus on whether the data processing benefits from social, cultural or legal recognition.113

The existence of Union law or Member State law specifically allowing (even if not requiring) controllers to pursue certain public or private interests may contribute towards a favourable assessment of the balance.114

Non-binding guidance provided by authoritative bodies encouraging controllers to process data in pursuit of a specific interest may also indicate a higher weight of the controller’s interest. In particular, compliance with any non-binding guidance regarding data processing issued by data protection authorities of the Member States, the Art. 29 Working Party, the Board or other regulatory bodies will also typically put additional weight on the controller’s side of the scale.115

107 Cf. WP 217, 30 f., 50 f.
108 Cf. WP 217, 23 f. proposing such a structured approach for the required balancing test under Directive 95/46, art. 7, para f).
109 WP 217, 30.
110 Cf. WP 217, 30 f., 34.

(2) Assessment of impact on data subjects

In assessing the weight of the data subject’s side of the scale, the impact of the processing on the interests or fundamental rights and freedoms of the data subject plays a crucial role. The significance of the impact may also vary and range “from trivial to very serious.”116 The assessment should take into account both positive and negative consequences.117

Regarding possible negative consequences, a careful risk assessment identifying the sources of potential negative impacts on the data subjects is required. From a business point of view, the terminology and methodology of traditional risk assessment may be useful for such an assessment.118 Two key elements contribute to the overall assessment:119
– the likelihood that a risk materialises
– the severity of the consequences

In particular, the following key aspects are typically relevant for the impact assessment:

Above all, GDPR, recital 47, sentences 1 and 3 emphasise that the assessment has to take into consideration the “reasonable expectations of data subjects based on their relationship with the controller”, taking into account “the context of the collection”. According to the Art. 29 Working Party, “[i]n general, the more specific and restrictive the context of the collection, the more limitations there are likely to be on use”.120 The emphasis on the relationship between the data subject and the controller requires taking into account the status of the data subject and the data controller, including the balance of power between them.121 Particular focus of this evaluation should be on whether the data subject is a child, as expressly emphasised in GDPR, art. 6, para 1, subpara f). However, the assessment of the status of the data subject should also take into account whether the data subject “otherwise belongs to a more vulnerable segment of the population requiring special protection, such as, for example, the mentally ill, asylum seekers, or the elderly”.122

Furthermore, the nature of the personal data will be important for the impact assessment. Similar to the compatibility test for further processing (see section C.I.2.b), → mn. 279), particular focus should be on whether special categories of personal data (GDPR, art. 9) or personal data related to criminal convictions and offences (GDPR, art. 10) are processed. However, other personal data may also be of a sensitive nature for other reasons, for instance communication data or location data, which also require special protection.123 According to the Art. 29 Working Party, “[i]n general, the more sensitive the information involved, the more consequences there may be for the data subject”.124 Although the GDPR does not provide a specific permission to reuse and further process publicly available personal data, the fact that personal data is publicly available may also be considered a relevant factor in the impact assessment,125 in particular if the publication was carried out by the data subject with a reasonable expectation of further use.126

Another key factor of the impact assessment is typically the way data are being processed, in particular “whether the data are publicly disclosed or otherwise made accessible to a large number of persons, or whether large amounts of personal data are processed or combined with other data”.127 According to the Art. 29 Working Party, “[i]n general, the more negative or uncertain the impact of the processing might be, the more unlikely it is that the processing will be considered, on balance, as legitimate.”128

111 Cf. WP 217, 34 for more details.
112 Cf. WP 217, 35 for more details.
113 Cf. WP 217, 36 for more details.
114 Cf. WP 217, 36.
115 Cf. WP 217, 36.
116 WP 217, 30.
117 Cf. WP 217, 37.
118 Cf. WP 217, 37 f.
119 Cf. WP 217, 38.

120 WP 217, 40.
121 Cf. WP 217, 40, 51.
122 WP 217, 40 f.
123 Cf. WP 217, 38.
124 WP 217, 39.
125 Cf. Joined Cases C-468/10, 469/10, 24.11.2011, Asociación Nacional de Establecimientos Financieros de Crédito (ASNEF) (C-468/10), Federación de Comercio Electrónico y Marketing Directo (FECEMD) (C-469/10) v. Administración del Estado, ECR 2011 I-12181, para. 44: “In relation to the balancing which is necessary pursuant to Article 7(f) of Directive 95/46, it is possible to take into consideration the fact that the seriousness of the infringement of the data subject’s fundamental rights resulting from that processing can vary depending on whether or not the data in question already appear in public sources”.
126 Cf. WP 217, 39.
127 WP 217, 39.
128 WP 217, 39 f.


(3) Provisional balance

After determining the weight of both sides, a preliminary conclusion may be drawn. The Art. 29 Working Party emphasises “that not all negative impact on the data subjects weighs equally on the balance” and that the purpose of the “balancing exercise is not to prevent any negative impact on the data subject. Rather, its purpose is to prevent disproportionate impact.”129 According to the Art. 29 Working Party, “legitimate interests of the controller, when minor and not very compelling may, in general, only override the interests and rights of data subjects in cases where the impact on these rights and interests are even more trivial. On the other hand, important and compelling legitimate interests may in some cases and subject to safeguards and measures justify even significant intrusion into privacy or other significant impact on the interests or rights of the data subjects.”130

Such a “provisional balance” may already come to the conclusion that the data controller’s or a third party’s legitimate interest clearly outweighs the interests and rights of the data subjects, allowing the controller to rely upon GDPR, art. 6, para 1, subpara f) as a legal ground for processing. On the other hand, such a preliminary balance may also indicate that the interests and rights of the data subjects prevail. Furthermore, from a practical perspective, it will often be the case that the outcome of this first provisional balancing test is not clear, leaving doubt as to which side has more weight.

If, based on the provisional balance, the weight of the legitimate interest is 424 not sufficient to tilt the balance in favour of the controller, or it is not clear which way the scale tilts, the controller may consider assessing whether additional safeguards can be introduced to reduce undue impact of the processing on the data subjects. According to the Art. 29 Working Party, in general, “[t]he more significant the impact on the data subject, the more attention should be given to relevant safeguards”.131 It goes without saying that only measures beyond compliance with manda- 425 tory obligations under the GDPR are fit to help “tip” the final balance.132 However, even if the compulsory measures under the GDPR are quite extensive, they may be scalable and to some extent leave room for controllers to ensure better protection of data subjects. In particular, especially in borderline cases, a general and unconditional 426 right to opt-out without the need for any justification beyond the right to object of GDPR, art. 21 (see section D.IV.8., → mn. 679 et seqq.) could contribute to 129 130 131 132

WP 217, 41. WP 217, 30. WP 217, 42. Cf. WP 217, 41.

Sebastian Dienst

89

C. Lawful processing of personal data in companies under the GDPR

tipping the final balance in favour of the data controller to find a legal ground in GDPR, art. 6, para 1, subpara f).133 (5) Documentation of balance test

In view of the strict accountability principle (see section C.I.7., → mn. 351), when relying on GDPR, art. 6, para 1, subpara f) as a legal ground for processing, businesses will have to carefully and comprehensively document their compliance with the requirements of the balancing test. Businesses should document the steps of the test and relevant factors taken into account in detail in order to be able to demonstrate the complete and correct application of the balancing test.134 From a practical point of view, it will certainly be useful to draw a blueprint of the key steps outlined above.135 428 Furthermore, the controller has to provide the data subject with the information on the legitimate interests pursued by the controller or by a third party (GDPR, art. 13, para 1 subpara d), art. 14, para 2, subpara b), see section D.IV.2, → mn. 619 et seqq.). 427

3. Legitimisation of data processing by consent

429 Pursuant to GDPR, art. 6, para 1, subpara a) processing of personal data may also be lawful if and to the extent “the data subject has given consent to the processing of his or her personal data for one or more specific purposes”.

430 In contrast to GDPR, art. 6, para 1, subparas b) to f), GDPR, art. 6, para 1, subpara a) does not explicitly stipulate any limitation of the data processing on the basis of consent to what is necessary. However, due to the general principle of data minimisation (section C.I.3.), closely linked to the principle of purpose limitation (see section C.I.2., → mn. 261 et seqq.), any data processing on the basis of consent also has to be limited to what is necessary (see section C.I.3.a), → mn. 315 et seqq. for details).

a) Notion of consent

431 Pursuant to GDPR, art. 4, para 11 “‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

432 The quite similar concept of consent of Directive 95/46, art. 2, para h) and its key elements have been transposed into Member State law with considerable discrepancies, which has led to significant divergences in its national interpretation and application so far.136 GDPR, art. 4, para 11 establishes a universal definition for consent applicable in all Member States, clearing at least the textual discrepancies created by the diverging approaches of Member State law. In comparison to the otherwise nearly identical definition of Directive 95/46, art. 2, para h), the GDPR adds the requirements of an “unambiguous” indication “by a statement or by a clear affirmative action” to the definition of consent. However, most of the key elements of consent are still not clearly defined by the GDPR. Therefore, it remains to be seen whether and how quickly the divergences in the interpretation and application of the concept of consent in the Member States will actually merge into a consistent approach.

433 However, in its 2011 opinion on the definition of consent, the Art. 29 Working Party already described in detail the common position of the data protection authorities of the Member States on the interpretation and application of the concept of consent of Directive 95/46, art. 2, para h), giving practical guidelines for its implementation.137 From a business perspective, it seems reasonable to adhere to these practical guidelines as far as they are applicable to the provisions of the GDPR, until the new Board issues any new opinion or guidance on the application and implementation of the principle of purpose limitation specifically under the GDPR.

133 Cf. WP 217, 41.
134 Cf. WP 217, 43.
135 Cf. WP 217, 56.
136 For instance, under Directive 95/46, “consent as a general concept is not defined in French data protection legislation, but its meaning has been precisely and consistently explained in the jurisprudence of the data protection authority (CNIL), in relation to the definition contained in the Data Protection Directive. In the UK, it has been developed by common law in reference to the wording of the Directive. In addition, consent has sometimes been explicitly defined in specific sectors, for instance in the context of e-privacy, e-government or e-health”, WP 187, 6; in its evaluation of the implementation of Directive 95/46, the Commission states that “several Member States require the consent to be “unambiguous” (e.g. Portugal, Spain, Sweden), given “expressly” (e.g. Cyprus) or “explicit” (e.g. Greece, Luxembourg). In some Member States, the consent for data processing must be, in principle, in writing (Germany, Italy). Poland requires a “declaration of will”, which “cannot be alleged or presumed on the basis of the declaration of will of other content”, but does not particularise the elements “free, specific and informed”. On the contrary, some other Member States (e.g. France, Ireland, Romania and UK) do not provide a definition of “consent” in their national data protection laws. In practice, this leaves room for considering, in certain circumstances, that “consent” to the processing of (non-sensitive) data is implied, as it is the case in the UK. In some cases it is not even clear what would constitute freely given, specific and informed consent to data processing”, Commission, Commission Staff Working Paper, Impact Assessment, Brussels, 25.1.2012 SEC(2012) 72 final, Annex 2, 10.
137 WP 187.

aa) Indication of data subject’s wishes signifying agreement

434 First of all, consent requires an “indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of his or her personal data for one or more specific purposes.”

(1) Statement or clear affirmative action

435 In comparison to the otherwise nearly identical definition of Directive 95/46, art. 2, para h), the GDPR adds the requirement of an indication “by a statement or by a clear affirmative action” to the definition of consent, clarifying that the lack of any action, i.e. the absence of any behaviour, or “passive behaviour”,138 cannot be interpreted as an indication of agreement. Pursuant to GDPR, recital 32 the following should therefore not constitute consent:
– silence
– pre-ticked boxes
– inactivity

436 Therefore, in particular in online environments, opt-out mechanisms with pre-ticked checkboxes are not considered reliable instruments for valid consent under the GDPR.

138 Cf. WP 187.

(2) Written or oral consent

437 Other than that, the form of the indication is not defined in GDPR, art. 4, para 11, opening up the possibility of quite a wide understanding of the scope of such an indication. In particular, unlike some Member State laws under Directive 95/46, GDPR, art. 4, para 11 does not require a “written” indication of agreement. Pursuant to GDPR, recital 32 consent could be given, for instance, by
– a written statement, including by electronic means, or
– an oral statement.

(3) Consent by electronic means

438 GDPR, recital 32 explicitly allows consent by electronic means, including by
– ticking a box when visiting an internet website,
– choosing technical settings for information society services.

439 GDPR, recital 32 stipulates that “[i]f the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.” However, the GDPR does not provide any further guidance on this restriction, leaving quite some legal uncertainty, in particular on what is “unnecessarily disruptive”. Therefore, until the future Board, the ECJ or preferably the European legislator have given further guidance on this, businesses should connect the consent request as closely as possible to the use of the services.

(4) Implied consent

440 Different from GDPR, art. 9, para 2, subpara a), GDPR, art. 4, para 11 and GDPR, art. 6, para 1, subpara a) do not require “explicit” consent. Quite the contrary, pursuant to GDPR, recital 32 consent could also include “another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data”.

441 Therefore, it may be argued that “implied” (or “inferred”)139 consent may also constitute valid consent for the processing of other than special categories of personal data (see section C.II.4.a), → mn. 325), as long as the data subject’s conduct signifies agreement to the processing. However, from a business perspective, as the controller has to be able to demonstrate that the data subject has consented to the processing of his personal data (GDPR, art. 7, para 1, see section C.II.3.d), → mn. 488), obtaining explicit consent may be preferable in many situations.

(5) Limitation to processing of personal data of the data subject

442 Pursuant to GDPR, art. 4, para 11 and GDPR, art. 6, para 1, subpara a) consent of the data subject may only legitimise the processing of the consenting data subject’s own personal data.

443 Therefore, in situations where personal data refer to more than one data subject, consent would have to be obtained from each data subject individually. However, there may also be situations in which the processing of personal data of other data subjects involved may be legitimised by other legal grounds (for instance, GDPR, art. 6, para 1, subpara f)).

bb) Freely given

444 Secondly, the indication of agreement needs to be “freely given”. Approaching this requirement from a negative perspective, GDPR, recital 42 states that “[c]onsent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.” In other words, “[c]onsent can only be valid if the data subject is able to exercise a real choice, and there is no risk of deception, intimidation, coercion or significant negative consequences if he/she does not consent.”140

(1) Clear imbalance between controller and data subject

445 Pursuant to GDPR, recital 43, sentence 1 “[i]n order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller”. However, the GDPR does not provide any further specification of this quite vague notion of “imbalance”.141

446 From a business perspective, such an imbalance may especially occur in B2C relationships,142 particularly in situations where a business has a monopoly status and the consumer is dependent on the services of the company. Essentially, this creates quite some uncertainty for consent in B2C contexts and could render consent useless in many business situations. Until the future Board, the ECJ or preferably the European legislator have given further guidance on this, businesses should carefully assess whether alternative legal grounds could be used instead of consent in situations where any kind of imbalance might be assumed.

139 WP 187, 25.
140 WP 187, 12.
141 In contrast to the initial Draft of a General Data Protection Regulation of the Commission of 25 January 2012, Document No. 2012/0011 (COD), the notion of imbalance is only mentioned in the recitals but not in the provisions of the GDPR.
142 Recital 34 of the initial Draft of a General Data Protection Regulation of the Commission of 25 January 2012, Document No. 2012/0011 (COD), did mention processing by the employer of employees’ data in the employment context as a typical case of a clear imbalance. However, as this example was dropped in the Trilogue negotiations, it is reasonable to assume that consent in employment contexts is not excluded as a general rule.

(2) Horizontal and vertical restriction of interconnection

447 Furthermore, pursuant to GDPR, art. 7, para 4 “[w]hen assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.” Even stricter, GDPR, recital 43 stipulates that “[c]onsent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance”.

448 Essentially, GDPR, art. 7, para 4 and GDPR, recital 43 stipulate two different major restrictions on consent:
– The performance of a contract, including the provision of a service, must not be conditional on consent to the processing of personal data that is not necessary for the performance of that contract (vertical restriction on interconnection)
– If appropriate in the individual case, the controller must allow separate consent to be given to different personal data processing operations (horizontal restriction on interconnection)

449 As regards the vertical restriction, GDPR, art. 7, para 4 seems to leave some room for argumentation as to whether a connection between consent and the performance of a contract is appropriate in the individual case. Therefore, it may be argued that the strict presumption of GDPR, recital 43 is incompatible with GDPR, art. 7, para 4. However, it may also be seen as an indication of a strict interpretation of GDPR, art. 7, para 4. Regarding the horizontal restriction, the GDPR does not further clarify in which cases separate consents will be “appropriate”, leaving quite some legal uncertainty for businesses as to the “granularity”143 of consent and calling for clarification by the future Board, the ECJ or preferably the European legislator. For the time being, businesses should adhere to a strict interpretation of the restrictions and avoid any vertical or horizontal interconnections in order to minimise the risk of administrative fines.

143 Cf. WP 187, 18 regarding the need for granularity in the obtaining of consent.

cc) Specific

450 Thirdly, the indication of agreement must be “specific”. The GDPR does not define the term “specific”. According to the Art. 29 Working Party, “[t]o be specific, consent must be intelligible: it should refer clearly and precisely to the scope and the consequences of the data processing. It cannot apply to an open-ended set of processing activities”.144 In short, “blanket consent without specifying the exact purpose of the processing is not acceptable”.145 Furthermore, GDPR, recital 32 states that “[c]onsent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them.” As a result, consent has to refer to all purposes of the intended processing.

dd) Informed

451 Fourth, valid consent requires an “informed” indication of agreement. GDPR, recital 42, sentence 4 states that “[f]or consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended.” Furthermore, the data subject must also be informed of his right to withdraw consent (GDPR, art. 7, para 3, sentence 3, see section C.II.3.e), → mn. 475 et seqq.).

452 In order to comply with the extensive information obligations of GDPR, art. 13 and 14, the controller will have to provide the data subject with significantly more information (see section D.IV.2., → mn. 619 et seqq.). Whether such extensive information is actually also a condition for an “informed” consent may be contested on the grounds of GDPR, recital 42, sentence 4. However, in view of compliance with the fairly broad principle of transparency (see section C.I.1.c), → mn. 32) as a general condition for any lawful processing, businesses should nevertheless adhere to the more detailed information requirements. In particular, in cases where consent is obtained at the moment of collection of personal data, the information to be provided should coincide with what is listed in GDPR, art. 13.

144 WP 187, 17 with further details.
145 WP 187, 17 with further details.

ee) Unambiguous

453 Finally, GDPR, art. 4, para 11 requires an “unambiguous” indication of agreement.


454 This criterion was also already part of the requirements for valid consent under Directive 95/46, art. 7, para a), in addition to the criteria set forth under Directive 95/46, art. 2, para h).

455 The GDPR does not define the term “unambiguous” either. According to the Art. 29 Working Party, “[f]or consent to be unambiguous, the procedure to seek and to give consent must leave no doubt as to the data subject’s intention to deliver consent. In other words, the indication by which the data subject signifies his agreement must leave no room for ambiguity regarding his/her intent. If there is a reasonable doubt about the individual’s intention, there is ambiguity.”146 Given this understanding, the term “unambiguous” reinforces the notion that consent may only be given “by a statement or by a clear affirmative action” (see section C.II.3.a)aa)(1), → mn. 435).147

456 From a practical point of view, the requirement of “unambiguity” compels data controllers to establish robust procedures and mechanisms for individuals to deliver their consent which leave no doubt of their agreement to the processing of personal data.148

b) Consent in the context of a written declaration which also concerns other matters

457 Pursuant to GDPR, art. 7, para 2 consent may also be given in the context of a written declaration (including by electronic means, see GDPR, recital 32) which also concerns other matters. However, in such a case, pursuant to GDPR, art. 7, para 2 “the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language”.149

458 Apart from these quite vague requirements, the GDPR does not provide any further specific details on the design of consent embedded in written declarations concerning other matters, leaving quite some legal uncertainty but also room for argumentation by businesses. A clear distinction of consent from the other content of a declaration may be achieved by highlighting the consent declaration in colour, by bolding and/or underlining as well as framing.

146 WP 187, 21.
147 Cf. also WP 187, 36 f. regarding the suggestion to include “unambiguous” in the definition of consent.
148 Cf. WP 187, 21, 25 with several practical examples regarding the requirement of “unambiguity”.
149 Cf. also GDPR, recital 42, sentence 3: “In accordance with Council Directive 93/13/EEC a declaration of consent pre-formulated by the controller should be provided in an intelligible and easily accessible form, using clear and plain language and it should not contain unfair terms.”


c) Consent of data subjects lacking full legal capacity, in particular children

aa) Consent of children in relation to information society services

459 In relation to the offer of information society services directly to a child, GDPR, art. 8 imposes special conditions applicable to consent. Additionally, GDPR, art. 17, para 1, subpara f) provides a specific right of the data subject to erasure of personal data which have been collected in relation to the offer of information society services referred to in GDPR, art. 8, para 1 (see section D.IV.5., → mn. 648).

(1) Information society services

460 Pursuant to GDPR, art. 4, para 25, which refers to Council Directive 2015/1535,150 art. 1, para 1, subpara b), information society service means “any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient”.

461 Typical examples of such information society services are, for instance, online information services (such as online newspapers), online selling of products and services, online entertainment services and online social networks.

(2) Direct offer to a child

462 The special conditions applicable to the consent of children only apply in relation to information society services offered “directly to a child”. However, pursuant to GDPR, recital 38, sentence 3 “[t]he consent of the holder of parental responsibility should not be necessary in the context of preventive or counselling services offered directly to a child.”

463 It seems reasonable to assume that such a direct offer of information society services requires that the relevant offer not only concerns products or services for children but specifically aims at attracting children’s attention, for instance by using design, illustration and language appropriate for children. In other words, the relevant information society service would have to be specifically designed to be used by children. However, the GDPR does not provide any further details on the notion of a direct offer, leaving quite some room for interpretation. In order to mitigate the risk of administrative fines, businesses should therefore consider adhering to the age rules of GDPR, art. 8 for information society services in general.

(3) Age thresholds

464 Where a controller offers information society services directly to a child, consent of this child is only valid where the child is at least 16 years old. Where the child is below the age of 16 years, such processing on the basis of consent shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child (cf. GDPR, art. 8, para 1).

465 The GDPR does not specifically regulate consent of data subjects above the age of 16 years until the age of majority, which may be higher and may also vary between the Member States. However, it seems reasonable to assume that the lack of such specific rules indicates that valid consent of data subjects above the age of 16 does not require the authorisation of the holder of parental responsibility under the GDPR.

466 The GDPR allows Member States to “provide by law for a lower age for those purposes provided that such lower age is not below 13 years” (GDPR, art. 8, para 1, subpara 2). Therefore, businesses will also have to be aware of any specific Member State law adapting the age threshold of GDPR, art. 8, para 1. From a business perspective, this requires a careful evaluation of the applicable laws, especially in a cross-border context. In particular for services offered in different Member States, businesses should consider adhering to the harmonised age threshold of 16 years to avoid the implementation of different measures to comply with any diverging Member State legislation.

150 Council Directive (EU) 2015/1535 of 9 September 2015 laying down a procedure for the provision of information in the field of technical regulations and of rules on Information Society services (L241/1).

(4) Age and authorisation verification mechanisms

467 Pursuant to GDPR, art. 8, para 2 “[t]he controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.”

468 An effective age and authorisation verification may prove quite challenging for businesses. Harmonised best practice procedures for effectively and reliably verifying a child’s age and parental authorisation have yet to be established. Essentially, an effective procedure would require a two-step test:
– Age confirmation and verification: In a first step, the data subject would be required to confirm his age, for instance by entering the information into a form. However, such a mechanism could easily be circumvented by entering a false age. Therefore, an effective age verification process would require further steps to actually verify the information provided.
– Request for authorisation and verification: In a second step, depending on the result of the first step, authorisation of the holder of parental responsibility would have to be requested. For instance, such a request could be implemented through a double-opt-in mechanism requiring parents to confirm their child’s use of the service by e-mail. However, such a mechanism could also easily be circumvented by entering a false e-mail address. Therefore, an effective authorisation process would require further steps to actually verify that the authorisation is provided by the holder of parental responsibility.


469 From a business perspective, whether reliable verification of the age of the data subject and of the authorisation of the holder of parental responsibility could actually be achieved with reasonable efforts seems highly questionable. However, as the open-ended criterion of “reasonable efforts” is not defined by the GDPR, businesses will have to deal with quite significant legal uncertainty until the Board, the ECJ or preferably the European legislator give further guidance.

bb) Other consent of children and other data subjects lacking full legal capacity

470 Apart from the specific conditions for consent in relation to information society services, there are no particular general rules on obtaining the consent of data subjects lacking full legal capacity, including children.

471 Rules regarding the capacity to consent are not harmonised in the EU and may therefore vary from Member State to Member State.151 This absence of harmonisation leaves quite some legal uncertainty. Businesses will therefore have to carefully assess the conditions of the individual Member States for delivering valid consent with regard to legal capacity. Such an assessment may well go beyond the scope of data protection law and will most likely particularly touch on civil law issues.

d) Ability to demonstrate consent

472 As a specific expression of the principle of accountability (see section C.I.7., → mn. 351), pursuant to GDPR, art. 7, para 1 “[w]here processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data”.

473 Given this strict burden of proof, controllers are required to demonstrate that they have effectively obtained consent. From a practical perspective, businesses will be compelled to establish standard practices and mechanisms to seek and prove consent.152 The type of these mechanisms will certainly depend on the relevant context.

474 The GDPR does not provide guidance on specific and adequate tools of documentation for that purpose. In situations where consent is given by electronic means, businesses should at least store the declaration of consent together with the name of the data subject or another reliable identifier (e-mail address, etc.) and the time of the consent (“timestamp”). It may also be helpful to use double-opt-in procedures where the data subject has to re-confirm the consent via e-mail or other electronic messaging services. However, it may prove challenging to provide absolutely certain evidence of the identity of the data subject in online environments.

151 Cf. WP 187, 28, 34.
152 Cf. WP 187, 37.


e) Right to withdraw consent

475 GDPR, art. 7, para 3, sentence 1 expressly stipulates that “[t]he data subject shall have the right to withdraw his or her consent at any time”, which was not explicitly stated but implicit in Directive 95/46.153 The data subject’s right to withdrawal is unconditional. In particular, it does not require the data subject to give any reasons for a withdrawal.

476 This right to withdraw consent is, in a sense, the “flip side” of a freely given consent. Accordingly, GDPR, art. 7, para 3, sentence 4 requires that “[i]t shall be as easy to withdraw as to give consent”. Therefore, businesses will have to put in place standard practices and mechanisms allowing data subjects to easily withdraw consent.

477 GDPR, art. 7, para 3, sentence 2 clarifies that “[t]he withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal”. In other words, withdrawal is not “retroactive”, but may only prevent any further processing on the basis of consent subsequent to its withdrawal. Basically, the withdrawal of consent does not affect the lawfulness of any further processing based on other applicable legal grounds either. Therefore, as a general rule, even if the data subject has withdrawn his consent, his data may be further processed if and to the extent that another legal ground applies. Accordingly, pursuant to GDPR, art. 17, para 1, subpara b), if the data subject withdraws consent, the right to erasure only applies in cases where there is no other legal ground for the processing (see section D.IV.5., → mn. 648). However, it may be argued that a withdrawal of consent would have to be taken into account in the evaluation of the interests of the data subject in the balance test for any further processing under GDPR, art. 6, para 1, subpara f) (see section C.II.2.e)cc), → mn. 405 et seqq.), particularly with regard to the reasonable expectations of the data subject (see section C.II.2.e)cc)(2), → mn. 417).

478 For the purpose of an informed and freely given consent (see section C.II.3.a)bb) and dd), → mn. 444 and 451), the data subject must also be informed of the right to withdraw consent prior to giving consent (GDPR, art. 7, para 3, sentence 3).
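As an added example that is not part of the book, the following Python sketch implements the record-keeping described in sections d) and e) above: one record per purpose holding a reliable identifier, the declaration wording and a timestamp (mn. 474), a withdrawal that is as easy as giving consent and is not retroactive (mn. 476 f.), and entry checks that refuse silence or pre-ticked boxes, missing purposes, a missing withdrawal notice and consent on which the service is made conditional. All class and field names, the sample data subjects and the timestamps are this example's own constructions, not a library API.

```python
# Added example, not from the book: a minimal consent ledger for GDPR, art. 4, para 11 and art. 7.
from __future__ import annotations

import hashlib
from dataclasses import asdict, dataclass
from datetime import datetime, timezone
from typing import Optional


class InvalidConsent(ValueError):
    """The request does not meet the conditions for valid consent and is not recorded."""


@dataclass(frozen=True)
class ConsentRequest:
    """What the consent dialogue collected (field names are this example's own)."""
    subject_id: str                  # reliable identifier, e.g. e-mail address
    controller: str                  # identity of the controller shown to the subject (recital 42)
    purposes: tuple[str, ...]        # purposes actively ticked, one box per purpose (granularity)
    declaration_text: str            # exact wording presented to the data subject
    affirmative_action: bool         # False for silence, a pre-ticked box or inactivity (recital 32)
    withdrawal_right_shown: bool     # informed of the right to withdraw (art. 7, para 3, sentence 3)
    service_conditional_on_it: bool  # service conditional on consent it does not need (art. 7, para 4)


@dataclass
class ConsentRecord:  # one record per purpose, so consent is given and withdrawn per purpose
    subject_id: str
    controller: str
    purpose: str
    declaration_sha256: str  # the wording itself is kept in the ledger under this hash
    given_at: datetime       # timestamp of the consent
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    def __init__(self) -> None:
        self._records: list[ConsentRecord] = []
        self._declarations: dict[str, str] = {}  # sha256 -> wording, kept as evidence

    def record_consent(self, req: ConsentRequest, now: datetime) -> list[ConsentRecord]:
        """Check the request against art. 4, para 11 / art. 7, then store one record per purpose."""
        checks = [
            (req.affirmative_action, "silence, pre-ticked boxes or inactivity are not consent (recital 32)"),
            (bool(req.purposes), "consent must name one or more specific purposes (art. 4, para 11)"),
            (req.withdrawal_right_shown, "subject not informed of the right to withdraw (art. 7, para 3)"),
            (not req.service_conditional_on_it, "service conditional on unnecessary consent (recital 43)"),
        ]
        for ok, reason in checks:
            if not ok:
                raise InvalidConsent(reason)
        digest = hashlib.sha256(req.declaration_text.encode("utf-8")).hexdigest()
        self._declarations[digest] = req.declaration_text
        new = [ConsentRecord(req.subject_id, req.controller, p, digest, now) for p in req.purposes]
        self._records.extend(new)
        return new

    def withdraw(self, subject_id: str, now: datetime, purpose: Optional[str] = None) -> int:
        """One call and no reason required: withdrawing must be as easy as consenting (art. 7, para 3)."""
        hits = [r for r in self._records if r.subject_id == subject_id and r.withdrawn_at is None
                and (purpose is None or r.purpose == purpose)]
        for r in hits:
            r.withdrawn_at = now
        return len(hits)

    def processing_lawful(self, subject_id: str, purpose: str, at: datetime) -> bool:
        """Consent covers given_at up to (not including) withdrawn_at: withdrawal is not retroactive."""
        return any(r.subject_id == subject_id and r.purpose == purpose and r.given_at <= at
                   and (r.withdrawn_at is None or at < r.withdrawn_at) for r in self._records)

    def evidence(self, subject_id: str) -> list[dict]:
        """What the controller must be able to demonstrate under art. 7, para 1, as plain dicts."""
        return [dict(asdict(r), declaration_text=self._declarations[r.declaration_sha256])
                for r in self._records if r.subject_id == subject_id]


def demo() -> dict:
    """Constructed walk-through with fixed timestamps so the outcome is reproducible."""
    def at(month: int, day: int) -> datetime:
        return datetime(2018, month, day, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    ledger.record_consent(ConsentRequest(
        "alice@example.com", "Example GmbH", ("newsletter", "usage_analytics"),  # constructed sample
        "I agree that Example GmbH uses my e-mail address for its newsletter and analyses my use "
        "of the service. I can withdraw this consent at any time.",
        affirmative_action=True, withdrawal_right_shown=True, service_conditional_on_it=False), at(5, 25))
    ledger.withdraw("alice@example.com", at(6, 1), purpose="usage_analytics")
    rejected = ""  # reason why the pre-ticked request below is refused at the door
    try:
        ledger.record_consent(ConsentRequest("bob@example.com", "Example GmbH", ("newsletter",),
                                             "pre-ticked box", False, True, False), at(5, 25))
    except InvalidConsent as exc:
        rejected = str(exc)
    return {
        "analytics_before_withdrawal": ledger.processing_lawful("alice@example.com", "usage_analytics", at(5, 26)),
        "analytics_after_withdrawal": ledger.processing_lawful("alice@example.com", "usage_analytics", at(6, 2)),
        "newsletter_after_withdrawal": ledger.processing_lawful("alice@example.com", "newsletter", at(6, 2)),
        "records_kept": len(ledger.evidence("alice@example.com")),
        "pre_ticked_rejected": rejected.startswith("silence"),
    }
```

Note that the ledger only proves what the dialogue recorded; as mn. 474 observes, proving the identity of the online data subject behind the identifier remains a separate problem.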

f) Need for adaption and obtaining renewed consent

479 Pursuant to GDPR, recital 171, “[w]here processing is based on consent pursuant to Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of this Regulation, so as to allow the controller to continue such processing after the date of application of this Regulation.”

480 As the quite similar concept of consent of Directive 95/46, art. 2, para h) has been transposed into Member State law with considerable discrepancies (see section C.II.3.a), → mn. 431 et seqq.), businesses in some Member States may face quite an extensive need for adaptation. However, even in Member States which interpreted the requirements of Directive 95/46 quite strictly, businesses will have to carefully assess whether consents already obtained meet all requirements of the GDPR, especially with regard to the new express requirement of a “clear affirmative action” (see section C.II.3.a)aa)(1), → mn. 435), the specific rules on consent in the context of written declarations (see section C.II.3.b), → mn. 457) and the express need to inform the data subject of the right to withdrawal (see section C.II.3.e), → mn. 475 et seqq.). If the manner in which the consent has been given is not in line with the conditions of the GDPR, businesses relying on consent have to adjust to the fact that obtaining renewed consent will be inevitable.

153 Cf. WP 187, 33.

Sebastian Dienst

C. Lawful processing of personal data in companies under the GDPR

4. Processing of special categories of personal data

481 Similar to Directive 95/46, art. 8, GDPR, art. 9 regulates the processing of certain special categories of personal data (see section E.III., → mn. 1029 et seqq. for details). Special categories of data are:

– data revealing racial or ethnic origin
– data revealing political opinions
– data revealing religious or philosophical beliefs
– data revealing trade union membership
– genetic data
– biometric data for the purpose of uniquely identifying a natural person
– data concerning health
– data concerning a natural person’s sex life or sexual orientation

482 The processing of such data is in principle prohibited, subject to the exceptions exhaustively listed in GDPR, art. 9, para 2. In short, the prohibition does not apply if and to the extent:

– the data subject has given explicit consent (GDPR, art. 9, para 2, subpara a); see section E.III., → mn. 1029 et seqq.), or
– one of the statutory exceptions of GDPR, art. 9, para 2, subparas b) to j) applies (see section E.III. for details).

a) Additional requirement of a legal ground

483 Some of the exceptions listed in GDPR, art. 9, para 2 are similar to the legal grounds set forth in GDPR, art. 6, para 1. However, while in some cases GDPR, art. 9, para 2 imposes stricter requirements than the similar legal grounds of GDPR, art. 6, para 1, some exceptions listed in GDPR, art. 9, para 2 do not appear equivalent to or stricter than the legal grounds listed in GDPR, art. 6, para 1.154

484 This raises the question of the relationship between these two provisions. GDPR, recital 51, sentence 5 clarifies that, in addition to the specific requirements for the processing of special categories of personal data, the general principles and other rules of the GDPR should apply, “in particular as regards the conditions for lawful processing”. In other words, GDPR, art. 6 and 9 apply cumulatively. That means that even if one of the exceptions of GDPR, art. 9, para 2 applies, the processing of special categories of personal data still requires a sufficient legal ground under GDPR, art. 6.

b) Explicit consent

485 Pursuant to GDPR, art. 9, para 2, subpara a) the prohibition of processing of special categories of personal data does not apply if the data subject has given explicit consent to the processing of those personal data for one or more specified purposes. In contrast to the legal ground of GDPR, art. 6, para 1, subpara a) (see section C.II.3.a)aa)(4), → mn. 440), the exception of GDPR, art. 9, para 2, subpara a) requires consent to be “explicit”. However, the GDPR does not define the term “explicit”. According to the Art. 29 Working Party, “[i]n legal terms ‘explicit consent’ is understood as having the same meaning as express consent. It encompasses all situations where individuals are presented with a proposal to agree or disagree to a particular use or disclosure of their personal information and they respond actively to the question”.155 In other words, the requirement of explicit consent typically excludes implied (or “inferred”) consent.156 Furthermore, such explicit consent must specifically refer to the relevant special categories of personal data.

486 Pursuant to GDPR, art. 9, para 2, subpara a), Union or Member State law may provide that the prohibition of processing of special categories of personal data may not be lifted by the data subject’s consent. Therefore, in particular in cross-border scenarios, businesses will have to carefully assess whether consent may be relied upon for the processing of special categories of personal data.

c) Statutory exceptions

487 GDPR, art. 9, para 2, subparas b) to j) and para 3 provide further statutory exceptions without the need for the data subject’s consent (see section E.III., → mn. 1029).

154 Cf. WP 217, 14 on the similar relationship of Directive 95/46, art. 7 and 8.
155 WP 187, 25.
156 Cf. WP 187, 25.


d) Further conditions pursuant to Member State law

488 Pursuant to GDPR, art. 9, para 4 “Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health” (see section E.III., → mn. 1029 et seqq. for details). Therefore, businesses will also have to be aware of any specific Member State law imposing further conditions on the processing of these categories of personal data. From a business perspective, this requires a careful evaluation of the applicable laws, particularly in a cross-border context.

5. Processing of personal data relating to criminal convictions and offences

489 Similar to Directive 95/46, art. 8, para 5, GDPR, art. 10 specifically limits the processing of personal data relating to criminal convictions and offences or related security measures. Such processing may only take place “under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects”. Furthermore, “[a]ny comprehensive register of criminal convictions shall be kept only under the control of official authority”.

490 In the private sector, these restrictions may be particularly relevant for media businesses, especially regarding the reporting of criminal trials. However, as GDPR, art. 10 only applies to processing of personal data based on the legal grounds of GDPR, art. 6, para 1, the restrictions may not be applicable insofar as Member States provide exemptions or derogations regarding the right to freedom of expression and information (see GDPR, art. 85, para 2).


D. General conditions for data processing in companies under the GDPR

491 Business entities processing personal data have had to comply with data protection rules in their daily business since the transposition of Directive 95/46 and the ePrivacy Directive into national law. However, the GDPR provides for extensive new requirements and obligations for such companies, which will therefore have to implement new structures and processes to meet the increased demands. This adaptation process should be completed before 25 May 2018, when the GDPR will apply (GDPR, art. 99).

I. Data privacy in private companies

1. Company as controller

492 In GDPR, art. 4, no. 7 a controller is defined as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”. As legal persons, companies can be considered controllers if they determine the purposes and means of data processing (for more details see section B.II.1.a), → mn. 122). The same principles apply to individuals processing personal data for business purposes.

493 Regarding the allocation of responsibilities (see section D.I.2.c), → mn. 499 et seqq.), the controller as such, rather than a specific natural person employed by and/or acting for the controller, will be classified as the controller. Unless there are clear elements indicating that a natural person shall be responsible (e.g. because the person used data for his or her own purposes), the respective business entity shall be considered ultimately responsible for the data processing, although it effectively acts through natural persons authorised to act on its behalf.1

2. Concept of Joint Controllers (GDPR, art. 4, no. 7 and GDPR, art. 26)

a) Definition

494 GDPR, art. 26, para 1 describes the concept of joint controllers: “Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers”. Directive 95/46, art. 2, subpara d) already implied this understanding of a joint controller, but no legal framework regarding joint control was provided therein. Further, not all national legislators transposed the concept of joint controllership into national data protection law (e.g. Germany), so that this legal concept will be completely new in many Member States.

495 The concept of joint control offers the possibility of pluralistic control in cases where multiple actors are involved in the processing of personal data. The Art. 29 Working Party recognises an increasing number of such cases of pluralistic control. This development can be explained by the growing tendency towards organisational differentiation in the private sector through corporate diversification as well as the increasing use of subcontractors and outsourcing of services (for more information on outsourcing see section E.II., → mn. 961 et seqq.).2

496 Controllers should check whether existing cooperation with other companies of their group of undertakings, customers or service providers will have to be classified as joint control under the GDPR. In that case, the existing contracts should be revised to reflect the new GDPR requirements.

1 WP 169, 32.

Joachim Schrey

b) Forms

497 Considering the many possible areas of application and the complex reality of data processing, there is an almost infinite variety of possible forms of joint controllership. There may be equally involved actors jointly determining the purposes and means of the data processing and both being responsible to the same extent (“full-fledged joint control”). Apart from that, there may be other forms of joint control in which the actors participate to different degrees or at different stages in the data processing and jointly define only parts of its purposes and means.

498 Regardless of the different forms of joint control, a substantive and functional approach should be taken when assessing joint control, focusing on whether the purposes and means are determined by more than one party. This also applies to cases where the parties have, e.g., contractually designated one party as a processor, but it in fact acts as a controller.3

c) Allocation of responsibilities between Joint Controllers

499 If joint control exists pursuant to the requirements described above, GDPR, art. 26, para 1 imposes the obligation on the joint controllers to “in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation”. According to GDPR, recital 79, a clear allocation of responsibilities is required in particular “where a controller determines the purposes and means of the processing jointly with other controllers or where a processing operation is carried out on behalf of a controller”.

500 Therefore, joint controllers have to allocate their responsibilities among themselves by agreeing on the purposes and means of the data processing. In doing so they have a certain degree of flexibility, as long as they fully comply with their obligations as controllers under data protection rules.

2 WP 169, 6, 17.
3 WP 169, 18 ff.

aa) Fulfilment of data subject’s rights

501 GDPR, art. 26, para 1 explicitly demands the allocation of responsibilities regarding the “exercising of the rights of the data subject”. According to GDPR, recital 79 the allocation is necessary in order to ensure the “protection of the rights and freedoms of data subjects”. Thus, the fulfilment of data subjects’ rights is a main goal of the allocation of responsibilities between joint controllers. The Art. 29 Working Party requires that “it should be made clear if every controller is competent to comply with all data subject’s rights or which controller is competent for which right”.4

502 In accordance with these requirements, the agreement between the joint controllers has to specify in a clear and comprehensive manner which party is responsible for the fulfilment of which data subject rights. It must be comprehensible which controller the data subjects can contact in case of complaints, questions, or requests for rectification of or access to personal data. A lack of clarity in a joint control agreement could be considered a lack of transparency, which would lead to the unlawfulness of the entire data processing.5 Moreover, a lack of clarity and transparency in the allocation of responsibilities may also lead to data subjects exercising their rights under the GDPR against each of the controllers in accordance with GDPR, art. 26, para 3, instead of only against the controller competent pursuant to the internal arrangement.

503 Thus, controllers should draft joint controller agreements very clearly and with great care, not only with respect to the rights of the data subjects.

bb) Fulfilment of obligations to inform pursuant to GDPR, art. 13 and 14

504 GDPR, art. 26, para 1 explicitly requires the joint controllers to allocate their information duties pursuant to GDPR, art. 13 and 14. These articles impose extensive information duties on a controller. According to GDPR, recital 60 the “controller should provide the data subject with any […] information necessary to ensure fair and transparent processing taking into account the specific circumstances and context in which the personal data are processed.” This includes, amongst others, information regarding the identity and contact details of the controller, the purposes of the processing and its legal basis (for a list of all information duties see GDPR, art. 13 and 14; see section D.IV.2.a), → mn. 619 et seqq.).

505 The joint controller agreement should therefore set out which of the joint controllers shall fulfil the described information duties towards the data subjects.

4 WP 169, 22.
5 WP 169, 24.


d) Formal requirements, GDPR, art. 26, para 2, sentence 2

506 GDPR, art. 26, para 2 determines that “the essence of the arrangement shall be made available to the data subject”. The Art. 29 Working Party demands that “a clear information notice is given to the data subjects, explaining the various stages and actors of the processing”.6

507 To fully comply with the obligations of a controller, controllers therefore have to document the agreements made with the other joint controllers and shall provide the data subjects with a summary of the main arrangements between them. This could be realised via privacy notices or by other means.

e) Joint and several responsibility and liability vis-à-vis the data subject

508 Pursuant to GDPR, art. 82 controllers shall be jointly and severally liable for damage caused by processing which infringes the GDPR, unless a controller proves that it is not in any way responsible for the event giving rise to the damage (GDPR, art. 82, paras 2 and 3). According to GDPR, art. 82, paras 4 and 5, in cases of joint control each controller shall be held liable for the entire damage in order to ensure effective compensation of the data subject, but may claim back from the other controller(s) involved that part of the compensation corresponding to their respective responsibility for the damage (for more details on responsibility and liability see section D.VII.2.d), → mn. 831). In conjunction with GDPR, art. 26, para 3, which states that “the data subject may exercise his or her rights under this Regulation in respect of and against each of the controllers”, this means that each controller can be held liable for the damage suffered by the data subject and that the data subject does not need to investigate how the joint controllers internally allocated their responsibilities.

f) Administrative fine

509 If the joint controllers infringe their obligations pursuant to GDPR, art. 26 described above, administrative fines can be imposed, according to GDPR, art. 83, para 4, subpara a), of up to 10,000,000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher (see section D.VII.1.a)(aa), → mn. 805).

3. Group Privilege?

a) Principle: no group privilege

510 A group privilege regarding data processing for groups of undertakings would be very helpful for the data exchange between the members of a group.

511 GDPR, art. 4, no. 19 defines ‘group of undertakings’ as “a controlling undertaking and its controlled undertakings”. GDPR, recital 37 specifies in detail that “a group of undertakings should cover a controlling undertaking and its controlled undertakings, whereby the controlling undertaking should be the undertaking which can exert a dominant influence over the other undertakings by virtue, for example, of ownership, financial participation or the rules which govern it or the power to have personal data protection rules implemented. An undertaking which controls the processing of personal data in undertakings affiliated to it should be regarded, together with those undertakings, as a group of undertakings”.

6 WP 169, 22.

512 National laws currently in force in the Member States generally do not provide a group privilege for companies in corporate groups. Nor does the GDPR explicitly provide for a group privilege.

b) Group privilege via concept of joint controllers

513 The concept of joint controllership, even if used by companies within a group of undertakings, does not mean any privilege regarding the transfer of data within the group, since the data protection rules cannot be circumvented by joint controllership. In fact, joint controllers need to fulfil the same general requirements for lawful data processing and transfer to each other as an individual controller.

c) Affiliation as a legitimate interest within GDPR, art. 6, para 1, subpara f) and recital 48

514 According to GDPR, recital 48 “controllers that are part of a group of undertakings or institutions affiliated to a central body may have a legitimate interest in transmitting personal data within the group of undertakings for internal administrative purposes, including the processing of clients’ or employees’ personal data. The general principles for the transfer of personal data, within a group of undertakings, to an undertaking located in a third country remain unaffected”.

515 Accordingly, data transfer between controllers within a group of undertakings can be lawful under the terms of GDPR, art. 6, para 1, subpara f). In this context, GDPR, recital 48 does privilege the purpose of internal administration and therefore makes the data transfer easier in this case. However, this does not establish a general group privilege, as the group of undertakings still has to comply with all other requirements for data processing, such as the consideration of conflicting interests of data subjects pursuant to GDPR, art. 6, para 1, subpara f).

516 Therefore, controllers will still have to check the lawfulness of every data transmission within the group of undertakings under the GDPR. Contractual arrangements determining a sufficient standard of data protection within the group, as well as transparency towards clients or employees regarding the data transfer, should help to attain lawfulness of the data transmission.

4. Responsibility for GDPR compliance

517 The GDPR does not assign responsibility for compliance with data protection law to a specific person or body within a controller or processor company. As a general principle, however, the management board is responsible for a company’s compliance with the GDPR. Management may not delegate the responsibility for GDPR compliance to the DPO; given the DPO’s role of monitoring compliance with the GDPR (cf. GDPR, art. 39, para 1, subpara b)), being responsible for the fulfilment of compliance efforts would mean a conflict of interests (cf. GDPR, art. 38, para 6). Details will be specified in the respective national laws of the Member States. Mostly, national law requires the management board to ensure the implementation of appropriate technical and organisational measures for compliance with the data protection rules.

518 As a result of the management board’s responsibility for compliance with data protection law, the board members can be held personally liable in case of data breaches, depending on the respective civil or criminal liability rules of the Member States’ national laws.

519 Especially in light of the increased administrative fines the controller may face, management boards should keep their responsibility and possible liability in mind when implementing business processes which involve the processing of personal data, and diligently consider measures for data protection compliance.

5. Controllers/processors not established in the European Union, GDPR, art. 27

520 If controllers or processors are not established in the EU (cf. GDPR, art. 3, para 2; see section B.III.2, → mn. 192), they have to designate a representative in the EU in writing pursuant to GDPR, art. 27, para 1. The term ‘representative’ is defined in GDPR, art. 4, no. 17 as “a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation”. As the representative may also be a legal person, companies or organisations can be appointed.

521 The representative shall act as a contact point for data subjects and supervisory authorities and therefore has to be established in one of the Member States where the data subjects whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, are located (GDPR, art. 27, paras 3 and 4).

522 By way of exception, the obligation to designate a representative does not apply where the processing is only occasional, does not include, on a large scale, special categories of data or personal data relating to criminal convictions and offences, and is unlikely to result in a risk to the rights and freedoms of natural persons; nor does it apply to public authorities or bodies (cf. GDPR, art. 27, para 2).

523 GDPR, recital 80 specifies that the representative acts on behalf of the controller or processor and performs tasks according to the mandate received from them. Although the designation of the representative does not affect the responsibility and liability of the controller or processor under the GDPR (cf. GDPR, art. 27, para 5), according to GDPR, recital 80 the representative can also be subject to enforcement proceedings in the event of non-compliance by the controller or processor. The representative can therefore be held liable if the controller or processor does not comply with its obligations under the GDPR. Companies and organisations within the EU appointed as representatives for companies outside the Union should keep this possible liability in mind when negotiating their respective contracts with the controller or processor they are acting for.

524 Controllers or processors infringing their obligation to designate a representative may be subject, according to GDPR, art. 83, para 4, subpara a), to an administrative fine of up to 10,000,000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher (see section D.VII.1.a)(aa), → mn. 805).

6. Records of processing activities, GDPR, art. 30

525 GDPR, art. 30 obliges each controller as well as each processor to maintain records of their processing activities. According to GDPR, recital 82 these records are intended to demonstrate the controller’s and processor’s compliance with the GDPR. GDPR, art. 30, paras 1 and 2 list in detail the mandatory contents of the records. Pursuant to GDPR, art. 30, para 3 the records shall be in writing, including in electronic form. For monitoring purposes, the controller or, where applicable, its representative (see section D.I.5, → mn. 520 et seqq.), or the processor shall make the records of their processing activities available to the supervisory authority on request (cf. GDPR, art. 30, para 4).

526 The controller’s obligation to notify supervisory authorities before any processing operation under Directive 95/46, art. 18 does not exist under the GDPR. Since the new obligation to maintain records effectively covers the same kind of information as the previous notification, it should not result in a major change for controllers. However, this is a completely new obligation for processors. Thus, processors will now have to implement structures to record the processing activities carried out on behalf of the controller.

527 According to GDPR, art. 30, para 5, the record obligation does not apply to enterprises or organisations employing fewer than 250 persons, unless the processing they carry out is likely to result in a risk to the rights and freedoms of data subjects, is not occasional, or includes special categories of data or personal data relating to criminal convictions and offences. This exception mirrors the risk-based approach in data protection, a concept already known under Directive 95/46 and extended by the GDPR.

528 Infringements of the record obligations described above may be penalised with administrative fines pursuant to GDPR, art. 83, para 4, subpara a) of up to 10,000,000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher (see section D.VII.1.a)(aa), → mn. 805).

7. Data protection by design and default, GDPR, art. 25

529 One of the new data protection principles introduced by the GDPR is “data protection by design and by default” as set forth in GDPR, art. 25.

a) Data protection by design

530 The principle of “data protection by design” requires the implementation of appropriate technical and organisational measures by the controller, both when determining the means for processing and at the time of the processing itself, in order to meet the GDPR requirements and protect the rights of data subjects (GDPR, art. 25, para 1). The underlying idea of this principle is that data protection shall be taken into account at every step of a product or service development in order to prevent infringements of data protection law at an early stage, so that cost-intensive modifications after completion of the product can be avoided. In light of the data-protection-by-design principle, controllers can no longer use the argument that modifications to a process or an application to ensure data protection compliance after its implementation are too expensive and therefore economically unreasonable, since it can always be countered by the argument that data-protection-compliant functionalities could have been implemented in the design phase to avoid extra costs at a later stage.

531 When deciding on the appropriate measures, the controller shall take into consideration

– the state of the art,
– the cost of implementation,
– the nature, scope, context and purposes of processing and
– the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing (GDPR, art. 25, para 1).

532 While Directive 95/46, art. 17 did contain an obligation for the controller to implement appropriate technical and organisational measures in order to protect personal data against unlawful access, the principle of data protection by design significantly extends this obligation. Data protection is no longer an “afterthought”, but a core issue from the very beginning of planning new products and services. For controllers this entails the implementation of compliance procedures and systems at the outset of product or process developments.

b) Data protection by default

533 Data protection by default, laid down in GDPR, art. 25, para 2, is described as the controller’s obligation to implement appropriate technical and organisational measures to ensure that, by default, only personal data which are necessary for each specific purpose of the processing are processed. This principle applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. The obligation serves the principle of data minimisation codified in GDPR, art. 5, para 1, subpara c).

534 Moreover, pursuant to GDPR, art. 25, para 2 the controller shall by default ensure that personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons, in order to strengthen the integrity and confidentiality of personal data. In this way, default settings shall lead to full data sovereignty of the data subject.

c) Possible measures and scope

535 GDPR, recital 78 proposes the following possible measures to realise the principles of data protection by design and default: “minimising the processing of personal data, pseudonymising personal data as soon as possible, transparency with regard to the functions and processing of personal data, enabling the data subject to monitor the data processing, enabling the controller to create and improve security features”. In addition, the Art. 29 Working Party specifies that “parties should focus on the provision of granular choices, enabling individuals to use a ‘do not collect’ option to schedule or quickly disable any collection, the prevention of location tracking, […] to enforce transparency and user control, and limit as much as possible the amount of data leaving devices by transforming raw data into aggregated data directly on the device”.7

536 Moreover, according to GDPR, recital 78 software designers, developers and manufacturers shall be encouraged to consider the principles of data protection by design and by default when developing and designing their products, services and applications, so as to enable controllers to fulfil their data protection obligations. This shall be taken into consideration even in the context of public tenders.8

d) Administrative fine

537 The enforcement of the new principles is supported by the administrative fine provisions in GDPR, art. 83. Under GDPR, art. 83, para 4, subpara a) administrative fines of up to 10,000,000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher, can be imposed if the controller fails to meet the described obligations under GDPR, art. 25 (see section D.VII.1.a)(aa), → mn. 805).

538 Further, whether and to what extent a controller has realised the principles of data protection by design and default in its data processing organisation may be used as an indicator of the degree of responsibility of the controller, taking into account the technical and organisational measures implemented, when deciding whether and in what amount administrative fines shall be imposed in any infringement case (GDPR, art. 83, para 2, subpara d)).

539 Therefore, controllers should not only meet the obligation of data protection by design and default in order to prevent administrative fines for respective infringements, but should also generally document their compliance with GDPR, art. 25 to secure an advantage in cases of other data breaches.

540 According to GDPR, art. 25, para 3 the certification mechanism pursuant to GDPR, art. 42 (see section D.III., → mn. 580 et seqq.) may be used as an element to demonstrate the controller’s compliance.

7 WP 240, 19.
8 Cf. WP 168, 3.

8. Data security, GDPR, art. 32

GDPR, art. 32 obliges both controller and processor to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk arising from processing of personal data. For this purpose, controllers and processors have to, firstly, evaluate the inherent risks and, secondly, establish measures to mitigate such risks in order to maintain security and to prevent data breaches under the GDPR (cf. GDPR, recital 83). a) Risk evaluation

542

When evaluating the possible risks, controllers and processors shall, according to GDPR, art. 32, para 2 take into account risks that are arising from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed. Pursuant to GDPR, recital 83 special attention should be paid to risks which may in particular lead to physical, material or non-material damage. b) Appropriate measures

When assessing possible appropriate measures, controllers and processors shall consider in particular the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons (GDPR, art. 32, para 1). 544 Besides, GDPR, art. 32, para 1 gives the following examples for possible appropriate measures: 543

– the pseudonymisation or encryption of personal data, – the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, – the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident and – a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. c) Control of subordinate natural persons 545

Moreover, pursuant to GDPR, art. 32, para 4 controllers and processors have to adopt measures to ensure that natural persons acting under their authority process personal data only on instructions from the controller, unless the said person is required to do so by Union or Member State law. This corresponds with the rule in GDPR, art. 29 that the processor or any natural person acting 114

Joachim Schrey

D. General conditions for data processing in companies under the GDPR

under the authority of the processor or controller may only process personal data on instructions from the controller. d) Administrative fine

According to GDPR, art. 83, para 4, subpara a): Infringements of the obli- 546 gations under GDPR, art. 32 may be penalised by administrative fines up to 10,000,000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher (see section D.VII.1.a)(aa), → mn. 805 et seqq.). Controllers and processors may demonstrate their compliance by adhering to an approved code of conduct as referred to in GDPR, art. 40 or an approved certification mechanism as referred to in GDPR, art. 42 (see section D.III., → mn. 580 et seqq.) (GDPR, art. 32, para 3). 9. Data Protection Impact Assessment, GDPR, art. 35 and 36

547 The GDPR introduced a new obligation on controllers to conduct data protection impact assessments (“DPIA”) pursuant to GDPR, art. 35 under certain circumstances and, where required, to consult with the supervisory authorities pursuant to GDPR, art. 36.

548 DPIAs are means to identify high risks to the rights of individuals resulting from new data processing operations prior to their start, to assess their likelihood and to identify possible counter-measures, safeguards and mechanisms suitable to mitigate these risks, to ensure the protection of personal data and to demonstrate the controller’s compliance with the GDPR. Although DPIAs are not an entirely new concept9 and are already carried out in different forms by some companies, the obligation for controllers to conduct such impact assessments was introduced for the first time by the GDPR. Directive 95/46, in contrast, solely encouraged Member States in its recital 53 to define by law specific, high-risk types of processing, but did not expressly require controllers to conduct DPIAs. Further, Directive 95/46 provided for a general, complex and cost-intensive obligation to notify all processing of personal data to the supervisory authorities, which turned out to improve data protection only in limited cases and rather led to administrative and financial burdens for controllers. Therefore, the indiscriminate general notification obligation of Directive 95/46 was replaced in the GDPR by procedures and mechanisms which focus on those types of processing operations likely to result in a high risk to the rights and freedoms of natural persons by virtue of their nature, scope, context and purposes (cf. GDPR, recital 89). This approach further reflects the risk-based approach contained as a core element of the accountability principle in the GDPR (see section C.I.7, → mn. 351).10

549 From a business perspective, the abolishment of the general notification obligation is intended to reduce administrative efforts despite consultations with the supervisory authorities that may still be necessary pursuant to GDPR, art. 36.

9 The Commission passed recommendations regarding the application of DPIAs in the context of new technologies like RFID (http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32009H0387&from=EN (as of 7.4.2017)) or Smart Meters (http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32012H0148&from=EN (as of 7.4.2017)).

a) In which cases are Data Protection Impact Assessments to be carried out?

550 As it is not generally compulsory to carry out DPIAs, controllers will have to evaluate in a first step whether they are obliged to execute a DPIA for a specific processing operation. For this purpose, controllers have to assess whether the processing is likely to result in a high risk to the rights and freedoms of natural persons, taking into account the nature, scope, context and purposes of the processing. Risky processing operations might be ones that are innovative, use new technologies, or operations for which a DPIA has not yet been carried out or has become necessary due to the time elapsed since the implementation of a specific processing (GDPR, recital 89).

551 GDPR, art. 35, para 3 lists exemplary cases in which DPIAs are to be carried out:

– systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling (see section E.V., → mn. 1146 et seqq.), and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
– processing on a large scale of special categories of data referred to in GDPR, art. 9, para 1, or of personal data relating to criminal convictions and offences referred to in GDPR, art. 10; or
– a systematic monitoring of a publicly accessible area on a large scale (e.g. permanent surveillance by use of optic-electronic devices (cf. GDPR, recital 91)).

552 Further exemplary cases of DPIA are listed in GDPR, recital 91 and include:

– data processing operations which make it difficult for data subjects to exercise their rights, namely in case of barely noticeable or non-transparent processing operations; or
– operations where the competent supervisory authority considers the data processing to be likely to result in a high risk to the rights of data subjects, particularly because they prevent data subjects from exercising a right or using a service or a contract, or because they are carried out systematically on a large scale.

10 WP 218, 2.

553 Given that controllers are required to assess whether a DPIA must be carried out, and given the amount of fines that can be imposed on controllers failing to conduct necessary DPIAs, controllers should carefully document their pre-assessment and the reasons on which they concluded not to conduct a DPIA.

554 As an exception to the rule described above, GDPR, art. 35, para 10 determines that a DPIA is not needed where processing pursuant to GDPR, art. 6, para 1, subpara c) (processing necessary due to a legal obligation of the controller) or subpara e) (processing necessary due to public interest) has a legal basis in Union law or in the law of the Member State to which the controller is subject, and that law regulates the specific processing operation in question, and a DPIA has already been carried out in the context of the adoption of that legal basis. Further, DPIAs are not mandatory pursuant to GDPR, recital 91 in cases where personal data of patients or clients are processed by an individual physician, other health care professional or lawyer, as such processing is not considered “processing on a large scale”.

555 Pursuant to GDPR, art. 35, paras 3 and 4 the supervisory authorities shall establish and publicise lists of processing operations for which DPIAs are required (“black lists”) and those for which DPIAs are not required (“white lists”). Companies should therefore regularly check whether respective lists were published, as they should provide clarification as to whether DPIAs are mandatory or not for the processing operation in question.

b) Minimum content of Data Protection Impact Assessments

556 If in the pre-assessment outlined above the controller concluded that the conditions under which a DPIA is required are given, the controller – in a second step – shall conduct the DPIA itself. Although the GDPR leaves it largely open how and according to which criteria DPIAs shall be carried out, GDPR, art. 35, para 7 establishes as minimum requirements:

– a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interests pursued by the controller;
– an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
– an assessment of the risks to the rights and freedoms of data subjects referred to in GDPR, art. 35, para 1; and
– the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR taking into account the rights and legitimate interests of data subjects and other persons concerned.

557 Although there are no provisions made regarding documentation or summarising reports of the DPIA, it seems advisable to document the assessment procedure in order to both facilitate a possible consultation with the supervisory authorities pursuant to GDPR, art. 36 (see section D.I.9.c), → mn. 562) and to demonstrate compliance with GDPR, art. 35 in case of respective investigations of supervisory authorities pursuant to GDPR, art. 58, para 1, subparas b) and e). If the controller cannot establish sufficient proof of its compliance with the DPIA requirement, it will run the risk of being penalised by administrative fines pursuant to GDPR, art. 83, para 4, subpara a).

558 With respect to the analysis of measures to be implemented in order to minimise identified privacy risks, in an opinion regarding the execution of DPIAs in the context of RFID (Radio Frequency Identification Devices) applications the Art. 29 Working Party recommended controls of a technical or non-technical nature which are generally appropriate to be considered. Technical controls could be, e.g., default settings, authentication mechanisms or encryption methods incorporated into the processing operation itself, whereas non-technical controls could be management or operational controls, such as policies, procedural requirements, etc. Moreover, the measures to be taken could be preventive, inhibiting infringements, or detective, warning of (attempted) infringements.11

559 The GDPR provides, however, for some additional guidelines for the DPIA execution. Thus, the controller shall, where appropriate, seek advice and assistance from the following specific third parties: the DPO (see section D.VI.2.a), → mn. 770 et seqq.), if one is designated (GDPR, art. 35, para 2); the data subjects or their representatives (GDPR, art. 35, para 9); the processor, where necessary and upon request (GDPR, recital 95).

560 A set of similar processing operations with similar high risks may be assessed within a single DPIA (GDPR, art. 35, para 1). Also, for economic reasons the DPIA may be aligned on more than a single project if it appears to be appropriate, e.g. if several controllers plan to introduce a common application or processing environment across an industry sector or for a widely used horizontal activity (GDPR, recital 92). Moreover, pursuant to GDPR, art. 35, para 8 compliance with approved codes of conduct referred to in GDPR, art. 40 (see section D.II., → mn. 566 et seqq.) shall be taken into account in assessing the impact of the processing operations. According to GDPR, art. 35, para 11 the controller shall carry out reviews assessing if the processing is still performed in accordance with the DPIA, at least when there is a change of the risk represented by the processing operations.

561 As there are, apart from these general provisions, no detailed specifications regarding the DPIA process, it is left to legal practitioners to put these minimum requirements into a practical system. Thus, it can be expected that models for the execution of DPIAs will be presented shortly. Controllers should look out for such guidelines and consider implementing respective structures and processes in a timely manner.

11 WP 180, Annex, 9 f.

c) Prior Consultation, GDPR, art. 36

562 If the result of the described DPIA is that the processing would entail a high risk to the rights and freedoms of natural persons if the controller did not take measures to mitigate the risk, the controller shall consult the supervisory authority prior to processing pursuant to GDPR, art. 36, para 1. This means that the consultation obligation applies even if the controller has taken sufficient risk mitigation measures. Additionally, controllers processing for the performance of a task in the public interest, including processing in relation to social protection and public health, may be obliged by national law of the Member States to consult with and obtain prior authorisation from the supervisory authority (GDPR, art. 36, para 5).

563 A consultation of the supervisory authority goes hand in hand with the controller having to provide the supervisory authority with the following information pursuant to GDPR, art. 36, para 3:

– where applicable, the respective responsibilities of the controller, joint controllers and processors involved in the processing, in particular for processing within a group of undertakings;
– the purposes and means of the intended processing;
– the measures and safeguards provided to protect the rights and freedoms of data subjects pursuant to this Regulation;
– where applicable, the contact details of the DPO;
– the DPIA provided for in GDPR, art. 35; and
– any other information requested by the supervisory authority.

564 If the supervisory authority decides that the envisaged processing would infringe GDPR regulations, it has to provide written advice to the controller and, where applicable, to the processor, and may use any of its investigative powers referred to in GDPR, art. 58 (see section D.V.4.b), → mn. 746) according to GDPR, art. 36, para 2. This shall take place within a period of up to eight weeks of receipt of the request for consultation and might be extended by another six weeks, taking into account the complexity of the intended processing. However, these periods may be suspended until the supervisory authority has obtained the information requested for the purposes of the consultation (GDPR, art. 36, para 2).

d) Administrative fines

565 If the controller fails to comply with the described obligations pursuant to GDPR, art. 35 or 36, these infringements shall be subject to administrative fines up to 10,000,000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher (GDPR, art. 83, para 4, subpara a)).

II. Codes of Conduct

566 GDPR, art. 40 and 41 encourage the establishment of approved codes of conduct intended to contribute to the proper application of the GDPR. Generally speaking, codes of conduct are sets of agreed principles to meet data protection requirements. Controllers or processors may adhere to those codes to show compliance with data protection law.

1. Drafting codes of conduct (GDPR, art. 40, para 2)

567 As GDPR, art. 40, para 1 addresses the Member States, the supervisory authorities, the Board and the Commission, these institutions may create codes of conduct. However, GDPR, art. 40, para 2 also explicitly envisages that associations and other bodies representing categories of controllers or processors draft, amend or extend codes of conduct.

568 As regards content, codes of conduct may, amongst others, address the following aspects according to GDPR, art. 40, para 2:

– fair and transparent processing;
– the legitimate interests pursued by controllers in specific contexts;
– the collection of personal data;
– the pseudonymisation of personal data;
– the information provided to the public and to data subjects;
– the exercise of the rights of data subjects;
– the information provided to, and the protection of, children, and the manner in which the consent of the holders of parental responsibility over children is to be obtained;
– the measures and procedures referred to in GDPR, art. 24 and 25 and the measures to ensure security of processing referred to in GDPR, art. 32;
– the notification of personal data breaches to supervisory authorities and the communication of such personal data breaches to data subjects;
– the transfer of personal data to third countries or international organisations; or
– out-of-court proceedings and other dispute resolution procedures for resolving disputes between controllers and data subjects with regard to processing, without prejudice to the rights of data subjects pursuant to GDPR, art. 77 and 79.

569 When preparing codes of conduct, the specific features of the various processing sectors and the specific needs of micro, small and medium-sized enterprises shall always be taken into account (GDPR, art. 40, para 1).

570 Besides, according to GDPR, recital 98, codes of conduct can particularly determine obligations of controllers and processors, taking into account the risk likely to result from the processing of personal data for the rights and freedoms of natural persons. According to GDPR, recital 99 the associations or bodies shall consult relevant stakeholders, including data subjects if possible, and take their responses into account when drafting a code of conduct or amending or extending such a code.

2. Approval procedure

571 Subsequent to the creation of codes of conduct, they need to be approved according to GDPR, art. 40, para 5 by the supervisory authority competent pursuant to GDPR, art. 55. In case of a code relating to processing activities in one Member State only, the respective supervisory authority shall issue an opinion on whether the draft code, amendment or extension complies with the regulations under the GDPR and may approve the draft if it finds that it provides sufficient appropriate safeguards (GDPR, art. 40, para 5). Approved codes have to be registered and published by the approving supervisory authority pursuant to GDPR, art. 40, para 6. In contrast, if the code relates to processing activities in several Member States, the supervisory authority has to submit the draft to the Board, which provides the respective opinion and may grant approval (GDPR, art. 40, para 7). In such a case, the approved code will be forwarded to the Commission, which may award general validity within the Union to the respective code by way of an implementing act (GDPR, art. 40, paras 8 and 9). Codes awarded general validity apply to all companies within the respective sector, even if they did not submit to them voluntarily. All approved codes of conduct are registered and made publicly available, e.g. via an online register, by the Board pursuant to GDPR, art. 40, para 11.

572 The GDPR does not provide for a regulation concerning the remaining validity of codes of conduct approved under Directive 95/46. Therefore, a new approval by a supervisory authority or the Commission according to GDPR, art. 40 will be necessary.

3. Monitoring of approved codes of conduct

573 Pursuant to GDPR, art. 40, para 4 and GDPR, art. 41 the codes of conduct must contain regulations for monitoring compliance with approved codes of conduct. By submitting to a code, companies agree to – or, where general validity has been awarded, are subjected to – monitoring by a body which, according to GDPR, art. 41, para 1, has an appropriate level of expertise and is accredited for that purpose by the competent supervisory authority. Pursuant to GDPR, art. 41, para 2 the body may only be accredited to monitor compliance regarding a code of conduct where that body has:

– demonstrated its independence and expertise in relation to the subject-matter of the code to the satisfaction of the competent supervisory authority;
– established procedures which allow it to assess the eligibility of controllers and processors concerned to apply the code, to monitor their compliance with its provisions and to periodically review its operation;
– established procedures and structures to handle complaints about infringements of the code or the manner in which the code has been, or is being, implemented by a controller or processor, and to make those procedures and structures transparent to data subjects and the public; and
– demonstrated to the satisfaction of the competent supervisory authority that its tasks and duties do not result in a conflict of interests.

574 The accreditation may be withdrawn pursuant to GDPR, art. 41, para 4 if the conditions for accreditation are not, or are no longer, met or if the body infringed regulations under the GDPR.

575 According to GDPR, art. 41, para 4 the monitoring body may take appropriate actions if controllers or processors infringe an applicable code of conduct. Possible actions may, amongst others, be suspension or exclusion of the controller or processor concerned from the code. The monitoring body has to inform the competent supervisory authority about the infringement and the actions taken. Pursuant to GDPR, art. 83, para 4, subpara c) the monitoring bodies can be fined up to 10,000,000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher, if they fail to comply with this obligation.

4. Relevance for business entities

576 Firstly, codes can give guidance regarding the interpretation of indeterminate legal terms or specific compliance issues, at least for the application within a specific sector. This can foster legal certainty. Secondly, adherence to codes may provide evidence of compliance with the GDPR and, by doing so, may lead to competitive advantages. Controllers looking for a data protection compliant processor, for example, can specifically consider processors that satisfy a code’s requirements and count on the code’s monitoring system regarding compliance.

577 Moreover, the transfer of personal data to third countries or international organisations can be facilitated if, pursuant to GDPR, art. 40, para 3, controllers or processors outside the EU that are not subject to the GDPR adhere to approved codes of conduct declared generally valid. They shall make binding and enforceable commitments via contractual or other legally binding instruments to demonstrate their provision of appropriate safeguards (for more details see section E.I.2.c), → mn. 897 et seqq.). Therefore, companies transferring data internationally should consider submitting to generally valid codes of conduct once those are established.

578 Pursuant to GDPR, art. 35, para 8 the controller’s or processor’s compliance with approved codes of conduct can be a positive factor in a DPIA (see section D.I.9.b), → mn. 556 et seqq.). Apart from that, the adherence to a code of conduct may be taken into account by the supervisory authority when assessing whether to impose an administrative fine and deciding on the amount of the fine (GDPR, art. 83, para 2, subpara j)). Therefore, compliance with an applicable code of conduct can be beneficial for companies in the event of data breaches.

579 Compared to Directive 95/46, art. 27, which only offered the advantages of compliance evidence and interpretation guidance, the GDPR provides codes of conduct with substantial new positive effects. Thus, controllers and processors should consider encouraging associations and other representing bodies within their business sector to draft codes of conduct for approval. This seems especially advisable in the light of the Commission’s possibility to declare codes generally valid. If the organisation’s own code is declared generally valid, the respective companies cannot be forced to submit to a code they might not want to adhere to.

III. Data protection certifications and privacy seals – relevance of these instruments for business entities

580 Besides codes of conduct, data protection certifications and privacy seals are another form of self- or co-regulation. GDPR, art. 42 and 43 introduce regulations for data protection certification mechanisms and data protection seals and marks to demonstrate compliance with the data protection principles. The Member States, the supervisory authorities, the Board and the Commission shall encourage the establishment of such certification mechanisms (GDPR, art. 42, para 1).

581 Although Directive 95/46 does not address certifications, certifications have already been in use for years. Certifications available to date – partly covering some specific sectors of technical and organisational measures to be taken under GDPR, art. 32 – are, for example:

– ISO/IEC 27001, an information security standard;12
– ISO/IEC 29100, a series of privacy standards,13 which can be certified by third-party certification bodies (e.g. EuroCloud Star Audit);14
– “Service Organization Control” (SOC), which can be certified by the American Institute of Certified Public Accountants (AICPA);15
– the European Privacy Seal (EuroPriSe) as a European certification;16
– Datacenter Star Audit, a certification available especially for data centres.17

582 However, as certification mechanisms and data protection seals gain formal recognition under the GDPR for the first time, their significance will continue to grow and it is to be expected that more certification schemes and mechanisms for showing adherence will develop in the coming years. Such certifications will be especially relevant in the field of international data transfers (see section E.I.2.d), → mn. 902 et seqq.).

12 http://www.iso.org/iso/iso27001 (as of 7.4.2017).
13 http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=45123 (as of 7.4.2017).
14 https://staraudit.org/ (as of 7.4.2017).
15 http://www.aicpa.org/InterestAreas/FRC/AssuranceAdvisoryServices/Pages/ServiceOrganization%27sManagement.aspx (as of 7.4.2017).
16 https://www.european-privacy-seal.eu/EPS-en/Home (as of 7.4.2017).
17 https://www.dcaudit.de/ (as of 7.4.2017).

1. Purpose of certifications and seals (GDPR, art. 42, paras 1 and 4)

583 As GDPR, art. 42, paras 1 and 4 explicitly state, the implementation of data protection certifications, seals and marks shall serve the purpose of demonstrating compliance with the regulations of the GDPR by controllers and processors. The possibility to show adherence via certifications and seals is mentioned in several articles throughout the GDPR (e.g. in GDPR, art. 24, para 3; art. 25, para 3; art. 28, para 5; art. 32, para 3) as well as in GDPR, recitals 77 and 81.

584 To demonstrate compliance visually, the certification or seal is usually accompanied by some form of symbol, like a label or sign, which controllers and processors submitting to the certification or seal scheme may display on their websites, in advertisements or on documents. This allows data subjects (or other interested parties) to quickly assess the level of data protection of relevant products and services (cf. GDPR, recital 100).

2. Voluntariness (GDPR, art. 42, para 3)

585 Pursuant to GDPR, art. 42, para 3 the certification is voluntary. However, due to the advantages and effects of certifications described below (see section D.III.7, → mn. 598 et seqq.), it seems advisable for companies to participate in a data protection certification process to demonstrate their compliance.

3. Certification bodies (GDPR, art. 42, para 5 and GDPR, art. 43)

586 According to GDPR, art. 42, para 5 the certifications are issued by either the certification bodies referred to in GDPR, art. 43 or by the competent supervisory authority.

587 The GDPR introduces a system of accredited certification bodies. According to GDPR, art. 43, para 1 certification bodies need to have sufficient expertise in relation to data protection and need to be accredited either by

– the supervisory authority which is competent pursuant to GDPR, art. 55 or 56, or
– the national accreditation body named in accordance with Regulation (EC) No. 765/2008 of the European Parliament and of the Council in accordance with EN-ISO/IEC 17065/2012 and with the additional requirements established by the supervisory authority which is competent pursuant to GDPR, art. 55 or 56.

588 GDPR, art. 43, para 1 permits accreditations only if the possible certification bodies have

– demonstrated their independence and expertise in relation to the subject-matter of the certification to the satisfaction of the competent supervisory authority;
– undertaken to respect the criteria referred to in GDPR, art. 42, para 5 and approved by the supervisory authority which is competent pursuant to GDPR, art. 55 or 56 or by the Board pursuant to GDPR, art. 63;
– established procedures for the issuing, periodic review and withdrawal of data protection certification, seals and marks;
– established procedures and structures to handle complaints about infringements of the certification or the manner in which the certification has been, or is being, implemented by the controller or processor, and to make those procedures and structures transparent to data subjects and the public; and
– demonstrated, to the satisfaction of the competent supervisory authority, that their tasks and duties do not result in a conflict of interests.

589 According to GDPR, art. 43, para 3 the accreditation shall take place on the basis of criteria approved by the supervisory authority which is competent pursuant to GDPR, art. 56 or by the Board pursuant to GDPR, art. 63.

590 The accreditation is limited to a maximum period of five years, but may be renewed pursuant to GDPR, art. 43, para 4 if the certification body keeps on meeting the accreditation requirements. If this is not the case or if the certification body infringes rules under the GDPR, the accreditation may be withdrawn pursuant to GDPR, art. 43, para 7.

591 As the GDPR does not define the legal personality of the certification bodies, they can be legal entities under either private or public law. Due to the new accreditation system, already existing private certification bodies will have to apply for a new accreditation under the GDPR regime.

4. Certification Proceeding, GDPR, art. 42, para 6

592 The certification shall be available via a transparent process (GDPR, art. 42, para 3). When applying for a certification or seal, the controller or processor wishing to submit its data processing to the certification mechanism has to provide the certification body or the competent supervisory authority (see section D.II.3., → mn. 573 et seqq.) with all information and access to its processing activities which are necessary for the certification procedure (GDPR, art. 42, para 6).

593 The object of certification can only be processing operations by controllers and processors, and not any specialist knowledge or qualification, e.g. of the DPO (see section D.VI., → mn. 758 et seqq.).

594 The certifications are based on criteria approved by the competent supervisory authority pursuant to GDPR, art. 58, para 3 or by the Board pursuant to GDPR, art. 63. Once the Board has approved criteria, this may result in a common certification, the European Data Protection Seal (GDPR, art. 42, para 5). Besides, GDPR, art. 42, para 1 explicitly states that in the process of establishing certifications the specific needs of micro, small and medium-sized enterprises shall be taken into account.

595 Pursuant to GDPR, art. 43, paras 8 and 9 the Commission is empowered to adopt delegated acts specifying the requirements to be taken into account for the data protection certification mechanisms as well as to adopt implementing acts laying down technical standards for certification mechanisms and data protection seals and marks, and mechanisms to promote and recognise them.

5. Maximum term of certificate/seal, GDPR, art. 42, para 7

596 Certification mechanisms and data protection seals and marks are awarded to controllers or processors for a maximum period of three years with the possibility of renewal if the requirements are still met. Once a controller or processor does not or no longer complies with the respective requirements for the certification or seal, it shall be withdrawn by the certification bodies referred to in GDPR, art. 43 (see section D.III.3, → mn. 586 et seqq.) or by the competent supervisory authority (GDPR, art. 42, para 7). The time-limited certification as well as the possibility of withdrawal requires controllers to constantly review their compliance with the certificate requirements and, thus, with the data protection rules under the GDPR. Holding a valid certification does not reduce the responsibility of the controller or the processor for compliance with the GDPR and is without prejudice to the tasks and powers of the supervisory authorities (GDPR, art. 42, para 4).

6. Register for certifications, data protection seals and marks

597 Pursuant to GDPR, art. 42, para 8 all certification mechanisms and data protection seals and marks shall be compiled in a register by the Board and be made publicly available, e.g. via an online register, to enable parties interested in certification to obtain information on the mechanisms available.

7. Relevance of certifications or seals for companies

598 The demonstration of compliance with data protection law via certifications or seals is of relevance for companies on different levels.

599 Towards data subjects these certificates are likely to increase confidence in the handling of personal data, thereby resulting in a competitive advantage for the company, not only regarding data subjects as possible customers looking for a specific product or service but also in relation to controllers searching for data protection compliant processors or service providers.18

600 Moreover, although any certified company can still be subject to controls by supervisory authorities, a certification could have a positive effect on such controls, as the certificate or seal can be seen as an indication of GDPR-compliant conduct.

601 As adherence to approved certification mechanisms is one of the criteria laid down in GDPR, art. 83, para 2, subpara j) for deciding whether and in what amount administrative fines shall be imposed in the respective case, companies will also have a financial interest in applying for certification and seal mechanisms.

18 Cf. http://www.eudataprotectionregulation.com/#!certification/c44 d (as of 7.4.2017).

IV. Duties towards the data subjects and their rights

602 Chapter III of the GDPR defines the rights of the data subject towards the controller and the corresponding duties of the controller towards the data subject. The rights awarded to the data subjects serve the legal protection of the principles of lawful processing of personal data laid down in GDPR, art. 5. For this purpose, the GDPR provides for three different elements regarding the protection of the data subject:
– Transparency of data processing – ensured by the information duties of the controller (GDPR, art. 13 and 14) and the data subject's right of access (GDPR, art. 15).
– Correctness of data processing – ensured by the data subject's right to rectification (GDPR, art. 16), erasure (GDPR, art. 17), restriction (GDPR, art. 18) and data portability (GDPR, art. 20).
– Limitation of data processing – ensured by the right to object (GDPR, art. 21) and the regulation of decisions based on automated processing and profiling (GDPR, art. 22).

1. General Requirements related to the rights of data subjects, GDPR, art. 11 and 12

603 GDPR, art. 11 addresses data processing which does not require identification, whilst GDPR, art. 12 lays down the general modalities for the exercise of the rights pursuant to GDPR, art. 13, 14, 15 to 22 and 34.

a) Deadline for fulfilment of data subject's rights: One month pursuant to GDPR, art. 12, para 3

604 Pursuant to GDPR, art. 12, para 3 the controller shall provide information to the data subject on the action taken on a request under GDPR, art. 15 to 22 without undue delay and in any event within one month of receipt of the request at the latest. Where necessary, that period may be extended by two further months, taking into account the complexity and number of the requests; the controller must inform the data subject of any such extension, together with the reasons for the delay, within one month of receipt of the request. If the controller does not or cannot take action on the request of the data subject, it shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action (GDPR, art. 12, para 4).

605 Directive 95/46 does not contain deadlines for fulfilling data subjects' rights, although such time limits did exist in some Member States' national law. Compliance with the time limits set out in the GDPR will be a significant burden for all controllers.

b) Form requirements

606 In accordance with the principle of transparency, GDPR, art. 12, para 1 determines, firstly, that the information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language (cf. also GDPR, recital 58). As a consequence, controllers may have to provide the relevant information to the data subject in his mother tongue or another familiar language. Complex topics or technical details need to be addressed in a generally comprehensible form for every data subject regardless of his level of education or expertise in the specific field. This imposes high demands on controllers regarding the linguistic and editorial presentation of the information.

607 The requirements are even higher if the information is directed to children. As this group of recipients needs specific protection, any information and communication regarding processing addressed to a child should be in language that is especially easy to understand and suitable for children.

608 Secondly, pursuant to GDPR, art. 12, para 1 and GDPR, recital 58 information shall be provided in writing, which includes, where appropriate, the electronic form. The respective information does not have to be actively given to each data subject, but rather be provided in a form available to every data subject concerned, e.g. through a privacy policy (see sections E.VI.3 and E.VII.4, → mn. 1198 and 1221 et seqq.) on a public website. This obligation will be particularly relevant in technologically complex situations where it is difficult for the data subject to know whether, by whom and for what purpose personal data is collected, e.g. in the case of online advertising. Moreover, if requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means. However, unless requested by the data subject, controllers will not satisfy the information obligations set forth in the GDPR by giving oral information.

609 Additionally, visualisation can be used for the provision of information where appropriate, e.g. according to GDPR, art. 12, para 7 in the form of standardised icons. These shall give a meaningful overview of the intended processing in an easily visible, intelligible and clearly legible manner. If icons are used in electronic form, they shall be machine-readable. Contrary to previous draft versions of the GDPR, there are no specific icons prescribed by the GDPR, but GDPR, art. 12, para 8 empowers the Commission to adopt delegated acts determining the information to be presented by the icons and the procedures for providing standardised icons. Controllers can, however, decide freely whether to use official icons, icons of their own design or none at all. In any case, by providing the relevant information only via icons without any textual content, controllers may not properly fulfil the applicable information obligations, since GDPR, art. 12, para 7 only permits icons to be used in combination with the information to be provided.

c) Right to determine the identity of the individual wishing to enforce their rights pursuant to GDPR, art. 12, para 6: Controller's right to request a copy of the claimant's passport

610 If the controller has reasonable doubts concerning the identity of a natural person making a request pursuant to GDPR, art. 15 to 21, the controller may ask for additional information necessary to confirm the identity of the data subject (GDPR, art. 12, para 6). The background of this controller's right is the risk of unauthorised third parties trying to exercise the rights of data subjects. A reasonable doubt may exist, e.g. if a request is made via an unknown email address or user account. In such cases controllers are permitted but not required to request information as proof of identity before meeting the request. Should it turn out that the requesting party was not the data subject concerned, providing information to that person may be considered an unlawful disclosure of personal data, which can be penalised under GDPR, art. 83, para 5 with administrative fines of up to 20,000,000 EUR or, in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher. Documentation of the incoming requests, of the controller's measures taken to investigate the lawfulness of the request including the requestor's identity, and of the measures taken to fulfil such requests will be essential to establish sufficient proof of the controller's GDPR compliance.

611 To verify the requesting person's identity the controller may, according to GDPR, recital 64, use "all reasonable measures", in particular in the context of online services and online identifiers. Such reasonable measures may include contacting the data subject at its known postal address or, in the context of online services, certifying a digital identification of the data subject, for example through authentication mechanisms such as the same credentials used by the data subject to log in to the online service offered by the controller (cf. GDPR, recital 57). Requesting a copy of the data subject's passport might exceed the appropriate extent, as the document provides more information than is usually needed. In some Member States, such as Germany, national law does not allow copying the data subject's passport and using such copies for identification purposes unless this is explicitly permitted under other applicable law. In view of the very general wording of GDPR, art. 12, para 6 ("additional information necessary to confirm the identity of the data subject"), it is unclear whether this rule would be accepted as a statutory authorisation to make copies of a passport.

612 As Directive 95/46 does not address the need to confirm the identity of data subjects, although the national laws of some Member States do, this regulation will be a change for most controllers.
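The deadline rules at mn. 604 and the identity checks at mn. 610 and 611 together describe a procedure, and the following Python sketch, added here as an example and not taken from the book or from any supervisory authority's guidance, shows the two decisions a request handler has to record: whether the requester's identity is sufficiently established to release personal data (a request made through the data subject's own authenticated session, the "same credentials" mechanism of recital 57, or from a contact address already on file is treated as verified, while an unknown channel is answered with a verification step only), and by when the controller must respond, including the two-month extension and the extension notice under art. 12, paras 3 and 4. The class and channel names, the calendar-month counting in add_months and the sample requests are this example's own assumptions.

```python
"""
Added example (not from the book): intake record for a data subject request
under GDPR, art. 12, paras 3, 4 and 6.

Assumptions of this example, not rules taken from the GDPR: the Channel
labels, the Request/Decision shapes, the way "one month" is counted, and the
constructed sample data at the bottom.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass, field
from datetime import date
from enum import Enum


def add_months(d: date, months: int) -> date:
    """Calendar-month deadline: same day of month, clamped to the last day of
    the target month (31 Jan + 1 month -> 28/29 Feb). Assumption of this
    example about how the one-month period is counted."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


class Channel(Enum):
    AUTHENTICATED_SESSION = "authenticated_session"  # logged in with own credentials
    KNOWN_EMAIL = "known_email"                      # address already on file
    UNKNOWN_EMAIL = "unknown_email"                  # no prior relationship
    POSTAL = "postal"


@dataclass
class Request:
    request_id: str
    subject_id: str          # identifier the controller already holds
    article: int             # 15..22
    received: date
    channel: Channel
    claimed_contact: str     # email or postal address the requester gave
    complex: bool = False    # complex or numerous requests: extension possible


@dataclass
class Decision:
    identity_verified: bool
    next_step: str
    respond_by: date                   # art. 12, para 3: one month from receipt
    extended_respond_by: date | None   # up to two further months, if complex
    log: list[str] = field(default_factory=list)  # the documentation mn. 610 asks for


def assess(req: Request, contacts_on_file: dict[str, set[str]]) -> Decision:
    """Decide whether the request may be answered with personal data now, and
    fix the statutory deadlines. Every decision is written to the log."""
    log = [f"{req.request_id}: received {req.received.isoformat()} via {req.channel.value}"]
    deadline = add_months(req.received, 1)
    extended = add_months(req.received, 3) if req.complex else None
    if extended:
        # The extension itself must be notified within the first month (art. 12, para 3).
        log.append(f"complex/numerous: extension to {extended.isoformat()} possible, "
                   f"extension notice due by {deadline.isoformat()}")

    if req.channel is Channel.AUTHENTICATED_SESSION:
        verified, step = True, "fulfil request"
        log.append("identity verified: request made through the data subject's own login")
    elif req.claimed_contact in contacts_on_file.get(req.subject_id, set()):
        verified, step = True, "fulfil request"
        log.append("identity verified: contact address matches the one on file")
    else:
        verified = False
        # Reasonable doubt (art. 12, para 6): ask only for what is necessary and
        # send the challenge to a contact already on file, never to the unknown one.
        step = "request additional identity information via known contact (art. 12, para 6)"
        log.append("reasonable doubt: unknown channel; no personal data disclosed")
    return Decision(verified, step, deadline, extended, log)


# Constructed sample data for this example (not real persons or requests).
CONTACTS = {"cust-4711": {"anna@example.org"}}
SAMPLE_UNKNOWN = Request("R-1", "cust-4711", 15, date(2018, 1, 31),
                         Channel.UNKNOWN_EMAIL, "anna.new@example.net")
SAMPLE_SESSION = Request("R-2", "cust-4711", 17, date(2018, 5, 25),
                         Channel.AUTHENTICATED_SESSION, "anna@example.org", complex=True)

if __name__ == "__main__":
    for r in (SAMPLE_UNKNOWN, SAMPLE_SESSION):
        d = assess(r, CONTACTS)
        print(d.next_step, d.respond_by.isoformat(), *d.log, sep="\n  ")
```

The point of the else branch is that a doubtful request is never answered with a request for a passport copy or with the data itself; the verification challenge goes to a contact the controller already holds, which is the "reasonable measure" of recital 64 that discloses nothing to a possible impostor. The log entries are the evidence a controller would present to a supervisory authority for the one-month and extension deadlines and for the identity decision.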

d) Processing which does not require identification, GDPR, art. 11, para 2 and no right to refuse (GDPR, recital 57)

613 GDPR, art. 11 regulates data processing which does not require identification, in which case the controller is not obliged according to GDPR, art. 11, para 1 to maintain, acquire or process additional information in order to identify the data subject for the sole purpose of complying with the GDPR. GDPR, art. 11, para 2 states that if the controller is able to demonstrate that it cannot identify the data subject, GDPR, art. 15 to 20 shall not apply except where the data subject provides additional information enabling his identification for the purpose of exercising his rights under those articles; where possible, the controller shall inform the data subject accordingly. Pursuant to GDPR, recital 57 the controller should not refuse to take additional information provided by the data subject in order to support the exercise of his rights.

e) Free of charge, GDPR, art. 12, para 5

614 Information provided under GDPR, art. 13 and 14 and any communication or actions taken under GDPR, art. 15 to 22 and 34 shall be provided free of charge (GDPR, art. 12, para 5) except in cases of manifestly unfounded or excessive requests by the data subject, in particular because of their repetitive character. In the latter case the controller may either charge a reasonable fee taking into account the administrative costs (GDPR, art. 12, para 5, subpara a)) or refuse to act on the request (GDPR, art. 12, para 5, subpara b)), but it bears the burden of demonstrating the existence of such an exceptional case. This includes the risk that supervisory authorities will consider the exception inapplicable and the controller to have committed an administrative offence which can be penalised under GDPR, art. 83, para 5, subpara b).

615 Manifestly unfounded may be, e.g. a request for erasure pursuant to GDPR, art. 17 made after the data subject has already received, in response to an access request pursuant to GDPR, art. 15, the correct information that the controller processes no personal data concerning him. Data subjects may repeat requests "at reasonable intervals" pursuant to GDPR, recital 63, but repetitive requests might be considered excessive, e.g. if requests are repeated at intervals of less than one month. Whether an exceptional case exists is, however, to be determined in each individual case.

616 Controllers will therefore generally have to provide the extended information without being able to recover, through fees charged to requesting data subjects, the costs and expenses they incur in implementing the new organisational processes needed to comply with the information duties.

f) Information on legal remedies available, GDPR, art. 12, para 4

617 Pursuant to GDPR, art. 12, para 4 the controller has to inform the data subject of the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy if the controller does not take action on the request of the data subject.

g) Administrative fines

618 According to GDPR, art. 83, para 5, subpara b) infringements of the provisions of GDPR, art. 12 shall be subject to administrative fines of up to 20,000,000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.

2. Information to be provided, GDPR, art. 13 and 14

a) Information duties

619 The controller's information duties towards data subjects are set out in GDPR, art. 13 and 14. The GDPR differentiates between information duties where the data is collected from the data subject (GDPR, art. 13) and information duties where the data is not collected from the data subject (GDPR, art. 14). The respective duties are largely identical, although there are some particularities in each article. Compared to Directive 95/46, the GDPR significantly extends the scope of the information to be provided. Although some of the new obligations may already have been compulsory for controllers under some Member States' national laws, most controllers will have to revise and expand their existing privacy policies and notices. The adaptation of existing privacy policies will be an important part of each controller's action plan to ensure GDPR compliance before it becomes applicable on 25 May 2018.

620 The following duties are imposed on the controller regardless of whether the data was collected from the data subject or not. New obligations which are not contained in Directive 95/46 are indicated in italics:
– the identity and the contact details of the controller and, where applicable, of the controller's representative (GDPR, art. 13, para 1, subpara a) and GDPR, art. 14, para 1, subpara a)). The disclosure of the identity and contact details of the controller or its representative shall enable the data subjects to exercise their rights under the GDPR. Therefore, the controller's name (company name), its postal address and, according to GDPR, recital 23, also an email address, but not necessarily a telephone number, shall be provided.
– the contact details of the DPO, where applicable (GDPR, art. 13, para 1, subpara b) and GDPR, art. 14, para 1, subpara b)). The DPO's contact details shall be disclosed to enable data subjects to exercise their rights. However, in contrast to the contact details of the controller, only the DPO's postal address and email address, but not necessarily the person's name, are to be disclosed. This new obligation indicates the new role and responsibilities of the DPO under the GDPR: In Member States in which national law already provided for the obligation to appoint a DPO, the DPO's current role is an internal one only. Under the GDPR, the DPO will also have "external" tasks as the first point of contact for data subjects vis-à-vis a controller.
– the purposes of the processing for which the personal data are intended as well as the legal basis for the processing (GDPR, art. 13, para 1, subpara c) and GDPR, art. 14, para 1, subpara c)). As another new obligation, privacy policies have to contain information on the legal ground of the processing. The GDPR does not specify how detailed this information regarding the legal basis for the processing shall be. Nevertheless, in order to comply with the transparency principle it seems advisable for the controller to inform the data subject extensively regarding the possibly different legal grounds for the processing.
– where the processing is based on GDPR, art. 6, para 1, subpara f), the legitimate interests pursued by the controller or by a third party (GDPR, art. 13, para 1, subpara d) and GDPR, art. 14, para 2, subpara b)). Concerning processing pursuant to GDPR, art. 6, para 1, subpara f) it should be sufficient for the controller to inform the data subject about the controller's or third party's envisaged interest, but not about the balancing of interests itself, to which the processing has to correspond.
– the recipients or categories of recipients of the personal data, if any (GDPR, art. 13, para 1, subpara e) and GDPR, art. 14, para 1, subpara e)).
– where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in GDPR, art. 46 or 47, or the second subparagraph of GDPR, art. 49, para 1, reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available (GDPR, art. 13, para 1, subpara f) and GDPR, art. 14, para 1, subpara f)). This new obligation requires controllers to disclose their intentions to transfer personal data internationally as well as to be aware of the circumstances which might make such a transfer particularly risky.
– the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period (GDPR, art. 13, para 2, subpara a) and GDPR, art. 14, para 2, subpara a)). Providing information regarding the retention period for the data subject's personal data is a new obligation every controller will have to comply with. However, in many cases this information will not be easy for controllers to provide: it may be hard to differentiate between the various categories of personal data stored and to state the retention periods themselves, not to mention the technical implementation of a highly differentiated data deletion concept.
– the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability (GDPR, art. 13, para 2, subpara b) and GDPR, art. 14, para 2, subpara c)). These provisions establish the controller's obligation to inform extensively about the data subject's data protection rights, namely the right of access (GDPR, art. 15), rectification (GDPR, art. 16), erasure (GDPR, art. 17), restriction (GDPR, art. 18), objection (GDPR, art. 21) and data portability (GDPR, art. 20). This, again, corresponds to the controller's obligation laid down in GDPR, art. 12, para 2 to facilitate the exercise of data subject rights under GDPR, art. 15 to 22 and should not be difficult for controllers to implement. Due to the number of different data subject rights and the different prerequisites for exercising them, it will be more challenging to explain the differences between these rights in a concise, transparent, intelligible form and in clear and plain language as required under GDPR, art. 12, para 1.
– where the processing is based on GDPR, art. 6, para 1, subpara a) or GDPR, art. 9, para 2, subpara a), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal (GDPR, art. 13, para 2, subpara c) and GDPR, art. 14, para 2, subpara d)). When giving consent to data processing, data subjects have to be informed about their right to withdraw consent at any time, regardless of whether the consent is given in written or electronic form. Although this constitutes a new information obligation for controllers, it should be easy to provide.
– the right to lodge a complaint with a supervisory authority (GDPR, art. 13, para 2, subpara d) and GDPR, art. 14, para 2, subpara e)). While this information duty is new for controllers, it should be easy to implement once the competent authority has been determined (see section D.V.1, → mn. 713 et seqq.).
– the existence of automated decision-making, including profiling, referred to in GDPR, art. 22, paras 1 and 4 and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject (GDPR, art. 13, para 2, subpara f) and GDPR, art. 14, para 2, subpara g)). Controllers not only have to disclose their use of automated decision-making and profiling (see section E.V., → mn. 1146 et seqq.), but also the logic of the respective process, including the mathematical basis of the calculation. In doing so, trade secrets or intellectual property of the controller shall be safeguarded, which, however, does not authorise controllers to refrain from providing any information at all (GDPR, recital 63).

621 In the case of data collected from the data subject, pursuant to GDPR, art. 13, para 2, subpara e) the controller additionally has to inform the data subject

– whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data.

622 If the data is not collected from the data subject, the controller also has to inform the data subject about
– the categories of personal data concerned (GDPR, art. 14, para 1, subpara d)). Regarding this information duty there is no change compared to Directive 95/46.
– the source from which the personal data originate and, if applicable, whether it came from publicly accessible sources (GDPR, art. 14, para 2, subpara f)). If the original source cannot be traced, either because the information was obtained from the internet, e.g. from publicly accessible websites, or via more than one source, corresponding general information may be provided to the data subject (GDPR, recital 61).

623 Additional information duties result from GDPR, art. 21, para 4 (regarding the data subject's right to object), GDPR, art. 26, para 2 (regarding the arrangement between joint controllers, see section D.I.2.c)(bb), → mn. 504) and GDPR, art. 18, para 3 (regarding the right to restriction of processing).

b) Point in time

624 It is decisive for the controller to know at which point in time it has to provide the data subject with the respective information in order to comply with the information duties.

625 If the personal data is collected from the data subject, the information shall be provided at the time when the personal data are obtained (GDPR, art. 13, para 1 and GDPR, recital 61), e.g. if the data subject enters his personal data into an online form, a reference to a privacy policy containing the required information has to be provided.

626 If the personal data is not collected from the data subject, GDPR, art. 14, para 3 establishes a temporally graduated system depending on the individual case and the purpose of the data collection. The controller has to provide the respective information
– within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed. This rule applies, e.g. if a controller obtains personal data which do not stem from the respective data subject, but aims neither at a data transfer nor at communication with the data subject.
– if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject. If the controller aims at using the personal data, e.g. for advertising purposes, the information has to be contained in the first advertising message to the data subject.
– if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed. A typical use case for this rule is the intended transfer of collected personal data to third parties (e.g. credit information agencies).

627 In cases of a change of purpose GDPR, art. 13, para 3 and GDPR, art. 14, para 4 determine that if the controller intends to further process the personal data for a purpose other than that for which the personal data were originally collected, it shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information referred to in GDPR, art. 13, para 2 or art. 14, para 2.

c) Exceptions to the information duties

628 According to GDPR, art. 13, para 4 and GDPR, art. 14, para 5, subpara a) an exception to the information duties exists if the data subject already has the respective information, e.g. because the respective information was obtained otherwise.

629 Additionally, GDPR, art. 14, para 5 provides for the following exceptional cases which apply only if the personal data were not collected from the data subject:
– the provision of the information proves impossible or would involve a disproportionate effort, in particular in the case of processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards referred to in GDPR, art. 89, para 1, or in so far as the obligation referred to in GDPR, art. 14, para 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases the controller shall take appropriate measures to protect the data subject's rights and freedoms and legitimate interests, including making the information publicly available;
– obtaining or disclosure is expressly laid down by Union or Member State law to which the controller is subject and which provides appropriate measures to protect the data subject's legitimate interests; or
– where the personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy.

d) Administrative fines

630 Pursuant to GDPR, art. 83, para 5, subpara b) administrative fines of up to 20,000,000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher, can be imposed on the controller if it fails to comply with the described information duties of GDPR, art. 13 and 14.

3. Right of access by the data subject, GDPR, Art. 15

GDPR, art. 15, para 1 grants the data subject a right to obtain confirmation whether his personal data are being processed as well as the right to gain access to the respective data and additional information regarding the data processing. This shall enable data subjects to enforce their data protection rights under the GDPR. a) Obligation to provide information, GDPR, art. 15, para 1

632

The right to additional information regarding personal data processed corresponds largely with the information to be provided pursuant to GDPR, art. 13 and 14. For more information on each obligation please see above (see section D.IV., → mn. 602 et seqq.). Information which previously was not compulsory to provide under Directive 95/46, art. 12 are indicated in italics: – the purposes of the processing; – the categories of personal data concerned; – the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; – where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; – the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; – the right to lodge a complaint with a supervisory authority; – where the personal data are not collected from the data subject, any available information as to their source; – the existence of automated decision-making, including profiling, referred to in GDPR, art. 22, paras 1 and 4 and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

633 Pursuant to GDPR, recital 63 the data subject shall be able to exercise the access right easily and at reasonable intervals. The controller, however, shall respond to the request – as with all information rights – without undue delay and in any event within one month of receipt of the request (GDPR, art. 12, para 3).

634 The extended information obligations combined with the one-month period could become a significant administrative burden for controllers. Controllers should, therefore, implement structures in due time in order to be able to provide the respective information shortly after the data subject’s request.

Joachim Schrey

D. General conditions for data processing in companies under the GDPR

b) Right of access, GDPR, art. 15, para 3

635 Pursuant to GDPR, art. 15, para 3 access to the personal data processed shall be provided by making a copy of the relevant data available to the data subject. Further copies requested by the data subject may be charged with a reasonable fee based on the controller’s administrative costs.

636 There is no specific form required for the access request. If the data subject, however, makes his request by electronic means, the information shall be provided in a commonly used electronic form unless otherwise requested by the data subject (GDPR, art. 15, para 3). The GDPR does not define which electronic forms are considered as “commonly used”. However, these should be standard electronic formats, such as PDF, PNG etc., which can be opened on any common terminal device (notebooks, smartphones etc.). Moreover, where possible, the controller should be able to provide remote access to a secure system enabling the data subject to directly access his personal data (GDPR, recital 63). Both in the case of an electronic transmission and in the case of remote access the controller should take care of appropriate security measures and encryption techniques. This obligation could impose costs on controllers, e.g. arising from paper records or the need to implement commonly used electronic forms or remote access.

637 Pursuant to GDPR, recital 63 access to all categories of data including data relating to a data subject’s health shall be provided, e.g. data in medical records, such as diagnoses, examination results, assessments by treating physicians, information on treatments or interventions provided.

c) Exceptions, GDPR, art. 15, para 4

638 An explicit exception to the right of access to personal data is laid down in GDPR, art. 15, para 4. According to this provision access to a copy of the processed personal data referred to in GDPR, art. 15, para 3 must not be given to the extent it adversely affects the rights and freedoms of others. According to GDPR, recital 63 this may include possible trade secrets or intellectual property rights of the controller, in particular the copyright protecting software. In such a case the data subject needs to be informed that the access has been restricted, so that the controller complies with the obligation under GDPR, art. 12, para 3 to provide information on the respective actions taken on a request. In order to comply with these requirements it is advisable for controllers to separate the various types of information at an early stage of the processing, e.g. in different categories depending on whether the information may be accessible or not.

639 If the data subject requests access to large quantities of information, which e.g. may result from long-term data processing or usage of online services, the controller may pursuant to GDPR, recital 63 request the data subject to specify his inquiry to specific information or processing activities before the information is provided. However, if the data subject requests all information regarding his personal data, full access has to be granted.

640 GDPR, art. 15 grants data subjects a right to request access to personal data only in order to be aware of, and verify, the lawfulness of the processing. Requests made for other, non-data protection purposes can be lawfully rejected (cf. GDPR, recital 63).

d) Administrative fines

641 If the controller fails to comply with the described obligations pursuant to GDPR, art. 15, GDPR, art. 83, para 5, subpara b) imposes administrative fines up to 20,000,000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.

4. Rectification, GDPR, art. 16

642 Incorrectly or incompletely stored data can have negative impacts on the data subject, as the controller might come to inaccurate conclusions, e.g. regarding the creditworthiness of the data subject or the results of a medical treatment. In order to prevent such negative impacts, GDPR, art. 16 entitles data subjects to obtain correction or completion of their personal data. The burden of demonstration and proof of the incorrectness and incompleteness of the data is with the data subject.

643 The right to rectification is already contained in Directive 95/46, art. 6, para 1, subpara d) and art. 12, para b), whereas the right to complete fragmentary data is newly awarded to the data subject under the GDPR.

a) Correction

644 According to GDPR, art. 16 only the data subject affected (and not any third party) shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him.

645 Pursuant to GDPR, art. 19 the controller has to communicate any rectification to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. Technically, this will require permanent logging by the controller of which personal data were disclosed to which third party, and it is not clearly defined in the GDPR how long such log data shall be stored. From the principle of data minimisation it can be derived that such historic log data may be stored for as long as the personal data themselves may be stored and processed. Furthermore, the controller shall inform the data subject about those recipients if the data subject so requests.
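The disclosure log that the art. 19 duty requires (for rectification here, and equally for erasure and restriction of processing) can be kept as metadata only: which categories went to which recipient and when, never a copy of the data itself. The following is an added illustration and not code from the book or from any real controller system; the class and function names, the recipient names, the data categories and the timestamp are constructed assumptions. It also shows how a recipient the controller cannot reach (impossible or disproportionate effort) is recorded rather than silently dropped, so the decision is documented and the data subject can still be told which recipients exist:

```python
"""Recipient disclosure log supporting GDPR, art. 19 notifications.

Added illustration, not code from the book or any real controller.
Assumptions: one in-memory log per controller; recipient names, categories
and timestamps below are constructed sample values.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Disclosure:
    """One disclosure of personal data of one data subject to one recipient."""
    subject_id: str
    recipient: str
    categories: frozenset   # e.g. {"address", "email"}; the data itself is not logged
    disclosed_at: datetime


class DisclosureLog:
    """Who received which categories of a data subject's data, and when.

    Only metadata is kept (data minimisation): enough to find the recipients
    that must be informed under art. 19, nothing more.
    """

    def __init__(self) -> None:
        self._entries: List[Disclosure] = []

    def record(self, subject_id: str, recipient: str, categories: Set[str],
               when: Optional[datetime] = None) -> None:
        self._entries.append(Disclosure(
            subject_id, recipient, frozenset(categories),
            when or datetime.now(timezone.utc)))

    def recipients_for(self, subject_id: str,
                       categories: Optional[Set[str]] = None) -> Set[str]:
        """Recipients to inform about a rectification, erasure or restriction.

        With `categories` given, only recipients that actually received one of
        the affected categories are returned: a recipient that only ever got
        the e-mail address need not hear about a corrected postal address.
        """
        hits: Set[str] = set()
        for e in self._entries:
            if e.subject_id != subject_id:
                continue
            if categories is None or e.categories & categories:
                hits.add(e.recipient)
        return hits

    def forget_subject(self, subject_id: str) -> int:
        """Drop the log entries once the underlying personal data are gone."""
        before = len(self._entries)
        self._entries = [e for e in self._entries if e.subject_id != subject_id]
        return before - len(self._entries)


def build_art19_notices(log: DisclosureLog, subject_id: str, action: str,
                        categories: Set[str],
                        unreachable: Set[str] = frozenset()) -> Dict[str, list]:
    """Prepare art. 19 notices for one action ("rectification", "erasure",
    "restriction").  Recipients the controller cannot reach are listed under
    "skipped" so that the decision is documented."""
    notices: list = []
    skipped: list = []
    for recipient in sorted(log.recipients_for(subject_id, categories)):
        entry = {"recipient": recipient, "subject_id": subject_id,
                 "action": action, "categories": sorted(categories)}
        (skipped if recipient in unreachable else notices).append(entry)
    return {"notified": notices, "skipped": skipped}


def demo() -> Dict[str, list]:
    """Constructed scenario: three recipients, one rectification of the address."""
    log = DisclosureLog()
    t0 = datetime(2018, 5, 25, tzinfo=timezone.utc)
    log.record("subj-1", "parcel-service", {"name", "address"}, t0)
    log.record("subj-1", "newsletter-provider", {"email"}, t0)
    log.record("subj-1", "credit-agency", {"name", "address"}, t0)
    # the credit agency is assumed unreachable (documented, not silently dropped)
    return build_art19_notices(log, "subj-1", "rectification", {"address"},
                               unreachable={"credit-agency"})
```

In `demo()` only the parcel service receives a notice: the newsletter provider never held the address, and the credit agency is listed as skipped. How long the log itself lives follows the retention of the personal data it describes, which is why `forget_subject` exists.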

b) Completion

646 GDPR, art. 16, moreover, gives the data subject the right to have fragmentary personal data completed, including by means of providing a supplementary statement, taking into account the purposes of the processing. This can prevent uncertainties or misunderstandings arising from incomplete data. The GDPR, however, does not define when information is to be considered incomplete. Information about a data subject’s private bankruptcy, e.g., can be misleading without the complementary information that the proceedings have already been completed.

647 The requirement in GDPR, art. 16 to take into account the purposes of the processing is targeted on limiting the completion of data to cases where the additional information is actually relevant. This has to be decided in each individual case. Nevertheless, controllers should implement processes to be able to receive data subjects’ supplementary information or statements, to check their relevance and, if necessary, to complement the respective data.

5. Right to Erasure/Right to be forgotten, GDPR, art. 17

648 With the right to deletion and the right to be forgotten, GDPR, art. 17 lays down essential data subject rights.

a) Prerequisites for the right to erasure pursuant to GDPR, art. 17, para 1

649 Pursuant to GDPR, art. 17, para 1 a data subject’s personal data has to be deleted for one of the following reasons:
– the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed (GDPR, art. 17, para 1, subpara a)). In this case the further processing of the data would be unlawful according to GDPR, art. 5, para 1, subpara b). If a different purpose compatible with the initial purpose arises, the data may, however, be processed for said other purpose, but the data subject has to be informed about the changed purpose in accordance with GDPR, art. 13 and 14.
– the data subject withdraws consent on which the processing is based according to GDPR, art. 6, para 1, subpara a) or GDPR, art. 9, para 2, subpara a), and where there is no other legal ground for the processing (GDPR, art. 17, para 1, subpara b)). The withdrawal of a data subject’s consent in accordance with GDPR, art. 7, para 3 makes a continuation of processing based on the consent unlawful, so that the personal data has to be deleted. If, however, another legal ground for processing exists, the processing may be continued on that basis and the personal data does not need to be deleted. Controllers should, therefore, always be aware of possible different legal grounds for their processing operations.
– the data subject objects to the processing pursuant to GDPR, art. 21, para 1 and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to GDPR, art. 21, para 2 (GDPR, art. 17, para 1, subpara c)). After objecting to a processing in accordance with GDPR, art. 21 (see section D.IV.8, → mn. 679), further processing of the data subject’s personal data is not allowed due to the processing prohibition pursuant to GDPR, art. 21, paras 1 and 3, if there are no other legal grounds legitimising the processing.
– the personal data have been unlawfully processed (GDPR, art. 17, para 1, subpara d)). Processing could be unlawful, e.g. if there was no legal ground for processing pursuant to GDPR, art. 6 or 9 or if the controller did not meet his data protection obligations.
– the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject (GDPR, art. 17, para 1, subpara e)). This reason is an opening clause for Member States’ own additional provisions for the deletion of personal data.
– the personal data have been collected in relation to services referred to in GDPR, art. 8, para 1, which means data subjects are under 16 years of age (GDPR, art. 17, para 1, subpara f)). This deletion reason is a special provision to protect children. If the data subject has given his consent as a child, he might not have been fully aware of the risks involved in the processing. Therefore, he must be enabled to have his personal data deleted, even if he is no longer a child (cf. GDPR, recital 65). Whether the controller would have another legal ground for the processing is not decisive.

b) Exceptions, GDPR, art. 17, para 3

650 According to GDPR, art. 17, para 3 personal data may not be deleted if its processing is necessary for
– exercising the right of freedom of expression and information (GDPR, art. 17, para 3, subpara a)). According to GDPR, art. 85, para 1 the Member States are obliged to reconcile the right to the protection of personal data with the right to freedom of expression and information pursuant to Charter, art. 11. This exception recognises this conflict and shall prevent the data subject from exercising his erasure rights in order to delete any unpleasant information about him, although the distribution of the relevant information may be permitted by Charter, art. 11. A use case may be ratings of services on online portals.
– compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (GDPR, art. 17, para 3, subpara b)).
– reasons of public interest in the area of public health in accordance with GDPR, art. 9, para 2, subparas h) and i) as well as GDPR, art. 9, para 3 (GDPR, art. 17, para 3, subpara c)).
– archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with GDPR, art. 89, para 1 in so far as the right referred to in GDPR, art. 17, para 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing (GDPR, art. 17, para 3, subpara d)). The exceptions determined in GDPR, art. 17, para 3, subparas b), c) and d) recognise different public interests, which may prevail over the data subject’s interest in deletion.
– the establishment, exercise or defence of legal claims (GDPR, art. 17, para 3, subpara e)).

651 Controllers relying on one of these exceptions bear the burden of demonstration and proof.

c) Right to be forgotten, GDPR, art. 17, para 2 and GDPR, art. 19

652 The right to be forgotten is explicitly mentioned in the GDPR for the first time. However, in its ruling “Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González” the ECJ derived the right to be forgotten from Directive 95/46, art. 12, para b) and art. 14, para 1, subpara a). In that case the Court determined that “the operator of a search engine is obliged to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person”.19 Grounds for removal include cases where the search result(s) “appear to be inadequate, irrelevant or no longer relevant or excessive in the light of the time that had elapsed.”

653 This ruling was the basis of the right to be forgotten laid down in GDPR, art. 17, para 2, which is a consequence of the controller’s obligation to delete personal data of a data subject on request pursuant to GDPR, art. 17, para 1. According to GDPR, art. 17, para 2 the controller is obliged to take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data, taking account of available technology and the cost of implementation. It is, therefore, only relevant in cases in which the personal data that is to be deleted was disclosed to third parties or made public by the controller. GDPR, recital 66 clarifies that this shall strengthen the right to be forgotten especially in the online environment. Although this right will in practice be mostly relevant in the online environment, it is not restricted to this field, but applies to all kinds of data processing.

19 Case C-131/12, 13.5.2014, Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González, 3 CMLR 50, para. 88.

654 According to GDPR, art. 17, para 2 the duty to inform other controllers applies only upon request of the data subject. However, the data subject does not need to expressly demand deletion of all links or copies of the respective personal data. Implied requests for deletion, e.g. by demanding “a complete” deletion, are sufficient. The controller does not have to make excessive or disproportionate efforts, but as a technical measure the search for copies or replications of the personal data via common methods, e.g. search engines, will still be considered as “reasonable effort”.

655 Corresponding to the described information obligation under GDPR, art. 17, GDPR, art. 19 also obliges the controller to communicate erasure of personal data to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. Furthermore, the controller shall inform the data subject about those recipients if the data subject so requests.

656 To be able to comply with the requirements set out in GDPR, art. 19 controllers should document and keep track of the organisations they transfer personal data to and the categories of personal data transferred.

d) Administrative fines

657 Pursuant to GDPR, art. 83, para 5, subpara b) infringements of the provisions set forth in GDPR, art. 17 can be subject to administrative fines up to 20,000,000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.

6. Right to restriction of processing, GDPR, art. 18

658 The data subject has the right to obtain a restriction of the data processing from the controller pursuant to GDPR, art. 18, para 1 if one of the following cases of temporary processing restriction applies:
– the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data. The controller’s data processing will be restricted for the period needed to verify the data subject’s entitlement to make a rectification request pursuant to GDPR, art. 16.
– the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead. In case of unlawful processing and the data subject opposing the erasure of the personal data pursuant to GDPR, art. 17, he may instead request the restriction of processing of the personal data. The processing will be restricted until the data subject requests erasure of the personal data.
– the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims. In this case the duration of the restriction will be the time needed for the data subject to establish, exercise or defend his legal claim. In contrast to the other cases, the controller here does not have an interest in keeping the personal data. However, the controller is obliged to store the personal data further on due to the legitimate interest of the data subject.
– the data subject has objected to processing pursuant to GDPR, art. 21, para 1 pending the verification whether the legitimate grounds of the controller override those of the data subject. The processing will in this case be restricted for the time needed to verify the data subject’s right to object to the processing pursuant to GDPR, art. 21, para 1.

In each of the cases listed above the data subject bears the burden of demonstration and proof.

If a case defined in GDPR, art. 18, para 1 is given, the controller shall pursuant to GDPR, art. 18, para 2 no longer process, but only store the respective personal data. However, processing is still lawful with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. A controller trying to invoke one of these exceptional cases bears the respective burden of demonstration and proof.

GDPR, recital 67 gives examples as to how the restriction of the processing may be realised. Methods to restrict the processing of personal data could include, e.g. temporarily moving the selected data to another processing system, making the selected personal data unavailable to users, or temporarily removing published data from a website. In automated filing systems, the restriction of processing should in principle be ensured by technical means in such a manner that the personal data are not subject to further processing operations and cannot be changed. It should be clearly indicated in the system that the processing of personal data is restricted. To facilitate the processing limitation, restricted data should be marked accordingly (cf. GDPR, art. 4, no. 3). Keeping those recommendations in mind, controllers should consider implementing respective measures in due time to be able to comply with possible restriction requests by data subjects as soon as the GDPR applies.

If the respective restriction period comes to an end, the data subject who has obtained the restriction of processing shall be informed by the controller before the restriction of processing is lifted (GDPR, art. 18, para 3). The controller will also have to communicate any restriction of processing implemented to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject so requests (GDPR, art. 19).
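The technical restriction that recital 67 describes for automated filing systems (data kept, clearly marked as restricted, not usable for further operations and not changeable, with the art. 18, para 2 grounds as the only way through, and the data subject informed before the mark is removed) can be enforced at the storage layer rather than left to each application. The following is an added example and not code from the book or from any real product; the store, the ground labels in `ALLOWED_WHILE_RESTRICTED` and the record contents are constructed assumptions:

```python
"""Restriction of processing (GDPR, art. 18) enforced in a record store.

Added illustration, not code from the book or any real controller system.
Assumptions: records live in a small in-memory store; the ground labels are
constructed names for the art. 18, para 2 exceptions; record contents are
constructed sample values.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional, Tuple

# Grounds on which a restricted record may still be processed (art. 18, para 2).
# Mere storage needs no ground and is always allowed.
ALLOWED_WHILE_RESTRICTED = {
    "consent", "legal_claims", "rights_of_another_person", "important_public_interest",
}


class ProcessingRestricted(Exception):
    """Raised when a processing operation hits a restricted record."""


@dataclass
class Record:
    subject_id: str
    data: Dict[str, Any]
    restricted: bool = False                   # the marking recital 67 asks for
    restriction_reason: Optional[str] = None   # e.g. "accuracy contested"


class RecordStore:
    """Restricted records are kept, but every use or change must state a ground."""

    def __init__(self) -> None:
        self._records: Dict[str, Record] = {}

    def put(self, record_id: str, subject_id: str, data: Dict[str, Any]) -> None:
        self._records[record_id] = Record(subject_id, dict(data))

    def restrict(self, record_id: str, reason: str) -> None:
        rec = self._records[record_id]
        rec.restricted, rec.restriction_reason = True, reason

    def _check(self, rec: Record, record_id: str, ground: Optional[str]) -> None:
        if rec.restricted and ground not in ALLOWED_WHILE_RESTRICTED:
            raise ProcessingRestricted(
                f"record {record_id} is restricted ({rec.restriction_reason})")

    def read(self, record_id: str, ground: Optional[str] = None) -> Dict[str, Any]:
        """Use of the data in an operation: blocked while restricted unless an
        art. 18, para 2 ground is stated by the caller."""
        rec = self._records[record_id]
        self._check(rec, record_id, ground)
        return dict(rec.data)

    def update(self, record_id: str, changes: Dict[str, Any],
               ground: Optional[str] = None) -> None:
        """Restricted data must not be changed either (recital 67)."""
        rec = self._records[record_id]
        self._check(rec, record_id, ground)
        rec.data.update(changes)

    def status(self) -> List[Tuple[str, bool, Optional[str]]]:
        """What operators see: the restriction is clearly indicated per record."""
        return [(rid, r.restricted, r.restriction_reason)
                for rid, r in sorted(self._records.items())]

    def lift(self, record_id: str, inform: Callable[[str, str], None]) -> None:
        """End the restriction; the data subject is informed first (art. 18, para 3)."""
        rec = self._records[record_id]
        inform(rec.subject_id, record_id)   # must run before the flag is cleared
        rec.restricted, rec.restriction_reason = False, None


def demo() -> Dict[str, Any]:
    """Constructed walk-through: accuracy contested, routine use blocked,
    use for a legal claim allowed, restriction lifted after informing."""
    store = RecordStore()
    store.put("rec-1", "subj-1", {"address": "Old Street 1", "score": 710})
    store.restrict("rec-1", "accuracy contested, art. 18(1)(a)")
    result: Dict[str, Any] = {"blocked": False, "update_blocked": False}
    try:
        store.read("rec-1")                                # routine use: must fail
    except ProcessingRestricted:
        result["blocked"] = True
    try:
        store.update("rec-1", {"address": "New Street 2"})  # change: must fail
    except ProcessingRestricted:
        result["update_blocked"] = True
    result["legal_claim_ok"] = "score" in store.read("rec-1", ground="legal_claims")
    notified: List[Tuple[str, str]] = []
    store.lift("rec-1", lambda subject, rid: notified.append((subject, rid)))
    result["notified"] = notified
    result["status_after"] = store.status()
    return result
```

The ground is supplied by the caller and should be logged by a real system, because under art. 18, para 2 the controller carries the burden of proof for invoking it; the store only makes the silent path (no ground stated) impossible.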


7. Data Portability, GDPR, art. 20

663 Data portability pursuant to GDPR, art. 20 is a completely new right for data subjects, which is not contained in Directive 95/46. Whereas GDPR, art. 20, para 1 gives the data subject the right to receive his personal data provided to the controller, GDPR, art. 20, para 2 grants the data subject a right to have the personal data transmitted directly from one controller to another, if it is technically feasible. The Art. 29 Working Party adopted on 13 December 2016 its working paper 242 “Guidelines on the right of data portability”20 to provide guidance on the way to interpret and implement the right to data portability.

664 These new rights are intended to strengthen the data subject’s control over his own data (cf. GDPR, recital 68) and to prevent vendor lock-in effects.

a) Prerequisites

665 The right to data portability is given only if
– the processing is based on consent pursuant to GDPR, art. 6, para 1, subpara a) or GDPR, art. 9, para 2, subpara a) or on a contract pursuant to GDPR, art. 6, para 1, subpara b); and
– the processing is carried out by automated means.

The GDPR does not establish a general right to data portability, and certainly none in cases where the processing of personal data is not based on consent or contract (GDPR, recital 68).

666 The term “automated means” is not separately defined within the GDPR; however, it is mentioned in GDPR, art. 4, no. 2 in the definition of “processing”, which may be performed by automated means or not. Nevertheless the right to data portability is only applicable to processing by automated means.

667 According to GDPR, art. 20, para 1 the right to data portability is only granted with respect to personal (including pseudonymised, but not anonymised) data provided to the controller by the data subject. Where personal data refer to several data subjects, each data subject is entitled to portability of such data.

668 Data “provided” by the data subject includes not only the data subject’s master data relevant for the performance of the contract but also data collected by the controller from the data subject with the data subject’s consent or in performing a contract with the data subject, such as raw data generated by a smart meter installed in the data subject’s household, heartbeat tracks transmitted by the data subject’s fitness or health trackers or search history data.21 Data created by the controller on the basis of personal data provided by the data subject (fitness analysis, credit scores, etc.) are to be considered as the controller’s data and are not subject to the right to data portability. Pursuant to the Art. 29 Working Party the term “provided by the data subject” must in general be interpreted broadly; only inferred or derived data shall be excluded.22

20 WP 242.
21 WP 242, 8.

b) Performance of data portability

669 Personal data to be provided or transmitted pursuant to GDPR, art. 20, para 1 must be made available in a structured, commonly used and machine-readable format. Given the range of data processing systems and formats used by data controllers, the GDPR does not stipulate a specific data format to be used. Therefore, the term is open to technical change and has to be interpreted according to the current state of the art. Besides, data controllers shall be encouraged to develop interoperable23 formats that enable data portability (GDPR, recital 68).

670 Besides, GDPR, art. 20, para 1 determines that data subjects have the right to transmit their personal data to another controller “without hindrance” from the initial controller. The latter shall not impede the transmission to and the possible competition with other controllers by any (legal or technical) restrictions.

671 If the data subject requests transmission of his personal data to another controller pursuant to GDPR, art. 20, para 2, the personal data shall be transmitted directly from one controller to another, where this is technically feasible. Whether a direct transmission is technically feasible must be determined in each individual case depending both on the state of the art, which is to be determined from an objective point of view, and on subjective factors regarding the specific controller company, its economic strength and the temporal and financial effort to implement the technical feasibility. If, with regard to these parameters, the direct transmission is technically not feasible, the controller may reject the respective data subject’s request. However, the data subject may still demand a transmission pursuant to GDPR, art. 20, para 1, which the controller will usually have to comply with.

c) What does “portability” mean?

672 The GDPR does not define the term “portability”. However, in accordance with the procedure described above, the term describes the factual possibility to receive and transfer one’s own personal data in a technically convenient way. Data portability does not automatically trigger the erasure of the data from the data controller’s systems and does not affect the original retention period applying to the data which have been transmitted according to the right to data portability.24

673 On a technical level, the Art. 29 Working Party recommends that data controllers should offer different implementations of the right to data portability, such as direct download opportunities for the data subject, the possibility to directly transmit the data to another data controller via an application programming interface (API), or the possibility that a trusted third party holds and stores the personal data and grants access to the personal data as required.25

22 WP 242, 8 f.
23 Within the meaning of Art. 2 of Decision No. 922/2009/EC of the Parliament and of the Council of 16 September 2009 on interoperability solutions for European public administrations, OJ L 260, page 20.
24 WP 242, 6.

d) Receiving data controller

674 In case of a data transfer to another data controller the receiving data controller is responsible for ensuring that the portable data received are relevant and not excessive with regard to the new data processing. A receiving data controller shall, therefore, analyse whether the data received are relevant for the new processing and, if necessary, discard data.26

e) Exceptions, GDPR, art. 20, paras 3 and 4

675 GDPR, art. 20, paras 3 and 4 determine exceptions to the data portability rights. Although both of the foregoing paragraphs only refer to GDPR, art. 20, para 1, these exceptions should be applicable to both GDPR, art. 20, paras 1 and 2.

676 Pursuant to GDPR, art. 20, para 3 the data portability rights shall not apply to such processing activities which are necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The right should, therefore, not be exercised against controllers processing personal data in the exercise of their public duties and where the processing of the personal data is necessary for compliance with a legal obligation (cf. GDPR, recital 68). Exercising the data portability right shall leave the data subject’s right to deletion pursuant to GDPR, art. 17 unaffected (GDPR, art. 20, para 3).

677 According to GDPR, art. 20, para 4 the right of data portability shall not apply where it would adversely affect the rights and freedoms of others. This may, amongst others, include the rights of other data subjects, e.g. if data records of one data subject contain data of another person. Especially in the context of social networks and, e.g., uploaded pictures which portray more than one person, rights of other persons may be relevant. Also the controller may not be affected in its rights and freedoms, such as the practice of its established and operating business. Controllers will have to come up with technical solutions to be able to provide data portability whilst complying with the described exceptional cases, especially regarding the protection of the rights of third persons.
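The technical solution asked for at the end of this section has three decisions built into it: whether art. 20 applies at all (consent or contract, automated processing), which fields are “provided” by the data subject as opposed to derived by the controller, and which fields must be withheld because they concern other persons (art. 20, para 4). The following is an added example and not code from the book, from WP 242 or from any real product; the origin tags on each field, the `concerns_others` flag and the sample profile are constructed assumptions. JSON is used as one structured, commonly used and machine-readable format; the GDPR prescribes none:

```python
"""Data portability export (GDPR, art. 20).

Added illustration, not code from the book or any real controller.
Assumptions: each stored field carries an origin tag ("provided" = given by
the data subject, "observed" = collected from the subject's use of the service,
such as raw smart-meter readings, "derived" = created by the controller) and a
flag for data that concerns other persons.  Names and values are constructed.
"""
import json
from dataclasses import dataclass
from typing import Any, Dict, List

PORTABLE_ORIGINS = {"provided", "observed"}     # "provided" read broadly (WP 242)
PORTABLE_LEGAL_BASES = {"consent", "contract"}  # art. 20, para 1, subpara a)


class PortabilityNotApplicable(Exception):
    """Processing is outside art. 20, para 1 (no consent/contract or not automated)."""


@dataclass(frozen=True)
class Field:
    name: str
    value: Any
    origin: str                    # "provided" | "observed" | "derived"
    concerns_others: bool = False  # contains personal data of other data subjects


def is_portable(legal_basis: str, automated: bool) -> bool:
    """Both prerequisites of art. 20, para 1 must hold."""
    return legal_basis in PORTABLE_LEGAL_BASES and automated


def build_export(subject_id: str, fields: List[Field],
                 legal_basis: str, automated: bool) -> Dict[str, Any]:
    """Assemble the data set the data subject is entitled to receive.

    Derived data stays with the controller; fields concerning other persons
    are withheld under art. 20, para 4.  Withheld fields are listed with the
    reason so the data subject can see what was not exported and why.
    """
    if not is_portable(legal_basis, automated):
        raise PortabilityNotApplicable(
            f"basis={legal_basis!r}, automated={automated}")
    included: Dict[str, Any] = {}
    withheld: List[Dict[str, str]] = []
    for f in fields:
        if f.origin not in PORTABLE_ORIGINS:
            withheld.append({"field": f.name,
                             "reason": "inferred or derived by the controller"})
        elif f.concerns_others:
            withheld.append({"field": f.name,
                             "reason": "contains data of other persons, art. 20, para 4"})
        else:
            included[f.name] = f.value
    return {"subject_id": subject_id, "data": included, "withheld": withheld}


def to_json(export: Dict[str, Any]) -> str:
    """Serialise as JSON: structured, commonly used and machine-readable."""
    return json.dumps(export, indent=2, sort_keys=True, ensure_ascii=False)


def demo() -> Dict[str, Any]:
    """Constructed profile of one data subject of a metering/fitness service."""
    profile = [
        Field("name", "A. Example", "provided"),
        Field("email", "a.example@example.invalid", "provided"),
        Field("smart_meter_kwh", [0.4, 0.3, 0.9], "observed"),
        Field("credit_score", 710, "derived"),
        Field("group_photo", {"file": "img-17.jpg", "tagged": ["subj-2"]},
              "provided", concerns_others=True),
    ]
    export = build_export("subj-1", profile, legal_basis="contract", automated=True)
    return json.loads(to_json(export))   # round trip: the output parses back
```

In `demo()` the name, e-mail address and raw meter readings are exported, the credit score is withheld as the controller’s own data, and the group photo is withheld because it portrays another person. A real system would additionally have to decide per field whether third-party content can be exported under the data subject’s sole control, which WP 242 discusses and this example deliberately resolves in the restrictive direction.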

f) Administrative fines

678 Pursuant to GDPR, art. 83, para 5, subpara b) infringements of the provisions set forth in GDPR, art. 20 can be subject to administrative fines up to 20,000,000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.

25 WP 242, 5.
26 WP 242, 6.

8. Right to object, GDPR, art. 21

679 The GDPR does not grant data subjects a general right to object to the processing of their personal data. Pursuant to GDPR, art. 21, para 1 the data subject shall, however, have the right to object, on grounds relating to his particular situation, at any time to processing of personal data concerning him which is based on legitimate interests or on the performance of a task carried out in the public interest or in the exercise of official authority, including profiling based on those provisions.

A right to object is also granted under Directive 95/46, art. 14, para a). Under this provision, however, the data subject has to bring forward compelling legitimate grounds relating to his particular situation against the processing of data relating to him, in order to oblige the controller to stop processing these data.

GDPR, art. 21, para 1 reverses the burden of proof to the detriment of the controller. It states that the controller “shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims”. Thus, the controller now has to demonstrate the compelling legitimate grounds which allow processing to continue if it wishes to further process the personal data concerned.

The term “on grounds relating to his particular situation”, however, is not a requirement for the admissibility of the objection. Rather, the data subject shall have the right to emphasise his specific interests in his personal data not being processed which the controller may not yet have considered within its weighing of interests.

It is to be clarified that in the situations defined in GDPR, art. 21 the data processing is generally lawful, but may nevertheless be subject to objection due to particular grounds lying in the data subject’s specific situation.


a) Right to object to processing for direct marketing purposes

684 In contrast to GDPR, art. 21, para 1, GDPR, art. 21, para 2 provides for an absolute right of data subjects to object to data processing for direct marketing purposes, which includes profiling. In such cases the data subject neither has to demonstrate compelling grounds for objection, nor can the controller demonstrate compelling grounds which would allow him to continue to process the data (see section E.V.2.e), → mn. 1158). The legal consequence is stipulated in GDPR, art. 21, para 3: “Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes”. Lawful processing for other purposes thus remains unaffected.

Joachim Schrey

147

D. General conditions for data processing in companies under the GDPR

b) Obligation to inform the data subject about his right to object

An obligation to inform the data subject about the existence of his right to object already follows from GDPR, art. 13, para 2, subpara b) and GDPR, art. 14, para 2, subpara c). GDPR, art. 21, para 4 specifies that the right to object “shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information […] at the latest at the time of the first communication”. Thus, companies should pay particular attention to the right to object and provide the required information accordingly.

c) Modalities to exercise the right to object

According to GDPR, recital 59 controllers should provide modalities enabling data subjects to exercise their rights free of charge. The controller can, e.g., enable data subjects to exercise their right by providing a possibility to register the respective personal data in a specific list (online or offline). For the specific Robinson lists concerning the objection to processing for direct marketing purposes, see section E.IV.4.a)(aa), → mn. 1084.

Where personal data are processed by electronic means (namely in an online context), the controller should also provide means for electronic submission of requests (GDPR, recital 59). GDPR, art. 21, para 5 defines specific modalities for exercising the right to object in the context of the use of information society services: the data subject may, notwithstanding the ePrivacy Directive, exercise his right to object by automated means using technical specifications. Pursuant to GDPR, art. 4, no. 25 in conjunction with Directive (EU) 2015/1535, art. 1, para 1, subpara b) information society services are “services normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services” and accordingly include online services. When offering such services, the controller is required to provide users with an automated method to exercise the objection. Thus, the right to object can, e.g., be realised by enabling a do-not-track function of the data subject’s browser.

d) Deadline for the controller to respond to an objection

GDPR, art. 12, paras 3 and 4 require a response to a request of the data subject without undue delay and in any event within one month of receipt of the request (see section D.IV.1.a), → mn. 604). If the objection was exercised under GDPR, art. 21, para 1, the controller must therefore demonstrate its compelling legitimate grounds for further processing within one month. In case of an objection to processing for direct marketing purposes pursuant to GDPR, art. 21, para 2, the controller has to respond without undue delay, i.e. desist from the processing promptly upon receipt of the request. Controllers should, therefore, implement respective mechanisms enabling them to respond and react within the given time frame.


e) Right to object to processing personal data for scientific or historical research purposes or statistical purposes pursuant to GDPR, art. 89, para 1

Pursuant to GDPR, art. 21, para 6 the data subject shall, on grounds relating to his particular situation, have the right to object to processing of personal data concerning him for statistical, scientific or historical research purposes pursuant to GDPR, art. 89, para 1, unless the processing is necessary for the performance of a task carried out for reasons of public interest. This specific right to object to processing of personal data pursuant to GDPR, art. 89, para 1 is new under the GDPR. The obligation to inform the data subject about the right to object in this context follows from GDPR, art. 13, para 2, subpara b) and GDPR, art. 14, para 2, subpara c). In this case, the information does not necessarily have to be presented separately from any other information (in contrast to the information to be provided in the context of GDPR, art. 21, paras 1 and 2).

f) Administrative fines

If the controller fails to comply with the obligations pursuant to GDPR, art. 21, administrative fines up to 20,000,000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher, might be imposed, GDPR, art. 83, para 5, subpara b).

9. Right not to be subject to automated individual decision-making, GDPR, art. 22

Pursuant to GDPR, art. 22, para 1 “[t]he data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or similarly significantly affects him.” Although the provision does not explicitly set forth the legal consequence if this right is exercised, its systematic position within Chapter III “rights of the data subject” clarifies that the data subject shall have the right to a final decision by a human being instead of solely automated individual decision-making.

A decision is based solely on automated processing if no human intervention takes place and the outcome of the processing is not reviewed by a person who is responsible for the decision. For a definition and more information on profiling please see section E.V., → mn. 1146 et seqq.

a) Legal or similar significant effects

GDPR, art. 22, para 1 only applies if the decision produces legal effects concerning the data subject or similarly significantly affects him. The GDPR itself does not provide a clear definition of “significantly affecting” practices; GDPR, recital 71 only gives examples for similar significant effects: these are automatic refusals of an online credit application (due to negative scoring) and e-recruiting practices without any human intervention. Another example could be the general refusal to conclude a contract based on automated individual decision-making. These practices are prohibited under GDPR, art. 22, para 1. However, exceptions may apply pursuant to GDPR, art. 22, para 2 (see section D.IV.9.b), → mn. 695).

It can be disputed whether targeted advertisements “significantly affect” data subjects. Targeted advertisements may be perceived as encumbering, but do not result in immediate legal or commercial effects compared to the examples listed in GDPR, recital 71 (“automatic refusal of an online credit application or e-recruiting practices”). Therefore, targeted advertising alone does not immediately affect data subjects significantly. If, however, targeted advertising results in offering different prices or instalment payments only to certain customers, a significant effect in the meaning of GDPR, art. 22 can be assumed.

b) Exceptions and examples

The right not to be subjected to an automated decision is not granted pursuant to GDPR, art. 22, para 2 if an automated decision
– is necessary for entering into, or performance of, a contract between the data subject and a data controller (GDPR, art. 22, para 2, subpara a)). This exception applies, inter alia, in cases in which the automated decision is part of the services offered by the contractual partner. Whether an automated decision is “necessary” in the foregoing meaning is to be assessed from an objective point of view. As a result, automated decision-making which the controller considers helpful but which is not objectively necessary when entering into or performing a contract is not exempted.
– is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests (GDPR, art. 22, para 2, subpara b)). This exception contains an opening clause for the national legislators and gives Member States the option to authorise automated individual decision-making in certain cases. Pursuant to GDPR, recital 71 examples may be automated decisions for fraud and tax-evasion monitoring and prevention purposes and to ensure the security and reliability of a service provided by the controller.
– is based on the data subject’s explicit consent (GDPR, art. 22, para 2, subpara c)). There is no equivalent to this provision under Directive 95/46. The consent given by the data subject must comply with the requirements of GDPR, art. 7 (see section C.II.3., → mn. 429 et seqq.) and cannot be derived from conduct implying that the data subject gives his consent. Consent for automated decision-making is often given in the context of insurance contracts to evaluate which insurance tariff can be offered to the prospective policyholder.

If one of these exceptional cases applies, automated individual decision-making can take place without any human intervention. The controller must, nevertheless, ensure that factors which result in inaccuracies in personal data are corrected and the risk of errors is minimised pursuant to GDPR, recital 71. Furthermore, the controller must prevent, inter alia, discriminatory effects on natural persons on the basis of racial or ethnic origin, political opinion, religion or beliefs, trade union membership, genetic or health status or sexual orientation. Appropriate mathematical or statistical procedures for the profiling should be used and appropriate technical and organisational measures should be implemented (cf. section D.I.8.b), → mn. 543). This includes, inter alia, ensuring confidentiality, integrity and resilience of processing systems and a process for regularly testing, assessing and evaluating the effectiveness of these measures. Moreover, automated decisions or measures under GDPR, art. 22 should not be open for use by children (cf. GDPR, recital 71). Accordingly, automated individual decision-making should not be conducted in circumstances where personal data of children are concerned. Furthermore, the data subject has to be informed about the logic involved in the automated processing and the significance and consequences of such processing pursuant to GDPR, art. 13, para 2, subpara f) or art. 14, para 2, subpara g).

c) Right to review

When automated individual decisions are necessary for a contract (GDPR, art. 22, para 2, subpara a)) or based on the data subject’s consent (GDPR, art. 22, para 2, subpara c)), the controller shall, pursuant to GDPR, art. 22, para 3, implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests. The data subject should at least have the right to obtain human intervention, to express his point of view and to contest the decision. Pursuant to GDPR, recital 71 the data subject also has the right to obtain an explanation of the decision reached after such assessment. In summary, GDPR, art. 22, para 3 constitutes a right to review for the data subject. According to GDPR, art. 70, para 1, subpara f) the Board shall issue guidelines, recommendations and best practices for further specifying the criteria and conditions for decisions based on profiling pursuant to GDPR, art. 22, para 2. Businesses should therefore regularly verify whether such guidelines or recommendations have been issued and adapt their practices accordingly.

d) Special categories of personal data

GDPR, art. 22, para 4 prohibits automated individual decision-making based on special categories of personal data (GDPR, art. 9, para 1). An exception is made if the data subject has given his explicit consent pursuant to GDPR, art. 9, para 1, subpara a) or if the processing is necessary for reasons of substantial public interest (GDPR, art. 9, para 1, subpara g)). The latter exception will not be relevant for private companies which process personal data. Therefore, if a company wishes to automate decisions based on special categories of personal data, it has to obtain the explicit prior consent of the data subject. Controllers may often want to incentivise data subjects to give their consent by offering more favourable contractual conditions. This practice, however, may infringe the prohibition of interconnection (see section C.II.3.a)(bb)(2), → mn. 447, and section E.IV.5.a)(aa), → mn. 1105).

e) Administrative fines

In case the controller fails to comply with the data subject’s rights pursuant to GDPR, art. 22, administrative fines up to 20,000,000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher, might be imposed on the controller (GDPR, art. 83, para 5, subpara b)).

10. Data breach notification to data subject, GDPR, art. 34

GDPR, art. 34 introduces a new obligation for the controller to notify data subjects in specific cases of data breaches. This duty supplements the general information duties of the controller pursuant to GDPR, art. 13 and 14 (see section D.IV.2., → mn. 619 et seqq.).

a) Obligation of the controller to notify

Pursuant to GDPR, art. 34, para 1 the controller shall communicate a personal data breach to the data subject without undue delay if it is likely to result in a high risk to the rights and freedoms of natural persons.

The term “personal data breach” is defined in GDPR, art. 4, no. 12 as a “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. Examples of such a data breach are hacked e-mail or bank accounts. Data breaches can “result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned”. The information shall enable data subjects to react to such situations by taking the necessary precautions to prevent (further) damage, e.g. replacing their credit cards if the card details have leaked.

The GDPR does not define what is to be considered a “high risk” to the rights and freedoms of natural persons. Considering that the purpose of this clause is to protect data subjects from damage, which is only possible if the data subject is informed in due time, it appears reasonable to interpret the requirement of a high risk broadly. However, as too many notifications are likely to desensitise data subjects, which would run contrary to the purpose of GDPR, art. 34 as described above, the term should not be understood as including any possibility of infringement. Notification of minor data breaches which are unlikely to adversely affect the rights and freedoms of data subjects should, therefore, be avoided.27 Thus, a “high risk” must be assumed whenever there is a reasonable probability of infringements of data subjects’ rights and freedoms. The level of risk has to be evaluated in each individual case.

If such a high risk exists, the controller shall inform the data subject without undue delay, i.e. “as soon as reasonably feasible”, so that the data subject has a higher chance to prevent damage possibly resulting from the data breach. The need to mitigate an immediate risk of damage, e.g., requires prompt communication with the data subjects, whereas the need to implement appropriate measures against continuing or similar personal data breaches may justify a longer period before the data subject is informed (cf. GDPR, recital 86). Therefore, the specific time frame for the notification depends on the individual case.

If the controller has not yet communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may pursuant to GDPR, art. 34, para 4 order the controller to notify the data subject or may decide that one of the exceptional cases referred to in GDPR, art. 34, para 3 (see below) exists. The controller should act in close cooperation with the supervisory authority, respecting guidance provided by it or by other relevant authorities such as law-enforcement authorities (cf. GDPR, recital 86).

Therefore, controllers will have to implement not only structures to detect data breaches and to evaluate the level of possible risks for the data subjects concerned but also notification measures to be able to inform the data subjects in due time.

b) Minimum content and form

By referring to GDPR, art. 22, para 3, subparas b), c) and d), GDPR, art. 34 requires the controller to include in the notification at least the following information:
– the name and contact details of the DPO or any other contact person from whom more information can be obtained;
– a description of the likely consequences of the personal data breach;
– a description of the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

27 WP 191, 16.


Furthermore, the communication to the data subject shall describe in clear and plain language the nature of the personal data breach, so that it is easily understandable for everyone (GDPR, art. 34, para 2). Usually a notice in written or textual form should be sufficient. However, where the controller can contact the data subject only via telephone, because his e-mail or postal address is unknown, the controller is obliged to do so. In cases where the controller either does not have enough contact details to notify the respective data subjects or it is not possible to identify all data subjects likely to be affected by the data breach, the obligation under GDPR, art. 34 may result in the controller having to pursue all other reasonable efforts to notify those individuals, e.g. through advertisements in major national or regional media or on the respective company website.28 The GDPR does not require a minimum number of data subjects concerned to impose the notification obligation, so that if just one individual data subject is affected by a personal data breach, the controller is obliged to inform that data subject.29

The notification obligation might become quite laborious for controllers who process large amounts of personal data of a huge number of data subjects. Thus, controllers should consider preparing notification forms which, in case of a data breach, can be quickly filled in with the relevant information on the specific data breach and sent out to the respective data subjects.

c) Exceptions

Pursuant to GDPR, art. 34, para 3 data breach notifications to the data subjects are not needed if any of the following conditions are met:
– the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption. The controller itself is thus able to implement appropriate measures reducing the risk of data subjects being affected by data breaches, in order to be exempted from the described notification obligation. Since encryption is particularly effective in rendering the data subjects’ personal data unintelligible to any person not authorised to access it, data subjects are not likely to be affected by possible breaches of encrypted data, so that they do not need to be notified.30
– the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in GDPR, art. 34, para 1 is no longer likely to materialise.

28 WP 213, 15.
29 WP 213, 14.
30 WP 213, 3.


Similar to the first exception, the controller itself can take appropriate measures to mitigate data breach risks for data subjects. As, consequently, there is no high risk to the data subjects’ rights and freedoms, they do not need to be notified. Therefore, the best way for controllers to avoid having to notify data subjects is to implement appropriate privacy safeguards within their processing operations.31
– it would involve disproportionate effort. Instead, in such a case, there shall be a public communication or similar measure whereby the data subjects are informed in an equally effective manner. An effective manner to inform a large number of data subjects could be through advertisements in major national or regional media or on the company website, as described above, which may, however, cause more reputational damage to the controller than individual communication.

With regard to these exceptions it seems advisable for controllers to implement appropriate measures reducing risks for data subjects in cases of data breaches in order to avoid the burdensome notification obligations. Moreover, any public notification of data breaches is likely to harm the controller’s reputation.

d) Administrative fines

Pursuant to GDPR, art. 83, para 4, subpara a) infringements of the described notification obligation may be subject to administrative fines up to 10,000,000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.

V. Cooperation between companies and the supervisory authorities

1. Competent authority – one stop shop

The supervision of data protection and privacy compliance by governmental authorities has been significantly strengthened by GDPR, art. 51 to 76, in comparison to Directive 95/46, art. 28 to 30. Pursuant to GDPR, recital 117 the regulator qualifies the establishment of governmental supervisory authorities in each Member State, authorised and empowered to perform their tasks and exercise their powers with complete independence, as an essential component of the protection of individuals with regard to the processing of their personal data. If and to the extent necessary to reflect their constitutional, organisational and administrative structure, Member States may establish more than one supervisory authority.

The requirement of complete independence of a supervisory authority is detailed in GDPR, art. 4, no. 21, art. 51, para 1 and art. 52, paras 1 and 2 ff. This independence means:

31 WP 213, 4.


– Their supervisory activities shall not be impacted by any third party or external influence or by any third party’s instructions. This also means that supervisory authorities shall neither seek nor take instructions from anybody, GDPR, art. 52, para 2;
– Pursuant to GDPR, art. 52, para 3 members or officials working in a supervisory authority shall refrain from any action which might be incompatible with their duties and shall not engage in any incompatible occupation, whether gainful or not;
– Each Member State shall ensure that its supervisory authorities are provided with sufficient personnel as well as technical and financial resources, premises and infrastructure which might be necessary for the effective performance of their tasks and exercise of their powers, including fulfilment of their obligation to assist other supervisory authorities, to cooperate with other supervisory authorities and to participate in the Board (GDPR, art. 70), GDPR, art. 52, para 4;
– Pursuant to GDPR, art. 52, para 6 each supervisory authority shall have separate, public annual budgets which may be part of the overall state or national budget, and any financial control hereon shall not affect its independence;
– With respect to the provision of sufficient personnel, GDPR, art. 52, para 5 clarifies that each supervisory authority may choose and have its own staff which shall be subject to the exclusive direction of the executive director of the supervisory authority.

However, as necessary in each constitutional state, the activities and administrative measures of each supervisory authority are obviously subject to control by the competent national courts (cf. GDPR, recital 118). Both the data subject and each controller and processor shall have the right to seek legal protection by the competent courts (regularly administrative courts), both to protect against administrative measures of supervisory authorities and to enforce their rights and claim administrative measures by supervisory authorities.

In the majority of cases not only one supervisory authority will be obliged to fulfil the tasks defined in GDPR, art. 57 and will be competent to take the measures under GDPR, art. 58; instead – pursuant to GDPR, art. 4, no. 22 – various supervisory authorities will qualify as “supervisory authority concerned” if
– the controller or processor is established on the territory of the Member State of that supervisory authority (GDPR, art. 4, no. 22, subpara a));
– data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing of personal data (GDPR, art. 4, no. 22, subpara b)); or
– a complaint has been lodged by a data subject concerned with that supervisory authority (GDPR, art. 4, no. 22, subpara c)).


In cross-border processing within the meaning of GDPR, art. 4, no. 23, supervisory authorities in several Member States will qualify as supervisory authorities concerned within the meaning of GDPR, art. 4, no. 22, since either the processing of personal data takes place in the context of the activities of establishments of a controller or processor in more than one Member State, where the controller or processor is established in more than one Member State; or the processing of personal data takes place in the context of the activities of a single establishment of the controller or processor in the Union but substantially affects or is likely to substantially affect data subjects in more than one Member State (cf. GDPR, art. 4, no. 23). The GDPR, however, neither defines under which circumstances the data subject is considered “substantially” or only insubstantially affected, nor under which conditions an individual is seen as “affected” at all. The Art. 29 Working Party interprets the term “substantial” in line with its most relevant ordinary English meaning as “of ample or considerable amount or size”, “sizable”, “fairly large”, or “having solid worth or value of real significance”.32 A data subject is affected by data processing if it has some form of impact on the data subject.33 A substantial effect can, therefore, be assumed if the relevant processing of personal data would require the preparation of a data protection impact assessment pursuant to GDPR, art. 35 or if the effect would require a notification of a personal data breach either to the data subject (GDPR, art. 34) or to the supervisory authority (GDPR, art. 33).

a) Concept of lead and concerned authority

Each supervisory authority is entitled to take administrative measures only in its own jurisdiction, so that in case of a data privacy breach it is very likely that different supervisory authorities in different Member States will be competent to take administrative measures under the GDPR and/or any applicable national law.

To avoid each competent supervisory authority taking (different) administrative measures in the same case of data privacy breach, the GDPR implemented the concept of the lead and the concerned authority. The purpose of this concept is not only to define the finally competent authority among various competent supervisory authorities, but also to implement a one-stop-shop concept that enables controllers and/or processors to correspond and cooperate with one supervisory authority only and to prevent controllers and/or processors from being confronted with possibly contradictory administrative measures of several supervisory authorities. The Art. 29 Working Party adopted on 13 December 2016 a guideline for identifying a controller’s or processor’s lead supervisory authority.34

32 WP 244, 3.
33 WP 244, 3.
34 WP 244.


Pursuant to GDPR, art. 56, para 4 the supervisory authority of the main establishment or of the single establishment of the controller or processor shall be competent to act as lead supervisory authority for cross-border processing carried out by that controller or processor. The lead supervisory authority shall then cooperate with the other supervisory authorities concerned pursuant to the cooperation and assistance mechanisms outlined in GDPR, art. 60.

In view of the one-stop-shop principle, each controller or processor will have to identify the lead supervisory authority which will be competent for that controller or processor. In case of several legal entities acting as joint controllers or processors for a specific processing of personal data, the one-stop-shop concept of a lead authority, however, does not mean that only the supervisory authority which is competent for one of the joint controllers is competent for the entire processing activity. Instead, for each of the joint controllers the locally competent supervisory authority remains competent to supervise the part of the processing for which the respective (joint) controller is responsible. The one-stop-shop concept of a lead supervisory authority can only resolve the demarcation dispute between the supervisory authority being locally competent for the main establishment of the controller or processor and the supervisory authorities which may be competent for other branches of the same controller or processor.

The one-stop-shop concept of a lead supervisory authority does not mean that only one supervisory authority generally qualifies as the competent authority for all processing of personal data within the same legal entity or group of entities. The term “establishment” used in GDPR, art. 56, para 1 means not only a branch office of the same legal entity, but also comprises legal entities which are affiliated with the controller or processor, as long as such branch offices or affiliates do not themselves qualify as controller or processor. If a branch office or an affiliate is itself responsible for a specific processing of personal data, it qualifies as controller or processor and the local supervisory authority is competent to supervise such processing. Only if and to the extent that the main establishment of a legal entity is responsible for processing within branch offices or affiliates does the supervisory authority locally competent for the main establishment qualify as lead supervisory authority competent also for such branch offices and affiliates. If within a legal entity or a group of entities more than one entity qualifies as controller or processor responsible for one or more processing operations of personal data, GDPR, art. 56, para 1 will not apply. Rather, each controller or processor will – independently from the other controllers and processors in its group of undertakings35 – be subject to its locally competent supervisory authority. Between these supervisory authorities, the consistency mechanism pursuant to GDPR, art. 60 is applicable and supervisory authorities will be entitled to cooperate pursuant to GDPR, art. 61 to 63 only.

35 As defined in GDPR, art. 4, no. 19.

158

Joachim Schrey

D. General conditions for data processing in companies under the GDPR

723 If the controller or processor has several establishments within the EU, the lead supervisory authority is the authority of the main establishment of the controller or processor. This main establishment is not necessarily the headquarters of the respective controller or processor; rather, an establishment is the “main establishment” within the meaning of GDPR, art. 56, para 1 if it takes the final decisions on the purposes, tools and processes for processing personal data and if these decisions are binding for all the other establishments. Therefore, the “main establishment” within the meaning of GDPR, art. 56, para 1 can be (and regularly will be) the headquarters of the respective controller or processor; depending on the internal organisational structure of a controller or processor, the main establishment can also be a branch office other than the headquarters, or the affiliate providing IT services within the group (GDPR, art. 4, no. 16). GDPR, recital 36 clarifies that the presence and use of technological equipment for processing personal data may be taken as an indicator, but does not necessarily constitute a main establishment.36 GDPR, art. 4, no. 16 defines the main establishment of a processor as its headquarters if located in an EU Member State and, if the processor is not headquartered in an EU Member State, as the processor’s branch office in the Union if the material part of the processing of personal data is carried out in that EU-based branch office.

724 Both the controller/processor and its DPO (if appointed) have to identify the locally competent authority pursuant to the following steps:
– As a first step the controller should identify its main establishment within the meaning of GDPR, art. 4, no. 16, subpara a). Regularly this will be the controller’s headquarters if located in an EU Member State.
– Only if the material decisions on the purposes, tools and processes for processing personal data are not made in the controller’s headquarters, but in another branch office with binding effect for all other establishments of the controller, will this branch office qualify as the controller’s main establishment within the meaning of GDPR, art. 4, no. 16, subpara a).
– The supervisory authority locally competent for the controller’s main establishment as identified above will be the lead supervisory authority with which the controller is obliged to cooperate pursuant to GDPR, art. 31 and which the controller’s DPO is obliged to consult and cooperate with pursuant to GDPR, art. 36 and GDPR, art. 39, para 1, subpara d).
– The lead supervisory authority is the controller’s or processor’s sole contact with the authorities for any questions arising out of or in connection with the cross-border processing of personal data (GDPR, art. 56, para 6).37

36 WP 244, 6 f.
37 WP 244, 6 ff.


b) Cooperation between authorities

725 If more than one supervisory authority is involved pursuant to GDPR, art. 56, para 1, the lead supervisory authority shall cooperate with the other supervisory authorities concerned as outlined in GDPR, art. 60 in order to reach a consensus between the supervisory authorities involved, as follows:
– The lead supervisory authority shall, without delay, communicate the relevant information on the respective matter to the other supervisory authorities concerned, regardless of whether this information was investigated by the lead supervisory authority itself or provided by the other supervisory authorities concerned (GDPR, art. 60, para 3, first sentence).
– The lead supervisory authority shall without delay submit a draft decision, in which the views of the other supervisory authorities concerned are already reflected, to the other supervisory authorities concerned for their opinion (GDPR, art. 60, para 3, second sentence).
– Within four weeks after receipt of the lead supervisory authority’s draft decision, the other supervisory authorities concerned may express any relevant and reasoned objections to the draft decision. If the lead supervisory authority does not follow these relevant and reasoned objections, or considers the objections raised not to be relevant or reasoned, it shall submit the matter to the consistency mechanism as outlined in GDPR, art. 63 (GDPR, art. 60, para 4). If the lead supervisory authority intends to follow a relevant and reasoned objection made by another supervisory authority concerned pursuant to GDPR, art. 60, para 4, it shall submit the revised draft decision to the other supervisory authorities concerned for their opinion. Within a further two weeks after receipt of the revised draft decision, the other supervisory authorities concerned can again express any relevant and reasoned objections to the revised draft decision (GDPR, art. 60, para 5, second sentence in connection with GDPR, art. 60, para 4). If none of the other supervisory authorities concerned has objected to the (revised) draft decision submitted by the lead supervisory authority within the periods set out in GDPR, art. 60, paras 4 and 5, the lead supervisory authority and the supervisory authorities concerned shall be deemed to be in agreement with the (revised) draft decision and shall be bound by it (GDPR, art. 60, para 6).
– The lead supervisory authority shall adopt the decision and notify it to the main establishment or single establishment of the controller or processor, as the case may be, and shall inform the other supervisory authorities concerned and the Board (GDPR, art. 68, para 1) of the decision, including a summary of the relevant facts and grounds. Moreover, the supervisory authority with which a complaint has been lodged shall inform the complainant (cf. GDPR, art. 77) of the decision adopted by the lead supervisory authority (GDPR, art. 60, para 7). If the complaint is dismissed or rejected, the supervisory authority with which the complaint was lodged shall adopt the decision (instead of the lead supervisory authority), notify it to the complainant and inform the controller concerned thereof (GDPR, art. 60, para 8).
– If the lead supervisory authority and the supervisory authorities concerned agree to dismiss or reject parts of a complaint and to act on other parts of the same complaint, separate decisions shall be adopted for each of those parts of the matter. The lead supervisory authority shall adopt the decision for the part concerning actions to be taken in relation to the controller, notify it to the main establishment or single establishment of the controller or processor concerned located in the territory of its Member State, and inform the complainant thereof. The supervisory authority of the complainant shall adopt the decision for the part concerning the dismissal or rejection of that complaint, notify it to that complainant and inform the controller or processor concerned thereof (GDPR, art. 60, para 9).

726 The criteria under which an objection raised by a supervisory authority concerned shall be qualified as “relevant and reasoned” shall be detailed in guidelines to be adopted by the Board (cf. GDPR, recital 124). These criteria will then be applied within the consistency mechanism pursuant to GDPR, art. 63.

c) Consistency mechanism (GDPR, art. 63)

727 The consistency mechanism in GDPR, art. 63 is designed as a means to ensure the consistent application of the GDPR in all Member States by obliging the supervisory authorities to cooperate with each other and with the Commission.

728 The main instrument to ensure a consistent application of the GDPR is the establishment of the Board pursuant to GDPR, art. 68, para 1, which replaces the Art. 29 Working Party established pursuant to Directive 95/46, art. 29. The Board is established as a body of the Union with legal personality, is represented by its chair (GDPR, art. 73, 74) and is supported by a secretariat pursuant to GDPR, art. 75 (GDPR, art. 68, paras 1 and 2). The Board shall be independent and not bound by any instructions (GDPR, art. 69).

729 The Board shall be composed of the head of one supervisory authority of each Member State and the European Data Protection Supervisor, with the Commission having the right to participate in the activities and meetings of the Board without a voting right of its own. The Board shall be represented by its chair (GDPR, art. 68, para 2), elected pursuant to GDPR, art. 73, whose tasks are to convene the meetings and prepare their agenda, to notify decisions adopted by the Board pursuant to GDPR, art. 65 to the lead supervisory authority and the supervisory authorities concerned, and to ensure the timely performance of the tasks of the Board, in particular in relation to the consistency mechanism (GDPR, art. 74, para 1). The Board shall be supported by a secretariat to be provided by the European Data Protection Supervisor but bound by the instructions of the chair of the Board only (GDPR, art. 75). The Board itself shall act independently and shall not be bound by any third parties’ instructions (GDPR, art. 69).

730 The main instruments of the consistency mechanism are
– issuing opinions where a competent supervisory authority intends to adopt any of the measures defined in GDPR, art. 64, para 1 and has communicated the draft decision to the Board; or
– examining any matter of general application or producing effects in more than one Member State with a view to obtaining an opinion, upon request of any supervisory authority, the chair of the Board or the Commission, in particular where a competent supervisory authority does not comply with the obligations of mutual assistance in accordance with GDPR, art. 61 or of joint operations in accordance with GDPR, art. 62 (cf. GDPR, art. 64, para 2).

731 An opinion of the Board is required if
– a competent supervisory authority aims to adopt a list of processing operations which shall be subject to the requirement for a DPIA pursuant to GDPR, art. 35, para 4;
– a decision is to be issued whether a draft code of conduct or an amendment or extension to a code of conduct complies with the GDPR, pursuant to GDPR, art. 40, para 7, subpara b);
– the criteria for accreditation of a body pursuant to GDPR, art. 41, para 3 or of a certification body pursuant to GDPR, art. 43, para 3, subpara c) are to be approved;
– standard data protection clauses referred to in GDPR, art. 46, para 2, subpara d) and in GDPR, art. 28, para 8, subpara d) are to be determined;
– contractual clauses referred to in GDPR, art. 46, para 3, subpara a) or subpara e) are to be authorised; or
– binding corporate rules within the meaning of GDPR, art. 47, subpara f) are to be approved.

The process to be followed by the Board to adopt an opinion is outlined in GDPR, art. 64, para 4, pursuant to which the supervisory authorities and the Commission shall, without undue delay, communicate by electronic means to the Board any relevant information, including as the case may be a summary of the facts, the draft decision, the grounds which make the enactment of such measure necessary, and the views of the other supervisory authorities concerned.

732 To ensure the correct and consistent application of the GDPR throughout the EU, the Board may also adopt binding decisions for dispute resolution purposes (GDPR, art. 65) in one of the following cases:
– A supervisory authority concerned has raised a relevant and reasoned objection to a draft decision of the lead authority, or the lead authority has rejected such an objection as not being relevant or reasoned (as referred to in GDPR, art. 60, para 4).
– There are conflicting views as to which of the supervisory authorities concerned is competent for the main establishment (GDPR, art. 65, para 4, subpara b)), or the competent supervisory authority does not request the opinion of the Board in the cases referred to in GDPR, art. 64, para 1 or does not follow the opinion of the Board issued under GDPR, art. 64.

733 The binding decisions of the Board shall be adopted within one month from the referral of the subject-matter by a two-thirds majority of the members of the Board. This period may be extended by a further month on account of the complexity of the subject-matter. The Board’s decision shall be reasoned and addressed to the lead supervisory authority and all the supervisory authorities concerned and shall be binding on them (GDPR, art. 65, para 2). For further details of the process to adopt the Board’s decisions see also GDPR, art. 65, paras 3 to 6. The supervisory authorities concerned shall not adopt a decision on the subject-matter submitted to the Board during the decision-making process as outlined in GDPR, art. 65, paras 2 and 3 (cf. GDPR, art. 65, para 4), subject, however, to the exceptions outlined in GDPR, art. 66.

2. Duty to cooperate (GDPR, art. 31)

734 Pursuant to GDPR, art. 31 controllers and processors and their representatives within the meaning of GDPR, art. 27 are obliged to cooperate with the supervisory authority concerned upon the authority’s request. If a DPO has been appointed, the supervisory authority will address its request for cooperation to that DPO pursuant to GDPR, art. 39, para 2, subparas d) and e), as the DPO shall be the single point of contact for the competent supervisory authority. The DPO – although employed by the controller – shall cooperate with the supervisory authority upon its request, which may cause a conflict of loyalty for such DPO (cf. section D.VI., → mn. 602 et seqq.).

735 The controllers’ and processors’ obligations to cooperate with the supervisory authorities are set forth in various provisions throughout the GDPR. Controllers and, as the case may be, processors shall, e.g.
– upon the authority’s request make available the record of processing activities pursuant to GDPR, art. 30, para 4;
– notify any personal data breach to the competent supervisory authority without undue delay pursuant to GDPR, art. 33, para 1 and, where feasible, not later than 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. The controller’s obligation to document any personal data breaches under GDPR, art. 33, para 5 implicitly requires that the documentation is made available to the supervisory authority;
– in the case of the controller, consult the competent supervisory authority pursuant to GDPR, art. 36, para 1 prior to processing where a DPIA under GDPR, art. 35 indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk. The controller therefore has to disclose, besides the results of the DPIA, any other information or documentation which may be relevant for the supervisory authority to assess the risks pursuant to GDPR, art. 35. Moreover, it will have to describe the sufficiency of the mitigation measures taken by the controller. The supervisory authority shall, within a period of up to eight weeks after receipt of the request for consultation, provide written advice to the controller if it is of the opinion that the intended processing would infringe the GDPR (GDPR, art. 36, para 2, first sentence);
– communicate the contact details of the DPO to the competent supervisory authority under GDPR, art. 37, para 7;
– within the certification mechanism as outlined in GDPR, art. 43, submit its processing and all relevant information to the certification body referred to in GDPR, art. 43 or, where applicable, also to the competent supervisory authority (GDPR, art. 42, para 6);
– in the case of the controller, inform the competent supervisory authority of a transfer of personal data to a third country or an international organisation on the basis of the exception set forth in GDPR, art. 49, para 1, second sentence;
– provide information requested by the supervisory authority for the performance of the supervisory authority’s tasks pursuant to GDPR, art. 58, para 1, subpara a), tolerate any on-site investigations in the form of data protection audits pursuant to GDPR, art. 58, para 1, subpara b) and grant the supervisory authority access to (i) all personal data, (ii) all information necessary for the performance of the authority’s tasks, (iii) any premises of the controller or the processor, including (iv) access to any data processing equipment and means (GDPR, art. 58, para 1, subparas e) and f));
– notify, pursuant to GDPR, art. 60, para 10, second sentence, the measures taken to comply with a decision of the lead supervisory authority pursuant to GDPR, art. 60, paras 7 and 9, to enable the lead supervisory authority to inform the other supervisory authorities concerned.

3. Data breach notification to the supervisory authorities (GDPR, art. 33)

736 The obligation to notify a personal data breach both to the supervisory authority and to the data subjects concerned under GDPR, art. 33 is much stricter than under Directive 95/46 and is no longer restricted to specific categories of data (e.g. special categories of personal data, personal data subject to professional secrecy, personal data related to criminal or administrative offences, or personal data concerning bank or credit card accounts). Rather, the obligation to notify applies in any case of a personal data breach, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. As a personal data breach may result in physical, material or non-material damage to natural persons, such as loss of control over their personal data or limitation of their rights, discrimination, even identity theft, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned, GDPR, art. 33 requires the controller to notify such data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it (GDPR, art. 33, para 1). Only if the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons shall the controller also communicate the personal data breach to the data subjects concerned without undue delay (GDPR, art. 34, para 1). To enable the controller to comply with its notification obligations under GDPR, art. 33 and 34, the processor shall notify only the controller, without undue delay after becoming aware of a personal data breach (GDPR, art. 33, para 2).

737 Pursuant to GDPR, art. 33, para 2 the notification to the supervisory authority shall include at least
– a description of the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
– the name and contact details of the DPO or other contact point from whom or which more information can be obtained;
– a description of the likely consequences of the personal data breach; and
– a description of the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

738 In view of the catalogue of information to be included in a data breach notification to the competent supervisory authority as outlined above, it will be hard for any controller to provide all this information to the competent supervisory authority within the deadline of at most 72 hours after having become aware of a data breach. It is therefore advisable for each controller to identify potential data breaches in advance and to at least roughly prepare the information to be included in a data breach notification, so as to be able to meet the 72-hour deadline at all.

739 Neither GDPR, art. 33 nor art. 34 defines under which circumstances a controller is “aware” of a personal data breach that has occurred, so it will be difficult to determine exactly the starting point of the 72-hour deadline. In practice, the controller will usually become aware of a leak, i.e. the fact that personal data have become available to or been accessed by an unauthorised third party, without knowing exactly how the third party could access such personal data or by which technical means the third party gained unauthorised control over them. The controller will then have to investigate the potential data breach and find out whether there is any leak or illegal measure under its own responsibility or whether a third party is responsible for the data breach. In many cases the 72-hour deadline will not be sufficient to reconstruct the data breach that has taken place, which is why GDPR, art. 33, para 4 allows the controller to provide the information pursuant to GDPR, art. 33, para 3 “in phases” without undue further delay.

740 This means that the controller should establish internal processes to ensure that (a) any data breach that has occurred is brought to the attention of the controller’s management as soon as possible after it is ascertained to have happened, (b) investigation measures start immediately to find out all relevant details of the data breach, and (c) appropriate measures to close any leaks and mitigate any damage which may arise from the data breach are identified and defined in the necessary detail. Simultaneously, a risk assessment has to be initiated to find out whether the data breach is likely to result in a high risk to the rights and freedoms of the data subjects concerned, so that the controller’s management can decide whether it must also communicate the personal data breach to the data subjects concerned pursuant to GDPR, art. 34, para 1. It will not be sufficient to copy the notification filed with the competent supervisory authority and provide it to the data subjects concerned; rather, the communication to the data subject shall describe “in clear and plain language” the nature of the personal data breach and shall inform the data subject about the likely consequences of the personal data breach, the measures taken to mitigate its possible adverse effects and the name and contact details of the controller’s DPO or other contact point (GDPR, art. 34, para 2 in connection with GDPR, art. 33, para 3, subparas b), c) and d)).

741 GDPR, art. 34, para 3 defines exceptional cases in which the data breach notification to the data subjects concerned is not required, i.e. if any of the following conditions are met:
– the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any unauthorised person, such as encryption;
– the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of the data subjects is no longer likely to materialise; or
– a communication to all data subjects concerned would involve disproportionate effort for the controller, in which case the controller shall instead communicate the data breach publicly or take a similar measure which ensures that the data subjects are informed in an equally effective manner – which, under reputational aspects, is even worse than an individual communication to the data subjects concerned.
Pursuant to GDPR, art. 34, para 4 the supervisory authority, after having considered the likelihood of the personal data breach resulting in a high risk, may require the controller to communicate the personal data breach to the data subject or may decide that any of the exceptional situations defined in GDPR, art. 34, para 3 are met.

742 Infringements of the obligations to notify personal data breaches to the supervisory authority or the data subject concerned shall be subject to administrative fines of up to EUR 10,000,000 or, in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher (GDPR, art. 83, para 4, subpara a)). As both GDPR, art. 33 and GDPR, art. 34 leave sufficient scope for judgement (e.g. with respect to meeting the deadline for the notification to the competent supervisory authority, the provision of information in phases pursuant to GDPR, art. 33, para 4 or the assessment of the risks to the rights and freedoms of natural persons pursuant to GDPR, art. 34, para 1), an infringement of the data breach notification obligations can be penalised by administrative fines only where the controller has committed lasting offences against its obligations under GDPR, art. 33, 34.

4. Tasks and enforcement powers of the supervisory authorities

a) Tasks of the supervisory authorities

743 The supervisory authorities in each Member State are empowered to perform their tasks and exercise their powers with complete independence, which – pursuant to GDPR, recital 117 – is an essential component of the protection of natural persons with regard to the processing of their personal data. Pursuant to GDPR, art. 57 a supervisory authority shall fulfil the following tasks on its territory:
(a) monitoring and enforcing the application of the GDPR;
(b) measures and activities to promote public awareness and understanding of the risks, rules, safeguards and rights in relation to processing, whereby activities addressed specifically to children shall receive specific attention;
(c) advising, in accordance with the national law applicable in the relevant Member State, the national parliament, the government, and other institutions and bodies on legislative and administrative measures relating to the protection of natural persons’ rights and freedoms with regard to processing;
(d) measures and activities to promote the awareness of controllers and processors of their obligations under the GDPR;
(e) upon request, provision of information to any data subject concerning the exercise of their rights under the GDPR and, if appropriate, cooperation with the supervisory authorities in other Member States (pursuant to GDPR, art. 60 ff.) to that end;
(f) handling complaints lodged by a data subject, or by a body, organisation or association in accordance with GDPR, art. 80, in accordance with national (administrative) law, investigating, to the extent appropriate, the subject matter of the complaint and informing the complainant of the progress and the outcome of the investigation within a reasonable period, in particular if further investigation or coordination with another supervisory authority (cf. GDPR, art. 60) is necessary;
(g) cooperation with, including sharing information and providing mutual assistance to, other competent supervisory authorities with a view to ensuring the consistency of application and enforcement of the GDPR;
(h) conducting investigations on the application of the GDPR, including on the basis of information received from other supervisory authorities or other public authorities;
(i) monitoring relevant developments, insofar as they have an impact on the protection of personal data, in particular the development of information and communication technologies and commercial practices;
(j) adoption of standard contractual clauses referred to in GDPR, art. 28, para 8, and in GDPR, art. 46, para 2, subpara d);
(k) establishing and maintaining a list in relation to the requirement for a DPIA pursuant to GDPR, art. 35, para 4;
(l) giving advice on the processing operations referred to in GDPR, art. 36, para 2;
(m) encouraging the drawing up of codes of conduct pursuant to GDPR, art. 40, para 1 and providing opinions on and approvals of such codes of conduct which provide sufficient safeguards, pursuant to GDPR, art. 40, para 5;
(n) encouraging the establishment of data protection certification mechanisms and of data protection seals and marks pursuant to GDPR, art. 42, para 1, and approving the criteria of certification pursuant to GDPR, art. 42, para 5;
(o) where applicable, carrying out a periodic review of certifications issued in accordance with GDPR, art. 42, para 7;
(p) drafting and publishing the criteria for accreditation of a body for monitoring codes of conduct pursuant to GDPR, art. 41 and of a certification body pursuant to GDPR, art. 43;
(q) conducting the accreditation of a body for monitoring codes of conduct pursuant to GDPR, art. 41 and of a certification body pursuant to GDPR, art. 43;
(r) authorisation of contractual clauses and provisions referred to in GDPR, art. 46, para 3;
(s) approval of binding corporate rules pursuant to GDPR, art. 47;
(t) contribution to the activities of the Board;
(u) keeping internal records of infringements of the GDPR and of measures taken in accordance with GDPR, art. 58, para 2; and
(v) fulfilling any other tasks related to the protection of personal data.

744 Pursuant to GDPR, art. 57, para 2 each supervisory authority shall facilitate the submission of complaints referred to in GDPR, art. 57, para 1, subpara f) by measures such as a complaint submission form which can also be completed electronically, without excluding other means of communication.

745 To make access to supervisory authorities as easy as possible and to lower the hurdle to contacting and communicating with public authorities, pursuant to GDPR, art. 57, para 3 the performance of the tasks of each supervisory authority shall be free of charge for the data subject and, where applicable, also for a DPO seeking advice from such supervisory authority. Only if requests are manifestly unfounded or excessive, in particular because of their repetitive character, may the supervisory authority charge a reasonable fee based on administrative costs, or refuse to act on the request (GDPR, art. 57, para 4), whereby the supervisory authority shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request if it wishes to charge such administrative fees.

b) Enforcement empowerments

746 To fulfil the tasks outlined in GDPR, art. 57, the supervisory authorities are vested with three different categories of rights and administrative empowerments, i.e.
– investigative powers to clarify the facts on which administrative measures can be based (GDPR, art. 58, para 1);
– corrective powers to ensure the lawful processing of personal data (GDPR, art. 58, para 2); and
– authorisation and advisory powers pursuant to GDPR, art. 58, para 3.

747 In detail, the empowerments are (in order of the categories outlined above):

Investigative powers (GDPR, art. 58, para 1, subparas a) to f))
(a) to order the controller and the processor, and, where applicable, the controller’s or the processor’s representative, to provide any information it requires for the performance of its tasks;
(b) to carry out investigations in the form of data protection audits;
(c) to carry out a review on certifications issued pursuant to GDPR, art. 42, para 7;
(d) to notify the controller or the processor of an alleged infringement of the GDPR;
(e) to obtain, from the controller and the processor, access to all personal data and to all information necessary for the performance of its tasks; and

Corrective powers (GDPR, art. 58, para 2, subparas a) to j))
(a) to issue warnings to a controller or processor that intended processing operations are likely to infringe provisions of this Regulation;
(b) to issue reprimands to a controller or a processor where processing operations have infringed provisions of the GDPR;
(c) to order the controller or the processor to comply with the data subject’s requests to exercise his rights pursuant to the GDPR;
(d) to order the controller or processor to bring processing operations into compliance with the provisions of the GDPR, where appropriate, in a specified manner and within a specified period;
(e) to order the controller to communicate a personal data breach to the data subject;

Authorisation and advisory powers (GDPR, art. 58, para 3, subparas a) to j))
(a) to advise the controller in accordance with the prior consultation procedure referred to in GDPR, art. 36;
(b) to issue, on its own initiative or on request, opinions to the national parliament, the Member State government or, in accordance with national Member State law, to other institutions and bodies as well as to the public on any issue related to the protection of personal data;
(c) to authorise processing referred to in GDPR, art. 36, para 5, if the national law of the Member State requires such prior authorisation;
(d) to issue an opinion and approve draft codes of conduct pursuant to GDPR, art. 40, para 5;
(e) to accredit certification bodies pursuant to GDPR, art. 43;

Joachim Schrey

D. General conditions for data processing in companies under the GDPR Investigative powers (GDPR, art. 58, para 1, subparas a) to f))

Corrective powers (GDPR, art. 58, para 2, subparas a) to j))

(e) to obtain access to any (f) to impose a temporary premises of the conor definitive limitation troller and the procesincluding a ban on prosor, including to any dacessing; ta processing equipment and means, in accordance with Union or national Member State procedural law. (g) to order the rectification or erasure of personal data or restriction of processing pursuant to GDPR, art. 16, 17 and 18 and the notification of such actions to recipients to whom the personal data have been disclosed pursuant to GDPR, art. 17, para 2 and GDPR, art. 19; (h) to withdraw a certification or to order the certification body to withdraw a certification issued pursuant to GDPR, art. 42 and GDPR, art. 43, or to order the certification body not to issue certification if the requirements for the certification are not or are no longer met; (i) to impose an administrative fine pursuant to GDPR, art. 83, in addition to, or instead of measures referred to in GDPR, art. 58, para 2, depending on the circumstances of each individual case; (j) to order the suspension of data flows to a recipient in a third country or to an international organisation.

Authorisation and advisory powers (GDPR, art. 58 para 3, subparas a) to j)) (f) to issue certifications and approve criteria of certification in accordance with GDPR, art. 42, para 5;

(g) to adopt standard data protection clauses referred to in GDPR, art. 28, para 8 and in GDPR, art. 46, para 2 subpara d);

(h) to authorise contractual clauses referred to in GDPR, art. 46, para 3 subpara a);

(i) to authorise administrative arrangements referred to in GDPR, art. 46, para 3, subpara b);

(j) to approve binding corporate rules pursuant to GDPR, art. 47.

748 Pursuant to GDPR, art. 58, para 4 the exercise of the powers conferred on the supervisory authority as outlined above shall be subject to appropriate safeguards, including effective judicial remedy and due process, set out in Union and national Member State law in accordance with the Charter. Each Member State shall provide by law that its supervisory authority has both (i) the power to bring infringements of the GDPR to the attention of the judicial authorities and, where appropriate, to commence or otherwise engage in legal proceedings in order to enforce the provisions of the GDPR, and (ii) any additional powers that the national legislator deems fit and appropriate (GDPR, art. 58, paras 5 and 6).

c) Administrative fines, GDPR, art. 83

749 One of the most effective measures to enforce the GDPR and to “incentivise” controllers’ and processors’ compliance with the GDPR is the empowerment of the supervisory authorities to impose administrative fines. The penalties as set forth in GDPR, art. 83 can be imposed by the competent supervisory authority in addition to or instead of appropriate measures imposed by the supervisory authority pursuant to the GDPR (GDPR, recital 148). Pursuant to GDPR, art. 83, para 1 each supervisory authority shall ensure that the imposition of administrative fines in respect of infringements of the GDPR shall “in each individual case be effective, proportionate and dissuasive”. This means that not only the individual criteria derived from the individual infringement and the circumstances under which it was committed shall be included in the authority’s decision on the amount of the administrative fine; the authority may also take into account the effect that the imposition of an administrative fine on one controller or processor may discourage and deter other controllers or processors from the same or similar behaviour infringing the GDPR.

750 In the case of a minor infringement, or if the fine likely to be imposed would constitute a disproportionate burden to a natural person, a reprimand may be issued instead of a fine (GDPR, recital 148). When setting the administrative fine in an individual case, pursuant to GDPR, art. 83, para 2 due regard should, however, be given to
(a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
(b) the intentional or negligent character of the infringement;
(c) any action taken by the controller or processor to mitigate the damage suffered by data subjects;
(d) the degree of responsibility of the controller or processor, taking into account technical and organisational measures implemented by them pursuant to GDPR, art. 25 and 32;
(e) any relevant previous infringements by the controller or processor;
(f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
(g) the categories of personal data affected by the infringement;
(h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;
(i) where measures referred to in GDPR, art. 58, para 2 have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;
(j) adherence to approved codes of conduct pursuant to GDPR, art. 40 or approved certification mechanisms pursuant to GDPR, art. 42; and
(k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.

751 These criteria can be applied both in the authority’s decision whether to impose an administrative fine at all and in its decision on the amount of the administrative fine to be imposed on an infringer. The first opinions of supervisory authorities, however, have been published according to which these authorities consider themselves obliged to impose an administrative fine in each individual case, since GDPR, art. 83, para 1 uses language of obligation (“shall ensure”, “shall in each individual case be effective, proportionate and dissuasive”). As GDPR, art. 83, para 2, however, also allows an administrative fine to be imposed instead of any other administrative measure, it seems to be implied that the authority may also decide not to impose an administrative fine if and to the extent that another measure outlined in lit. (b) below sufficiently enforces the GDPR in the individual case and is discouraging enough to deter other potential infringers from similar offences.

752 Within the wealth of criteria set out in GDPR, art. 83, para 2, the supervisory authorities have very broad discretion when setting the administrative fine, which the administrative courts will not always be able to review in every detail. To ensure a common application of GDPR, art. 83, the Board shall draw up guidelines for supervisory authorities concerning the setting of administrative fines (GDPR, art. 70, para 1, subpara k)).

753 Since the EU is not authorised to harmonise Member States’ criminal law, Member States should be able to lay down the rules on criminal penalties for infringements of the GDPR, including for infringements of national rules adopted pursuant to and within the limits of the GDPR. Those criminal penalties may also allow for the deprivation of the profits obtained through infringements of the GDPR. However, the imposition of criminal penalties for infringements of such national rules and of administrative penalties should not lead to a breach of the principle of ne bis in idem (GDPR, recital 149).


754 GDPR, art. 83, paras 4 and 5 provide for two categories of infringements:

(a) infringements of lesser severity, where the supervisory authorities are entitled to impose administrative fines of up to 10,000,000 EUR or, in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher, i.e. infringements of: (i) the obligations of the controller and the processor pursuant to GDPR, art. 8, 11, 25 to 39, 42 and 43; (ii) the obligations of the certification body pursuant to GDPR, art. 42 and 43; and (iii) the obligations of the monitoring body pursuant to GDPR, art. 41, para 4 (GDPR, art. 83, para 4). As many of the obligations mentioned in this category leave broad room for interpretation on the scope of the obligation and on the exact definition of the activities to be taken and the activities which are no longer required under the GDPR, it is questionable whether GDPR, art. 83 is compliant with the rule-of-law principle applicable in all Member States.

(b) infringements of major severity, where the supervisory authorities are entitled to impose administrative fines of up to 20,000,000 EUR or, in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher, i.e. infringements of: (i) the basic principles for processing, including conditions for consent, pursuant to GDPR, art. 5, 6, 7 and 9; (ii) the data subjects’ rights pursuant to GDPR, art. 12 to 22; (iii) the transfers of personal data to a recipient in a third country or an international organisation pursuant to GDPR, art. 44 to 49; (iv) any obligations pursuant to Member State law adopted under GDPR, Chapter IX; and (v) non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to GDPR, art. 58, para 2, or failure to provide access in violation of GDPR, art. 58, para 1.

755 Where administrative fines are imposed on an undertaking, pursuant to GDPR, recital 150 an undertaking should be understood to be an undertaking in accordance with TFEU, art. 101 and 102 for those purposes. Where administrative fines are imposed on persons that are not an undertaking, the supervisory authority should take account of the general level of income in the Member State as well as the economic situation of the person in considering the appropriate amount of the fine.

756 Pursuant to GDPR, recital 151 the legal systems of Denmark and Estonia do not allow for administrative fines as set out in GDPR, art. 83. The rules on administrative fines may be applied in such a manner that in Denmark the fine is imposed by the competent national courts as a criminal penalty and in Estonia the fine is imposed by the supervisory authority in the framework of a misdemeanour procedure, provided that such an application of the rules in those Member States has an equivalent effect to administrative fines imposed by supervisory authorities. Therefore the competent national courts should take into account the recommendation by the supervisory authority initiating the fine and the criteria set forth in GDPR, art. 83, paras 1 and 2.

757 Where the GDPR does not harmonise administrative penalties, or where necessary in other cases, for example in cases of serious infringements of the GDPR, Member States are free to implement a system in addition to the empowerments and fines to which the supervisory authorities are entitled under the GDPR, which provides for effective, proportionate and dissuasive penalties. The nature of such penalties, criminal or administrative, should be determined by Member State law (GDPR, recital 152).

VI. Appointment and role of an internal or external data protection officer (“DPO”)

758 Pursuant to GDPR, art. 37, para 1 the controller and the processor shall each designate a DPO in any case where
– the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
– the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
– the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to GDPR, art. 9 and personal data relating to criminal convictions and offences referred to in GDPR, art. 10.

759 The controller or the processor shall publish the contact details of the DPO and communicate them to the supervisory authority, GDPR, art. 37, para 7.

760 Unlike Directive 95/46, which did not contain an obligation to appoint a DPO and left the institution of the concept of DPOs to the national legislator, the GDPR now establishes the DPO as an internal or external official with various tasks and obligations within a company or a group of companies on an EU-wide basis. Pursuant to the Art. 29 Working Party, DPOs will be “at the heart” of the new legal framework set by the GDPR.38 As the GDPR is to be applied as of 25 May 2018, the DPO should be appointed before or at the latest with effect as of this date by companies which either fulfil the conditions set forth in GDPR, art. 37, para 1, subparas b) or c) or for which the establishment of a DPO is required by Union or Member State law (GDPR, art. 37, para 4, first sentence, second alternative).

38 WP 243, 4.

1. Obligation to appoint a DPO, GDPR art. 37, para 1

a) Risk based approach, GDPR, art. 37, para 1

761 The criteria defined in GDPR, art. 37, para 1, subparas b) and c), however, are the lowest common denominator which Commission, Council and Parliament could agree on in the trilogue negotiations, and they follow a risk based approach. As a result, the overwhelming majority of companies in the EU will not be obliged to appoint a DPO under the GDPR, so that an obligation to nevertheless appoint a DPO will arise under national law only. It is expected that those EU Member States which have already implemented the concept of a company-internal data protection official in their national data protection and privacy laws, e.g. Germany, will adhere to this concept in future as well and will adapt their national data protection and privacy laws correspondingly.

b) Criteria to appoint a DPO in GDPR, art. 37, para 1, subparas b) and c)

762 A DPO shall be designated in any case where processing is carried out by a controller whose core activities consist of processing operations that require regular and systematic monitoring of the data subjects on a large scale, or where the core activities of the controller or the processor consist of processing on a large scale of special categories of personal data and data relating to criminal convictions and offences.

763 In the private sector, the core activities of a controller relate to its primary activities and do not relate to the processing of personal data as an ancillary activity (GDPR, recital 97, second sentence). In practice, it will be difficult to differentiate between a “core”/primary activity of the relevant controller and a mere ancillary activity.

764 “Core activities” are interpreted as the key operations necessary to achieve the controller’s or processor’s goals.39 Processing personal customer data by a webshop operator to improve the webshop functionalities or the product range, or to analyse customer data, may not yet qualify as a “core” activity, although it still supports the webshop business. To the extent, however, that the webshop operator collects and processes its customers’ address data, invoice and payment data as well as shipment data, the processing of such data will most likely be seen as an inextricable part of the webshop operator’s core activities.40 In modern business models in the Internet-of-things industry, personal data is often the “currency” in which users pay for services offered free of (monetary) charge. Although rendering these digital services is the “core” activity of those companies, monetisation is achieved by exploiting and marketing the user-related data collected from these services. It therefore appears reasonable to qualify their “core” activity as processing of personal data within the meaning of GDPR, art. 37, para 1, subparas b) or c).

39 WP 243, 6.
40 WP 243, 6 f. with additional examples.

c) Processing on a large scale

765 The criterion “processing on a large scale” replaced the specific number of employees mentioned in previous drafts of the GDPR as the decisive criterion for the obligation to appoint a DPO. The term “on a large scale” manifests the principle of proportionality: the more information relating to an individual is collected and processed, the lower the number of persons affected may be, and vice versa. Pursuant to the Art. 29 Working Party the following factors must be considered to determine whether processing occurs on a large scale:
– the number of data subjects concerned, either as a specific number or as a proportion of the relevant population;
– the volume of data and/or the range of different data items being processed;
– the duration, or permanence, of the data processing activity;
– the geographical extent of the processing activity.41

d) Regular and systematic monitoring of the data subjects

766 The term “monitoring” of data subjects is to be interpreted in the light of the risk based approach of the GDPR legislator: against this background, not only overall observation fulfils this criterion; the collection of one or more categories of personal data of an individual on several occasions is also sufficient if it occurs on the basis of a planned, methodical procedure.42 Even if the controller or processor immediately pseudonymises or even anonymises the personal data collected, such data would relate to an identified or identifiable individual at the moment of collection, so that such processes would fall under the section requiring the appointment of a DPO.

e) Special categories of personal data

767 “Special categories” of personal data are defined in GDPR, art. 9, para 1 as personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation (see section E.III.1, → mn. 1030 et seqq.).

768 In Member States where the tax authorities also collect church tax directly at source, i.e. the employer is obliged to deduct church tax from the employee’s gross income (e.g. in Germany), each employer processes personal data revealing the religious belief of its employees. As such tax is payable regularly, the processing of such special categories of personal data is also carried out on a regular, systematic and large-scale basis.

41 WP 243, 7.
42 WP 243, 8.

f) Data relating to criminal convictions and offences

769 As criminal convictions and offences are usually very relevant for an individual’s reputation, it seems obvious that the processing of those categories of personal data may have a particular relevance for the data subjects’ privacy, which may justify the requirement to also appoint a DPO. In many industries it has become business practice to conduct background checks of applicants for jobs with a certain level of security relevance. Although background checks may reveal that individuals have been convicted of a crime or an administrative offence, conducting background checks will only very rarely be the core activity of a controller or processor, so that a DPO is to be appointed under GDPR, art. 37, para 1, subpara c) only in exceptional cases. The same applies where criminal convictions and offences are relevant in connection with compliance systems established in companies.

2. Addressees of the obligation to appoint a DPO

a) Controllers

770 Unless controllers are public authorities or bodies, except for courts acting in their judicial capacity, every controller which fulfils the criteria set out in GDPR, art. 37, para 1, subparas b) or c) has to appoint a DPO.

771 In the case of joint controllers within the meaning of GDPR, art. 26, it is unclear whether (i) each of the joint controllers has to appoint its own DPO, or (ii) the joint controllers may appoint a common DPO for those processes where they are joint controllers with others, or (iii) it is sufficient if just one of the joint controllers has appointed a DPO, as long as the joint controllers have agreed in the arrangement to be concluded under GDPR, art. 26, para 1, second sentence that the DPO appointed by said controller shall be entrusted and authorised to fulfil the tasks set out in GDPR, art. 39 also with respect to those parts of the joint processing of personal data which are carried out by the other joint controllers. Neither GDPR, art. 37 nor GDPR, art. 26 provides a clear answer to this open question. According to GDPR, art. 26, para 1, third sentence, however, the arrangement to be concluded by the joint controllers may designate a (common) contact point for data subjects, and the DPO shall also act as a contact point for data subjects. Against this background it appears reasonable to interpret GDPR, art. 39 in such a way that it is sufficient if just one of the joint controllers appoints a DPO and the joint controllers agree in the arrangement that this DPO is entrusted and authorised to fulfil the tasks of the DPO with respect to those parts of the joint processing of personal data which are carried out by the other joint controllers.


b) Processors

772 Every processor which fulfils the criteria set out in GDPR, art. 37, para 1, subparas b) or c) also has to appoint a DPO. Under GDPR, art. 28, para 3, subpara h) the processor is required – and processor and controller are required to explicitly agree hereon in the data processing agreement – to make available to the relevant controller all information necessary to demonstrate compliance with the obligations laid down in GDPR, art. 28. In practice this obligation means that the controller’s DPO is authorised to request from the processor’s DPO all GDPR-related compliance information and documents. Moreover, if the controller’s DPO intends to monitor the processor’s compliance with the GDPR by means of an audit (GDPR, art. 39, para 1, subpara b)), it can address its request to the processor’s DPO, and the processor’s DPO will be obliged to enable such audits.

773 Even if the controller fulfils the criteria for mandatory designation of a DPO, its processor is not necessarily required to appoint a DPO, even though this may be good practice.43

3. Infringement of the obligation to appoint a DPO

774 Pursuant to GDPR, art. 83, para 4, subpara a) any infringement of an obligation under GDPR, art. 37 can be penalised with an administrative fine by the competent supervisory authorities of up to EUR 10,000,000, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.

775 GDPR, art. 83, para 4 applies regardless of whether the obligation of a controller or a processor to appoint a DPO arises from GDPR, art. 37, para 1, subparas b) or c) or from GDPR, art. 37, para 4 in connection with the applicable national law of an EU Member State.

4. Group privilege, GDPR, art. 37, para 2

776 Pursuant to GDPR, art. 37, para 2 a group of undertakings may appoint a single DPO (“Group-DPO”) provided that a DPO is easily accessible from each establishment.

777 The appointment of a Group-DPO is subject to his easy accessibility from each group establishment. The notion of “accessibility” is defined neither in GDPR, art. 37, para 2 nor in the GDPR recitals. Given the DPO’s task to serve as contact point for data subjects and the supervisory authority, the following aspects have to be considered:44
– communication means available to the data subjects to contact the Group-DPO;
– resources of the Group-DPO, namely whether he can rely on an organisation supporting him in his role as DPO;
– sufficient know-how of the Group-DPO (or the organisation headed by him) not only on the GDPR but also with respect to all national data protection and privacy laws in all Member States where the group has establishments;
– languages in which the Group-DPO can be contacted and whether it is ensured that the data subjects in all relevant Member States are able to communicate in one of these languages.

43 WP 243, 9.
44 WP 243, 10.

5. Internal/external, GDPR, art. 37, para 6

778 Pursuant to GDPR, art. 37, para 6 the DPO may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract. This provision is intended to increase the flexibility of controllers and processors which are required to appoint a DPO, so that they are not forced to invest in their own employees and their professional education and training but can instead rely on the expertise of an external service provider. When using an external service provider as DPO, however, it should be ensured that, in view of the data processing operations carried out, their cross-border scope and the protection required for the personal data processed, the time budget agreed with such external service provider is sufficient, so that the external service provider appointed as DPO has a realistic chance to fulfil all its tasks defined in GDPR, art. 39.45

779 It is also possible to appoint an external organisation as external DPO, in which case each member of such organisation must fulfil the requirements of GDPR, art. 37, para 5, and is privileged in its position as set out in GDPR, art. 38, para 3. Within a DPO team, however, it is recommended to have a clear allocation of tasks and to assign a single individual as lead contact and person “in charge”.46

6. Full or part time

780 GDPR, art. 37, para 1 is silent as to whether the DPO must be a full time position or whether the DPO function can also be fulfilled on a part time basis. However, pursuant to GDPR, art. 38, para 6, first sentence, the DPO may also fulfil other tasks and duties. Controllers will have to decide on a case-by-case basis, e.g. in view of the data processing operations carried out, their cross-border scope and the protection required for the personal data processed, whether the DPO must be a full or part time position.

45 WP 243, 13.
46 WP 243, 12.


7. Qualification, GDPR, art. 37, para 5

781 Pursuant to GDPR, art. 37, para 5 the DPO shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in GDPR, art. 39. The necessary level of expert knowledge should be determined in particular according to the data processing operations carried out and the protection required for the personal data processed by the controller or the processor (GDPR, recital 97), e.g. whether the controller or processor systematically transfers personal data to recipients outside a Member State of the EU.47 The position of a DPO requires
– profound knowledge of Union and national data protection and privacy laws, including the relevant legal background relating to administrative law, criminal law and employment law, commensurate with the sensitivity, complexity and amount of data processed;
– practical know-how on how to translate legal requirements into practical business processes and how to implement such processes;
– the technical and organisational expertise necessary to assess the technical and organisational measures to be taken under GDPR, art. 32, including knowledge of technologies to pseudonymise and/or encrypt personal data;
– data protection management, including risk management;
– industry-related know-how to be able to monitor industry-specific developments and needs; and
– communication skills (with management, employees, supervisory authorities and data subjects).

782 Controllers/processors having appointed an internal DPO must ensure that the person appointed is sufficiently experienced, i.e. the DPO must be enabled to join external training courses and to stay up to date (by subscribing to relevant publications etc., GDPR, art. 38, para 2). As the appointment of a person who does not fulfil these professional qualities may also constitute an infringement of GDPR, art. 37, para 5, which can be penalised pursuant to GDPR, art. 83, para 4, the controller or processor should ensure that it can prove that the person appointed has the relevant professional qualities, e.g. by presenting respective credentials and certificates.

8. Publication/communication of contact details, GDPR, art. 37, para 7

783 Pursuant to GDPR, art. 37, para 7 the controller or the processor shall publish the contact details of the DPO (e.g. on their website and/or in any privacy policy, cf. GDPR, art. 13, para 1, subpara b) and GDPR, art. 14, para 1, subpara b)) and communicate them to the supervisory authority. The contact details to be published should include information allowing data subjects and the supervisory authorities to easily reach the DPO. In particular for purposes of communication with the public, the Art. 29 Working Party recommends establishing a dedicated hotline or a dedicated contact form addressed to the DPO on the controller’s or processor’s website. While it is not explicitly required to publish the personal name of the DPO, it may be good practice to do so. The Art. 29 Working Party48 recommends informing the supervisory authority and the controller’s or processor’s employees of the name and the contact details of the DPO.

47 WP 243, 11.

9. Role of the DPO, GDPR, art. 38

784 DPOs are not personally responsible or liable in case of non-compliance of the appointing controller or processor with the GDPR. According to GDPR, art. 24, para 1 this obligation remains with the controller or the processor. The role of the DPO is therefore that of an intermediary between the relevant stakeholders (i.e. controllers, processors, data subjects, supervisory authorities). To be able to assume this role, the DPO must be given sufficient autonomy and resources to carry out its tasks effectively.49

a) Secrecy obligation

785 Pursuant to GDPR, art. 38, para 5 the DPO shall be bound by secrecy or confidentiality concerning the performance of his tasks, in accordance with Union or Member State law. This means that the secrecy obligation itself must be implemented by the national law of each Member State.

b) No instructions, privileged status

786 Pursuant to GDPR, art. 38, para 3, first sentence the controller and processor shall ensure that the DPO does not receive any instructions regarding the exercise of the tasks defined in GDPR, art. 39. Although not explicitly mentioned in GDPR, art. 38, this also means that, in order to avoid conflicts of interest, neither a member of the controller’s or processor’s management, nor an owner or a shareholder (unless a shareholder within an employee stock option scheme) of the controller or processor, nor the holder of a C-level position which does not allow its holder to be appointed as DPO, e.g. the Chief Information Officer (CIO), the compliance officer or the head of the legal department, can be appointed as DPO.50

787 Pursuant to GDPR, art. 38, para 3, second sentence the DPO shall not be dismissed or penalised by the controller or the processor for performing his tasks. This protection against unfair dismissal, however, does not prevent the appointing body from dismissing the DPO for other reasons unrelated to the performance of his tasks.51 Unlike some national data protection laws of the Member States, GDPR, art. 38 does not provide protection of the DPO against dismissal after the end of the appointment.

788 GDPR, art. 38 does not provide for an opening clause under which the Member States can establish supplemental protection of the status of the DPO. Therefore, any more extensive protection against dismissal as set out under national law will have to be abolished by the national legislator.

48 WP 243, 12.
49 WP 243, 4.
50 WP 243, 15 f.

c) Information obligation

789 The controller and the processor shall ensure that the DPO is involved, properly and in a timely manner, in all issues which relate to the protection of personal data, GDPR, art. 38, para 1. Ensuring that the DPO is informed and consulted at the outset will, according to the Art. 29 Working Party, facilitate compliance with the GDPR and ensure a privacy by design approach, and should therefore be standard procedure within the controller’s or processor’s governance.52 Failure of a controller or processor to involve the DPO in time may prevent the DPO from carrying out his tasks effectively, which may in the individual case be considered an infringement of GDPR, art. 38 and may be penalised by an administrative fine pursuant to GDPR, art. 83, para 4, subpara a) of up to EUR 10,000,000.00 or, in the case of an undertaking, up to 2 % of the total worldwide turnover of the preceding financial year, whichever is higher. Consequently, the Art. 29 Working Party recommends that the controller or processor, as the case may be, set up processes which ensure timely involvement of the DPO.53

790 The controller/processor should further document in an accountable manner (e.g. in internal policies or guidelines) whether and how the involvement of the DPO is to be ensured.

d) Necessary resources

791 Pursuant to GDPR, art. 38, para 2 the controller and processor shall support the DPO in performing the tasks referred to in GDPR, art. 39 by providing the resources necessary to carry out those tasks, access to personal data and processing operations, and the means to maintain his expert knowledge. This includes in particular, but without limitation
– making available financial resources, infrastructure (premises, facilities, equipment) and staff;
– communicating the appointment of the DPO by the controller’s/processor’s management to all staff to ensure that the DPO’s existence and function is known within the organisation;
– granting the DPO the necessary access to the organisation’s other relevant services such as HR, Legal, IT and (IT) Security so that the DPO is in a position to fulfil his tasks and obligations under the GDPR effectively;
– enabling the DPO to participate in continuous training to stay up to date with respect to developments within data protection.54

792 The more complex and/or sensitive the controller’s or processor’s processing operations and the personal data affected, the more resources must be given to the DPO.

51 WP 243, 15.
52 WP 243, 13.
53 WP 243, 13.

e) Direct reporting line, GDPR, art. 38, para 3, third sentence

793 Pursuant to GDPR, art. 38, para 3, third sentence the DPO shall directly report to the highest management level of the controller or the processor. Although the DPO can be integrated organisationally into other departments (e.g. the legal department or the compliance department, provided this does not cause conflicts of interest), it must be ensured that the DPO can directly report to the top management without any intermediary. This direct reporting line is intended to ensure that the top management is always properly informed about any issues which may be relevant for the entity’s compliance with applicable privacy law. It can also help the DPO and release him from personal liability if he can address issues and concerns to the top management, so that it then becomes the task of the top management to take corrective measures.

f) Contact for data subjects

794 Pursuant to GDPR, art. 38, para 4 data subjects may contact the DPO with regard to all issues related to the processing of their personal data and to the exercise of their rights under the GDPR. Correspondingly, the controller is obliged to publish the DPO’s contact details together with the other information to be given under GDPR, art. 13, para 1, subpara b) and GDPR, art. 14, para 1, subpara b), e.g. on its website and/or in any privacy policy.

795 In many Member States in which the requirement to appoint a DPO was already established, this communication role vis-à-vis the data subjects concerned is completely new. Before the GDPR came into effect, the DPO had an internal role only, without the task of maintaining a formalised contact with either data subjects or the supervisory authorities. This means that even established DPO organisations have to be restructured so that the necessary processes are in place by which data subjects can contact the DPO and by which the DPO can properly manage complaints relating to data protection and privacy-related aspects.

796 Moreover, the task of managing data protection-related complaints of data subjects on the one hand and of taking care of the controller’s/processor’s interests on the other hand might cause a conflict of interests for the DPO, which is even more intense if the DPO is an employee of the controller/processor. Management and DPO should therefore agree in advance on communication strategies and on processes for reacting to data protection and privacy-related complaints.

54 WP 243, 14.

10. Tasks of a DPO, GDPR, art. 39

a) Inform

797 According to GDPR, art. 39, para 1, subpara a), the DPO shall inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to the GDPR and to other Union or Member State data protection provisions.

b) Monitor

798 According to GDPR, art. 39, para 1, subpara b), the DPO shall monitor compliance with the GDPR, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits. The task of awareness-raising requires that the DPO not only carry out incident-related training measures but permanently and repeatedly train employees and provide other learning tools to ensure a high level of awareness of data protection and privacy in the undertaking or group of undertakings in order to prevent data protection breaches. The DPO’s monitoring task includes collecting information to identify processing activities, the analysis and compliance check of the processing activities identified, and informing and advising the controller’s or processor’s management in all data protection-related matters.55

c) Advice

799 According to GDPR, art. 39, para 1, subpara c), the DPO shall also provide advice where requested as regards the DPIA and monitor its performance pursuant to GDPR, art. 35.

d) Cooperate with authorities/contact point

800 According to GDPR, art. 39, para 1, subpara d), the DPO shall cooperate with the supervisory authority and act as the contact point for the supervisory authority on issues relating to data processing, including the prior consultation referred to in GDPR, art. 36, and consult, where appropriate, with regard to any other matter.

801 The task of being a contact point for the supervisory authorities and of cooperating with the authorities requires close coordination between the management and the DPO on how to react to any requests of supervisory authorities, in order to avoid conflicts of interest: as the DPO is obliged to pursue the interests of its employing entity, he can cooperate with the authorities to a limited extent only, i.e. as long as the reasonable interests of the controller or processor are not endangered. The obligation to cooperate with the authorities does not entitle the DPO to disclose trade secrets, internal know-how or other protected information to the authorities, as it does not legitimise or justify any offence against professional secrecy obligations.

55 WP 243, 16.

VII. Risks of liability for breaches of data protection law

1. Administrative fines under the GDPR

802 From a business point of view, administrative fines are one of the most controversial topics of the GDPR, especially since fines can easily amount to millions of euros. The significant differences between Member State laws regarding the imposition of administrative fines for breaches of national data protection laws are abolished and replaced with uniform rules of the GDPR applicable in all Member States. A consistent application of the fining practice throughout the EU is ensured via the consistency mechanism (GDPR, art. 63) established for this purpose (GDPR, recital 150; see section D.V.1.c), → mn. 727 et seqq.).

803 With regard to infringements by public authorities and bodies, the GDPR leaves it up to the Member States to determine under which conditions financial penalties may be imposed against those bodies (GDPR, art. 83, para 7).

a) Levels of fines

804 Under the new Regulation, fines have increased significantly in comparison to earlier drafts of the GDPR. Basically, there are two levels of administrative fines:

aa) Level 1 infringements

805 GDPR, art. 83, para 4 sets the frame for administrative fines for certain infringements of up to 10 million euros or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

806 Infringements of the following provisions are subject to level 1 fines:

– obligations of the controller and the processor pursuant to GDPR, art. 8 (conditions applicable to a child’s consent in relation to information society services), 11 (processing which does not require identification), 25 to 39 (e.g. general obligations, obligations relating to the security of personal data, data protection impact assessment and prior consultation, and the data protection officer), 42 (certification) and 43 (certification bodies),
– obligations of the certification body pursuant to GDPR, art. 42 and 43 and
– obligations of the monitoring body pursuant to GDPR, art. 41, para 4.

Pascal Schumacher

bb) Level 2 infringements

807 More serious infringements of the GDPR are subject to administrative fines of up to 20 million euros or, in the case of undertakings, 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

808 According to GDPR, art. 83, para 5, infringements of the following provisions are level 2 infringements subject to such higher fines:
– basic principles for processing, including conditions for consent (GDPR, art. 5, 6, 7 and 9),
– data subjects’ rights pursuant to GDPR, art. 12 to 22,
– transfers of personal data to a third country or an international organisation pursuant to GDPR, art. 44 to 49,
– obligations pursuant to Member State law adopted under Chapter IX of the GDPR, and
– non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to GDPR, art. 85, para 2, or failure to provide access in violation of GDPR, art. 58, para 1.

cc) Concept of “undertaking”

809 The GDPR does not contain a definition of the notion “undertaking”. Furthermore, it must not be equated with the definition of an enterprise (GDPR, art. 4, para 18). According to GDPR, recital 150, where fines are imposed on an undertaking, an undertaking should rather be understood as an undertaking in accordance with TFEU, art. 101 and 102. There is also no definition of the notion in the TFEU. According to the broad interpretation applied by the ECJ in antitrust cases, an undertaking is every entity engaged in an economic activity, regardless of the legal status of the entity or the way in which it is financed.56 Therefore, the ECJ has approved antitrust fines imposed by the Commission under TFEU, art. 101 on the parent company of a group of undertakings even though the parent company had not been involved in the infringement. The mere fact that the parent and its subsidiary, which had committed the antitrust infringement, form a “single economic entity” suffices to constitute the parent’s liability, the Court says.57

56 Cf. ECJ, decision of 23 April 1991, C-41/90 – Höfner and Elser.
57 Cf. ECJ, decision of 29 September 2011, C-521/09 P – Elf Aquitaine; ECJ, decision of 11 July 2013, C-440/11 P – Stichting Administratiekantoor Portielje.


810 Some authors in legal literature and some data protection authorities58 conclude from the reference in GDPR, recital 150 to the notion of an undertaking in the antitrust context as described above that also under GDPR, art. 83 the group, and not the individual legal entity, is meant. This could have mainly two different implications: First, fines against undertakings would not be calculated on the basis of the turnover of the infringing legal entity but on the basis of the turnover of the whole group of companies. Second, adopting the definition of an undertaking as applied by the ECJ in antitrust cases could also imply flexibility for the supervisory authority when determining the recipient(s) of an administrative fine. In case of antitrust violations, fines can be imposed on a parent company for the infringements of its subsidiaries under certain conditions.59 Additionally, the antitrust definition of an undertaking enables the supervisory authority to impose fines after corporate restructurings on the legal successors of the infringing undertaking, as they are normally considered to be still the same undertaking as their legal predecessor.

811 However, there remains a large uncertainty as to whether the notion of an undertaking in GDPR, art. 83 can really be identical to the ECJ’s interpretation in the antitrust context. Different from the TFEU, the GDPR expressly defines in art. 4, para 19 the term “group of undertakings”, which means “a controlling undertaking and its controlled undertakings”. This differentiation in the text of the GDPR between an “undertaking” and a “group of undertakings” indicates that the legislator may not have made intentional reference to the case law under which the ECJ interprets the term “undertaking” as also including a group of undertakings.

812 In any event, there remains a large legal uncertainty for all companies organised in a group structure. The developments in the practice of data protection authorities and related case law should be closely monitored to identify potential risks of being fined for a subsidiary’s infringements of GDPR provisions.

dd) Further criteria

813 In general, the imposition of administrative fines must always be effective, proportionate and dissuasive (GDPR, art. 83, para 1). GDPR, art. 83, para 2 sets out specific criteria to be considered by the supervisory authority when deciding whether to impose a fine and when deciding on its amount:
– the nature, gravity and duration of the infringement (taking into account the nature, scope or purpose of the processing as well as the number of data subjects affected and the level of damage),
– the intentional or negligent character of the infringement,
– actions taken by the infringer to mitigate the damage,
– the degree of responsibility, considering the technical and organisational measures implemented pursuant to GDPR, art. 25 and 32 (see section D.I.7., → mn. 5229 et seqq., and D.I.8., → mn. 541 et seqq.),
– relevant previous infringements,
– the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate its negative consequences,
– the type of personal data affected,
– the manner in which the infringement became known to the supervisory authority (in particular whether there was a complete notification by the infringer),
– measures under GDPR, art. 58, para 2 previously ordered against the controller or processor regarding the same subject-matter, and compliance with those measures,
– compliance with approved codes of conduct pursuant to GDPR, art. 40 or approved certification mechanisms pursuant to GDPR, art. 42 (see section D.II., → mn. 566 et seqq., and D.III., → mn. 580 et seqq.), and
– other aggravating or mitigating factors depending on the individual case, such as financial benefits gained or losses avoided as a result of the infringement.

814 If either a single processing operation or several linked operations infringe different provisions of the GDPR, the total amount of the fines imposed by the supervisory authority shall not exceed the amount specified for the most serious infringement (GDPR, art. 84, para 3).

815 Different from the practice under the current legal framework (where fines were only imposed in exceptional cases), companies should prepare for the supervisory authorities imposing fines more often under the GDPR. This is because under GDPR, art. 83 and recital 148 the imposition of fines has been made the general rule in order to strengthen the enforcement of the rules of this Regulation. Only in exceptional cases, where a fine would impose a disproportionate burden on a natural person or in the case of a minor infringement, can the supervisory authorities issue a reprimand instead of a fine (GDPR, recital 148).

58 https://www.lda.bayern.de/media/baylda_ds-gvo_7_sanctions.pdf (as of 6.4.2017).
59 Cf. ECJ, decision of 29 September 2011, C-521/09 P – Elf Aquitaine; ECJ, decision of 11 July 2013, C-440/11 P – Stichting Administratiekantoor Portielje.

b) Enforcement

aa) Ex officio proceedings

816 First of all, based on GDPR, art. 58, para 1 the competent supervisory authorities can initiate and carry out investigations ex officio if an initial suspicion of a data protection breach comes to the authority’s attention. Investigative powers include the supervisory authorities’ right to access any premises of the controller and the processor.

bb) Administrative complaints (GDPR, art. 77 and 78)

817 Further, if a data subject feels that his rights under the GDPR have been infringed, he can lodge an administrative complaint with a single supervisory authority, in particular in the Member State of his habitual residence, place of work or place of the alleged infringement (GDPR, art. 77). Upon such complaint, which can be lodged, inter alia, by way of an electronic complaint submission form, the authority must start an investigation of the alleged infringement by the data controller or processor. GDPR, recital 141 further specifies that the investigation by the supervisory authority must be carried out as appropriate on a case-by-case basis and is subject to judicial review. The data subject must be kept up to date on the progress, further developments and the outcome of the complaint within a reasonable period.

818 Where the supervisory authority does not act in a timely manner (i.e. within three months, cf. GDPR, art. 78, para 2) on a complaint, rejects or dismisses a complaint, does not act where such action is necessary to protect the rights of the data subject, or does not inform the data subject as appropriate, the data subject has the right to bring an action before a national court (GDPR, art. 78). Measures such as opinions or advice provided by the supervisory authority are, however, not encompassed by this right, as they are not binding (GDPR, recital 143).

819 In order to avoid contradictory judgments, GDPR, art. 81, para 2 states that if related proceedings are pending before a court of another Member State, any court seised at a later point in time may suspend its proceedings. Where proceedings are pending at first instance, the second court may also decline jurisdiction on request of a party in favour of the court first seised. This applies only if the court first seised has jurisdiction over the proceedings and if its law permits the consolidation of such related proceedings (GDPR, art. 81, para 3).

cc) Proceedings against data controllers and data processors (GDPR, art. 79)

820 Further, data subjects also have the right to launch proceedings directly against data controllers or processors in case of any violation of the GDPR related to the processing of their personal data. This is a major difference compared to Directive 95/46, which only contained such a provision for judicial remedy against controllers but not against processors. Proceedings shall be brought either before the courts of the Member State where the infringer is established or, unless the infringer is a public authority of a Member State acting in the exercise of its public powers, before the courts of the Member State of the data subject’s residence (GDPR, art. 79, para 2).

dd) Capacity to sue for non-profit bodies, organisations or associations mandated by the data subject (GDPR, art. 80)

821 GDPR, art. 80 includes two provisions. GDPR, art. 80, para 1 allows data subjects to mandate NPOs and associations to lodge administrative complaints on their behalf (GDPR, art. 77), to exercise the right to a judicial remedy on their behalf (GDPR, art. 78) or to launch proceedings against data controllers and processors (GDPR, art. 79). If provided for in Member State law, this may also include the right to receive compensation on behalf of the data subjects (GDPR, art. 82). Especially in lawsuits against big companies, the possibility of being represented by NPOs is meant to strengthen consumers’ rights, as individuals often do not have the means and realistic options to bring the actions themselves. The body, organisation or association mandated by the data subject must be properly constituted under the law of the respective Member State. Therefore, these bodies, organisations or associations need to have statutory objectives in the public interest, be active in the field of the protection of data subjects’ rights and be of a non-profit-making character.

822 GDPR, art. 80, para 2 further contains an opening clause for collective redress that goes beyond the representation in case of a mandate as per paragraph 1. Member States may provide for NPOs or associations to have their own right to lodge a complaint against an alleged infringement of individual rights under the GDPR. This complaint right is completely independent of a specific mandate by a data subject, i.e. the data subject does not have to give his consent to actions that are brought to the court by the NPO. The NPO may, however, not claim compensation on a data subject’s behalf unless explicitly mandated by the data subject.

823 The possibility of such abstract enforcement of rights by NPOs is likely to lead to a substantial increase in proceedings against companies for alleged data protection infringements.60 Complying with the provisions and requirements of the GDPR will therefore be all the more significant for companies due to the drastically increased fines and the easier possibilities for private data subjects to enforce their rights.

2. Damages based on the GDPR

824 Different from the legal situation under Directive 95/46, the GDPR grants data subjects that have suffered damage from an infringement of the Regulation a direct right to sue controllers and processors for compensation of damages. This right will be directly and uniformly applicable across the EU and will therefore be easier to enforce than under the legal status quo.

a) Concept of damage

825 According to GDPR, recital 146, the concept of damage applied in GDPR, art. 82 should be interpreted in a broad manner. Data subjects are supposed to receive full and effective compensation for the damage they have suffered due to the non-compliant processing. This encompasses both material and non-material damages and comes in addition to any claims for damage deriving from the violation of other rules in Union or Member State law (GDPR, recital 146). However, to prevent escalating liability under the Regulation, the damage must have been caused by the infringement.

60 Bitkom, Comments on Chapter VIII – Remedies, Liabilities and Sanctions, 6/11.


b) Relevant infringements

826 Under GDPR, art. 82, para 1 “any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered”.

827 “Infringement of this Regulation” in the meaning of GDPR, art. 82, para 1 includes processing that infringes the terms of the GDPR itself, but also delegated and implementing acts adopted in accordance with the GDPR and Member State law specifying rules of the GDPR.

828 With respect to infringements of Member State law which does not specify the GDPR, on the other hand, data processors will be held liable on the basis of the respective national rules only.

829 While a controller is, in principle, held responsible for any and all processing in which he is involved and which infringes the GDPR, data processors’ liability for infringements is limited to a breach of the obligations of the GDPR which are specifically imposed on processors, or to an action outside or contrary to the controller’s lawful instructions (GDPR, art. 82, para 2). The liability of the processor is a major change compared to the situation under Directive 95/46, where the processor was privileged (Directive 95/46, art. 23, para 1). It must be emphasised that involvement in the data processing is sufficient to establish liability under the GDPR. Involvement in the damaging act itself is not required.

c) Exemption

830 Both controllers and processors are exempt from liability if they can prove that they are not responsible for the infringement, i.e. the burden of proof lies with the controller/processor (GDPR, art. 82, para 3).

d) Joint processing

831 In case more than one controller and/or processor are involved in the same processing operation, they are jointly and severally liable for the entire damage (GDPR, art. 82, para 4), unless one (or several) of them are exempt under GDPR, art. 82, paras 2 or 3.

832 However, where they are joined to the same judicial proceedings, in accordance with Member State law, compensation may be apportioned according to the responsibility of each controller or processor for the damage caused by the processing, provided that full and effective compensation of the data subject who suffered the damage is ensured.

833 GDPR, art. 82, para 5 ensures that a controller or processor who has paid full compensation to the data subject may subsequently institute recourse proceedings against other parties involved in the non-compliant processing.

834 According to GDPR, art. 82, para 6, recourse proceedings may be brought before the courts competent under the law of the Member State referred to in GDPR, art. 79, para 2, which means either the courts of the Member State where the infringer is established or, unless the infringer is a public authority of a Member State acting in the exercise of its public powers, the courts of the Member State of the data subject’s residence.

3. Liability based on national laws

835 In many cases, the processing of personal data is based on a contractual relationship between the data subject and the processor or controller. Thus, contractual claims, e.g. for damages or injunctive relief, may often arise from the contract law provisions of each Member State. Further claims can arise from national tort law or unfair competition law.

836 In addition, the Member States remain able to lay down their own rules, in particular criminal law provisions, which apply to infringements of the GDPR (GDPR, art. 84, para 1).


E. Practical examples

837 Advancing digitalisation and interconnectivity of everyday items, globalisation and the growth of the cloud computing business have led to an ever-increasing collection of personal data and a need to freely transfer such data across national borders. Group-internal consolidation and efficiency enhancement programmes likewise often require the centralisation of IT services and transfers of data to offshore providers. These providers are often located in third countries, i.e. jurisdictions outside the EU, with favourable economic framework conditions but rules of law which do not ensure a level of data protection comparable to the one within the EU.

838 Understanding the data protection requirements and limitations applicable to cross-border transfers of personal data to recipients outside the EU is therefore an essential prerequisite for benefiting from those favourable framework conditions, consolidation means and international trade in line with data protection law.

839 The following chapter covers the rules and regulations applicable to transfers of personal data to third countries, i.e. countries outside the EU, and to international organisations.

I. Transfer of personal data to third countries

840 Any transfer of personal data to third countries or to an international organisation may take place only if the general provisions of the Regulation applicable to any processing of personal data and, additionally, the specific provisions applicable to a transfer of personal data to third countries or international organisations laid down in Chapter V of the GDPR are complied with (GDPR, art. 44).

841 Like under Directive 95/46, the lawfulness of a transfer of personal data to a third country or an international organisation must therefore be assessed by applying a two-step test. In a first step it is to be verified whether the general principles applicable to any processing of personal data (see section C.I., → mn. 241 et seqq.) are complied with. In a second step it is to be verified whether the specific transfer requirements set forth in GDPR, art. 44 to 50 are complied with, which are intended to ensure that the level of protection of natural persons guaranteed by the Regulation is not undermined as a consequence of the transfer to a recipient outside the EU.

842 It is important to note that the requirements of both steps of the test must be satisfied. Implementing adequate safeguards in the meaning of GDPR, art. 46, and thereby satisfying the second step of the test, is not sufficient to ensure the lawfulness of the transfer.1

1 WP 38, 3.

Tobias Kugler

195

E. Practical examples

843
In contrast to Directive 95/46, GDPR, art. 44 explicitly sets out that the foregoing requirements likewise apply to onward transfers of personal data from the third country or international organisation to another third country or another international organisation.

844
The requirements of the second step are satisfied if the recipient is located in a country in respect of which the Commission has adopted an adequacy decision (GDPR, art. 45), if the transfer is subject to appropriate safeguards (GDPR, art. 46) or if a derogation set out in the Regulation applies (GDPR, art. 49). In the absence of an adequacy decision, and unlike under Directive 95/46, Union or Member State law may, for important reasons of public interest, expressly set limits to the transfer of specific categories of personal data to a third country or an international organisation (GDPR, art. 49, para 5). Where such limits exist, the personal data concerned may not be transferred to third countries and/or international organisations irrespective of any safeguards or derogations.

1. Adequate level of protection

845
A transfer of personal data to a recipient in a third country or an international organisation may take place, i.e. the requirements of the second step of the test are satisfied, where the third country or the territory in which the recipient is located, or the sector of said country in which the recipient is active, or said international organisation, respectively, was the subject of an adequacy decision of the Commission (GDPR, art. 45, para 1).

a) Procedure of implementing an adequacy decision

846
The Commission may adopt an adequacy decision relating to a third country, territory, sector and/or international organisation by means of an implementing act within the meaning of TFEU, art. 291 and in accordance with the examination procedure referred to in GDPR, art. 93, para 2, after conducting an assessment of the adequacy of data protection in said third country or international organisation. When assessing adequacy, the Commission shall take account of the elements listed by way of example in GDPR, art. 45, para 2, which can be grouped into the following three main elements:
– the data protection regime in the third country or international organisation;
– the existence of independent data protection supervisory authorities; and
– the existence of international commitments or other obligations relating to data protection.

847
In its implementing act the Commission must specify the territorial and sectoral application of the act and, where applicable, identify the supervisory authority or authorities in the third country, or the authority to which the international organisation covered by the adequacy decision is subject. The implementing act must further provide for a mechanism for a periodic review of the decision. Such periodic reviews must be carried out at least every four years and shall take into account all relevant developments in the third country or international organisation (GDPR, art. 45, para 3).

848
According to GDPR, art. 45, para 4 the Commission is obliged to monitor on an ongoing basis developments in third countries and international organisations that could affect the functioning of an adequacy decision adopted pursuant to GDPR, art. 45, para 3 or on the basis of Directive 95/46, art. 25, para 6. If the Commission becomes aware, in its periodic review or otherwise, that a third country, a territory or specified sector within a third country, or an international organisation that was the subject of an adequacy decision no longer ensures an adequate level of protection, it shall repeal, amend or suspend the adequacy decision to the extent necessary and shall enter into consultations with the third country or international organisation with a view to remedying the situation giving rise to that decision.

849
The decision to repeal, amend or suspend the adequacy decision must be taken, in line with the initial requirements, by way of an implementing act in accordance with the examination procedure set forth in GDPR, art. 93, para 2 and without retroactive effect. On duly justified imperative grounds of urgency, the Commission shall adopt immediately applicable implementing acts in accordance with the urgency procedure referred to in GDPR, art. 93, para 3.

850
The Commission shall publish in the Official Journal of the EU and on its website2 a list of the third countries, territories, specified sectors and international organisations for which it has decided that an adequate level of protection is or is no longer ensured. Businesses transferring personal data to third countries or international organisations that were the subject of an adequacy decision should therefore monitor the Official Journal of the EU or the Commission's website on an ongoing basis, so as to be able to respond to the repeal or suspension of the adequacy decision by providing appropriate safeguards within the meaning of GDPR, art. 46, para 2.

b) Adequacy decisions under Directive 95/46

851
Decisions adopted on the basis of Directive 95/46, art. 25, para 6 remain in force according to GDPR, art. 45, para 9 until amended, replaced or repealed by a new Commission decision.

852
To date the Commission has adopted adequacy decisions according to Directive 95/46, art. 25, para 6 for the following countries: Andorra (Commission Decision 2010/625/EU), Argentina (Commission Decision 2003/490/EC), Canada (Commission Decision 2002/2/EC),3 Switzerland (Commission Decision 2000/518/EC), Faeroe Islands (Commission Decision 2010/146/EU), Guernsey (Commission Decision 2003/821/EC), State of Israel (Commission Decision 2011/61/EU),4 Isle of Man (Commission Decision 2004/411/EC), Jersey (Commission Decision 2008/393/EC), New Zealand (Commission Decision 2013/65/EU), Eastern Republic of Uruguay (Commission Decision 2012/484/EU). It follows that a transfer of personal data to those countries is compliant with the GDPR without any further permission, provided that a legal basis under the first step of the two-step test is assured.

2 http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm (as of 6.4.2017).
3 This decision allows the transfer of certain personal data exclusively to recipients in Canada subject to the Canadian Personal Information Protection and Electronic Documents Act.

c) Special case: United States (Safe Harbour/EU-U.S. Privacy Shield)

853
The ability to transfer personal data to recipients in the United States has traditionally been an important factor for entities in the EU, whether in the context of international trade, group-internal consolidation and centralisation efforts, or in the context of receiving IT-related services from US-based IT service providers.

854
From an EU perspective, privacy and data protection in the United States were seen as governed by a complex fabric of sectoral regulation, at both federal and state level, combined with industry self-regulation,5 which did not provide for an adequate level of data protection.

855
Against this background, the Commission and the US government negotiated, with the assistance of the Article 29 Working Party, the Safe Harbour Principles, intended to ensure an adequate level of data protection for transfers of personal data made thereunder. These principles were supplemented by a list of frequently asked questions issued by the US Department of Commerce.

856
In its Decision 2000/520/EC6 the Commission decided that the "Safe Harbour Principles" set out in Annex I to the decision, implemented in accordance with the guidance provided by the frequently asked questions issued by the US Department of Commerce set out in Annex II to the decision, are considered to ensure an adequate level of protection for personal data transferred from the Community to organisations established in the United States.7

857
To benefit from the Safe Harbour Principles, entities had to self-certify to the US Department of Commerce their adherence to the principles in accordance with the frequently asked questions. To self-certify, entities had to provide to the US Department of Commerce a letter, signed by a corporate officer on behalf of the entity, stating that it was joining the Safe Harbour. This letter had to contain certain information listed in the frequently asked questions attached to Decision 2000/520/EC, including information on the certifying organisation, its intended processing activities with respect to personal data received from the EU and its privacy policy. To adhere to the Safe Harbour Principles, entities had to comply with the principles and had to apply to be listed in a publicly available list of certified entities made available by the US Department of Commerce.

4 This decision stipulates an adequate level of protection in relation to automated international transfers of personal data.
5 WP 15, 2.
6 Commission Decision of 26 July 2000 pursuant to Directive 95/46 of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce.
7 Commission Decision of 26 July 2000 pursuant to Directive 95/46 of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce, C(2000) 2441, which can be found under: http://trade.ec.europa.eu/doclib/docs/2003/october/tradoc_111715.pdf (as of 6.4.2017).

858
On 6 October 2015 the ECJ ruled in its "Schrems" judgment that Commission Decision 2000/520/EC on Safe Harbour is invalid.8 It stated that the Commission had failed to determine in its decision that the United States in fact "ensures" an adequate level of protection by reason of its domestic law or its international commitments. Instead, the Commission had merely determined that the "Safe Harbour Principles" are considered sufficient to ensure an adequate level of protection. The ECJ concluded that consequently, without there being any need to examine the content of the Safe Harbour Principles, Article 1 of Commission Decision 2000/520 fails to comply with the requirements laid down in Directive 95/46, art. 25, para 6, read in the light of the Charter of Fundamental Rights, and that it is accordingly invalid. The Court further concluded that the implementing power granted by the EU legislature to the Commission in Directive 95/46, art. 25, para 6 did not confer upon it a competence to restrict the national data protection supervisory authorities' powers as done in Commission Decision 2000/520/EC, art. 3. The Court also noted that Decision 2000/520/EC enabled interference with the fundamental rights of data subjects founded on national security and public interest requirements or on domestic legislation of the United States, without containing any findings regarding the existence of effective legal protection against such interference.
It concluded that protection of the fundamental right to respect for private life at EU level requires that derogations and limitations in relation to the protection of personal data apply only in so far as strictly necessary, and that legislation permitting public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life guaranteed by art. 7 of the Charter.9

8 Case C-362/14, 6.10.2015, Maximilian Schrems v Data Protection Commissioner, EU:C:2015:650.
9 Case C-362/14, 6.10.2015, Maximilian Schrems v Data Protection Commissioner, EU:C:2015:650.

859
On 29 February 2016 the Commission published a draft EU-U.S. Privacy Shield consisting of a draft adequacy decision plus Annexes thereto.10 While the draft EU-U.S. Privacy Shield was largely perceived as providing improvements compared to the Safe Harbour decision, it was also the object of criticism by the Art. 29 Working Party and the European Parliament. In its opinion on the draft decision the Art. 29 Working Party criticised, amongst others, a lack of clarity of the new framework and considered that certain key data protection principles of European law, such as the data retention principle and the principle of purpose limitation, were not properly reflected in the draft. With respect to derogations for national security purposes, the Art. 29 Working Party acknowledged that considerable steps had been made but noted that the representations of the U.S. Office of the Director of National Intelligence contained in the EU-U.S. Privacy Shield did not exclude massive and indiscriminate collection of personal data from the EU.11

10 http://ec.europa.eu/justice/newsroom/data-protection/news/160229_en.htm (as of 6.4.2017).

860
After agreeing on certain amendments with the United States, the Commission adopted on 12 July 2016 the final version of the EU-U.S. Privacy Shield.12 It consists of an adequacy decision of the Commission, the privacy principles (Annex II), and official representations and commitments by various U.S. authorities contained in the documents in Annexes I and III to VII.13 The mechanism remains one of self-certification (see Annex II, Sec. III.6 of the Privacy Shield), but enforcement, and particularly individuals' rights, were strengthened. The EU-U.S. Privacy Shield provides inter alia for regular updates and reviews of self-certified companies, safeguards and transparency obligations on U.S. government access including redress mechanisms and an Ombudsperson mechanism, and a free-of-charge alternative dispute resolution mechanism for the protection of individual rights.14 Pursuant to Annex I of the Privacy Shield the US Department of Commerce is required to maintain and make available a list of self-certified companies under the EU-U.S. Privacy Shield, to verify the self-certification requirements and to conduct compliance reviews.

861
Addressing the shortcomings of Commission Decision 2000/520/EC, art. 1, para 1 of the EU-U.S.
Privacy Shield now explicitly states that "the United States ensure an adequate level of protection for personal data transferred from the Union to organisations in the United States under the EU-U.S. Privacy Shield." The supervisory powers of the supervisory authorities in the EU are not restricted by the EU-U.S. Privacy Shield.

862
Annex II, section I.5 of the EU-U.S. Privacy Shield, however, still contains a provision limiting the obligation of data importers in the U.S. to adhere to the principles of the Privacy Shield "(a) to the extent necessary to meet national security, public interest, or law enforcement requirements; (b) by statute, government regulation, or case law that creates conflicting obligations or explicit authorisations, provided that, in exercising any such authorisation, an organisation can demonstrate that its non-compliance with the Principles is limited to the extent necessary to meet the overriding legitimate interests furthered by such authorisation".

11 WP 238, 37.
12 Commission Implementing Decision of 12.7.2016 pursuant to Directive 95/46 of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield, C(2016) 4176 final.
13 The Annexes are assembled in one document: Annexes to the Commission Implementing Decision pursuant to Directive 95/46 of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield, C(2016) 4176 final, Annexes 1 to 7.
14 See the press release of the Commission (Commission launches EU-U.S. Privacy Shield: stronger protection for transatlantic data flows), 12 July 2016, which can be found under: http://europa.eu/rapid/press-release_IP-16-2461_en.htm (as of 6.4.2017).

863
In its statement of 26 July 2016 the Art. 29 Working Party welcomed the improvements brought by the Privacy Shield mechanism but expressed its regret at the lack of specific assurances that U.S. authorities do not conduct mass and indiscriminate collection of personal data. It announced that it would carefully assess in the first annual review of the EU-U.S. Privacy Shield whether the remaining issues had been solved and whether the safeguards provided under the EU-U.S. Privacy Shield are workable and effective.15

864
Given the ongoing criticism and the publicly communicated concerns of the Art. 29 Working Party, the EU-U.S. Privacy Shield appears to face an uncertain future and is likely to be challenged before the ECJ in the near future.

865
From a business perspective it is therefore recommended to carefully document transfers to recipients made on the basis of the EU-U.S. Privacy Shield and to consider alternative approaches, such as agreeing on appropriate safeguards pursuant to GDPR, art. 46 (e.g. EU Model Clauses, see section E.I.2.b), → mn. 883).

2. Appropriate safeguards

866
If no adequacy decision has been adopted with respect to a third country or international organisation, personal data may nonetheless be transferred to that third country or international organisation according to GDPR, art. 46, para 1 if the controller or the processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

867
In contrast to Directive 95/46, under which only controllers were able to implement adequate safeguards to facilitate a data transfer to a third country, the GDPR enables controllers as well as processors to implement such safeguards. This amendment is likely to simplify contractual frameworks in constellations in which processors within the EU subcontract processors in third countries (see sections E.II.2.b) and E.II.3.b), → mn. 971 and 995).

868
The appropriate safeguards set forth in the GDPR fall into two categories: safeguards which require additional authorisation from a supervisory authority and those that can be provided without such authorisation. Safeguards that can be provided by entities in the private sector without requiring specific authorisation from the supervisory authorities are enumerated in GDPR, art. 46, para 2 and include BCRs, standard data protection clauses adopted by the Commission, standard data protection clauses adopted by a supervisory authority and approved by the Commission, approved codes of conduct and approved certification mechanisms. While BCRs were already developed under Directive 95/46 as appropriate safeguards and standard data protection clauses were explicitly mentioned therein, codes of conduct and approved certification mechanisms are new safeguards introduced by the GDPR which are likely to benefit larger international businesses and cloud providers dependent on frequent data transfers to third countries.

869
Safeguards requiring explicit authorisation from a supervisory authority may consist of contractual clauses between the data exporter and the receiving controller, processor or other recipient in the third country (GDPR, art. 46, para 3).

15 Article 29 Working Party Statement on the decision of the Commission on the EU-U.S. Privacy Shield, 26 July 2016, which can be found under http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/2016/20160726_wp29_wp_statement_eu_us_privacy_shield_en.pdf (as of 6.4.2017).

a) Binding Corporate Rules

870
BCRs are defined in GDPR, art. 4, no. 20 as "personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity".

871
Thus, BCRs are an instrument to enable lawful international transfers of personal data within multinational groups of undertakings or between enterprises otherwise engaged in a joint economic activity (cf. GDPR, recital 110). They consist of internal rules which must apply throughout the group, irrespective of any criteria or consideration.16

872
The term "group of undertakings" is defined in GDPR, art. 4, no. 19 as "a controlling undertaking and its controlled undertakings". Although used several times in the GDPR, the notion of "a group of enterprises engaged in a joint economic activity" is not defined in the GDPR. As a "group of undertakings" according to the definition above must consist of at least two undertakings, it appears reasonable to apply this interpretation accordingly and to interpret the notion of a "group of enterprises" as a group consisting of at least two enterprises. The term "enterprise" is defined in GDPR, art. 4, no. 18 as "a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity". Engagement in a joint economic activity requires some sort of collaboration of several enterprises in relation to an economic activity, whether in relation to the production of goods, the provision of services or otherwise. Until further guidance on the interpretation is provided by the Board or the ECJ, it appears reasonable to interpret the notion of a "group of enterprises engaged in a joint economic activity" as a group of two or more natural or legal persons, whether affiliated or not, which collaborate with respect to an economic activity.

16 WP 74, 8.


873
While the process of initially implementing BCRs and the requirement to have them approved by the competent supervisory authority as described below may turn out to be time-consuming, BCRs provide a means to implement safeguards tailored to the specifics of the data transfers within the group of undertakings or group of enterprises engaged in a joint economic activity in question, and they reduce administrative effort once approved, by eliminating the need to conclude individual contracts or to obtain the competent supervisory authority's approval for each and every data transfer between the various undertakings bound by the BCRs. From a business perspective it therefore appears advisable to consider BCRs as one of the safeguards available to facilitate data transfers in outsourcing or other long-term service provision constellations involving the transfer of personal data.

aa) Binding Corporate Rules under Directive 95/46

874
BCRs were already partly accepted as a means to adduce adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals under Directive 95/46, art. 26, para 2.17 Even though not explicitly mentioned in Directive 95/46, the Art. 29 Working Party developed, in several Working Papers, rules on the mandatory content of BCRs and on the procedures to adopt them as such a means.18 These rules also include recommendations on standard applications for obtaining the mandatory approval of the competent data protection supervisory authorities for the BCRs.19

875
These rules further include a "co-operation procedure for issuing common opinions on adequate safeguards resulting from BCRs", which aims at simplifying the process of obtaining approval for the BCRs where the corporate group interested in obtaining such approval consists of several entities in various Member States and approval from more than one supervisory authority is therefore required.20 According to this cooperation procedure the corporate group has to propose a lead authority on the basis of the criteria provided by the Art. 29 Working Party and negotiate with it the content of a "consolidated draft" of the BCRs, which is distributed among all data protection authorities concerned for comments. After transmission of the comments on the consolidated draft and, where necessary, further discussions and negotiations, the lead authority invites the applicant to send a "final draft", on which it invites confirmation from the other data protection authorities that they are satisfied as to the adequacy of the safeguards proposed. Such confirmation is regarded by all the participating authorities and the organisation concerned as an agreement to provide the necessary permit or authorisation at national level.21 In 2008 this process was supplemented by a mutual recognition procedure under which the participating authorities agreed to accept the opinion of the lead supervisory authority as a sufficient basis for providing their own national permit or authorisation for the BCRs, or for giving positive advice to the body that provides that authorisation. The countries taking part in this mutual recognition procedure are Austria, Belgium, Bulgaria, Cyprus, Czech Republic, Estonia, France, Germany, Iceland, Ireland, Italy, Latvia, Liechtenstein, Luxembourg, Malta, the Netherlands, Norway, Slovakia, Slovenia, Spain and the United Kingdom.22

876
The rules and guidance of the Art. 29 Working Party initially related to BCRs intended to facilitate data transfers by undertakings acting as controller. In 2012, however, the Art. 29 Working Party also adopted a Working Paper setting forth mandatory elements and principles of BCRs for processors.23 These BCRs for processors "aim to frame international transfers of personal data that are originally processed by the company as Data Processor according to the external instructions of a Data Controller (such as outsourcing activities)"24 (for more details on outsourcing see section E.II., → mn. 961 et seqq.).

877
While some Member States adopted provisions in the national acts transposing Directive 95/46 which explicitly mention BCRs as safeguards to facilitate transfers of personal data to third countries, other Member States refused to accept BCRs as such a means.25 Further, the requirements to be observed in case of a transfer of personal data to third countries on the basis of BCRs already approved by the competent supervisory authority remained diverse and inconsistent between Member States.26

878
At present, BCRs have been approved, amongst others, for certain larger international groups of companies listed on the website of the Commission.27 According to GDPR, art. 46, para 5, authorisations on the basis of Directive 95/46, art. 26, para 2 shall remain valid until amended, replaced or repealed. As approved BCRs are such authorisations adopted on the basis of Directive 95/46, art. 26, para 2, they will for now remain valid under the GDPR.

17 See WP 74.
18 A list of the BCR-related documents adopted by the Art. 29 Working Party can be found under: http://ec.europa.eu/justice/data-protection/international-transfers/binding-corporate-rules/tools/index_en.htm (as of 6.4.2017).
19 WP 133.
20 WP 107.
21 WP 107.
22 http://ec.europa.eu/justice/data-protection/international-transfers/binding-corporate-rules/mutual_recognition/index_en.htm (as of 6.4.2017).
23 WP 195.
24 WP 195, 2.
25 See the list of national filing requirements for controller BCRs published by the Art. 29 Working Party, which can be found under http://ec.europa.eu/justice/data-protection/international-transfers/files/table_nat_admin_req_en.pdf (as of 6.4.2017).
26 See the list of national filing requirements for controller BCRs published by the Art. 29 Working Party, which can be found under http://ec.europa.eu/justice/data-protection/international-transfers/files/table_nat_admin_req_en.pdf (as of 6.4.2017).
27 A list of companies for which the EU BCR cooperation procedure is closed can be found under: http://ec.europa.eu/justice/data-protection/international-transfers/binding-corporate-rules/bcr_cooperation/index_en.htm (as of 6.4.2017).


bb) Procedure to implement Binding Corporate Rules

879
The mandatory content of BCRs and the procedures for implementing them, initially established by the Art. 29 Working Party, are now stipulated in GDPR, art. 47. Pursuant to GDPR, art. 47, para 1 the BCRs are to be approved by the competent supervisory authority, provided that they:
– are legally binding and apply to and are enforced by every member concerned of the group of undertakings, or group of enterprises engaged in a joint economic activity, including their employees;
– expressly confer enforceable rights on data subjects with regard to the processing of their personal data; and
– fulfil the requirements laid down in GDPR, art. 47, para 2.

880
Pursuant to GDPR, art. 47, para 2 the BCRs referred to in paragraph 1 shall specify at least:
– the structure and contact details of the group of undertakings, or group of enterprises engaged in a joint economic activity, and of each of its members (subpara a));
– the data transfers or set of transfers, including the categories of personal data, the type of processing and its purposes, the type of data subjects affected and the identification of the third country or countries in question (subpara b));
– their legally binding nature, both internally and externally (subpara c));
– the application of the general data protection principles, in particular purpose limitation, data minimisation, limited storage periods, data quality, data protection by design and by default, legal basis for processing, processing of special categories of personal data, measures to ensure data security, and the requirements in respect of onward transfers to bodies not bound by the BCRs (subpara d));
– the rights of data subjects in regard to processing and the means to exercise those rights, including the right not to be subject to decisions based solely on automated processing, including profiling in accordance with GDPR, art. 22, the right to lodge a complaint with the competent supervisory authority and before the competent courts of the Member States in accordance with GDPR, art. 79, and to obtain redress and, where appropriate, compensation for a breach of the BCRs (subpara e));
– the acceptance by the controller or processor established on the territory of a Member State of liability for any breaches of the BCRs by any member concerned not established in the Union; the controller or the processor shall be exempt from that liability, in whole or in part, only if it proves that that member is not responsible for the event giving rise to the damage (subpara f));
– how the information on the BCRs, in particular on the provisions referred to in subparas d), e) and f), is provided to the data subjects in addition to GDPR, art. 13 and 14 (subpara g));
– the tasks of any data protection officer designated in accordance with GDPR, art. 37 or of any other person or entity in charge of monitoring compliance with the BCRs within the group of undertakings, or group of enterprises engaged in a joint economic activity, as well as monitoring training and complaint-handling (subpara h));
– the complaint procedures (subpara i));
– the mechanisms within the group of undertakings, or group of enterprises engaged in a joint economic activity, for ensuring the verification of compliance with the BCRs. Such mechanisms shall include data protection audits and methods for ensuring corrective actions to protect the rights of the data subject. Results of such verification should be communicated to the person or entity referred to under subpara h) and to the board of the controlling undertaking of a group of undertakings, or of the group of enterprises engaged in a joint economic activity, and should be available upon request to the competent supervisory authority (subpara j));
– the mechanisms for reporting and recording changes to the rules and reporting those changes to the supervisory authority (subpara k));
– the cooperation mechanism with the supervisory authority to ensure compliance by any member of the group of undertakings, or group of enterprises engaged in a joint economic activity, in particular by making available to the supervisory authority the results of verifications of the measures referred to in subpara j) (subpara l));
– the mechanisms for reporting to the competent supervisory authority any legal requirements to which a member of the group of undertakings, or group of enterprises engaged in a joint economic activity, is subject in a third country which are likely to have a substantial adverse effect on the guarantees provided by the BCRs (subpara m)); and
– the appropriate data protection training to personnel having permanent or regular access to personal data (subpara n)).

881
To establish BCRs, the group of undertakings, or group of enterprises engaged in a joint economic activity, wishing to rely on the BCRs for data transfers is required to submit the draft BCRs to the competent supervisory authority, which shall approve the binding corporate rules in accordance with the consistency mechanism set out in GDPR, art. 63 (see section D.V.1.c), → mn. 610 et seqq.), provided that they comply with GDPR, art. 47, para 1.

882
Pursuant to GDPR, art. 47, para 3 the Commission may specify the format and procedures for the exchange of information between controllers, processors and supervisory authorities for BCRs.

206

Tobias Kugler

b) Standard Data Protection Clauses

883 As already set out in Directive 95/46, appropriate safeguards for a transfer of personal data to third countries or international organisations may also be provided by standard clauses entered into between the data exporter in the EU and the data importer in the third country. These clauses, referred to as “standard contractual clauses” in Directive 95/46, art. 26, para 4, are now referred to in GDPR, art. 46, para 2 as standard data protection clauses. They are intended to ensure compliance with data protection requirements and the rights of the data subjects appropriate to processing within the Union, including the availability of enforceable data subject rights and of effective legal remedies, including to obtain effective administrative or judicial redress and to claim compensation, in the Union or in a third country (cf. GDPR, recital 108).

884 In contrast to Directive 95/46, art. 26, para 4, pursuant to which standard contractual clauses can only be adopted by the Commission, GDPR, art. 46, para 2 also permits supervisory authorities to adopt standard data protection clauses, if they are approved by the Commission.

aa) Standard Contractual Clauses under Directive 95/46

885 Currently three different sets of standard contractual clauses exist which were adopted by the Commission under Directive 95/46.

886 In Commission Decision 2001/497/EC28 the Commission adopted a first set of standard contractual clauses concerning the transfer of personal data from a controller within the EU or the EEA to a controller located in a third country (often referred to as “controller to controller clauses”). After businesses had demanded more business-friendly and flexible clauses, the Commission adopted in Commission Decision 2004/915/EC29 an alternative set of standard contractual clauses on the basis of a draft proposed by the International Chamber of Commerce and other business associations.30 This alternative set of standard contractual clauses contains “more flexible auditing requirements” (see its recital 4), a “liability regime based on due diligence obligations” (see its recital 5) and “greater involvement of the data exporter in the resolution of data subjects’ complaints” (see its recital 6). Furthermore, it contains optional clauses, e.g. on dispute resolution mechanisms. Both sets may be used interchangeably. Businesses interested in transferring personal data to controllers established in third countries may therefore choose the set which better addresses their internal requirements.

28 Commission Decision of 15 June 2001 on standard contractual clauses for the transfer of personal data to third countries, under Directive 95/46.
29 Commission Decision of 27 December 2004 amending Decision 2001/497/EC as regards the introduction of an alternative set of standard contractual clauses for the transfer of personal data to third countries.
30 See WP 84, 2; Commission Decision 2004/915/EC, recital 2.

In 2001 the Commission had also adopted a set of standard contractual clauses for data transfers from controllers within the EU or EEA to processors established in third countries (often referred to as “controller to processor clauses”), which was replaced by a new set of standard contractual clauses adopted by the Commission in its Commission Decision 2010/87/EU.31

On 16 December 2016 Commission Decision 2001/497/EC and Commission Decision 2010/87/EU were amended by Commission Implementing Decision (EU) 2016/2297 in response to the ECJ’s Schrems judgment, by replacing those provisions of the Commission Decisions which had limited the powers of the national supervisory authorities to oversee and suspend data flows to third countries on the basis of these standard contractual clauses. The standard contractual clauses themselves, however, remained unchanged.

Pursuant to GDPR, art. 46, para 5 the standard contractual clauses described above, adopted by the Commission on the basis of Directive 95/46, art. 26, para 4, remain in force until amended, replaced or repealed by the Commission.

However, on 20 May 2016 the office of the Data Protection Commissioner of Ireland published a statement on its website that it “will seek declaratory relief in the Irish High Court and a referral to the ECJ to determine the legal status of data transfers under standard contractual clauses”.32 It therefore appears not unlikely that the validity of the standard contractual clauses adopted under Directive 95/46 will be challenged before the ECJ shortly.

Businesses should therefore carefully document all cases of data transfers to third countries on the basis of standard contractual clauses and monitor future developments in order to be able to respond swiftly should the standard contractual clauses be amended, replaced or repealed, or be declared invalid by the ECJ.

bb) Implementation and use of Standard Data Protection Clauses

892 To provide appropriate safeguards under Directive 95/46 by means of standard contractual clauses, the controller within the EU/EEA and the recipient in the third country are required to complete the annexes by providing, inter alia, information on the categories of personal data to be transferred, the scope of the envisaged processing activities and the data subjects affected thereby, and to sign the clauses. In addition, the national implementation acts of some Member States require that the competent data protection supervisory authority be notified of the intended transfer on the basis of the standard contractual clauses, or even that its authorisation be obtained.33

31 Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46 of the European Parliament and of the Council.
32 The statement can be found under: https://www.dataprotection.ie/docs/25-05-2016-Statementby-this-Office-in-respect-of-application-for-Declaratory-Relief-in-the-Irish-High-Court-and-Referral-to-the-CJEU/1570.htm (as of 6.4.2017).
33 E.g. an authorisation according to Art. 68 ff. Act no. 78-17 of January 6 1978 on Processing Data Files and Public Liberty, in France; or a notification according to Art. 21 f. Belgian Law of 8 December 1992 on the protection of privacy in relation to the processing of personal data, in Belgium.

Under the GDPR no such additional notification or authorisation will be necessary. Instead, appropriate safeguards may be provided for by standard data protection clauses without requiring any specific authorisation from a supervisory authority (GDPR, art. 46, para 2). Further, under the GDPR appropriate safeguards may as a general principle not only be provided by the controller within the EU but also by the processor, which may greatly simplify contractual frameworks in sub-processor constellations on the basis of future standard data protection clauses (see section E.II.4.b)aa), → mn. 1019).

Even though standard contractual clauses adopted by the Commission under Directive 95/46 remain applicable until amended, replaced, repealed or declared invalid, they may not be used as appropriate safeguards by processors in the EU and data recipients in third countries, as they are to be entered into by the data exporter within the EU, which is defined in the respective clause as the “controller who transfers the personal data”.

Finally, standard data protection clauses adopted under the GDPR may also be included pursuant to GDPR, recital 109 in a wider contract or supplemented by other clauses or additional safeguards, provided that the other provisions do not contradict, directly or indirectly, the standard contractual clauses adopted by the Commission or by a supervisory authority, or prejudice the fundamental rights or freedoms of the data subjects.

Given the harmonisation of requirements applicable in Member States when using standard data protection clauses, the ease of use and the fact that new data protection clauses adopted under the GDPR may potentially be entered into directly between processors within the EU and sub-processors in third countries, standard data protection clauses are likely to become an even more popular means to facilitate transfers to third countries.

c) Codes of conduct

897 Appropriate safeguards to facilitate a transfer to third countries or international organisations may also be provided by means of an approved code of conduct pursuant to GDPR, art. 40 together with binding and enforceable commitments of the controller or processor in the third country to apply those safeguards (GDPR, art. 46, para 2, subpara e)).

898 While such codes of conduct are mentioned in Directive 95/46, art. 27 solely as a means to contribute to the proper implementation of the national provisions on data protection, they are introduced under the GDPR also as a new means to provide appropriate safeguards for transfers of personal data to third countries and international organisations.

899 To provide appropriate safeguards by means of a code of conduct, the controller or processor in the third country must adhere to a code of conduct approved by the competent supervisory authority and having obtained general validity pursuant to GDPR, art. 40, para 9, and must make binding and enforceable commitments to apply those appropriate safeguards, including with regard to the rights of data subjects (GDPR, art. 40, para 3).

900 According to GDPR, art. 40, para 3 the binding and enforceable commitments of the controller or processor in the third country may be made via contractual or other legally binding instruments. These “other legally binding instruments” are, however, neither defined nor further specified in the GDPR. Until further guidance on their interpretation is given by the Board or the ECJ, it therefore appears reasonable to interpret these terms in line with the guidance given by the Art. 29 Working Party on how to make BCRs binding within an organisation and to rely on the instruments mentioned by the Art. 29 Working Party, such as incorporating the code of conduct in the general business principles of the organisation in question, backed by appropriate policies, audits and sanctions.34

901 To provide appropriate safeguards the code of conduct must contain provisions ensuring compliance, when processing personal data in the third country, with the data protection requirements and the rights of the data subjects appropriate to processing within the Union, including enforceable data subject rights and effective legal remedies for data subjects (cf. GDPR, recital 108). For more information on codes of conduct see section D.II., → mn. 566.

d) Certification

902 Appropriate safeguards for data transfers to third countries or international organisations may further be provided pursuant to GDPR, art. 46, para 2, subpara f) by means of an approved certification mechanism pursuant to GDPR, art. 42 together with binding and enforceable commitments of the controller or processor in the third country to apply those safeguards.

903 To be able to rely on this new means of providing safeguards introduced by the GDPR for a transfer of personal data to third countries, each of the following criteria must be fulfilled:

– The controller or processor in the third country must be certified pursuant to GDPR, art. 42, para 5 by an accredited certification body or the competent supervisory authority;
– The controller or processor in the third country must provide enforceable commitments to apply the appropriate safeguards, including as regards data subjects’ rights. Those binding and enforceable commitments may be provided via contractual or other legally binding instruments, such as incorporating those commitments into the general business principles of the controller or processor organisation, backed by appropriate policies, audits and sanctions;
– The respective certification mechanism must have been approved pursuant to GDPR, art. 42, para 5 by the competent supervisory authority or by the Board; and
– The certification mechanism must contain provisions ensuring compliance, when processing personal data in the third country, with the data protection requirements and the rights of the data subjects appropriate to processing within the Union, including enforceable data subject rights and effective legal remedies for data subjects (cf. GDPR, recital 108).

34 WP 108, 5.

904 Approved certification mechanisms – unlike standard data protection clauses – are not limited in their scope of application to specific data transfers but are likely to demonstrate the existence of appropriate safeguards provided by controllers or processors in a more general sense. Accordingly, they may prove suitable for controllers and processors in third countries receiving personal data on a frequent basis from various controllers or processors within the EU.

905 Entities in third countries frequently receiving personal data from various controllers or processors in the EU should therefore monitor the availability of approved certification mechanisms, their scope of application and the time required to become certified.

e) Individual authorisation of contractual clauses

906 As an alternative to the appropriate safeguards described above and subject to the authorisation of the competent data supervisory authority, controllers and processors may also provide appropriate safeguards by means of contractual clauses entered into with the recipient of the data in the third country or international organisation (GDPR, art. 46, para 3). Before authorising such ad-hoc contractual clauses, the competent data supervisory authority must apply the consistency mechanism referred to in GDPR, art. 63, intended to assure a consistent application of the GDPR throughout the Union (GDPR, art. 46, para 4).

907 Since contractual clauses in the meaning of GDPR, art. 46, para 3 may be specifically tailored to the data transfer in question and the parties involved, they are a very flexible means to provide appropriate safeguards. Due to the administrative burden resulting from the authorisation requirement and the consistency mechanism, it appears likely that such contractual clauses will be used in isolated cases only to facilitate data transfers to third countries or international organisations.

908 Under Directive 95/46, art. 26, para 2 Member States are already permitted to authorise a transfer or a set of transfers of personal data to a third country not ensuring an adequate level of protection, where the controller adduces adequate safeguards, namely on the basis of contractual clauses. Those authorisations granted under Directive 95/46 remain valid pursuant to GDPR, art. 46, para 5 until amended, replaced or repealed by the competent supervisory authority.

3. Derogations for specific situations

909 If no adequacy decision was adopted with respect to a third country or international organisation and no appropriate safeguards pursuant to GDPR, art. 46 were provided, transfers of personal data to said third country or international organisation may take place – subject to compliance with the provisions applicable to the first step of the two-step-test described in section E.I. – if one of the derogations set out in GDPR, art. 49, para 1 applies. Thus, GDPR, art. 49, para 1 enumerates genuine derogations from the principle of adequate protection set out in GDPR, art. 44 and allows data transfers to third countries – subject to compliance with the other provisions applicable to the first step of the two-step-test – in specific cases. Those derogations concern cases in which the risks for data subjects are considered relatively small or where other interests prevail over the data subjects’ interests.35

The derogations listed in GDPR, art. 49, para 1, subparas a) to f) are largely identical to those set out in Directive 95/46, art. 26, para 1. The literal wording of the clauses, however, was amended and reflects for the most part the Art. 29 Working Party’s interpretation of the derogations in Directive 95/46, art. 26, para 1. Until further guidance is published by the Board, the Art. 29 Working Party’s opinions on Directive 95/46, art. 26, para 1 therefore remain a helpful and important source of interpretation which may be used by businesses wishing to avail themselves of these derogations when transferring personal data to third countries.

Given their nature as derogations from a general principle of adequacy, intended to prevent circumvention of the level of protection of natural persons guaranteed by the GDPR in case of data transfers to recipients not subject to the GDPR, these derogations must be interpreted restrictively.36 Further, GDPR, recital 114 states that, “in any case where the Commission has taken no decision on the adequate level of data protection in a third country, the controller or processor should make use of solutions that provide data subjects with enforceable and effective rights as regards the processing of their data in the Union once those data have been transferred so that they will continue to benefit from fundamental rights and safeguards.” Hence, the controller should favour the use of safeguards provided by GDPR, art. 46 and 47 and rely on the derogations set out in GDPR, art. 49 only where such safeguards are not practical and/or feasible, so that data subjects continue to benefit – to the largest extent possible – from the fundamental rights and safeguards provided by the GDPR.37

35 WP 114, 2.
36 See WP 114, 7, applicable to the interpretation of the largely identical provisions of Directive 95/46, art. 26.
37 WP 114, 8.

914 Even though neither the GDPR nor Directive 95/46 penalises non-compliance with said preference of safeguards over derogations, the Art. 29 Working Party concluded in its guidance that supervisory authorities can, if there is sufficient reason to do so, intervene at any time and recommend that an international transfer of data should be carried out on the basis of adequate safeguards rather than by applying the derogations.38

a) Consent of the data subject

In the absence of an adequacy decision or of appropriate safeguards, a transfer or a set of transfers of personal data to a third country may take place pursuant to GDPR, art. 49, para 1, subpara a) if the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards.

While consent as a legal basis of data processing can generally be given in the form of a statement or by a clear affirmative action (GDPR, art. 4 no. 11), a transfer of personal data to a third country pursuant to GDPR, art. 49, para 1, subpara a) can only be based on explicit consent, which excludes any form of implied consent. Like any other consent it is, however, not subject to any written or other specific form requirement and must comply with the general requirements applicable to consent set out in GDPR, art. 7 (see section C.II.3., → mn. 429 et seqq.).

Further, consent may only serve as a derogation if the data subject was informed in advance about the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards. Accordingly, the data subject must not only be informed about the lack of appropriate safeguards and of an adequacy decision relating to the third country in question, but also about the specific risks resulting therefrom for the data subject’s fundamental rights and freedoms and their right to the protection of personal data, in order to be able to consent with full knowledge of the facts. The level of detail of such information is prescribed neither in the GDPR nor in its recitals.

It therefore remains to be seen whether supervisory authorities and/or competent courts interpret the derogation strictly, in such a way that data subjects must be informed about specific risks resulting from specific uses of personal data permitted by national legislation in the specific third country in question, or whether it will be seen as sufficient if data subjects are informed and warned not to expect the same level of privacy as in the EU. Given its nature as a derogation from a general principle of adequacy intended to ensure that the level of protection of natural persons guaranteed by the GDPR is not undermined in case of a transfer to third countries, it appears reasonable to interpret the information requirement in GDPR, art. 49, para 1, subpara a) broadly and to request that data subjects be informed about the lack of protection offered by general principles of the GDPR, such as the principles of purpose limitation, lawfulness, fairness and transparency, as well as the potential absence of a right to access, rectification, erasure and/or restriction of processing.

38 WP 114, 10.

919 While the resembling derogation in Directive 95/46, art. 26, para 1, subpara a) does not explicitly require informing the data subject about possible risks resulting from a transfer of personal data to third countries, the Art. 29 Working Party has held in the past that a consent in the meaning of Directive 95/46, art. 26, para 1, subpara a) may only be deemed valid if it was given with full knowledge of all facts, namely the risk resulting therefrom.39 In practice, businesses wishing to apply the exception set out in GDPR, art. 49, para 1, subpara a) in order to transfer personal data to third countries will therefore face similar requirements as previously faced under Directive 95/46.

920 Given the severe penalties that may be imposed in case of an unlawful transfer of personal data to third countries (see section D.VII.1.a) bb), → mn. 817), businesses wishing to apply this exception should therefore carefully and regularly verify the interpretation of the information requirement by supervisory authorities and competent courts and adapt their consent forms and information material accordingly.

b) Performance of a contract

921 According to GDPR, art. 49, para 1, subpara b) data may also be transferred to a third country if “the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of precontractual measures taken at the data subject’s request”.

922 This derogation is identical to the derogation set out in Directive 95/46, art. 26, para 1, subpara b). Its scope of application is theoretically very broad, but limited in practice by the criterion of “necessity”. This criterion is only fulfilled if the specific personal data to be transferred can be considered truly necessary for the performance of the contract in question or for the implementation of pre-contractual measures taken at the data subject’s request. Accordingly, the necessity cannot be determined universally but must be verified by applying a “necessity test” in the individual case. This “necessity test” requires a close and substantial connection between the data subject and the purposes of the contract,40 which is only given where the purpose of the transfer cannot reasonably be fulfilled by other means (see section C.I.3.a), → mn. 315 et seqq.).

923 The derogation may therefore serve as an acceptable legal basis for the transfer by travel agents of personal data concerning their individual clients to hotels, where that data is required for the organisation of the client’s stay at the hotel.

39 WP 114, 12.
40 WP 114, 13.

c) Interest of the data subject

924 Pursuant to GDPR, art. 49, para 1, subpara c) the transfer of personal data to a third country which does not provide for an adequate level of data protection may occur – subject to compliance with the provisions of the GDPR applicable to the first step of the two-step-test described in section C.I. – if “the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person”.

925 In contrast to the derogation in GDPR, art. 49, para 1, subpara b), the data subject is not a party to the agreement. However, the agreement must be concluded in his interest between the controller and a third party. The transfer may therefore be based on this derogation in case of third-party beneficiary agreements concluded in favour of the data subject, such as an agreement concluded between an employer and an insurance company in a third country where the employee is the beneficiary.

926 Apart from that, the interpretation of this derogation is necessarily similar to that of GDPR, art. 49, para 1, subpara b).41 The transfer of data to the third country or international organisation can therefore in particular be considered lawful only if it is truly necessary for the conclusion or performance of a contract between the data controller and another natural or legal person in the interest of the data subject and therefore passes the corresponding “necessity test”.42

d) Public interest

927 GDPR, art. 49, para 1, subpara d) further permits, in the absence of an adequacy decision and appropriate safeguards – subject to the other provisions of the GDPR – a transfer or a set of transfers of personal data to a third country or an international organisation where the transfer is “necessary for important reasons of public interest”.

928 According to GDPR, art. 49, para 4, this public interest must be “recognised in Union law or in the law of the Member State to which the controller is subject”. Any transfer necessary for reasons of public interest specific only to a third country may therefore not be based on this derogation. Otherwise it would be easy for foreign authorities to circumvent the requirement for adequate protection in the recipient country by unilaterally establishing public interests requiring the transfer of personal data.

929 Unlike GDPR, art. 6, para 1, subpara e), which may serve as a legal basis for any other processing of personal data necessary for the performance of a task carried out in the public interest, a transfer of personal data to a third country may only be based on GDPR, art. 49, para 1, subpara d) where the public interest is an important one. The derogation set out in GDPR, art. 49, para 1, subpara d) must therefore be interpreted particularly restrictively.

930 Examples of such important reasons of public interest mentioned in GDPR, recital 112 include data exchanges between competition authorities, tax or customs administrations, between financial supervisory authorities, between services competent for social security matters, or for public health, for example in the case of contact tracing for contagious diseases or in order to reduce and/or eliminate doping in sport.

41 WP 114, 13.
42 WP 114, 13.

e) Legal claims

931 Personal data may further be transferred pursuant to GDPR, art. 49, para 1, subpara e) to a third country which was not found to provide an adequate level of data protection if “the transfer is necessary for the establishment, exercise or defence of legal claims”.

932 In contrast to the corresponding derogation in Directive 95/46, art. 26, para 1, subpara d), the derogation set out in GDPR, art. 49, para 1, subpara e) is equally worded in the different translations of the GDPR and further does not need to be transposed into national law (see section A.I.2.a), → mn. 3 et seqq.). It will therefore likely eliminate differences existing under current Member State data protection law applicable to certain cases of cross-border litigation.

aa) Interpretation of derogation Directive 95/46, art. 26, para 1, subpara d)

The English language version of Directive 95/46, art. 26, para 1, subpara d) contains a derogation merely identical with GDPR, art. 49, para 1, subpara e). The literal wording of other language versions of Directive 95/46, art. 26, para 1, subpara d), namely the French and the German version, however is slightly different. The German version e.g. permits a transfer only if it is “necessary for the establishment, exercise or defence of legal claims in court”. 934 The derogation in Directive 95/46, art. 26, para 1, subpara d) was also transposed inconsistently into the national laws of the Member States and thereby added another layer of complexity for international businesses. 935 According to the Data Protection Act 1998 of the United Kingdom, schedule 4, para 5, e.g. the exception applies if the transfer (a) is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings), (b) is necessary for the purpose of obtaining legal advice, or (c) is otherwise necessary for the purposes of establishing, exercising or defending legal rights. 936 In contrast, the respective exception set out in German Federal Data Protection Act, art. 4 c, para 1, no. 4 only applies where the transfer is necessary for the establishment, exercise or defence of legal claims in court. Consequently, this exception set out in the German Federal Data Protection Act was interpreted restrictively and considered not applicable to data transfers to the United States in response to disclosure requests of authorities in the context of official investi933

216

Tobias Kugler

E. Practical examples

[mn. 937–941]

gations relating to suspected corruption or to pre-trial civil litigation discovery requests43 or in the context of arbitration proceedings. This inconsistent transposition added another layer of complexity and legal uncertainty for international businesses in the context of cross-border litigation, namely in case of pre-trial discovery in common law jurisdictions and most prominently in the United States. Under the US litigation procedure the parties are encouraged, once litigation has been commenced and prior to the trial, to exchange materials.44 In this so-called “pre-trial discovery of documents” the parties are allowed extensive insight, at an early stage of the proceedings, into materials of the opponent that may contain relevant information or – if not relevant themselves – could lead to the discovery of relevant information (the so-called “smoking gun”).45 In this discovery between filing of the claim and the trial, opponents and/or third parties can be forced to produce potentially relevant materials without the claim having been verified for conclusiveness.46 These materials include all forms of information and information systems, such as correspondence, tape recordings, factsheets, e-mails, other content of file servers or database systems, metadata47 and obviously also personal data relating to the parties’ employees or customers or other third parties.48 Whilst the courts are involved only as far as the issue of protective or coercive measures is concerned, it is otherwise primarily the litigating parties and their legal counsel who are in charge of these proceedings.49 “Pre-trial discovery” as established under U.S. law effectively corresponds to the so-called “fishing expedition”, which is prohibited in most civil code jurisdictions. If and to the extent the material to be disclosed contains personal data, the transfer is only permitted if it passes the two-step test described in section E.I. (→ mn. 840).

The second step of the test (adequacy test) would be passed in this context if the respective national derogation transposing Directive 95/46, art. 26, para 1, subpara d) into national law applies to those pre-trial discoveries. German data protection supervisory authorities and the German Ministry of Justice have taken the view that pre-trial discovery requests touch the scope of application of the Hague Convention and, since such discovery requests are a litigation procedure unknown under German procedural law and Germany50 has declared that it will not execute letters of request issued for the purposes of obtaining pre-trial discovery of documents, German data protection law transposing Directive 95/46, art. 26, para 1, subpara d) into national law does not apply to discovery requests.51

942 Due to the incoherent transposition of Directive 95/46, art. 26, para 1, subpara d) into national law, the Art. 29 Working Party published a working paper on pre-trial discovery for cross-border civil litigation52 in which it advocates a multi-step procedure according to which information is inter alia filtered by means of search terms to reduce it to potentially relevant information and disclosed in an anonymised or redacted form, with redactions lifted only where absolutely necessary for the trial.

43 Annual Report of the supervisory authority of Berlin, BlnBDI 2007, 191.
44 WP 158, 4.
45 WP 158, 4.
46 Annual Report of the supervisory authority of Berlin, BlnBDI 2007, 187.
47 The Sedona Conference, Framework for Analysis of Cross-Border Discovery Conflicts: A Practical Guide to Navigating the Competing Currents of International Data Privacy and eDiscovery, August 2008, 5.
48 WP 158, 2.
49 Annual Report of the supervisory authority of Berlin, BlnBDI 2007, 187.
50 Amongst other countries, including Czech Republic, Estonia (with restrictions), France (with restrictions), Latvia, Malta, Netherlands (with restrictions), Romania (with restrictions), Slovakia and Slovenia.

bb) Uniform Interpretation and framework under the GDPR

943 GDPR, art. 49, para 1, subpara e) directly applies in all Member States and thus will eliminate the legal uncertainty previously caused by different transpositions of Directive 95/46, art. 26, para 1, subpara d) into national law. It therefore provides a uniform legal framework for data transfers in case of cross-border litigation. However, Union and Member State law may expressly set limits to the transfer of specific categories of personal data to a third country or an international organisation for important reasons of public interest (GDPR, art. 49, para 6), which may again lead to inconsistent rules of law in the EU applicable to cross-border litigation. Business should therefore carefully review whether a blocking statute prohibiting the transfer on the basis of GDPR, art. 49, para 1, subpara e) has been enacted by Union or Member State law before relying on this exception.

944 According to GDPR, recital 111, the transfer should be possible if it is occasional and necessary in relation to a contract or a legal claim, regardless of whether in a judicial procedure or in an administrative or any out-of-court procedure, including procedures before regulatory bodies. The notion of “legal claims” in GDPR, art. 49, para 1, subpara e) must therefore be broadly interpreted as covering those procedures. Subject to limitations set out in other Union or Member State law, business may therefore rely on the derogation in GDPR, art. 49, para 1, subpara e) when transferring personal data to third countries for the establishment, exercise or defence of legal claims, whether in pre-trial discovery, administrative or other out-of-court proceedings.

945 As GDPR, art. 49, para 1, subpara e) contains a genuine derogation from the principle of adequate protection and accordingly must generally be applied restrictively, it may not serve as derogation where no legal claim exists but might be brought one day. The derogation can therefore not be used to justify a transfer of e.g. all employee files to the group’s parent company on grounds of the possibility that legal claims by an employee against the parent company might be brought one day.53

51 Annual Report of the supervisory authority of Berlin, BlnBDI 2007, 190.
52 WP 158.

cc) Transfers or disclosures not authorised by Union law

946 The derogation in GDPR, art. 49, para 1, subpara e) must always be read in conjunction with GDPR, art. 48.

947 According to said provision “any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter.”

948 The provision was first introduced during the legislative procedure by the European Parliament in its legislative resolution of 12 March 2014 on the proposal for a regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data,54 was not adopted by the Council but was later reinserted in an amended form during trilogue negotiations.

949 GDPR, art. 48 prohibits recognition and enforcement of such data requests unless based on an international agreement and will therefore enable business affected by such a request to refuse compliance. Since this prohibition is without prejudice to other grounds for transfer pursuant to GDPR, Chapter V, business affected by such requests, namely by pre-trial discovery requests, may voluntarily transfer personal data on other grounds, such as the derogation set out in GDPR, art. 49, para 1, subpara e).

f) Vital interests

950 Personal data may be transferred – subject to the other provisions of the GDPR – to third countries or international organisations which were not subject of an adequacy decision, if the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent (GDPR, art. 49, para 1, subpara f).

951 This exception may e.g. be relied on in cases where the data subject is unconscious and in need of urgent medical care, and his usual doctor in the EU is the only source of data necessary for the treatment.55

952 The scope of application of the exceptions in GDPR, art. 49, para 1, subpara f) and GDPR, art. 49, para 1, subpara d) may overlap. Both exceptions may therefore apply, e.g. to a transfer to an international humanitarian organisation of personal data of a data subject who is physically or legally incapable of giving consent, with a view to accomplishing a task incumbent under the Geneva Conventions or to complying with international humanitarian law applicable in armed conflicts (GDPR, recital 112).

53 WP 114, 15.
54 Resolution of the European Parliament P7_TA(2014)0212, available at http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//TEXT+TA+P7-TA-2014-0212+0+DOC+XML+V0//EN#BKMD-5 (as of 6.4.2017).
55 WP 114, 15.

g) Public register

953 The exception in GDPR, art. 49, para 1, subpara g) concerns transfers made “from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case.”

954 This derogation evidently correlates with the open nature of the register. Registers open for consultation by everyone or by anyone who can demonstrate a legitimate interest may serve this purpose only if they can be consulted by everyone, or by everyone demonstrating the legitimate interest, irrespective of the consulting person’s whereabouts.

955 In the interest of affected data subjects, the right to consult the register is not granted without restriction but limited to data required for the purpose for which the right is granted. According to GDPR, art. 49, para 2, the transfer shall therefore not involve the entirety of the personal data or entire categories of the personal data contained in the register.

956 Where the register is intended for consultation by persons having a legitimate interest, the transfer shall further be made only at the request of those persons or if they are to be the recipients.

h) Special justification

957 GDPR, art. 49, para 1, sentence 2 introduces a new derogation, which is not listed in Directive 95/46, art. 26, para 1. It is subsidiary to any other statutory permission and may therefore only be applied pursuant to GDPR, art. 49, para 1, subpara 2 “where a transfer could not be based on a provision in Articles 45 or 46, including the provisions on Binding Corporate Rules, and none of the derogations for a specific situation pursuant to points (a) to (g) of this paragraph is applicable”. Pursuant to GDPR, art. 49, para 1, subpara 2 a transfer on the basis of said derogation “may take place only if the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data.”

958 To be able to avail themselves of this derogation, controllers are required to verify all circumstances of the transfer. According to GDPR, recital 113 the controller should give particular consideration in this context “to the nature of the personal data, the purpose and duration of the proposed processing operation or operations, as well as the situation in the country of origin, the third country and the country of final destination, and should provide suitable safeguards to protect fundamental rights and freedoms of natural persons with regard to the processing of their personal data [...]. For scientific or historical research purposes or statistical purposes, the legitimate expectations of society for an increase of knowledge should be taken into consideration.”

959 Neither GDPR, art. 49, para 1, sentence 2 nor GDPR, recital 113 further defines the notion of “limited number” or “compelling legitimate interest”. Until further specified by the ECJ or guidance is given by the Board, their interpretation remains unclear. Given its function as a subsidiary derogation from the general principle of adequate protection, GDPR, art. 49, para 1, sentence 2 and the notions above must necessarily be interpreted restrictively and applied only in exceptional cases.

960 When relying on said derogation, controllers are required to “inform the supervisory authority of the transfer in advance [… and …] in addition to providing the information referred to in Articles 13 and 14, inform the data subject of the transfer and on the compelling legitimate interests pursued” (GDPR, art. 49, para 1, sentence 2). Finally, the controller shall document the assessment as well as the suitable safeguards in the records of processing activities referred to in GDPR, art. 30 (see section D.I.6., → mn. 525 et seqq.).

II. Outsourcing

961 Globalisation and digitalisation of industry have led to growing cost and competitive pressure on business and ever shorter innovation cycles. Businesses are increasingly required to focus on their core competence and review their “make or buy” decisions. Division of labour and outsourcing of non-core business activities to specialised third party or group-internal service providers, which can realise economies of scale, often prove to be a solution to cope with those challenges and simultaneously improve the quality of service. Outsourcing of business activities to providers in offshore regions outside the EU further enables businesses to benefit from lower labour costs in those regions without the need to relocate their own production facilities.

962 Services and business processes outsourced may include all types of service and typically range from IT service provision to facility management and payroll accounting.

963 Briefly described, outsourcing is the commissioning of an external or internal supplier for the provision of internal services or completion of certain work for a specified time and at specified cost and levels of service. Where these services consist of or require the processing of personal data by the outsourcing provider, the requirements of the GDPR applicable to the transfer of personal data to the outsourcing provider, its processing of the data on behalf of the controller and the retransfer of the data to the controller must be complied with. Where the outsourcing provider is located outside the EU, the additional requirements applicable to third country transfers must be complied with (see section E.I.).

964 To be able to comply with the provisions of the GDPR, a clear allocation of roles and responsibility between the parties involved, namely between the business outsourcing its tasks and services, its outsourcing provider and potential sub-providers, is required.

1. Controller or processor

965 Since outsourcing by definition is a transfer of an internal task or service by a company to a service provider, it is mostly the outsourcing company which – by initially selecting its business fields and services – decides on the purpose of the outsourced data processing or of the data processing inherent to the outsourced business processes. Therefore, the outsourcing company is mostly to be qualified as the controller responsible for the processing activity (see section B.II.1.b) cc), → mn. 134) and the outsourcing provider as its processor. The outsourcing company will further often seek to contractually retain a general right of instruction on the purpose and scope of the data processing by its outsourcing provider (processor) to prevent misuse of the data it made available and to ensure satisfactory service provision. Where the outsourcing company is active in a regulated industry, it will generally be required by the statutory regulation applicable to business in that industry to retain a certain level of control over the processing activity and to include the outsourcing provider in its risk management system.

966 As under Directive 95/46, outsourcing constellations will therefore in many cases qualify under the GDPR as data processing constellations, with the company outsourcing its task qualifying as controller and the outsourcing service provider as its processor.

967 Conversely, outsourcing companies and their outsourcing providers qualify as joint controllers in the meaning of GDPR, art. 26 (see section D.I.2., → mn. 494 et seqq.) where they jointly determine the purposes and means of processing. This is the case where the outsourcing provider has discretion to decide on the essential means of data processing, such as the categories of data to be processed, or on the purpose of certain processing activities. In practice this may be the case where the outsourcing company outsources an entire business function, such as e.g. its entire human resources department, without predefining in detail the categories of data to be processed, workflows, work results and means of data processing. In those cases the outsourcing provider will effectively need to determine the “purpose/why” and the “means/how” of the data processing itself and therefore insofar qualifies as a controller.

968 The GDPR does not establish any privilege applicable to the exchange of personal data between joint controllers. Hence any exchange of personal data between the outsourcing company and its outsourcing provider is subject to the same principles as other data processing activities. Where the outsourcing provider is located outside the EU, the requirements applicable to a data transfer to third countries must further be applied in addition.

2. Data processing

969 If the outsourcing provider is to be qualified as processor, it must be selected and commissioned in accordance with the requirements set out in GDPR, art. 28 (see section B.II.2.b), → mn. 162 et seqq.). If the processor is located in a third country, the provisions for international data transfers pursuant to GDPR, art. 44 ff. have to be adhered to in addition (see section E.I., → mn. 840 and section E.II.2.b), → mn. 971).

a) Selection of service provider and commissioning as processor

970 According to GDPR, art. 28, para 1 the controller shall use only processors “providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject”. It must therefore carefully select its provider (processor), taking particular account of the technical and organisational measures implemented by the processor. According to GDPR, art. 28, para 5 the controller may rely on the processor’s adherence to an approved code of conduct as referred to in GDPR, art. 40 or an approved certification mechanism as referred to in GDPR, art. 42 as one element to verify implementation of sufficient technical and organisational measures by the processor (see section B.II.2.c), → mn. 171).

b) Processors in third countries

971 If the processor is located in a third country, the requirements set out in GDPR, art. 44 ff. (see section E.I.) have to be complied with additionally. Accordingly, any transfer to a processor which was lawfully commissioned as described in section E.II.2.a) (→ mn. 970) may only take place if the Commission has decided that the third country, a territory or one or more specified sectors within that third country in which the processor is active ensures an adequate level of protection, or, in the absence of such an adequacy decision, the controller has provided appropriate safeguards in the meaning of GDPR, art. 46 paras 2 and 3, or one of the derogations set out in GDPR, art. 49 para. 1 applies.

aa) Standard data protection clauses

972 According to GDPR, art. 46, para 2, subpara c) appropriate safeguards may be provided for by standard data protection clauses adopted by the Commission or, according to GDPR, art. 46, para 2, subpara d), adopted by a supervisory authority.

[mn. 973–976]

In its Decision 2010/87/EU56 of 2010 the Commission adopted specific standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46. According to GDPR, art. 46, para 5 this Commission Decision remains in force until amended, replaced or repealed by a new Commission Decision. Since the standard contractual clauses adopted in said Commission Decision have not yet been amended or replaced by the Commission, they may be used to provide appropriate safeguards when commissioning an outsourcing provider in a third country which does not provide an adequate level of data protection.

Although these clauses are intended to “implement the obligation provided for in Article 17(3) of Directive 95/46 and should not prejudice the content of the contracts or legal acts established pursuant to that provision”,57 i.e. to provide appropriate safeguards in case of a transfer of personal data to processors established in third countries which were not subject of an adequacy decision of the Commission, and not as a general legitimisation to transfer personal data, they may also be used as a basis for the mandatory data processing agreement to be entered into with the processor pursuant to GDPR, art. 28 para. 3.

However, by entering into the standard contractual clauses attached to Commission Decision 2010/87/EU the outsourcing entity will not satisfy all requirements applicable to the data processing agreement, which must comply with a more detailed list of mandatory provisions set out in GDPR, art. 28 para. 3 and 4. In addition to the standard contractual clauses adopted in Commission Decision 2010/87/EU, the controller and processor are therefore required to enter into a separate data processing agreement covering the following aspects set out in GDPR, art. 28, para 3 and 4 not covered by the standard contractual clauses, or to complete and supplement the standard contractual clauses accordingly by:

– describing the subject-matter, duration, nature and purpose of the processing in the section “processing operations” in Appendix 1 to the clauses;
– specifying that the processor may only process personal data on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest (GDPR, art. 28 para. 3 lit. a));
– adding an obligation of the processor to ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (GDPR, art. 28 para. 3 lit. b));
– specifying the technical and organisational measures necessary pursuant to GDPR, art. 32 in Appendix 2 to the clauses;
– agreeing on appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights laid down in GDPR, Chapter III;
– agreeing on assistance by the processor to be provided to the controller in ensuring compliance with the obligations pursuant to GDPR, art. 32 to 36, taking into account the nature of processing and the information available to the processor.

977 According to GDPR, art. 28 para 6 the mandatory data processing agreement may be based in whole or in part on standard contractual clauses adopted by the Commission (GDPR, art. 28 para 7 in conjunction with GDPR, art. 93 para. 2) or the supervisory authority (GDPR, art. 28 para 8 in conjunction with GDPR, art. 63). According to GDPR, art. 46 para. 2 lit. c) and d) appropriate safeguards for a transfer to a third country may be based on standard data protection clauses adopted by the Commission or the supervisory authorities. Although named differently in GDPR, art. 28 and 46, both types of clauses are referred to in GDPR, art. 57 para. 1 lit. j) as standard contractual clauses, which appears to suggest that these clauses, once adopted by the supervisory authority, may be used to pass both steps of the two-step test referred to in section E.I., and may serve as a basis for the mandatory data processing agreement in the meaning of GDPR, art. 28 paras. 2 and 4 and as an appropriate safeguard in the meaning of GDPR, art. 46. To simplify compliance with both of these provisions, business should regularly verify whether new standard contractual clauses have been adopted by the Commission or the supervisory authority and analyse whether they prove suitable as a basis for their specific agreements.

56 Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46 of the European Parliament and of the Council.
57 Commission Decision 2010/87/EU, recital 10.

bb) Binding Corporate Rules

978 Instead of applying standard data protection clauses, appropriate safeguards may also be provided by BCRs. According to the definition of BCRs in GDPR, art. 4 para. 20 these BCRs are “personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity”.

979 Since BCRs must be adhered to by the controller or processor established in the territory of a Member State which exports the data, they may be used in cases in which the outsourcing entity (controller) in the EU and the outsourcing service provider (processor) in the third country belong to the same group of undertakings, or group of enterprises engaged in a joint economic activity, but not in cases where those two entities do not belong to the same group. Further, they may be used in the form of BCRs between processors (“Processor BCRs”), where a processor in the EU subcontracts a member of the same group of undertakings, or enterprises engaged in a joint economic activity, in a third country as sub-processor (see section E.II.3.b), → mn. 996 et seqq.).

cc) Approved codes of conduct and approved certifications

980 Appropriate safeguards to enable a transfer to the outsourcing service provider (processor) located in a third country which does not provide an adequate level of data protection may further be provided pursuant to GDPR, art. 46, para 2, subpara e) by means of approved codes of conduct having general validity (see section E.I.2.c), → mn. 897 et seqq.) and pursuant to GDPR, art. 46, para 2, subpara f) by an approved certification mechanism (see section E.I.2.d), → mn. 902 et seqq.). In addition to adhering to those codes of conduct or certifications respectively, the outsourcing service provider (processor) in the third country shall make binding and enforceable commitments, via contractual or other legally binding instruments, to apply those appropriate safeguards, including with regard to the rights of data subjects.

dd) Other measures

981 Finally, appropriate safeguards for a transfer of personal data to the outsourcing provider (processor) in the third country may also be provided pursuant to GDPR, art. 46, para 3 – subject to the authorisation from the competent supervisory authority – by means of contractual clauses between the outsourcing entity and its processor in the third country. Given the administrative burden resulting from the approval requirement, this means is likely to be useful only in isolated cases.

ee) Derogations

982 Although personal data may be transferred to the outsourcing provider in the third country in the absence of an adequacy decision and appropriate safeguards if any of the derogations applies, these derogations are unlikely to apply in practice in an outsourcing constellation or may not be suitable.

983 Given the fact that consent is revocable, entities relying on consent when outsourcing tasks or services would e.g. be at risk that data subjects revoke consent and thereby eliminate the derogation enabling the transfer in the absence of an adequacy decision and appropriate safeguards. As a consequence the outsourcing entity would either need to refrain from transferring data or rely on appropriate safeguards. The requirements of other derogations set out in GDPR, art. 49 para. 1, such as e.g. the necessity of a transfer for the performance of a contract between the data subject and the controller as set out in GDPR, art. 49 para. 1 lit. b) or the necessity of the transfer for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person as set out in GDPR, art. 49 para. 1 lit. c), are generally not fulfilled in an outsourcing context. Hence these derogations do not apply.

3. Sub-processing

984 Organisational differentiation at the level of outsourcing providers often necessitates further subcontracting of parts of the processing activities to affiliated or third party sub-processors.

985 Directive 95/46 does not contain specific provisions on subcontracting and is therefore interpreted by the Art. 29 Working Party as not prohibiting the designation of several entities as data processors and (sub-)processors.58

986 To ensure lawful sub-processing, the data protection obligations and responsibilities of all actors involved must, however, be clearly allocated.59 Chains of (sub-)processors that would dilute or even prevent effective control and clear responsibility for processing activities must be avoided.

987 GDPR, art. 28 para. 4 contains specific provisions on sub-processing which also address those crucial aspects of sub-processing under Directive 95/46 already identified by the Art. 29 Working Party.

a) General provisions applicable to sub-processing

988 The commissioning of sub-processors by a processor is subject to specific provisions set out in GDPR, art. 28 para. 2 and 4 and must comply with stipulations set out in the processing agreement between the controller and the processor.

aa) Prior authorisation

989 According to GDPR, art. 28, para 2 “the processor shall not engage another processor without the prior specific or general written authorisation of the controller.”

990 Although the wording of the provision explicitly requires “written” authorisation of the controller, it is disputed whether authorisation in text form may also be sufficient. According to preliminary statements of a supervisory authority, authorisation may be given either in writing or in text form.60 According to GDPR, art. 28, para 3 the conditions on which a processor may sub-contract the processing to a sub-processor must be explicitly set out in the contract or other legal act between the controller and the processor or the processor and its sub-processor respectively, which – according to GDPR, art. 28 para. 9 – “shall be in writing, including in electronic form”. If the contract between the controller and the processor itself may be made in electronic form, it appears unreasonable to subject the authorisation to subcontract processing activities to a sub-processor in said agreement to stricter formal requirements.

991 In case of a prior specific authorisation, the sub-processor and the processing activities which may be subcontracted must be set out in the agreement between the controller and the processor.

992 If a prior general written authorisation for sub-processing is granted, the processor must inform the controller suitably in advance of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes (GDPR, art. 28, para 2). If the controller does not exercise its right to object, the processor may commission the sub-processor. GDPR, art. 28, para. 2, however, does not set out in which cases the controller may object to the replacement or commissioning of a sub-processor. It therefore remains unclear whether the controller has a general right to object to the engagement of any new processor or only in certain cases. Where the controller has granted a general written authorisation permitting the engagement of sub-processors which fulfil certain criteria, it is bound by its agreement and may object to the engagement only if the processor does not fulfil these criteria. To obtain legal certainty, business should therefore specify criteria to be fulfilled by future sub-processors and stipulate a period of time in which the controller may exercise its right to object.

58 WP 169.
59 WP 169.
60 The supervisory authority of the German state of Bavaria published a statement on data processing in which it considers an authorisation in text form as sufficient (see https://www.lda.bayern.de/media/baylda_ds-gvo_10_processor.pdf (as of 6.4.2017)).

bb) Contract between processor and sub-processor

993 According to GDPR, art. 28, para 4 “the same data protection obligations as set out in the contract or other legal act between the controller and the processor […] shall be imposed on that other processor”, i.e. on the sub-processor, by way of contract. Pursuant to GDPR, art. 28, para 4 the content of the contract between the processor and the sub-processor shall in particular provide “sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of this Regulation”. According to GDPR, art. 28, para 5, adherence to a code of conduct or a certification mechanism may be used as an element by which to demonstrate such sufficient guarantees. Like the contract between the controller and the processor, the contract between the processor and the sub-processor shall “be in writing, including in electronic form”, GDPR, art. 28, para 9.

994 The contract between processor and sub-processor may be based on standard contractual clauses laid down by the Commission (GDPR, art. 28, para 7) or a supervisory authority (GDPR, art. 28, para 8).


cc) Liability

995 GDPR, art. 28, para 4 clarifies that the initial processor shall remain fully liable to the controller for the performance of that other processor’s obligations where that other processor (the sub-processor) fails to fulfil its data protection obligations.

b) Third country transfers

996 In case of a data transfer to a processor or sub-processor in a third country, the requirements applicable to transfers of personal data to third countries pursuant to GDPR, art. 44 ff. (see section E.I.) must be observed in addition to the general requirements listed above.

997 In the absence of an adequacy decision in the meaning of GDPR, art. 45, personal data may therefore only be transferred to a third country if appropriate safeguards are provided and on the “condition that enforceable data subject rights and effective legal remedies for data subjects are available”.

998 Whereas under Directive 95/46 these safeguards have to be adduced by the controller, they may be provided by the controller or the processor under the GDPR (GDPR, art. 46). This possibility is likely to simplify contractual arrangements based on future standard contractual clauses in constellations where controllers commission several processors or rely on chains of (sub-)processors which (partly) process personal data in third countries.

aa) Processor and sub-processor in third countries

Figure: EU Controller – Processor – Sub-processor

999 If the controller in the EU commissions a processor in a third country which in turn commissions a sub-processor also located in a third country, the controller itself has to satisfy the requirements applicable to third country transfers set out in GDPR, art. 44 ff.

1000 In the absence of an adequacy decision in the meaning of GDPR, art. 45 (see section E.I.1.b), → mn. 851) and if no derogation set out in GDPR, art. 49 applies, the controller may therefore transfer personal data to its processor only if it provides appropriate safeguards by means of BCRs (GDPR, art. 47), standard data protection clauses (GDPR, art. 46, para 2, subpara c) or d)), an approved code of conduct (GDPR, art. 40) or an approved certification mechanism (GDPR, art. 42).

1001 Until the Commission amends, replaces or repeals its decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46, the controller may further provide appropriate safeguards by entering into the standard contractual clauses attached to said decision (see section E.II.2.a), → mn. 970).

1002 According to clause 11, para 1 of these standard contractual clauses,61 the clauses may also be used as a means to provide appropriate safeguards with respect to the transfer of personal data to the sub-processors, if the clauses are co-signed by the sub-processor. Where the clauses were supplemented as described in section E.II.2.b)aa) and co-signed by the sub-processor, they may also serve as a means to impose on the sub-processor the same data protection obligations set out in the agreement between the controller and the processor, as required pursuant to GDPR, art. 28, para 4.

1003 If the controller, processor and sub-processor belong to the same group of undertakings, or group of enterprises engaged in a joint economic activity, appropriate safeguards may also be provided by means of Binding Corporate Rules for Processors (see section E.II.2.b)bb), → mn. 978). Alternatively, adequate safeguards may be provided by an approved code of conduct having general validity (GDPR, art. 46, para 2, subpara e), art. 40) or by an approved certification mechanism (GDPR, art. 46, para 2, subpara f), art. 42) (see section E.II.2.b)cc), → mn. 980), provided the processor and sub-processor have made binding commitments, namely in the contract with the controller or the processor respectively, to apply those appropriate safeguards, including with regard to the rights of data subjects.

bb) Processor in the EU and sub-processor in a third country

Figure: EU Controller – Processor – Sub-processor

1004 If a processor located in the EU makes use of a sub-processor in a third country which is not subject to an adequacy decision, the obligation to provide appropriate safeguards resides – unlike under Directive 95/46 – with the processor. Where the processor and sub-processor belong to a group of undertakings, or group of enterprises engaged in a joint economic activity, appropriate safeguards may be provided by means of BCRs in the meaning of GDPR, art. 47 which are legally binding on and enforceable against the processor and its sub-processor (so-called processor BCRs).

1005 Appropriate safeguards may alternatively be provided by means of an approved code of conduct having general validity (GDPR, art. 46, para 2, subpara e), art. 40) or by an approved certification mechanism (GDPR, art. 46, para 2, subpara f), art. 42) (see section E.II.2.b)cc), → mn. 980), provided the processor and sub-processor have made binding commitments, namely in the contract with the controller or the processor respectively, to apply those appropriate safeguards, including with regard to the rights of data subjects.

1006 Alternatively, the processor may provide appropriate safeguards by entering into standard data protection clauses with its sub-processor (GDPR, art. 46, para 2, subpara c) and d)). Although the standard contractual clauses adopted by the Commission on the basis of Directive 95/46, art. 26, para 4, such as the clauses for a transfer of personal data to processors established in third countries adopted by Commission Decision 2010/87/EU, remain in force until amended, replaced or repealed, their application to scenarios where processors in the EU commission sub-processors in a third country is generally ruled out in recital 23 of that decision.

1007 According to said recital 23 the clauses apply to “subcontracting by a data processor established in a third country of his processing services to a subprocessor established in a third country, [but] should not apply to the situation by which a processor established in the European Union and performing the processing of personal data on behalf of a controller established in the European Union subcontracts his processing operations to a sub-processor established in a third country.”62

61 See footnote in clause 11, para 1 of the standard contractual clauses adopted by Commission Decision 2010/87/EU.

1008 To facilitate data transfers in those scenarios under Directive 95/46 the Art. 29 Working Party recommended the following three possible approaches:63

– The standard contractual clauses pursuant to Commission Decision 2010/87/EU are signed directly between the controller within the EU and the sub-processor in the third country.

– The controller gives its processor in the EU a clear mandate to sign standard contractual clauses pursuant to Commission Decision 2010/87/EU in the controller’s name and on his behalf.
This mandate may be granted either generally or specifically for each new sub-processing.

– An ad-hoc contract is signed between the controller and the sub-processor or between the processor and the sub-processor.64

1009 Until amended, these clauses remain inapplicable between processors in the EU and their sub-processors in third countries.

1010 In 2014 the Art. 29 Working Party already published a Working Paper on draft ad hoc contractual clauses “EU data processor to non-EU sub-processor”.65 Since these clauses were not adopted by the European Commission, they do not constitute a new official set of model clauses, nor a finalised set of ad hoc clauses that may be used by companies in order to offer appropriate guarantees in the meaning of Directive 95/46, art. 26, para 2.66 Until new standard data protection clauses that may be entered into between processors in the EU and sub-processors in third countries are adopted by the Commission, or by a supervisory authority and approved by the Commission, processors transferring personal data to sub-processors in third countries should therefore rely on alternative means to provide appropriate safeguards.

62 See also: WP 176, 3.
63 WP 176, 4 f.
64 WP 176, 5.
65 WP 214.

4. Example: Cloud computing

1011 Cloud computing is a computing model that can be defined as the dynamic provisioning of IT capabilities (hardware, software, or services) from third parties over a network.67 It differs from traditional outsourcing in that customers do not hand over their own IT resources to a third party to be managed by said third party. Instead they plug into the “cloud” for infrastructure services, platform services, or software services, and use those services just like internal computing resources providing the same functions.68

1012 The use of cloud computing generally does not require significant upfront investments but is charged for on a pay-per-use cost model and therefore provides economic benefits and fast means for data processing. In addition to these economic benefits, cloud computing may also provide security benefits, since enterprises, especially small-to-medium sized ones, may acquire high-class technologies at a lower cost, which would otherwise be out of their budget range.69

a) Cloud computing rollout and service models

1013 Cloud computing solutions are made available in different rollout models, namely in the form of private clouds, public clouds, hybrid or community clouds. Whereas private clouds consist of IT infrastructure dedicated to a single customer, public clouds are based on infrastructure owned by a provider but made available to and shared with several users. In case of hybrid clouds, services provided by private infrastructures co-exist with services purchased from public clouds, whereas in case of community clouds IT infrastructure is shared by several organisations for the benefit of a specific user community.70

1014 Cloud solutions available on the market may further be grouped into three main service models with different levels of abstraction. These service models are Infrastructure as a Service (“IaaS”), Platform as a Service (“PaaS”) and Software as a Service (“SaaS”). In case of IaaS, the cloud provider offers technological infrastructure, such as virtual machines and network resources, as a service to subscribe to. The PaaS offering consists of a computing platform which typically comprises an operating system, programming tools, a database and a web server and is made available as a development environment to application developers. In the SaaS cloud service model the cloud provider offers access to application software and a database via internet browser or dedicated client software over the internet.

1015 It is common for cloud computing providers to subcontract parts of the services out to sub-contractors which may also be located outside the EU in third countries.71 This applies in particular in case of international cloud services, which are designed to respond to workloads that shift geographically as a function of time-of-day or other triggering events. Besides the company providing the cloud service (the “cloud provider”) and the company using the cloud service (the “cloud client”), cloud computing therefore often entails the involvement of a number of further contracted parties.

66 WP 214, 2.
67 Accenture, found on CIO Online under http://www.cio.com/article/501814/Cloud_Computing_Definitions_and_Solutions (as of 6.4.2017).
68 Accenture, found on CIO Online under http://www.cio.com/article/501814/Cloud_Computing_Definitions_and_Solutions (as of 6.4.2017).
69 WP 197, 4.
70 WP 197, 4.

b) Cloud computing and data protection

1016 The use of cloud computing generally entails the processing of personal data by the cloud provider, whether said data is contained in user log-in credentials or in content stored in or processed by means of the cloud.

1017 Despite the structural differences mentioned above (see section E.II.4., → mn. 1011 et seqq.), cloud computing comprises a number of elements of traditional outsourcing, namely elements of data processing, sub-processing and international data transfers, and is therefore subject to the same legal requirements mentioned above (see sections E.II.2. and E.II.3. for further details on processing and sub-processing in an international context).

1018 In addition to these elements, cloud computing carries specific risks associated with the sharing of resources, consisting of a lack of control over personal data as well as insufficient information with regard to how, where and by whom the data is being processed/sub-processed.72 Some of these risks are addressed by new statutory obligations introduced by the GDPR which require roles and responsibilities to be clearly allocated along the contractual chain.

aa) Roles and responsibilities of parties involved

1019 The cloud client generally determines the ultimate purpose of the processing and decides on the outsourcing of the processing activities to an external organisation. As under Directive 95/46,73 it is therefore to be qualified as the controller under the GDPR. The cloud provider supplying the means and the platform, acting on behalf of the cloud client, is to be qualified as the processor,74 except where it determines purposes and means of processing – whether in breach of its agreement or within the scope of discretion provided by the controller – (GDPR, art. 28, para 10). Where the cloud provider subcontracts parts of the services to third parties, which then gain access to personal data, these third parties qualify as sub-processors.

71 WP 196, 9.
72 WP 196, 4.
73 WP 196, 7.
74 WP 196, 8.

bb) Commissioning as data processing and sub-processing

1020 Where controllers decide to contract cloud computing services, they are required to choose processors which “provide sufficient guarantees to implement appropriate technical and organisational measures […]” (GDPR, art. 28, para 1).

1021 However, in the current cloud computing scenario, clients of cloud computing services may not have room for manoeuvre in negotiating the contractual terms of use of the cloud services, as standardised offers are a feature of many cloud computing services.75 Cloud clients may therefore not be in a position to negotiate obligations of the cloud provider to implement additional technical and organisational measures they consider necessary or to reserve specific audit rights.

1022 Further, cloud providers offering public cloud services may be unwilling to permit each of their prospective and current customers to enter their premises to carry out an audit. Even if this is not the case, cloud clients using international cloud offerings may not be in the position to conduct such audits for logistical reasons, namely the geographical location of the infrastructure.76

1023 Unlike Directive 95/46, GDPR, art. 25, para 5 now explicitly clarifies that adherence of a processor to an approved code of conduct as referred to in GDPR, art. 40 or an approved certification mechanism as referred to in GDPR, art. 42 may be used as an element by which to demonstrate sufficient guarantees, which is likely to simplify the selection of reliable cloud providers. Since adherence to these codes of conduct or certification mechanisms may be used only as one element to demonstrate sufficient guarantees, cloud customers may need to take further measures to verify the implementation of sufficient guarantees (see section B.II.2.b)bb), → mn. 163).

1024 The lack of transparency regarding the cloud provider’s use of sub-processors inherent in many cloud offerings is addressed by GDPR, art. 28, para 2. According to this provision cloud providers – when acting as processors – may engage sub-processors only with the prior specific or general written authorisation of the cloud client. Where the cloud client provides general authorisation, the cloud provider must inform it “of any intended changes concerning the addition or replacement of other processors”, thereby giving it the opportunity to object to such changes; GDPR, art. 28, para 2, sentence 2 (see section E.II.3.a), → mn. 988) for further information on sub-processing).

1025 Transparency is further improved as a consequence of the requirement to agree on the minimum content set out in GDPR, art. 28, para 2 in the data processing contract to be entered into between the cloud client, acting as controller, and the cloud provider, acting as processor, described in section B.II.2.b).

75 WP 196, 8.
76 ICO, Guidance on the use of cloud computing, 13.

cc) Documentation and information obligations

1026 The GDPR further introduced certain documentation and information obligations applicable to processors which will likely increase the transparency of cloud offerings and thereby mitigate data protection risks specific to cloud computing (see section E.II.4.b), → mn. 1016). According to GDPR, art. 30, para 2 processors shall maintain a record of all categories of processing activities carried out on behalf of a controller, which must be made available to the supervisory authority on request. Non-compliance with this obligation may even result in administrative fines of up to 10,000,000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher (GDPR, art. 83, para 4, subpara a)).

1027 Pursuant to GDPR, art. 33, para 3 cloud providers acting as processors are further required to notify the cloud client without undue delay after becoming aware of a personal data breach. These notifications will not only enable cloud clients to comply with their own obligation pursuant to GDPR, art. 33, para 1 to notify the competent supervisory authority within 72 hours of the personal data breach but also to better monitor their cloud provider’s compliance with service level agreements and other contractual terms agreed upon.

1028 The cloud providers’ willingness to comply with the provisions of the GDPR will likely be increased as a consequence of the GDPR’s extended territorial scope of application (see section B.II.1. and 2., → mn. 120 and 152) and the severe administrative fines set out in GDPR, art. 83. Where cloud providers located in third countries use personal data uploaded to their cloud outside the contractual arrangements with the cloud client to monitor data subjects’ behaviour in the EU, they are themselves subject to the rules of the GDPR and qualify as controller (GDPR, art. 28, para 10). Unless this monitoring activity is permitted by the GDPR, the cloud provider is subject to the administrative fines set out in GDPR, art. 83 (see section B.II.2.e), → mn. 178).

III. Processing of special categories of personal data

1029 The GDPR does not contain a definition of “sensitive data”. However, it lists in GDPR, art. 9, para 1 special categories of personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms. These special categories merit specific protection as the context of their processing can create significant risks to the data subject’s fundamental rights and freedoms (GDPR, recital 51).


1. Special categories of personal data

1030 Except for the categories genetic data, biometric data and data concerning sexual orientation, newly introduced in GDPR, art. 9, para 1 as special categories of personal data, this list of special categories of personal data is identical with the one set out in Directive 95/46, art. 8, para 1. It includes “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation”.

1031 According to the Art. 29 Working Party, the term “revealing” in Directive 95/46, art. 8, para 1 is to be understood to mean that not only data which by its nature contains sensitive information is covered by this provision but also data from which such sensitive information with regard to an individual can be inferred.77

1032 In contrast to Directive 95/46, the terms “genetic data”, “biometric data” and “data concerning health” used in GDPR, art. 9, para 1 are defined in GDPR, art. 4.

a) Genetic data

1033 According to GDPR, art. 4, no. 13, genetic data means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question. Those analyses include in particular chromosomal, deoxyribonucleic acid (DNA) or ribonucleic acid (RNA) analysis (GDPR, recital 34).

b) Biometric data

1034 Biometric data are defined in GDPR, art. 4, no. 14 as “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data”.

1035 Since facial images are commonly taken in everyday life, an extensive interpretation of the definition of the term “biometric data” would increase the risk of penalising common human behaviour. The qualification of photographs as biometric data therefore correlates with the use of specific technical means. Photographs are therefore “covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person” (GDPR, recital 51).

77 http://ec.europa.eu/justice/data-protection/article-29/documentation/other-document/files/2011/2011_04_20_letter_artwp_mme_le_bail_directive_9546ec_annex1_en.pdf (as of 7 April 2017).

c) Data concerning health

1036 GDPR, art. 4, no. 15 defines data concerning health as “personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status”. According to GDPR, recital 35 this definition should be interpreted broadly as covering “all data pertaining to the health status of a data subject which reveal information relating to the past, current or future physical or mental health status of the data subject. This includes information about the natural person collected in the course of the registration for, or the provision of, health care services, […] information derived from the testing or examination of a body part or bodily substance, […] and any information on, […] the physiological or biomedical state of the data subject independent of its source, for example from a physician or other health professional, a hospital, a medical device or an in vitro diagnostic test”. Accordingly, medical data and physical performance data collected by fitness apps and devices, such as heart rate monitors, qualify as data concerning health and are subject to the restrictive processing provisions set out below (see section E.III.2., → mn. 1037).

2. Specific prohibition with exceptions

1037 The processing of special categories of personal data is subject to the same principles applicable to the processing of other types of personal data set out in GDPR, art. 5, para 1, including the principle of lawfulness. Accordingly, their processing is generally prohibited, unless it is legitimised by an exception (see section C.I.1.a), → mn. 248).

1038 In addition, it is subject to a specific prohibition with exceptions, set out in GDPR, art. 9, para 1, which must be applied cumulatively (see section C.II.3.c), → mn. 459). According to GDPR, art. 9, para 1, processing of personal data of one of the special categories is prohibited. This prohibition does not apply if one of the exceptions set out in GDPR, art. 9, para 2 is fulfilled.

a) Explicit Consent

1039 According to GDPR, art. 9, para 2, subpara a), the specific prohibition set out in GDPR, art. 9, para 1 does not apply if “the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in GDPR, art. 9, para 1 may not be lifted by the data subject”.

1040 In contrast to the consent set out in GDPR, art. 6, para 1, subpara a) permitting the processing of other categories of personal data, the consent permitting the processing of special categories of personal data must be given explicitly. Accordingly, implied consent would not be sufficient in this regard (see section C.II.3.a)aa)(1), → mn. 435).

1041 Since Member States may provide counter-exceptions which exclude lifting the general prohibition of processing by way of the data subject’s consent, the existing prohibitions introduced by Member State law under Directive 95/46, art. 8, para 2, subpara a) remain valid.

b) Statutory exceptions

1042 The specific prohibition set out in GDPR, art. 9, para 1 further does not apply if one of the statutory exceptions set out in GDPR, art. 9, para 2 applies. These exceptions are largely identical to the ones set out in Directive 95/46.

1043 According to GDPR, art. 9, para 2 the prohibition to process special categories of personal data does not apply if:

1044 – processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject (GDPR, art. 9, para 2, subpara b));

1045 – processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent (GDPR, art. 9, para 2, subpara c));

1046 – processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade-union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects (GDPR, art. 9, para 2, subpara d));

1047 – processing relates to personal data which are manifestly made public by the data subject (GDPR, art. 9, para 2, subpara e));

1048 – processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity (GDPR, art. 9, para 2, subpara f));

1049 – processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject (GDPR, art. 9, para 2, subpara g));

1050 – processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in GDPR, art. 9, para 3 (GDPR, art. 9, para 2, subpara h));

1051 – processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy (GDPR, art. 9, para 2, subpara i));

1052 – processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with GDPR, art. 89, para 1 based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject (GDPR, art. 9, para 2, subpara j)).

aa) Employment, social security and social protection law

1053 The exception in GDPR, art. 9, para 2, subpara b) addresses the fact that controllers are often required to process special categories of personal data in an employment, social security and social protection law context. It enables, e.g., employers to process special categories of personal data relating to their employees, such as data concerning health (e.g. on physical handicaps) to be able to meet specific health related requirements of the respective employee, or biometric data (e.g. fingerprints) in biometric access control systems.

1054 The processing must be authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject. The GDPR does not further specify the appropriate safeguards to be provided by Union or Member State law or collective agreement. GDPR, art. 6, para 4, subpara e), however, indicates that appropriate safeguards may include encryption or pseudonymisation. The rights of the data subject to be safeguarded must be equivalent to those set out in GDPR, Chapter III.

bb) Vital interests

Pursuant to GDPR, art. 9, para 2, subpara c) the specific prohibition in GDPR, art. 9, para 1 governing the processing of special categories of personal data does not apply where the processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent. As in GDPR, art. 6, para 1, subpara d), which permits the processing of other types of personal data where necessary to protect the vital interests of the data subject or of another natural person, vital interests are to be interpreted as interests essential for the life of the data subject or that of another natural person (see section C.II.2.c), → mn. 383 et seqq.). To address the particular sensitivity of special categories of personal data in relation to the fundamental rights and freedoms of data subjects, the exception in GDPR, art. 9, para 2, subpara c), however, only applies where the data subject is physically or legally incapable of giving consent, which may, e.g., be the case where the data subject is unconscious, buried by an avalanche or otherwise trapped and unreachable.

cc) Foundation, association or any other not-for-profit body

1055 The exception in GDPR, art. 9, para 2, subpara d) applies to controllers which qualify as foundations, associations or other bodies pursuing political, philosophical, religious or trade-union aims and act on a non-profit basis.

1056 To be covered by the exception, the processing activity must be carried out in the course of the controller’s legitimate political, philosophical, religious or trade-union activity. Accordingly, any processing unrelated to this activity, such as the sale of the personal data collected or the processing of special categories of personal data unrelated to the body’s activity (e.g. information on religious beliefs processed by a trade union), is not covered by this exception.

1057 Further, this exception only applies if it is limited to the internal processing of data relating to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes. The personal data may therefore not be disclosed to recipients outside that body without the consent of the data subject.

dd) Personal data manifestly made public

1058 Personal data related to a special category that has been manifestly made public by the data subject no longer requires specific protection. The prohibition in GDPR, art. 9, para 1 therefore does not apply to such data. Personal data may be considered to have been manifestly made public by the data subject if the data have been disclosed by the data subject in press releases, or published by the data subject on its webpage or social media account accessible by the public.

ee) Legal claims

1059 Pursuant to GDPR, art. 9, para 2, subpara f), the specific prohibition of processing special categories of personal data in GDPR, art. 9, para 1 does not apply if the processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity. The derogation shall apply regardless of whether legal claims are established, exercised or defended in court proceedings or in an administrative or out-of-court procedure (GDPR, recital 52).

ff) Substantial public interest

1060 GDPR, art. 9, para 2, subpara g) exempts the processing of special categories of personal data from the specific prohibition set out in GDPR, art. 9, para 1, if it is necessary for substantial reasons of public interest and is based on Union or Member State law. In contrast to the similar exception in GDPR, art. 6, para 1, subpara e), which applies to the processing of other types of personal data, GDPR, art. 9, para 2, subpara g) requires a “substantial” public interest. The notion “substantial public interest”, however, is not defined or further explained in the GDPR. Until further guidance is provided by the Board or the ECJ, the interpretation of “substantial public interest” therefore remains unclear. To serve as a legal basis, the Union or Member State law must be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

gg) Processing for medical purposes

1061 The exception in GDPR, art. 9, para 2, subpara h) applies to the processing of special categories of personal data necessary for the purpose of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services, if the processing is based on Union or Member State law, or on a contract with a health professional.

1062 The exception must be read in conjunction with GDPR, art. 9, para 3. According to this provision, special categories of personal data may be processed for the foregoing purposes only “by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies”. Accordingly, existing obligations of professional secrecy under Union or Member State law remain applicable and must be observed even though such data is processed on the basis of this exception. These obligations of professional secrecy may prohibit any disclosure of special categories of personal data to third parties. As outsourcing and the use of cloud computing services generally entail such a disclosure to employees of the outsourcing or cloud computing provider, the possibilities to outsource health-related processing activities and to use cloud computing services in this sector may be restricted.

Businesses considering outsourcing processing activities relating to special categories of personal data or using cloud computing services in the health sector will likely face different legal frameworks applicable in the various Member States and should carefully assess such professional secrecy obligations to avoid non-compliance with those provisions, which may lead to breaches of GDPR, art. 9, para 3.

hh) Public interest in the area of public health

1063 The exception in GDPR, art. 9, para 2, subpara i) applies to the processing necessary for reasons of public interest in the area of public health, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy.

1064 According to GDPR, recital 54, the term “public health” should be interpreted as defined in Regulation 1338/2008 and comprises “all elements related to health, namely health status, including morbidity and disability, the determinants having an effect on that health status, health care needs, resources allocated to health care, the provision of, and universal access to, health care as well as health care expenditure and financing, and the causes of mortality”.78 GDPR, recital 54, sentence 4, explicitly clarifies that such processing of data concerning health for reasons of public interest must comply with the principle of purpose limitation and must not result in personal data being processed for other purposes by third parties such as employers or insurance and banking companies.

ii) Archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

1065 Pursuant to GDPR, art. 9, para 2, subpara j), the specific prohibition of processing special categories of personal data does not apply if it is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with GDPR, art. 89, para 1. This, however, only applies if the processing is based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject. According to GDPR, recital 159, scientific research purposes should be interpreted in a broad manner, including e.g. technological development and demonstration, fundamental research, applied research and privately funded research.

78 Regulation (EC) No.1338/2008 of the European Parliament and of the Council of 16 December 2008 on Community statistics on public health and health and safety at work, art. 3, para c).

Scientific research purposes should also include studies conducted in the public interest in the area of public health.

jj) Limitations in Member State law

GDPR, art. 9, para 4 provides that “Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health”. Accordingly, the permissions and restrictions applicable to the processing of the special categories of personal data listed in GDPR, art. 9, para 1 may vary from Member State to Member State. Businesses processing special categories of personal data within the EU should therefore carefully review the laws applicable in the Member States in which they process special categories of personal data.

3. Additional protective measures

1066 To address the particular sensitivity of special categories of personal data in relation to fundamental rights and freedoms of data subjects, the processing of such data is subject to further requirements and restrictions:

– 1067 Where special categories of personal data are to be processed on a large scale, a data protection impact assessment (see section D.I.9., → mn. 547 et seqq.) must be carried out (GDPR, art. 35, para 3, subpara b)) prior to the processing;

– 1068 Where the core activities of the controller or the processor consist of processing on a large scale of special categories of data, it must designate a DPO (GDPR, art. 37, para 1, subpara c));

– 1069 Automated decisions in the meaning of GDPR, art. 22, para 1 (see section D.IV.9., → mn. 691) may not be based on the processing of special categories of personal data, unless the processing is based on the data subject’s explicit consent in the meaning of GDPR, art. 9, para 2, subpara a), or the processing is necessary for reasons of substantial public interest on the basis of Union or Member State law in the meaning of GDPR, art. 9, para 2, subpara g), and suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests are in place (GDPR, art. 22, para 4).

1070 Finally, supervisory authorities shall give due regard to the category of personal data affected when deciding on the amount of administrative fines to be imposed on businesses for their infringement of the rules of the GDPR (GDPR, art. 83, para 2, subpara g)).

IV. Direct Marketing

1071 The processing of personal data plays an important role for direct marketing. While some data are necessary to reach potential customers (e.g. e-mail addresses), other data are helpful to target the right audience (e.g. age and gender). Furthermore, companies often collect and analyse personal data of (potential) customers visiting their websites and shops prior to marketing campaigns to evaluate which marketing strategies will be effective.

Eva Irene Wille

1. Definition of direct marketing

1072 Even though the GDPR mentions direct marketing explicitly (cf. GDPR, recitals 47, 70 and GDPR, art. 21), it does not provide for a definition of direct marketing or advertising itself. Directive 2006/114/EC79 concerning misleading and comparative advertising can serve as a guideline in this regard. It defines advertising as “the making of a representation in any form in connection with a trade, business, craft or profession in order to promote the supply of goods or services, including immovable property, rights and obligations” (Directive 2006/114/EC, art. 2, para a)). The term direct marketing only refers to those forms of advertising by means of selective, direct contact with potential clients or customers. This includes, for example, sending newsletters via e-mail to a pre-defined group of recipients or telemarketing.

2. Direct Marketing in Directive 95/46 and the GDPR

1073 Under Directive 95/46, some Member States enacted special provisions with regard to marketing, privileging e.g. the use of certain data categories for the purposes of address trading and marketing.80 The GDPR will supersede these national provisions specifying the conditions under which personal data may be processed for marketing purposes. As a result, companies in some Member States may face more legal uncertainty than before. Since the GDPR does not provide for such legal bases specifically tailored to marketing, GDPR, art. 6, para 1, subpara f) (legitimisation subject to a balancing of interests) serves, next to the data subject’s consent (GDPR, art. 6, para 1, subpara a)), as the main legal basis for the processing of personal data for marketing purposes.

1074 In practice, the absence of specific provisions with regard to marketing makes it more difficult under the GDPR to assess whether processing of personal data for these purposes is lawful. Until further guidance is published by e.g. the Board, current common positions as well as opinions and recommendations of the Art. 29 Working Party concerning marketing under Directive 95/46 can serve as a guideline when interpreting the GDPR.

1075 One example of such guidance is the European code of conduct of the Federation of European Direct Marketing (FEDMA) for the use of personal data in direct marketing. It was adopted in 2003 pursuant to Directive 95/46, art. 27 in coordination with the Art. 29 Working Party81 in order to provide guidelines to marketers. In 2010, the code of conduct was complemented by an annex on online marketing.82 It will need re-approval pursuant to GDPR, art. 40, para 9 to have general validity within the EU under the GDPR (see section D.II.3., → mn. 573 et seqq.).

79 Directive 2006/114/EC of the European Parliament and the Council of 12 December 2006 concerning misleading and comparative advertising.
80 Cf. German Federal Data Protection Act (Bundesdatenschutzgesetz), sec. 28, para 3 and sec. 29.
81 See WP 77.

3. ePrivacy-Directive and Unfair Commercial Practices Directive

1076 Not only the GDPR is of importance when assessing the lawfulness of direct marketing activities. In particular, national laws implementing Directive 2002/58/EC (ePrivacy-Directive) and Directive 2005/29/EC (Unfair Commercial Practices Directive), which provide for specific provisions on online and offline advertising, must be observed. This chapter focuses on the requirements set forth in the ePrivacy-Directive and the Unfair Commercial Practices Directive without taking specifics of Member State laws into account.

a) Directive 2002/58/EC (ePrivacy-Directive)

1077 Directive 2002/58/EC83 (ePrivacy-Directive) on privacy and electronic communications, as amended by Directive 2009/136/EC,84 contains provisions concerning “unsolicited communications” for the purposes of direct marketing (ePrivacy-Directive,85 art. 13). The ePrivacy-Directive aims “to ensure an equivalent level of protection of fundamental rights and freedoms, and in particular the right to privacy, with respect to the processing of personal data in the electronic communication sector” (ePrivacy-Directive, art. 1, para 1). Pursuant to GDPR, recital 173, the GDPR “should apply to all matters concerning the protection of fundamental rights and freedoms vis-à-vis the processing of personal data which are not subject to specific obligations with the same objective set out in Directive 2002/58/EC”. In other words, the ePrivacy-Directive complements the GDPR, which remains applicable to all matters not specifically addressed in the ePrivacy-Directive.

1078 The scope of application of the ePrivacy-Directive is restricted to electronic communications, meaning “any information exchanged or conveyed between a finite number of parties by means of a publicly available electronic communications service” (ePrivacy-Directive, art. 2, para d)). This includes e.g. automated calling, fax or electronic mail.86 However, it should be noted that in some Member States the scope of application of the implementing acts is wider than required by the ePrivacy-Directive.87 Often, national provisions include means of communication such as post88 or non-automated calling89 as well.

1079 ePrivacy-Directive, art. 13, paras 1 and 3 on unsolicited communications apply to subscribers who are natural persons only. In practice, differentiating between commercial communication to a natural or a legal person on the basis of the recipient’s contact details can be difficult. For example, it may require determining the capacity in which a person left his contact details. However, if marketing e-mails are sent to an e-mail address containing a natural person’s name, the e-mail should be considered as marketing to a natural person.90

1080 The ePrivacy-Directive is currently under review with the aim of ensuring consistency with the GDPR (cf. GDPR, recital 173). In April 2016, the Commission launched a public consultation as a first step in the review process. In January 2017, the Commission published its Proposal for a Regulation of the European Parliament and of the Council on Privacy and Electronic Communications (“ePrivacy Regulation”).91 According to the Commission, the “proposal is lex specialis to the GDPR and will particularise and complement it as regards electronic communications data that qualify as personal data. All matters concerning the processing of personal data not specifically addressed by the proposal are covered by the GDPR”.92

82 See WP 174.
83 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector.
84 Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No.2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws.
85 If reference is made to the ePrivacy-Directive, such reference refers to Directive 2002/58/EC as amended by Directive 2009/136/EC.

b) Directive 2005/29/EC (Unfair Commercial Practices Directive)

1081 Directive 2005/29/EC93 (Unfair Commercial Practices Directive) concerns unfair business-to-consumer commercial practices before, during and after a commercial transaction in relation to a product. It states in its Annex I, no. 26 that the aggressive commercial practice of “making persistent and unwanted solicitations by telephone, fax, e-mail or other remote media except in circumstances and to the extent justified under national law to enforce a contractual obligation” is considered unfair in all circumstances. Pursuant to Unfair Commercial Practices Directive, art. 5, para 1, such unfair commercial practices shall be prohibited. Furthermore, Unfair Commercial Practices Directive, Annex I, no. 26 explicitly sets forth that this applies without prejudice to Directive 95/46 and the ePrivacy-Directive. Thus, it can be concluded that the Unfair Commercial Practices Directive also applies without prejudice to the GDPR.

1082 The provisions implementing the ePrivacy-Directive and the Unfair Commercial Practices Directive into national law may render marketing activities unlawful irrespective of their compliance with the GDPR. In addition, they may also have an influence on compliance with the GDPR. If national provisions are violated, the interests of the controller will usually not prevail where the lawfulness under the GDPR depends on a balancing of interests. As a result, there is an increased risk of legal consequences as e.g. national unfair competition laws and data protection laws are affected at the same time.

86 Electronic mail includes “SMS, MMS and other kinds of similar applications” (Directive 2009/136/EC, recital 67).
87 Commission, ePrivacy-Directive: assessment of transposition, effectiveness and compatibility with proposed Data Protection Regulation, a study prepared for the Commission, published on 10 June 2015, 8.
88 E.g. German Act Against Unfair Competition (Gesetz gegen den unlauteren Wettbewerb), sec. 7; The Swedish Marketing Act (2008:486) (Marknadsföringslagen), sec. 21.
89 E.g. German Act Against Unfair Competition (Gesetz gegen den unlauteren Wettbewerb), sec. 7; Austrian Telecommunications Act 2003 (Telekommunikationsgesetz 2003), sec. 107; Irish S.I. No. 336 of 2011 (European Communities (electronic communications networks and services) (privacy and electronic communications) Regulations 2011), sec. 13, para 5 and 6; The Swedish Marketing Act (2008:486) (Marknadsföringslagen), sec. 21.
90 WP 90, 7 f.
91 Cf. https://ec.europa.eu/digital-single-market/en/news/proposal-regulation-privacy-and-electronic-communications (as of 6.4.2017).
92 Commission, Proposal for a Regulation of the European Parliament and of the Council on Privacy and Electronic Communications, p. 2.
93 Directive 2005/29/EC of the European Parliament and of the Council of 11 May 2005 concerning unfair business-to-consumer commercial practices in the internal market and amending Council Directive 84/450/EEC, Directives 97/7/EC, 98/27/EC and 2002/65/EC of the European Parliament and of the Council and Regulation (EC) No.2006/2004 of the European Parliament and of the Council.

4. General requirements

1083 Regardless of the applicable legal basis for the processing, some general requirements set forth in the GDPR are relevant whenever personal data are processed for marketing purposes. In particular, the data subjects’ right to object and the principles of transparency and purpose limitation must be adhered to.

a) Right to object

aa) GDPR

1084 Similar to Directive 95/46, art. 14, para b), GDPR, art. 21, para 2 grants data subjects the right to object to the processing of their personal data for direct marketing purposes at any time and free of charge (cf. GDPR, art. 12, para 5 and recital 70). Pursuant to GDPR, art. 21, para 3, “where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes”. In contrast to GDPR, art. 21, para 1, GDPR, art. 21, para 2 provides for an absolute right to object, requiring the controller to stop the processing of personal data without any further evaluation. Compelling legitimate grounds for the processing which override the interests of the data subject cannot legitimise any further processing (see section D.IV.8.a) and b), → mn. 542 et seqq.).

1085 Where the data subjects’ prior consent to the processing is required, the withdrawal of consent can also be interpreted as an objection to future processing. In practice, this is particularly relevant when consent is required due to the use of means of electronic communication referred to in ePrivacy-Directive, art. 13, para 1.

1086 Pursuant to GDPR, art. 12, para 2 and recital 59, the controller should provide modalities for facilitating the data subjects’ right to object (see section D.IV.8.d), → mn. 546). In many countries, people who do not wish to receive advertising can register their name, e-mail address, telephone number and further contact details in so-called Robinson lists (online or offline).94 While in most countries checking those lists is not compulsory,95 they provide companies with a convenient solution to ensure that data subjects can exercise their right to object easily.

1087 In order to do so, companies must inform their customers about the possibility to object by entering themselves into the indicated Robinson list. If customers make use of this possibility, any further processing of their personal data for marketing purposes is unlawful. However, as long as a company has not indicated its voluntary adherence to a specific Robinson list, the enrolment in such a list cannot repeal the legitimacy of advertising that is otherwise in compliance with the GDPR.

1088 Pursuant to GDPR, art. 21, para 5, in the context of the use of information society services such as online social networks (see section C.II.3.c)(aa)(1), → mn. 435), the data subject may exercise his right to object by automated means using technical specifications. Thus, the right to object can for example be realised by enabling the do-not-track function of the data subject’s browser.96

bb) Directive 2002/58/EC (ePrivacy-Directive)

1089 In cases referred to by ePrivacy-Directive, art. 13, para 2, customers also have a right to object. This provision contains an exception to the obligatory opt-in solution (prior consent) of ePrivacy-Directive, art. 13, para 1 (for marketing via automated calling, fax or electronic mail). A company may use its customers’ electronic contact details which it obtained in the context of the sale of a product or a service for direct marketing of its own similar products or services without explicit consent. In this case, the customer must be given the opportunity to object, free of charge and in an easy manner, at the time of the collection of the contact details and on the occasion of each message. Companies must at least provide an opt-out mechanism using the same communications service that is used to send the advertising (e.g. by sending an SMS to opt out of an SMS-based marketing list).97 Electronic mail in this context includes “SMS, MMS and other kinds of similar applications” (Directive 2009/136/EC, recital 67). The Art. 29 Working Party proposes to extend the scope of Directive 2009/136/EC to cover services that are functionally equivalent, such as Voice over IP and instant messaging providers such as Skype, FaceTime and WhatsApp.98 This proposal will potentially be taken up in the new legislative proposal on the ePrivacy-Directive. The Commission’s Proposal for an ePrivacy Regulation published in January 2017 explicitly states that an extension of scope to cover so-called Over-the-Top communications services is necessary in order to ensure the effective legal protection of respect for privacy and communications.99

94 E.g. DDV-Robinsonliste and idi-Robinsonliste (Germany), liste robinson (France), UK Mailing Preference Service, Telephone Preference Service (UK), Listas Robinson (Spain).
95 In Austria, for example, it is obligatory for service providers to check the Austrian Robinson list if they wish to send unsolicited e-mail advertisements (cf. E-Commerce Act (E-Commerce Gesetz), article 7, para 2).
96 Jan Philipp Albrecht (member of the EU parliament and rapporteur on the GDPR), CR 2016, 88 (93).
97 WP 90, 6.

b) Right to obtain erasure

1090 Additionally, under GDPR, art. 17, para 1, subpara c), the data subject has the right to obtain erasure of his personal data (so-called right to be forgotten, see section D.IV.5., → mn. 648 et seqq.) “where the data subject objects to the processing pursuant to [GDPR, art. 21, para 1] and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to [GDPR, art. 21, para 2]”.

1091 Unlike GDPR, art. 17, para 1, subpara c), alternative 1, the general right to obtain erasure pursuant to GDPR, art. 17, para 1, subpara c), alternative 2 excludes the possibility to legitimise the processing subject to a balancing of interests in case of direct marketing. This corresponds to the difference between an objection pursuant to GDPR, art. 21, para 1 and para 2: While GDPR, art. 21, para 2 grants an absolute right to object to processing of personal data for direct marketing purposes, the controller may demonstrate compelling legitimate grounds in order to continue processing personal data after an objection pursuant to GDPR, art. 21, para 1.

1092 Pursuant to GDPR, art. 17, para 3, subpara b), the right to obtain erasure does, inter alia, not apply to the extent that processing is necessary “for compliance with a legal obligation which requires processing by Union or Member State law” (see section D.IV.5.b), → mn. 650 et seqq., for further exceptions). Accordingly, the controller will not be obligated to erase data to the extent and as long as such data are e.g. subject to retention obligations. Since the right to object under GDPR, art. 21, para 2 and ePrivacy-Directive, art. 13, para 2 specifically applies to the processing of personal data for marketing purposes, processing of such data on a legal basis for another purpose should still be possible. A requirement to erase, for example, the postal address of a customer that was used for direct marketing, even though this address is still necessary to deliver the customer’s order, would not be reasonable.

98 Cf. WP 240, 10; Commission, ePrivacy-Directive: assessment of transposition, effectiveness and compatibility with proposed Data Protection Regulation, a study prepared for the Commission, published on 10 June 2015, 110.
99 Commission, Proposal for a Regulation of the European Parliament and of the Council on Privacy and Electronic Communications, p. 4.

c) Principle of transparency

1093 The principle of transparency set forth in GDPR, art. 5, para 1, subpara a) requires that data subjects are adequately and sufficiently informed about the processing of their personal data (see section C.I.1.c), → mn. 255 et seqq.). In general, the information must be easy to understand, and clear and plain language must be used. If the information is also addressed to children, it must be designed in such a way that children can easily understand it (cf. GDPR, recital 58). In the context of direct marketing, certain aspects are of particular importance.

1094 Pursuant to GDPR, art. 21, para 4, the data subject must be informed about his right to object clearly and separately from any other information. The information must be provided at the latest at the time of the first communication with the data subject. It may not be hidden within long terms and conditions or in the advertising material itself. If the processing is based on consent, the data subject must further be informed about his right to withdraw consent prior to giving it (GDPR, art. 7, para 3).

1095 According to GDPR, recital 58, transparent, clear and concise information is of particular relevance in situations where it can be difficult for the data subject to know and understand whether, by whom and for what purpose personal data are being collected, such as in the case of online advertising. Therefore, special attention should be paid to the information requirements stipulated in GDPR, art. 12 ff. (see section D.IV.2., → mn. 619 et seqq.). The data subject must, inter alia, be informed about the controller’s identity, contact details and the purposes of the processing. The information must be precise in order to enable data subjects to exercise their rights effectively. Referring to a group of companies (“Acme Group”) instead of the relevant group company which is responsible for the processing is not sufficient. Even though the level of detail depends on the particular circumstances, generic terms to describe the purposes of the processing such as “marketing purposes” are usually not specific enough. Specifying the purposes of the processing is not only necessary to comply with the principle of transparency but also with the principle of purpose limitation, which requires that personal data are collected for specified, explicit and legitimate purposes. Usually, these requirements are fulfilled by providing the relevant information in a privacy notice.

1096 The requirement to provide precise information does not mean that longer, more detailed specifications are always necessary or helpful.100 A very long and detailed description can make the information rather less than more transparent. The information should be reduced to what is actually helpful for the data subject, while legal language and disclaimers should be avoided. If longer explanations cannot be avoided due to the particular circumstances, a layered notice may serve as a workable solution. Especially on the Internet, a layered notice can ensure that “key information is provided to data subjects in a very concise and user-friendly manner, while additional information (perhaps via a link to a more detailed description of the processing on another Internet page) is provided for the benefit of those who require further clarification”.101

100 WP 203, 16.

d) Principle of purpose limitation

1097 The principle of purpose limitation requires that personal data are collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Since the principle of purpose limitation stipulated by GDPR, art. 5, para 1, subpara b) is nearly identical to Directive 95/46, art. 6, para 1, subpara b), the opinion on purpose limitation of the Art. 29 Working Party102 can serve as guideline as long as no new opinion on the interpretation of the principle of purpose limitation under the GDPR is issued by the Board (see section C.I.2., → mn. 261 et seqq.).

1098 The requirement that personal data are collected for specified, explicit purposes is related to the requirements stipulated by the principle of transparency. Any purpose has to be sufficiently defined and sufficiently unambiguous and clearly expressed (purpose specification).103 In the context of direct marketing, the principle of purpose limitation is often violated due to a use of “catchall clauses” which aim at covering a wide range of marketing methods. The way in which personal data are processed, criteria used for potential profiling, the marketing methods themselves (e.g. postal advertisements or e-mails) and the categories of the advertised goods and services must be specified.104 Widely used phrases such as “we will inform you about other interesting offers” or “other offers of our partners” do not meet the requirement of specificity.

1099 The principle of purpose limitation also requires that personal data are processed for legitimate purposes only (see section C.I.2.a), → mn. 264). This requirement goes beyond the requirement to have a legal ground for the processing and also extends to other areas of law.105 The use of the term “legitimate” provides a link to broader legal principles of applicable law, such as non-discrimination.106 An example for an illegitimate purpose in the context of marketing is the racial profiling of customers.107 If higher prices are charged for “white” as opposed to “Asian” customers or higher discount coupons are issued to persons with Asian surnames, the processing of personal data for these purposes results in discriminatory practices.108

101 WP 203, 16.
102 WP 203.
103 WP 203, 12.
104 WP 90, 5; WP 203, 52.
105 Cf. WP 203, 12.
106 Cf. WP 203, 12.
107 WP 203, 54.
108 WP 203, 54.

1100 The principle of purpose limitation further requires that, once collected for specified, explicit and legitimate purposes, personal data are not further processed in a manner that is incompatible with those purposes. Consequently, any further processing requires a compatibility test on a case-by-case basis (see section C.I.2., → mn. 264 et seqq.). For example, this is relevant if a company received personal data for the performance of a contract and wishes to use these data (e.g. postal addresses) later on for marketing purposes. GDPR, art. 6, para 4 lists a number of key factors which need to be taken into account when assessing the compatibility between the initial and any further purpose (see section C.I.2.), e.g. if the purchaser can reasonably expect promotional measures. It is important to note in this context that compatibility and lawfulness are cumulative requirements (see section C.I.2.b)ff)(2), → mn. 310). In other words, compatibility of purposes does not exempt the controller from having a specific legal ground for the further processing of personal data initially collected for another purpose.109

1101 If consent of the data subject is obtained, no compatibility test is required (cf. GDPR, art. 6, para 4). Consequently, conducting a compatibility assessment can be avoided by obtaining consent.

5. Legitimisation of advertising by consent

1102 In practice, consent is one of the main legal bases for the processing of personal data for marketing purposes. To a large extent, this is due to national provisions implementing ePrivacy-Directive, art. 13, para 1 that require consent for advertising by means of electronic communications.

1103 In these cases, the consent requirement prevails over other legal grounds (such as legitimate interests of the data controller) stated in GDPR, art. 6, para 1.110 Pursuant to ePrivacy-Directive, art. 2, para f) consent has the same meaning as the data subjects’ consent defined in Directive 95/46. Accordingly, the Commission’s Proposal for an ePrivacy Regulation published in January 2017 states that the definition of and conditions for consent provided for under GDPR, art. 4, para 11 and GDPR, art. 7 shall apply (cf. Commission’s Proposal for an ePrivacy Regulation, art. 9, para. 1). As a consequence, where consent is necessary pursuant to the ePrivacy-Directive, it has to meet the requirements set forth in the GDPR.

a) Requirements for consent

1104 Consent under the GDPR means a freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him (GDPR, art. 4, para 11). This definition summarises the main requirements for obtaining valid consent which are described in further detail in section C.II.3., → mn. 429 et seqq.

109 Cf. WP 203, 27, 33, 36.
110 WP 240, 4.

aa) Freely given

1105 Consent must be freely given. It should not provide a valid legal ground for the processing of personal data “where there is a clear imbalance between the data subject and the controller” or “if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance” (cf. GDPR, recital 43). It could be argued that there is always an implied imbalance between big commercial enterprises and their customers. At least where a business has a monopoly position and the consumer is dependent on the services of the company, there is an increased risk that consent is regarded as invalid. Companies should consider alternative legal grounds instead of consent in situations where any kind of imbalance might be assumed until there is further guidance on the interpretation of this requirement (see section C.II.3.a)(bb)(1), → mn. 445).

1106 In order to safeguard that consent is freely given, GDPR, art. 7, para 4 and recital 43 stipulate a vertical and a horizontal restriction on interconnection (see section C.II.3.a)(bb)(2), → mn. 445). Especially with regard to (online) business models where the services are “paid” by allowing the use of the users’ personal data, the restrictions on interconnection could have a significant impact. If strictly interpreted, these service providers could be required to make consent to the use of personal data optional. On the other hand, it could also be argued that the strict wording of GDPR, recital 43 is incompatible with GDPR, art. 7, para 4 which does not prohibit any interconnection per se but only requires that “utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.” It remains to be seen how the restriction of GDPR, art. 7, para 4 will be interpreted by e.g. the Board or the ECJ. For the time being, businesses should adhere to a strict interpretation of the restrictions and avoid any vertical or horizontal interconnections in order to minimise the risk of administrative fines.

1107 Options that are being discussed are, inter alia, providing a fee-based service without the necessity to consent to the use of personal data for e.g. marketing purposes as an alternative to an otherwise identical free-of-charge service which requires such consent. This is not a completely new approach under the GDPR. In its opinion on the notion of legitimate interests of the data controller under Directive 95/46, art. 7, the Art. 29 Working Party also states that “[i]n the context where customers signing up for ‘free’ online services actually ‘pay for’ these services by allowing the use of their personal data, it would also contribute […] towards the finding that the consumer had a genuine freedom of choice, and therefore valid consent was provided […] if the controller also offered an alternative version of its services, in which ‘personal data’ were not used for marketing purposes”.111 Without such data protection-friendly alternatives, the Art. 29 Working Party finds it “more difficult to argue that a valid (freely given) consent has been granted” under Directive 95/46, art. 7, subpara a).

bb) Pre-formulated declaration of consent

1108 In practice, it is possible to use pre-formulated declarations of consent. If consent is given in the context of a written declaration (including electronic means) which also concerns other matters (e.g. combined with a purchase agreement), consent must be “presented in a manner which is clearly distinguishable from the other matters […]” (GDPR, art. 7, para 2). To ensure compliance with this requirement, the declaration of consent can be highlighted or framed.

cc) Time limit

1109 Companies which obtain consent for marketing purposes also need to consider the period of time throughout which consent can be considered as valid. While in UK legislation, the recipient consents “for the time being”,112 in EU legislation and many Member States’ implementing acts, no regulations concerning the period of validity exist. The Art. 29 Working Party focuses on the period of time during which consent might reasonably be considered as valid.113 Consequently, the period of validity must be assessed on a case-by-case basis.

b) Right to withdraw consent

1110 Pursuant to GDPR, art. 7, para 3 the data subject has the right to withdraw his consent at any time. This is a logical consequence of the requirement that consent must be freely given. It must be as easy to withdraw as to give consent. Thus, data subjects must be enabled to withdraw consent using the same means that were used to obtain consent.

1111 In the context of direct marketing purposes, it should be assessed on a case-by-case basis whether a withdrawal of consent also constitutes an objection pursuant to GDPR, art. 21, para 2. GDPR, art. 21, para 2 provides for an absolute right to object with the consequence that personal data must not be processed for direct marketing purposes on another legal ground in the future.

6. Legitimisation of advertising by law

1112 Processing of personal data for advertising purposes can also be based on GDPR, art. 6, para 1, subpara b) (if the processing is necessary for the performance of a contract or in order to take steps at the request of the data subject prior to entering into a contract) or GDPR, art. 6, para 1, subpara f) (legitimate interests).

1113 Where consent is not required by statutory law, using GDPR, art. 6, para 1, subparas b) or f) as a legal basis for advertising can be preferable (see section C.II.1., → mn. 360 et seqq.). Obtaining consent does not necessarily provide more legal certainty than relying on another legal ground of GDPR, art. 6, para 1. The standards for valid consent under the GDPR are quite strict and can be difficult to fulfil in practice (see section C.II.3., → mn. 429 et seqq.).

111 WP 217, 47.
112 Cf. The Privacy and Electronic Communications (EC Directive) Regulations 2003, regulation 19-22.
113 WP 90, 9.

a) Contract or pre-contractual relations

1114 GDPR, art. 6, para 1, subpara b) legitimises processing of personal data if “necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract” (see section C.II.2.a), → mn. 367). The provision is identical to Directive 95/46, art. 7, para b). Thus, guidance issued by the Art. 29 Working Party with regard to Directive 95/46 can serve as a guideline for the interpretation of GDPR, art. 6, para 1, subpara b).

1115 Any data processing on the basis of GDPR, art. 6, para 1, subpara b) must be limited to what is necessary. This corresponds to the principles of data minimisation (see section C.I.3., → mn. 315 et seqq.) and purpose limitation (see section C.I.2., → mn. 261 et seqq.). According to the Art. 29 Working Party, “[t]he provision must be interpreted strictly and does not cover situations where the processing is not genuinely necessary for the performance of a contract, but rather unilaterally imposed on the data subject by the controller”.114 Consequently, merely mentioning certain processing activities in the small print of the contract will not make them necessary for the performance of the contract.115

1116 Accordingly, the possibilities to use GDPR, art. 6, para 1, subpara b) as a legal ground for direct marketing activities are limited. Potential use cases are further narrowed by national provisions implementing ePrivacy-Directive, art. 13, para 1 which require consent if means of electronic communication are used. If consent pursuant to ePrivacy-Directive, art. 13, para 1 is required, this consent requirement prevails over other legal grounds.116

1117 In the context of advertising, processing of personal data can be necessary for the performance of a contract if the subject matter of the contract requires that the data subject is provided with information which also qualifies as advertising (e.g. purchase of restaurant guides). In this case, the processing of personal data in order to deliver the information is lawful pursuant to GDPR, art. 6, para 1, subpara b), first alternative. And even though direct marketing at the initiative of the controller will not be possible,117 the request of a person to receive information about the company, certain services or goods before entering into a contract can be lawful pursuant to GDPR, art. 6, para 1, subpara b), second alternative. For further information on GDPR, art. 6, para 1, subpara b) see section C.II.2.a), → mn. 264 et seqq.

114 WP 217, 16.
115 WP 217, 17.
116 WP 240, 4.

b) Advertising based on legitimate interests

1118 Pursuant to GDPR, art. 6, para 1, subpara f) processing of personal data is lawful if it “is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child” (see section C.II.2.e), → mn. 395). The wording is similar to Directive 95/46, art. 7, para f). Therefore, the opinion of the Art. 29 Working Party on legitimate interests of the data controller under Article 7 of Directive 95/46118 can serve as a guideline when interpreting GDPR, art. 6, para 1, subpara f). It can be assumed that established principles will remain under the GDPR.

1119 A legitimisation based on GDPR, art. 6, para 1, subpara f) requires legitimate interests pursued by the controller or by a third party and an assessment whether those legitimate interests are overridden by the interests or fundamental rights and freedoms of the data subject (balancing test) (see section C.II.2.e), → mn. 395).

1120 The threshold as to what constitutes a legitimate interest is rather low. A legitimate interest must be lawful (i.e. in accordance with applicable law) and represent a real and present interest (i.e. not be speculative).119 According to the Art. 29 Working Party, “the notion of legitimate interest could include a broad range of interests, whether trivial or very compelling, straightforward or more controversial”.120 GDPR, recital 47 explicitly mentions that “the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”. This corresponds to the interpretation of legitimate interests by the Art. 29 Working Party that “conventional direct marketing and other forms of marketing or advertisement” qualify as legitimate interests.121 The interest of a company in marketing is also acknowledged under the Charter, art. 16 (freedom to conduct a business) and Charter, art. 17 (right to property).

1121 However, the classification as legitimate is without prejudice to whether the interests of the controller will ultimately prevail in a balancing test. Assessing legitimacy of the data controller’s interest is just a starting point. In a second step, these legitimate interests must be balanced against the interests and fundamental rights of the data subjects.122 The balancing test must be conducted in several steps (for details see section C.II.2.e)(cc), → mn. 405 et seqq.) and various factors must be considered: nature and source of the legitimate interests, impact on data subjects, type of personal data processed, specific purposes, period of retention and additional safeguards. Furthermore, it should be taken into account “whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place” (GDPR, recital 47). The interests of the data subject could override the interests of the controller where data subjects do not reasonably expect further processing. According to the Art. 29 Working Party, “[i]n general, the more specific and restrictive the context of the collection, the more limitations there are likely to be on use”.123 On the other hand, appropriate safeguards such as an easy-to-use opt-out mechanism, measures to increase transparency and other factors such as data protection-friendly alternatives to online services that are “paid for” by the user’s personal data can contribute towards a favourable assessment on the balance.124

117 WP 217, 18.
118 WP 217.
119 WP 217, 25.
120 WP 217, 24.
121 WP 217, 25.

1122 According to the Art. 29 Working Party, a company can have a legitimate interest in getting to know their customers’ preferences so as to enable them to better personalise their offers, and ultimately, offer products and services that better meet the needs and desires of the customers.125 This legitimate interest can justify the use of personal data for some types of marketing activities, online and offline, provided that appropriate safeguards are in place (including, among others, a workable mechanism to allow objecting to such a processing).126 In contrast, controllers cannot rely on a legitimisation based on legitimate interests “to unduly monitor the online or offline activities of their customers, combine vast amounts of data about them from different sources that were initially collected in other contexts and for different purposes, and create […] complex profiles of the customers’ personalities and preferences without their knowledge, a workable mechanism to object, let alone informed consent. Such a profiling activity is likely to present a significant intrusion into the privacy of the customer, and when this is so, the controller’s interest would be overridden by the interests and rights of the data subject”.127

7. Use cases

1123 The provisions of the GDPR, ePrivacy-Directive and Unfair Commercial Practices Directive set the framework for the lawfulness of direct marketing activities. Even though determining the lawfulness of a particular marketing measure requires an assessment on a case-by-case basis, the following use cases are intended to provide assistance in common situations.

1124 In practice, businesses should carefully review existing processes for compliance with the GDPR. This is particularly important with regard to consent (GDPR, art. 6, subpara a)), one of the main legal bases for the processing of personal data in the context of direct marketing. The concept of consent under Directive 95/46 has been interpreted and implemented in a number of different ways by the Member States. As a result, the GDPR will bring about more changes for businesses in some Member States than in others. Where necessary, mechanisms and declarations of consent should be amended to meet the requirements of the GDPR (see section C.II.3., → mn. 429 et seqq.) before it becomes applicable as of 25 May 2018. With regard to the impact of ePrivacy-Directive, art. 13 on the lawfulness of direct marketing by means of electronic communications, it is advisable to monitor closely the developments concerning the revision of the ePrivacy-Directive. This will enable companies to prepare early for potentially stricter requirements or to make use of new possibilities under the revised legal framework.

122 WP 217, 24 f.
123 WP 217, 40.
124 WP 217, 47, 51.
125 WP 217, 25, 26.
126 WP 217, 25, 26.
127 WP 217, 25, 26.

a) Electronic mail

1125 The use of electronic mail for direct marketing purposes is governed by ePrivacy-Directive, art. 13 (see section E.IV.3., → mn. 1076 et seqq.). The scope of application of ePrivacy-Directive, art. 13, paras 1 and 3 is limited to subscribers who are natural persons. However, if e-mails for marketing purposes, related or unrelated to business purposes, are sent to a (business) e-mail address containing a natural person’s name (e.g. [email protected]), the e-mail should be considered as marketing to a natural person.128 In the context of e-mails, it is also important to observe national provisions implementing the Unfair Commercial Practices Directive.

aa) Obligatory prior consent (opt-in)

1126 Pursuant to ePrivacy-Directive, art. 13, para 1 electronic mail for the purposes of direct marketing requires prior consent (opt-in). Under the Commission’s Proposal for an ePrivacy Regulation published in January 2017 the general requirement to obtain consent remains unchanged (cf. art. 16). The definition of and conditions for consent provided for under GDPR apply (see section E.IV.5., → mn. 1102 et seqq.).

1127 Consent must be freely given, specific, informed and unambiguous. The categories of products for which electronic communication may be sent and the (categories of) recipients have to be clearly described before obtaining consent for electronic mail marketing.129 Consent cannot be presumed from the mere disclosure of contact details (e.g. e-mail address, phone number for SMS or WhatsApp messages) to a company by the data subject. The contact details must be provided specifically for the purposes of direct marketing.

128 WP 90, 7 f.

1128 In practice, consent is often obtained by using a “double-opt-in” mechanism for e.g. subscriptions to a newsletter. Subscribers have to confirm their subscription for a newsletter by clicking on a link in a confirmation e-mail sent to them after their initial subscription. Only if the subscriber confirms his subscription, newsletters will be sent to him. This enables the controller to demonstrate that the data subject has consented to the processing of his personal data (cf. GDPR, art. 7, para 1) and reduces the risk of the data subject arguing that someone else entered his e-mail address in the subscription form.

1129 Pursuant to GDPR, art. 7, para 3 it should be as easy to withdraw consent as to give it. A widely-used method is adding an unsubscribe link to each subsequent message allowing recipients to unsubscribe with a single click on the link. The recipient must not be forced to give reasons for the withdrawal of consent.

bb) Exceptions

1130 ePrivacy-Directive, art. 13, para 2 contains an exception to the obligatory opt-in solution (prior consent) pursuant to ePrivacy-Directive, art. 13, para 1 “where a natural or legal person obtains from its customers their electronic contact details for electronic mail, in the context of the sale of a product or a service, in accordance with Directive 95/46, the same natural or legal person may use these electronic contact details for direct marketing of its own similar products or services provided that customers clearly and distinctly are given the opportunity to object, free of charge and in an easy manner, to such use of electronic contact details at the time of their collection and on the occasion of each message in case the customer has not initially refused such use”. The Commission’s Proposal for an ePrivacy Regulation contains a nearly identical exception in art. 16, para 2, however, referring to the GDPR instead of Directive 95/46. The exception applies only if the sale was definitely closed. Therefore, contact details obtained in connection with a request for information about a product or service cannot be used for marketing on the basis of ePrivacy-Directive, art. 13, para 2. The Art. 29 Working Party proposes to clarify the scope of “similar products and services” and to limit the exception to a reasonable level of marketing communication (i.e. prohibiting excessive number of calls or messages) in the new ePrivacy Regulation.130

cc) Transparency and information

1131 In addition to applicable transparency and information requirements under the GDPR (see section C.I.1.c), → mn. 255 et seqq. and section D.IV.2., → mn. 619 et seqq.), ePrivacy-Directive, art. 13, para 4 prohibits the practice of sending electronic mail for the purposes of direct marketing which, inter alia, disguise or conceal the identity of the sender on whose behalf the communication is made. Pursuant to the Commission’s Proposal for an ePrivacy Regulation “[a]ny natural or legal person using electronic communications services to transmit direct marketing communications shall inform end-users of the marketing nature of the communication and the identity of the legal or natural person on behalf of whom the communication is transmitted and shall provide the necessary information for recipients to exercise their right to withdraw their consent, in an easy manner, to receiving further marketing communications” (cf. Commission’s Proposal for an ePrivacy Regulation, art. 16, para 6).

129 WP 240, 20.
130 WP 240, 21.

b) Telemarketing

1132 Telemarketing is a method of direct marketing via phone calls to prospective customers. Phone calls which serve direct marketing purposes without prior consent of the recipient are also referred to as cold calling. Under ePrivacy-Directive, art. 13, para 1, a distinction needs to be made between automated calling and direct marketing voice-to-voice calls. Whereas automated calling refers to calls by automated calling machines, direct marketing voice-to-voice calls are phone calls by employees or third persons on behalf of a company.

1133 Both automated calling and direct marketing voice-to-voice calls can qualify as unfair business-to-consumer practices under national provisions implementing Unfair Commercial Practices Directive, art. 5, para 1, Annex I, no. 26 which requires Member States to prohibit persistent and unwanted solicitations by telephone.

aa) Automated calling

1134 Pursuant to ePrivacy-Directive, art. 13, para 1 “the use of automated calling and communication systems without human intervention (automatic calling machines) […] for the purposes of direct marketing” requires prior consent (opt-in). As with consent to e-mail marketing, the data subject has to give his consent specifically for the purposes of direct marketing via telephone and prior to the phone call. This opt-in consent can be obtained by e.g. having customers fill out a consent form at a point of sale or asking them for their consent at the conclusion of a contract online or offline.

1135 The requirement of prior consent concerns all kinds of marketing purposes. Also, satisfaction surveys and opinion polls via telephone can be seen as a “representation in order to promote the supply of goods or services” if, in fact, commercial interests are pursued (disguised advertising). Thus, they may fall under the definition of advertising pursuant to Directive 2006/114/EC, art. 2, para a) which can serve as a guideline when defining marketing purposes under the GDPR (cf. section E.IV.1., → mn. 1072 et seqq.).

bb) Direct marketing voice-to-voice calls

1136 ePrivacy-Directive, art. 13, para 1 applies to automated calling only. Direct marketing voice-to-voice calls made by employees or third persons (e.g. a call centre) on behalf of a company for direct marketing purposes do not fall under its scope of application. Member States can choose between an opt-in or an opt-out solution pursuant to ePrivacy-Directive, art. 13, para 3 which requires that Member States “take appropriate measures to ensure that unsolicited communications for the purposes of direct marketing [in cases other than those referred to in art. 13, paras 1 and 2], are not allowed either without the consent of the subscribers or users concerned [opt-in] or in respect of subscribers or users who do not wish to receive these communications [opt-out].” In Member States where the opt-out solution (by giving the data subject a right to object) is implemented by national law, GDPR, art. 6, para 1, subpara a) (consent), GDPR, art. 6, para 1, subpara b) (necessity for the performance of a contract) and GDPR, art. 6, para 1, subpara f) (legitimate interests) come into consideration as a legal basis for the processing of personal data in the context of direct marketing voice-to-voice calls (see section E.IV.5., → mn. 1102 et seqq. and 6. and section C.II.2. and 3., → mn. 364 et seqq.).

cc) ePrivacy Regulation

1137 It should be noted that pursuant to the Commission’s Proposal for an ePrivacy Regulation all forms of direct marketing calls to end-users who are natural persons require consent. However, Member States may provide by law that the placing of direct marketing voice-to-voice calls to end-users who are natural persons is allowed in respect of end-users who have not expressed their objection to receiving those communications (i.e., based on opt-out instead of opt-in consent). Furthermore, natural or legal persons using electronic communications services for the purposes of placing direct marketing calls shall be required to present the identity of a line on which they can be contacted, or present a specific code or prefix identifying the fact that the call is a marketing call.

c) Postal advertising

1138 Postal advertising is deemed to be less intrusive than advertising via electronic mail or telephone. As a result, it is subject to less stringent legal requirements. There are two main marketing strategies in this field.

1139 One use case is door-to-door flyer advertising which is not directed at specific persons. Flyers are delivered to any household in a certain area. Since no personal data are processed, data protection regulations are not affected. This practice does also not fall under the scope of direct marketing because it is not targeted at specific, selected persons. Consequently, ePrivacy-Directive, art. 13, para 3 is not applicable. However, national requirements under the Unfair Commercial Practices Directive (see section E.IV.3., → mn. 1076 et seqq.) must be observed.

1140 Another use case is direct mail advertising, using addresses to deliver advertising to targeted recipients. Direct mail advertising qualifies as direct marketing. Thus, ePrivacy-Directive, art. 13, para 3 is applicable. As with voice-to-voice direct marketing calls, the Member States may choose between an opt-in (prior consent) and an opt-out (right to object) solution for this form of direct marketing (see section E.IV.7.b)(bb), → mn. 1136). This includes any type of advertising, such as recommendations, third-party advertising enclosed with a parcel and any other mail advertising directed at selected potential customers. If the opt-out solution is chosen and consent is not obtained from the data subject, another legal basis under GDPR, art. 6, para 1 for the processing of personal data is necessary (cf. section E.IV.5. and 6., → mn. 1102 et seqq. and section C.II.2. and 3., → mn. 364 et seqq.). An example for direct mail advertising on the basis of GDPR, art. 6, para 1, subpara b) (contract or pre-contractual relations) is the sending of information (e.g. brochures, catalogues or trial subscriptions) at the request of the data subject.

d) Sweepstake

1141 Promotional competitions or games, whether online or offline, are often used as a marketing tool. Companies aim to collect personal data through these measures in order either to sell the data to third parties (address trading) or to use them for their own marketing purposes. Often, the use of personal data collected via sweepstakes for direct marketing purposes requires that the consent of the participants is obtained, e.g. if the data are to be used for advertising by means of electronic communications (see section E.IV.5., → mn. 1102 et seqq.). Since consent must be, inter alia, freely given, making participation in the sweepstake conditional on consent to the processing of personal data for marketing purposes raises the question of interconnection (see section E.IV.5.a)(aa), → mn. 1105). Until further guidance on the interpretation of GDPR, art. 7, para 4 is issued, businesses should avoid such interconnection in order to minimise the risk of administrative fines (see section C.II.3.a)bb)(2), → mn. 447).

e) Tell-a-friend

1142 “Tell-a-friend” or “refer-a-friend” advertising is often used in the context of online marketing. It is a form of advertising by recommendation. Website visitors are asked to enter the e-mail address of a third person, to whom the company then sends e-mails for its own marketing purposes. In this constellation, the company uses the e-mail address for direct marketing purposes without the consent of the data subject, i.e. the recipient; the referring visitor cannot consent on the recipient’s behalf. However, consent is required pursuant to ePrivacy-Directive, art. 13, para 1. Therefore, this form of marketing is considered unlawful.131 Since the consent requirement of ePrivacy-Directive, art. 13, para 1 will most likely remain, no fundamental changes are to be expected in this regard under the ePrivacy Regulation.

f) Address trading

1143 Even though not a form of marketing itself, address trading is of great importance in the context of advertising. Neither the ePrivacy-Directive nor the GDPR contains special provisions for address trading. Consequently, the general requirements of the GDPR apply (see section E.IV.4., → mn. 1083 et seqq.).

1144 As a result, a legal basis under GDPR, art. 6, para 1 is necessary for the processing of personal data for the purpose of address trading and for the downstream purposes pursued by the purchasers of such addresses. In practice, list brokers often claim that the data subjects consented to the use of their personal data. However, obtaining valid consent pursuant to GDPR, art. 6, para 1, subpara a) in this context could prove very difficult. The data subject would have to be informed, inter alia, about the specific processing purposes pursued by the recipients of his data. In most cases, this will not be manageable for the company selling the address data (regarding the requirements for valid consent see section E.IV.5. (→ mn. 1102) and section C.II.3. (→ mn. 429)). Legitimate interests pursuant to GDPR, art. 6, para 1, subpara f) can, in the context of address trading, be seen in the list brokers’ own business purposes or the purchasers’ interests. Nevertheless, the interests of the data subject and the legitimate interests of the controller or the third party need to be weighed in a balancing test on a case-by-case basis (see section C.II.2.e)(cc), → mn. 405 et seqq.). Even though the balancing test depends heavily on the facts of the individual case, it can be assumed that the interests of the data subjects often override such legitimate interests in the context of address trading. In particular, where the data subjects do not reasonably expect the use of their personal data for address trading or downstream marketing measures, their interests are likely to prevail.
1145 In any event, a legitimisation based on legitimate interests will not be sufficient where consent is obligatory pursuant to national provisions implementing ePrivacy-Directive, art. 13, para 1 for advertising by means of electronic communications. Consequently, data subjects must consent to the processing of their data for the specific marketing purposes pursued by the purchaser of, for example, their e-mail addresses. Due to the strict requirements for obtaining valid consent, address trading will likely be of greater significance where an opt-out regime is applicable to the respective marketing strategy (e.g. voice-to-voice direct marketing calls or postal direct marketing).

131 See the UK Information Commissioner’s Office (ICO): https://ico.org.uk/for-organisations/guide-to-pecr/electronic-and-telephone-marketing/electronic-mail-marketing/ (as of 7 April 2017); the Spanish data protection authority (AEPD), 20.2.2008, Resolución: R/00139/2008, Procedimiento Nº PS/00323/2007; the German Federal Court of Justice (Bundesgerichtshof), 12.9.2013 – I ZR 208/12 –, GRUR 2013, 1259.

V. Profiling

1146 As technology advances, profiling as a form of automated processing of personal data provides businesses with new possibilities to store and process data en masse. Big data is becoming more and more relevant in practice. “For example, in the field of marketing and advertisement, big data can be used to analyse or predict the personal preferences, behaviour and attitudes of individual customers and subsequently inform ‘measures or decisions’ that are taken with regard to those customers such as personalised discounts, special offers and targeted advertisements based on the customer’s profile”.132 Other examples where big data plays an important role are smart home systems or smart traffic management technologies. In order to provide the functionality of these systems and technologies, a large amount of data has to be processed.

1147 The Art. 29 Working Party made clear that the data protection principles under Directive 95/46 are applicable to all processing operations, including big data activities. It states that “[i]n particular, upholding the purpose limitation principle is essential to ensure that companies which have built monopolies or dominant positions before the development of big data technologies hold no undue advantage over newcomers to these markets”.133 The principles of purpose limitation and data minimisation, which limit the possibilities of big data, remain under the GDPR and should be interpreted strictly until further clarification is provided by the Board, the ECJ or the European legislator (cf. section C.I.2. and section C.I.3.).

1148 Though the bulk processing of individual information is of growing significance, the GDPR mentions profiling only in some of its provisions and does not provide detailed rules on its lawfulness. Pursuant to GDPR, recital 72, profiling is generally “subject to the rules of [the GDPR] governing the processing of personal data, such as the legal grounds for processing or data protection principles”. Accordingly, the general provisions of the GDPR apply and a legal basis under GDPR, art. 6, para 1 is required for any profiling activity to be lawful. Furthermore, pursuant to GDPR, recital 72 the “European Data Protection Board established by [the GDPR] (the ‘Board’) should be able to issue guidance in that context.” Thus, further guidance on profiling is to be expected.

1. Definition of profiling

1149 GDPR, art. 4, no. 4 defines profiling as “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements”.

132 WP 203, 45.
133 WP 221, 2 f.


1150 As the term was not yet used in Directive 95/46, profiling is now defined for the first time in the GDPR. One central aspect of the definition in GDPR, art. 4, no. 4 is data evaluation for the purpose of analysis and prognosis. The definition is worded very broadly, so that credit scoring and screening (dragnet investigation, e.g. for fraud prevention) fall under the definition as well. Profiling can be regarded as composed of the collection of data and the analysis of the collected data. Data analysis, i.e. the use of personal data to evaluate certain personal aspects relating to a natural person, can fall under the scope of ‘automated individual decision-making’, with the consequence that GDPR, art. 22 is applicable. Note, however, that GDPR, art. 22 only covers decisions based solely on automated processing, including profiling, which produce legal effects concerning the data subject or similarly significantly affect him; profiling that merely informs a decision taken by a human, or that has no such effects, remains subject to the general rules only (cf. GDPR, recital 71; on automated individual decision-making see section D.IV.9., → mn. 691 et seqq.).

2. General requirements

1151 In the context of profiling, some general requirements of the GDPR are of particular importance. In addition, pursuant to GDPR, recital 38, “specific protection should, in particular, apply to the use of personal data of children for the purposes of […] creating personality or user profiles”.

a) Data protection impact assessment

1152 GDPR, art. 35, para 3, subpara a) states that an impact assessment is required in case of “a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person”. Data protection impact assessments serve to identify high risks to the rights of individuals prior to the start of new data processing operations and to identify possible counter-measures, safeguards and mechanisms to mitigate such risks. Evaluating whether a data protection impact assessment is required for a specific processing operation can be a challenge in itself. Special care should be taken whenever decisions are based on aspects derived from profiling. For more information on data protection impact assessments see section D.I.9., → mn. 547 et seqq.

b) Purpose limitation

1153 The principle of purpose limitation requires that the purposes of processing, including profiling, be sufficiently defined, unambiguous, clearly expressed and in accordance with the law (see section C.I.2., → mn. 261 et seqq.). Where data are processed for profiling even though they were initially collected for another purpose (change of purpose), GDPR, art. 6, para 4 requires that the new purpose be compatible with the initial purpose (see section C.I.2.b), → mn. 279). One of the key factors to consider when conducting the compatibility test is the existence of appropriate safeguards, which may include encryption or pseudonymisation (GDPR, art. 6, para 4, subpara e)).


c) Data minimisation

1154 The principle of data minimisation requires that personal data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. Since profiling is often designed to gather as much data as possible, it appears to contradict the aim of data minimisation. However, ways to comply with this requirement exist. Controllers should, for example, carefully review whether the purpose can also be achieved with anonymised or pseudonymised personal data. For more information on data minimisation see section C.I.3., → mn. 315.

d) Obligation to inform

1155 General information obligations are set forth in GDPR, art. 12 et seqq. (see section D.IV.2., → mn. 619 et seqq.). Pursuant to GDPR, recital 60, the data subject should, in particular, be informed of the existence of profiling and the consequences of such profiling. This information has to be provided before the processing of the data subject’s personal data. Furthermore, where applicable, the data subject has the right to obtain meaningful information about the logic involved in any automated decision-making and, at least when based on profiling, the significance and envisaged consequences of such processing (cf. GDPR, art. 13, para 2, subpara f), art. 14, para 2, subpara g), art. 15, para 1, subpara h) and recital 63). Businesses should review existing privacy policies and notices to ensure compliance with the GDPR. Since the scope of information to be provided is broader than under Directive 95/46, it is very likely that amendments are necessary.

1156 Regarding the right of access pursuant to GDPR, art. 15 (see section D.IV.3., → mn. 631 et seqq.), GDPR, recital 63 states that, where the controller processes a large quantity of information concerning the data subject, the controller should be able to request that the data subject specify the information or processing activities to which his request relates. Profiling activities often require the processing of large quantities of information on data subjects. However, GDPR, recital 63 cannot be seen as an exception to the right of access. If the data subject requests all information concerning him, full access has to be granted.

1157 In this context, it should be noted that, pursuant to GDPR, recital 57 and art. 11, a controller whose data do not permit it to identify a natural person is not obliged to acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of the GDPR (e.g. the right of access). This can be especially relevant if profiling is carried out on pseudonymised data that the controller can no longer attribute to a specific data subject. Where the data are truly anonymised, the GDPR does not apply at all (GDPR, recital 26).

e) Right to object

1158 Even though this was proposed by the European Parliament, there is no absolute right to object to profiling (unless it is related to direct marketing, cf. GDPR, art. 21, para 2). The adopted version of GDPR, art. 21, para 1 contains a right to object to the processing of personal data which is based on GDPR, art. 6, para 1, subparas e) or f) (public or legitimate interests), including profiling based on those provisions (see section D.IV.8.a)). If the data subject exercises his right to object, the controller may only continue processing the data if it can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject. The burden of proof for such compelling legitimate grounds lies with the controller. Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to GDPR, art. 89, para 1, GDPR, art. 21, para 6 grants a right to object unless the processing is necessary for the performance of a task carried out for reasons of public interest (see section D.IV.8.e), → mn. 689).

f) Privacy by design and by default

1159 GDPR, art. 25 stipulates the principle of data protection by design and by default. Data protection by design (GDPR, art. 25, para 1) entails the implementation of compliance procedures and systems at the outset of product or process development. Data protection has to be a core issue from the very beginning of planning new products and services. This requirement also applies to the development of profiling mechanisms. Potential data protection infringements must be taken into account and prevented at an early stage through suitable design of the profiling mechanism. Data protection by default (GDPR, art. 25, para 2) imposes the obligation on the controller to implement appropriate technical and organisational measures ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed; developers and producers of profiling systems are not directly addressed by GDPR, art. 25 but should be encouraged to take the right to data protection into account (GDPR, recital 78). In order to minimise the collection of personal data, ‘do not collect’ options and other privacy-friendly features to limit or disable the collection of personal data should be offered to the data subjects (cf. section D.I.7., → mn. 529 et seqq.).134 It will also serve the aim of data minimisation to anonymise or pseudonymise personal data as soon as possible.

3. Cookies (and similar technologies)

134 WP 240, 19.

1160 The basis for many profiling processes in the online environment is the setting of cookies on the data subjects’ terminal devices, such as their computers or mobile phones. Cookies are often set to track users as they leave their digital trail over the Internet. Businesses use the information gathered from the use of cookies to create user profiles which serve, inter alia, for behavioural advertising. Cookies are small files sent by websites which are stored on the device of the user accessing the website. Whenever the user returns, the cookies are sent back to the server, so that the website recognises the user’s device. Cookies can contain unique, user-specific identifiers of different kinds which may be used, for example, to load the user’s preferred settings on the web page (e.g. language settings).

1161 A technique used for the same purpose is device fingerprinting. A device fingerprint is “a set of information elements that identifies a device or application instance”.135 The data to identify the device can derive from the configuration or from data exposed by the use of network communications protocols (e.g. installed fonts, installed plugin information, JavaScript objects etc.).136 One technical approach is to generate a browser fingerprint from the browser configuration. Hereby, the tracking mechanism collects enough information to render over 90% of the browser fingerprints unique.137 As a result, the device can be recognised when returning to the same website, even though, unlike with a cookie, nothing is stored on the device itself and the user therefore has no cookie to delete.

a) ePrivacy-Directive

1162 The relevant legal framework regarding the use of cookies is primarily laid down in ePrivacy-Directive, art. 5, para 3. It states that the “Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent.” The wording is technologically neutral and therefore does not only apply to cookies. Parties “who wish to process device fingerprints which are generated through the gaining of access to, or the storing of, information on the user’s terminal device must [pursuant to ePrivacy-Directive, art. 5, para 3] first obtain the valid consent of the user”.138 It has to be pointed out that ePrivacy-Directive, art. 5, para 3 is applicable irrespective of whether the information stored or accessed in the user’s terminal equipment contains personal data or not.139 The Art. 29 Working Party proposes to rephrase ePrivacy-Directive, art. 5, para 3 as technologically neutral as possible to cover any kind of tracking technique and to clarify that “data do not necessarily have to be stored inside of the terminal equipment, but can also be processed (including collected and stored) elsewhere and made available through the device, and in these situations Article 5(3) will apply”.140

1163 ePrivacy-Directive, art. 5, para 3 sets forth two exceptions to the requirement to obtain the user’s consent: either if the cookie usage is “for the sole purpose of carrying out the transmission of a communication over an electronic communications network” (e.g. setting cookies to identify the communication endpoints)141 or if it is “strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service” (e.g. cookies to save language settings or selected products in an online shopping basket).

135 See WP 224, 4, which refers to Cooper, Privacy Considerations for Internet Protocols, 2013 (see: https://tools.ietf.org/html/rfc6973 (as of 6.4.2017)).
136 WP 224, 4 f.
137 Henning Tillmann, Browser Fingerprinting: Tracking ohne Spuren zu hinterlassen, 2013, 85.
138 WP 224, 11.
139 WP 188, 8.
140 WP 240, 11.
141 WP 194, 3.

1164 Cookies used for analytical or advertising purposes are examples of non-necessary cookies. For the use of non-necessary cookies, consent of the user is necessary pursuant to ePrivacy-Directive, art. 5, para 3. It should be noted that the Art. 29 Working Party recognises the need for a new exception to the consent requirement for first-party analytics cookies (i.e. cookies set by the website the user visited).142 Accordingly, the Commission’s Proposal for an ePrivacy Regulation published in January 2017 provides for an exception if cookies are “necessary for web audience measuring, provided that such measurement is carried out by the provider of the information society service requested by the end-user” (cf. Commission’s Proposal for an ePrivacy Regulation, art. 8, para 1, subpara d)). In addition, the Art. 29 Working Party suggests considering “other circumstances in which consent would not be required, because the processing would have little or no impact on the right of users to protection of their communication secrecy and private life” when revising the ePrivacy-Directive.143

b) Consent to the use of cookies

1165 The Art. 29 Working Party specifically addresses the legal requirements for obtaining consent for cookies in its WP 208.144 It notes that the practical implementations of the consent requirements vary among website operators across the Member States.145 Amongst others, website operators use immediately visible notices explaining that by using the website the user agrees to cookies, or mechanisms by which the user can choose to accept all or some cookies or to decline them.146 However, according to the Art. 29 Working Party, “should a website operator wish to ensure that a consent mechanism for cookies satisfies the conditions in each Member State such consent mechanism should include each of the main elements specific information, prior consent, indication of wishes expressed by user’s active behaviour and an ability to choose freely”.147 This corresponds to the requirements for valid consent set forth in the GDPR. It is therefore likely that the position of the Art. 29 Working Party will not change in this regard.

142 WP 194, 10.
143 WP 240, 12.
144 WP 208.
145 WP 208, 2.
146 WP 208, 2.
147 WP 208, 2 f.

1166 Specific information means that the user should be informed about the different types of cookies, their purposes, retention periods and possible third parties involved as well as how the user can accept or decline cookies or change his options later on. The information can be given, for example, through a static banner on top of the website or a splash screen on entering the website.148 The cookie notice template published by the Commission can serve as a guideline.149

1167 Consent should be obtained before cookies are set (prior consent). Furthermore, consent has to be indicated by an active behaviour of the user in the form of an action such as clicking on a link or button or ticking a box, provided that the user was informed which action will signify consent to cookies.150 While merely staying on the landing page cannot be deemed active behaviour, scrolling down in order to make use of the website’s services may be; scrolling is, however, the weakest of these signals, and a conservative implementation should rely on an explicit click or tick. Furthermore, pop-up windows cannot reliably fulfil the requirement because many users block such windows through the configuration of their browser settings, so that no consent is ever expressed. It is also not sufficient if website visitors use a browser or another application which by default enables the collection and processing of their information.151 A browser setting may only be seen as consent if it was set by default to reject all cookies and the data subject changed the settings to affirmatively accept cookies about which he was fully informed.152

1168 A free choice regarding the use of cookies can only be made if the user can decide to accept some or all cookies or to decline some or all of them. Website operators should refrain from ‘take it or leave it’ mechanisms (e.g. so-called cookie walls that deny access to the website if users do not consent to cookies) because they may not meet the requirements for freely given consent, as defined in GDPR, recital 43. The Art. 29 Working Party proposes to incorporate specific prohibitions on practices that undermine the principle of freely given consent in the ePrivacy Regulation.153

1169 From a practical perspective, it is worth noting that even though the consent required to set cookies and the consent necessary to have a legal ground for the processing of personal data apply simultaneously, the two types of consent can be merged in practice, provided that the user is made unambiguously aware of what he is consenting to.154 The requirements for valid consent to the use of cookies correspond to the requirements for valid consent under GDPR, art. 6, para 1, subpara a).

148 WP 188, 9.
149 See: http://ec.europa.eu/ipg/docs/cookie-notice-template.zip (as of 6.4.2017); see also for general information on cookies: http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm (as of 6.4.2017).
150 WP 208, 4.
151 WP 171, 14.
152 Cf. WP 171, 23.
153 WP 240, 16.
154 WP 202, 14.


4. Use cases

a) Statistical and aggregate data

1170 Data are often processed for statistical purposes. Statistical purposes mean “any operation of collection and the processing of personal data necessary for statistical surveys or for the production of statistical results. Those statistical results may further be used for different purposes, including a scientific research purpose. The statistical purpose implies that the result of processing for statistical purposes is not personal data, but aggregate data, and that this result or the personal data are not used in support of measures or decisions regarding any particular natural person” (GDPR, recital 162).

1171 If anonymised data are processed for statistical purposes, the GDPR is not applicable (GDPR, recital 26, see section B.I.2.d), → mn. 97 et seqq.). However, to the extent personal data are used, the requirements of the GDPR and its data protection principles must be observed. GDPR, recital 162 states that “Union or Member State law should, within the limits of [the GDPR], determine statistical content, control of access, specifications for the processing of personal data for statistical purposes and appropriate measures to safeguard the rights and freedoms of the data subject and for ensuring statistical confidentiality”.

1172 Due to the applicability of the GDPR, a legal basis is necessary to legitimise the processing of personal data for statistical purposes. In most cases, GDPR, art. 6, para 1, subpara f) will serve as the legal basis, as statistical purposes can constitute legitimate interests. Nonetheless, balancing these legitimate interests against the interests of the affected data subjects is still required (on the balancing test see section C.II.2.e)(cc), → mn. 405). The rights and freedoms of the data subjects must be protected by appropriate safeguards (GDPR, art. 89, para 1).

1173 Processing for statistical purposes is privileged under the GDPR. In case of a change of purpose, further processing of personal data for statistical purposes is, in accordance with GDPR, art. 89, para 1, not considered to be incompatible with the initial purpose of the collection (GDPR, art. 5, para 1, subpara b); see section C.I.2.b)(bb), → mn. 283). It remains unclear whether this exception from the requirement to conduct a compatibility test applies to statistical operations in the public interest only or also to statistical operations in a commercial interest (e.g. analytical tools of websites or big data applications aimed at market research; see section C.I.2.b)(cc), → mn. 285). Given this uncertainty, businesses pursuing commercial interests should not rely on this exception and should conduct the compatibility test until further guidance is issued by the future Board, the ECJ or the European legislator.

b) Online Behavioural Advertising

1174 Profiling is often used for online behavioural advertising. Online behavioural advertising can be described as “the tracking of users when they surf the Internet and the building of profiles over time, which are later used to provide them with advertising matching their interests”.155 Such user profiles can be created by analysing the browsing behaviour of data subjects, including e.g. the number of website visits or interactions or the keywords searched for.156 Specific characteristics of the data subject, such as gender and age, can be deduced from this analysis. Furthermore, the location of the data subject, derived from the originating IP address, contributes to the targeting. Usually, cookies are stored on the terminal equipment of the user for the purpose of tracking his online behaviour (for more information on the use of cookies see section E.V.3., → mn. 1160 et seqq.).157

aa) Roles and responsibilities

1175 In many cases, the party analysing the behaviour of data subjects is different from the website owner. The party analysing the data subjects’ behaviour can be an ad network provider that controls the targeting technology and the associated databases. In this constellation, the website owner acts as the publisher. Publishers display the advertisement on their websites and receive payments for providing space on their websites for third-party content. The party that wishes to promote its products or services through such advertising is considered the advertiser.158 If the advertiser collects data from users directed to the advertiser’s website, the advertiser is to be considered an independent data controller for these processing activities.159

1176 The roles of the ad network provider and the publisher very much depend on the individual facts. The ad network provider sets the cookies and collects data from the website users. As a result, the ad network provider is responsible under ePrivacy-Directive, art. 5, para 3 and required to obtain the informed consent of the data subjects for the use of cookies (on the specific obligations see section E.V.3., → mn. 1160 et seqq.).160 Since the ad network provider determines the purposes and means of the processing of personal data, it also acts as the data controller.161 However, in some cases the publisher will be a joint controller (on joint controllers see section D.I.2., → mn. 494 et seqq.), depending on the specific situation and the conditions of collaboration between the publisher and the ad network provider. The publisher can be considered a (joint) controller for specific processing operations (e.g. the transfer of IP addresses, name, age or location of the data subject)162 and needs to adhere to the respective obligations under the GDPR.

155 WP 171, 3.
156 WP 171, 4.
157 WP 171, 7.
158 Cf. WP 171, 5.
159 WP 171, 12.
160 Cf. WP 171, 10.
161 WP 171, 10 f.
162 WP 171, 11 f.

1177 In practice, businesses acting as publishers should carefully review whether they qualify as joint controllers, with regard to the resulting risks (e.g. joint and several liability) and requirements. As joint controllers, ad network providers and publishers must work together to ensure compliance with data protection regulations. The roles and responsibilities of both parties should be set forth in a service agreement between them.163

bb) Legal basis

1178 As for any processing of personal data, a legal basis pursuant to GDPR, art. 6, para 1 is required. If online behavioural advertising is based on consent, from a practical perspective it may make sense to merge the consent required to set cookies (or to use other tracking techniques that require consent) and the consent necessary to have a legal ground for the processing of personal data under the GDPR (see section E.V.3.b), → mn. 1165 et seqq.). Such consent requires an affirmative action by the data subjects indicating their consent not only to the acceptance of cookies but also to the subsequent monitoring and analysis of their online behaviour for the purpose of sending tailored advertising.

1179 Besides consent, processing on the ground of legitimate interests pursuant to GDPR, art. 6, para 1, subpara f) may serve as a legal basis for the processing of personal data for the purposes of online behavioural advertising. Although targeted advertising may have economic benefits for companies and constitute a legitimate interest, the interests and fundamental rights and freedoms of the data subjects must be taken into account and weighed against such economic interests. Since profiling of the data subjects’ behaviour can be a severe intrusion into the data subjects’ privacy, especially where a data subject is tracked across various websites to build extensive profiles, profiling for behavioural advertising carries high privacy risks. Thus, the balancing test will often lead to the result that the interests of the data subjects prevail and exclude the use of GDPR, art. 6, para 1, subpara f) as a legal ground for profiling activities in practice.

cc) Obligation to inform

1180 It is sufficient if the information required pursuant to GDPR, art. 13 is provided by one of the involved controllers. According to the Art. 29 Working Party it is, from a user’s perspective, more intuitive if the notice is provided on the publisher’s website (e.g. if the publisher provides space on its website, in which ad providers can display the required information).164 This can be agreed upon in the service agreement between the publisher and the ad network provider.

1181 The data subjects should, inter alia, be informed about:165

– the identity of the ad network provider;
– the purposes of the processing;
– that cookies will allow the ad network provider to collect information about visits to other websites, the advertisements they have been shown, the advertisements they have clicked on etc.;
– a simple explanation on the use of cookies to create profiles in order to serve targeted advertising (e.g. the fact that the cookie will enable the user’s identification across multiple websites);
– the period of data retention.

1182 A minimum of information should be easily accessible and highly visible directly on the screen, if appropriate through layered notices (see section E.IV.4.c), → mn. 1093 et seqq.).166 Moreover, the data subject should be periodically reminded that monitoring is taking place.167 Therefore, icons could be created and displayed on all websites that use tracking technologies with links to additional information.168

1183 In general, the scope of information to be provided by controllers under the GDPR is broader than under Directive 95/46 (for details see section D.IV.2.a), → mn. 619 et seqq.). Controllers should carefully review their existing privacy notices and make amendments if necessary.

163 WP 171, 12, 19.
164 WP 171, 19.
165 Cf. WP 171, 17, 19.

Eva Irene Wille

273

E. Practical examples

dd) Further obligations

1184 General requirements such as a mechanism to enable data subjects to exercise their rights (see section D.IV.1., → mn. 603 et seqq.), appropriate technical and organisational measures (see section D.I.8.b, → mn. 685 et seqq.) and compliance with the principles of purpose limitation and data minimisation (see section C.I.2. and C.I.3., → mn. 315 et seqq.) must be adhered to. Furthermore, where processing is based on consent and carried out by automated means, data subjects have a right to data portability (see section D.IV.7., → mn. 663 et seqq.). Data should be stored in a structured, commonly used and machine-readable format.

c) Customer Relationship Management

1185 Customer Relationship Management (CRM) can be defined as “[t]he infrastructure that enables the delineation of, and increase in customer value, and the correct means by which to motivate valuable customers to remain loyal”.169 CRM systems can serve various purposes. Amongst others, they can be used for quality management and targeted advertising. The data in CRM systems can be used as a basis for profiling, e.g. to analyse the personal preferences of customers, and for targeted advertising.

1186 The profiling of customers is usually not necessary for the performance of a contract pursuant to GDPR, art. 6, para 1, subpara b). Besides consent, legitimate interests pursuant to GDPR, art. 6, para 1, subpara f) may provide a legal basis. It can be considered as a legitimate interest of a company to e.g. know their customers’ preferences in order to personalise their offers.170 A balancing test (see section C.II.2.e)(cc), → mn. 405 et seqq.) is required which takes into account the facts of the individual case. While creating complex profiles of the customers’ personalities and preferences without their knowledge is likely to be unlawful,171 more limited profiling activities based on few data (e.g. the last purchase of the customer) may lead to the conclusion that the interests of the controller prevail. It is important to note that the general requirements of the GDPR, including the requirements for a change of purpose where the data were initially collected for another purpose (see section C.I.2.b), → mn. 279), apply.

166 WP 171, 24.
167 WP 171, 18.
168 WP 171, 24.
169 Jill Dyché, The CRM Handbook: A Business Guide to Customer Relationship Management (2002), Part 1 – Defining CRM.

VI. Company Website

1187 A company website is, inter alia, used to provide (potential) customers with information and to advertise the company’s products and services. Data protection is not only relevant where companies are in direct contact with customers (e.g. through online shops or contact forms) but also where web analytics and social media are used with the aim of directing more users to the website.

1. Web analytics

1188 Analysing the behaviour of website visitors often serves to understand and improve web usage. It can also serve direct advertising purposes (see section E.V.4.b), → mn. 1174) or help to measure the effectiveness of marketing campaigns.

1189 In most cases, cookies (or similar tracking techniques) are used. Consequently, the requirements for the lawful use of cookies apply (see section E.V.3., → mn. 1160 et seqq.). In this context, it should be noted that the Art. 29 Working Party proposed to add a new exception to the consent requirement in the ePrivacy-Directive for first party analytic cookies which “are not likely to create a privacy risk when they are strictly limited to first party aggregated statistical purposes”.172 It remains to be seen whether the ePrivacy-Directive will be amended accordingly.

170 Cf. WP 217, 25.
171 Cf. WP 217, 26.
172 WP 240, 11.


2. Social media

1190 Companies often use social media to improve their image and increase the awareness of their brands. The most common ways are creating a company page on social networks (e.g. facebook, LinkedIn) and embedding social plugins into a company’s own website. Both methods involve the use of personal data and raise special issues.

a) Social media page

1191 When companies use social networks to create a company page, the question arises whether the company or the social network provider is responsible for data processing activities in connection with the company page. The company and the social network provider could both be qualified as (joint) controllers or the social media provider could be qualified as a processor acting on behalf of the company. Usually, the social network provider pursues its own economic interests (e.g. revenue through personalised advertisements) and processes user data by determining the purposes and means of the processing. Therefore, the social network provider must be considered as controller for most of the processing operations. However, the company using the network qualifies as controller for the processing carried out solely for its own purposes (e.g. using personal data received via social media to answer requests of the users).

1192 The responsibility for the processing of personal data in the context of company pages was discussed controversially under Directive 95/46. The question was raised whether a company is responsible when the social network provider processes personal data via the company page. This question has not been answered conclusively yet. On 25 February 2016, the German Federal Administrative Court decided to obtain a preliminary ruling of the ECJ.173 In the particular case, facebook stored cookies on the users’ devices in order to provide the company with anonymised statistical information about the users as a non-negotiable part of services. For the company, the only way to prevent this processing of the users’ data was to delete the company page on facebook.

1193 This illustrates the problems that may arise in multi-tiered provider relationships, such as are characteristic of social networks, where a company, through the decision to set up a company page, provides a social network with the possibility to collect personal data but has no control over the actions of the social network (i.e. the parties do not jointly determine the purposes and means of processing as joint controllers). The GDPR contains no specific provisions for these multi-tiered provider relationships. While Directive 95/46 is very vague in this regard, the GDPR lays down in detail the powers of the supervisory authorities (cf. GDPR, art. 58) and refers to controllers and processors as defined in GDPR, art. 4, paras 7 and 8 only. As a result, there should not be room for a responsibility of a party which is neither one nor the other. However, businesses should monitor if a clear opinion on this topic will evolve under the GDPR (e.g. no responsibility of the company or responsibility as (joint) controller) and adapt their use of social media accordingly.

173 German Federal Administrative Court (Bundesverwaltungsgericht), 25.2.2016, 1 C 28.14, ZD 2016, 393.

b) Social plugins

1194 The most common social plugins are ‘share’, ‘follow’, ‘comment’ or ‘like’ buttons (e.g. for facebook or twitter) which can be embedded into any website. Social plugins allow users to share content from other websites on social networks (e.g. facebook, twitter or google+). Companies embed social plugins in order to initiate such postings which can have a promotional effect.

1195 It is debatable whether website operators that embed social plugins into their websites qualify as controllers with regard to the processing of personal data through these social plugins. The website operators merely (however, via their websites) enable the collection of data by social network providers which determine the purposes of the processing. As some supervisory authorities and courts have taken a strict view on this topic under Directive 95/46 and as long as there is no legal certainty under the GDPR, it is advisable to assume that website operators are fully responsible for the processing of personal data collected via their websites. At a minimum, the users must be informed about the use of social plugins in the privacy policy on the website. Furthermore, the requirements for setting cookies must be observed if cookies are used in the context of social plugins (see section E.V.3., → mn. 1160 et seqq.).

1196 Social plugins have been the object of criticism in those cases where those users who are not members of the respective social network and do not even try to interact with these platforms via the social plugin are tracked on third party websites (e.g. by setting cookies). Thus, obtaining consent in particular from users who are not members of or logged-out of the social network is required as they do not expect and have not consented to the use of cookies for these purposes elsewhere. Consequently, to make sure that cookies are not set without consent, a solution which requires website visitors to activate the social plugin function (and the setting of cookies) before they are able to use it (so-called “double click solution”) should be implemented.

1197 Against the background of severe administrative fines under the GDPR (see section D.VII.1., → mn. 802), it is advisable to implement safeguards such as the double click solution or to refrain from social plugins completely until guidance on this topic is issued by e.g. the Board. As an alternative to social plugins, website operators could choose to set a link (so-called social bookmark) which directs the user to the social network (only). This ensures that no personal data are collected on their own websites.
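The “double click solution” and the social bookmark alternative described above, as an added example in JavaScript that is not part of the book and not any social network’s own plugin code: the page serves only a placeholder button from its own domain, and the network’s script (and with it any cookie it sets) is requested only after the visitor’s explicit click. The host `social.example`, the element id `share-slot`, the script URL and the share endpoint are constructed placeholders, not a real provider’s endpoints.

```javascript
// Added example (not taken from the book): a "double click" loader for an
// embedded social plugin. Until the visitor clicks the placeholder, nothing is
// requested from the social network, so it cannot set a cookie on that visit.
// social.example, share-slot and the script URL are constructed placeholders.

// Core logic kept free of DOM calls so it can be exercised outside a browser.
function createTwoClickPlugin({ pluginScriptUrl, allowedHosts, loadScript }) {
  let activated = false;
  const requested = [];   // every third-party URL this instance actually fetched

  // Only load scripts from hosts the operator has named in its privacy policy,
  // so a misconfigured URL cannot silently pull in a different third party.
  function hostAllowed(url) {
    try {
      return allowedHosts.includes(new URL(url).hostname);
    } catch (e) {
      return false;        // not an absolute URL: refuse rather than guess
    }
  }

  return {
    isActivated: () => activated,
    requestedUrls: () => requested.slice(),
    // Second click: the visitor has opted in, so the real plugin may load now.
    // Returns true only when a load was actually triggered.
    activate() {
      if (activated || !hostAllowed(pluginScriptUrl)) return false;
      activated = true;
      requested.push(pluginScriptUrl);
      loadScript(pluginScriptUrl);
      return true;
    },
  };
}

// The alternative mentioned in the text, a plain "social bookmark" link: no
// script of the network runs on the operator's page; data flows only once the
// visitor follows the link to the network itself.
function socialBookmarkHref(shareEndpoint, pageUrl) {
  return shareEndpoint + '?url=' + encodeURIComponent(pageUrl);
}

// Browser glue: inject the network's <script> tag (only called after consent).
function browserLoadScript(url) {
  const s = document.createElement('script');
  s.src = url;
  s.async = true;
  document.head.appendChild(s);
}

// Render the placeholder into the operator's own container element. The label
// tells the visitor what activating means, which is what the consent rests on.
function mountTwoClickPlugin(container, plugin) {
  const button = document.createElement('button');
  button.textContent = 'Activate share button (loads a script from social.example)';
  button.addEventListener('click', () => {
    if (plugin.activate()) button.remove();   // the real plugin takes the slot
  });
  container.appendChild(button);
}

// Page wiring; skipped under Node so the logic above stays testable headless.
if (typeof document !== 'undefined') {
  const slot = document.getElementById('share-slot');   // placeholder id
  if (slot) {
    mountTwoClickPlugin(slot, createTwoClickPlugin({
      pluginScriptUrl: 'https://social.example/plugin.js',   // placeholder URL
      allowedHosts: ['social.example'],
      loadScript: browserLoadScript,
    }));
  }
}
```

The point for a reviewer is the ordering: `loadScript` is the only place from which a request to the network can originate, and it is reachable only through `activate()`, so auditing whether cookies can be set before consent means checking one function rather than every button on the page. The host allowlist is a defensive addition, not something the text requires.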

3. Privacy policy

1198 If a company processes personal data on its company website, it has to ensure that website visitors are provided, at the time when personal data are collected, with the information listed in GDPR, art. 13 (to the obligations to inform in general see section D.IV.2., → mn. 619 et seqq.). As is currently common practice, the information should be provided in a separate privacy policy on the website. To be easily accessible it should be available at any sub-page of the website and be highly visible (e.g. separate button “privacy policy”). To enhance transparency, layered notices (see section E.IV.4.c), → mn. 1093) and standardised icons (see section D.IV.1.b), → mn. 606 et seqq.) may be used.

1199 The privacy policy must be adapted to the individual circumstances and be kept up to date. Templates should not be used without careful review and amendments if necessary. This applies in particular where special features such as an online-shop or similar functions are offered. It should be transparent as to which data are necessary for the specific function and to what extent personal data may be provided on an optional basis. Before drafting a privacy policy, businesses should therefore clarify if it is intended to

– embed social plugins into the website;
– use web analytics / tracking tools;
– offer an online-shop;
– offer blogs, forums, customer accounts or other special functions.

1200 The scope of information to be provided by controllers under the GDPR is broader than under Directive 95/46 (for details see section D.IV.2.a), → mn. 619 et seqq.). Controllers should carefully review their existing privacy policies and make amendments if necessary.

4. Right to be forgotten

1201 Pursuant to GDPR, art. 17, para 1 data subjects have the right to obtain erasure of personal data concerning them if there is no or no longer a legal basis for the processing (see section D.IV.5., → mn. 648 et seqq.). GDPR, art. 17, para 2 stipulates that “where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data”. GDPR, recital 66 clarifies that these obligations shall strengthen the right to be forgotten especially in the online environment. Consequently, website operators that have made personal data public must take reasonable steps to forward requests of the data subjects to any other controllers which also process the relevant personal data.


VII. Apps

1202 Apps have become a part of everyday life. Millions of apps are available for various types of smart devices and a wide range of purposes. In most cases, apps require access to user generated data stored on the device (e.g. contacts), sensor data (e.g. of the camera or microphone) and other data that may be available through application programming interfaces (APIs). The possibilities to access and collect large quantities of personal data (e.g. location, contacts, unique device identifiers or browsing history) raise privacy concerns. Furthermore, app developers from all over the world contribute their apps to app stores and are often unaware of European data protection requirements. Key issues are a potential lack of transparency and awareness of the end users, poor security measures and disregard for the principles of purpose limitation and data minimisation.174 As, at least in this regard, the requirements and principles already known under Directive 95/46 remain essentially unchanged under the GDPR, these concerns and risks remain as well. In addition, the new principles of data protection by design and by default and the right to be forgotten will play a great role and bring about new challenges.

1. Roles and Responsibilities

1203 Several actors in the app ecosystem which can be subject to different requirements are involved: app developers and owners, app stores, operating system (OS) and device manufacturers and other third parties (e.g. analytics or advertising providers).175 An entity can be involved at multiple stages, e.g. when the OS and device manufacturer also controls the app store (e.g. Apple Inc. as app store (Apple Store), device manufacturer (iPhone) and OS manufacturer (iOS)).176

a) App developers

1204 App developers create apps and offer them to users. This category also includes those companies that choose to delegate the development and programming to a third party or to outsource some or all of the actual data processing to a data processor (including e.g. a cloud computing provider for data storage).177 To the extent the app developer determines the purposes and means of the processing of personal data via the app, the developer must be considered as controller and is required to fully comply with the provisions of the GDPR (on data processors see section B.II.2. (→ mn. 152) and section E.II.1. (→ mn. 965)).178

174 WP 202, 5 f.
175 WP 202, 5.
176 WP 202, 9.
177 WP 202, 9, 10.
178 Cf. WP 202, 9.


1205 Not surprisingly, the Art. 29 Working Party, in its opinion on apps and smart devices, addresses most of its recommendations to app developers that “have the greatest control over the precise manner in which the processing is undertaken or information presented within the app”.179 However, it is also noted that, “in order to achieve the highest standards of privacy and data protection, they have to collaborate with other parties in the app ecosystem”.180

1206 App developers that process personal data are, inter alia, required to adhere to the principles of the GDPR including

– purpose limitation: specific and legitimate purposes of the data processing must be defined;
– data minimisation including privacy by design and privacy by default: only personal data necessary for the functioning of the app should be processed; data protection should be taken into account at all stages of the development; privacy-friendly default settings should be implemented; retention periods must be defined;
– transparency: users must be informed in a comprehensible manner, understandable for an average user, about, inter alia, the controller(s), the precise categories of personal data that will be processed, for what purpose(s), whether data will be disclosed to third parties and how users may exercise their rights;
– integrity and confidentiality: appropriate technical and organisational measures must be implemented (e.g. secure authentication mechanisms).

b) App store operators

1207 App store operators distribute apps and usually act as controllers for data processed for the registration of a user, app purchases (e.g. credit card number) and combining data with usage behaviour and usage history (e.g. previously purchased apps).181 Even to the extent they do not act as controllers, app store operators are in an important position to cooperate with app developers and enable them to inform users about the app and the data that they process before downloading the app. According to the Art. 29 Working Party, app stores should enforce data protection by their admission policies and respective controls.182

c) OS and device manufacturers

1208 OS and device manufacturers can be considered as controllers if they process personal data for their own purposes (e.g. the smooth running of the device) or if they provide additional functionalities (e.g. backups).183 OS and device manufacturers are also responsible for the API which enables the processing of personal data by apps on the smart device.184 According to the Art. 29 Working Party, they should ensure that the app developer can control that access is granted only to those data that are necessary for the functioning of the app and that access can be revoked easily.185 They should also make available encryption algorithms, support appropriate key lengths and secure authentication mechanisms.186 The principle of privacy by design and privacy by default must be considered from the very beginning when designing the device. Appropriate mechanisms “to inform and educate the end user about what apps can do and what data they are able to access, as well as providing appropriate settings for app users to change the parameters of the processing”187 should be available.

1209 Other third parties can be analytics providers or advertisers. They can act on behalf of the app developer (e.g. to provide functions within the app) as processors or process personal data for their own purposes (e.g. behavioural advertising) as controllers. Where these third parties set cookies (or use similar technologies), additional requirements apply (see section E.V.3., → mn. 1160 et seqq., for more information on direct marketing and profiling see section E.IV. and E.V.).

179 WP 202, 2.
180 WP 202, 2.
181 WP 202, 11 f.
182 WP 202, 12, 20.
183 WP 202, 10 f.

2. Legal basis

1210 Typically, possible legal grounds for the processing of personal data in the context of apps are GDPR, art. 6, para 1, subpara a) (consent), subpara b) (necessary for the performance of a contract) and subpara f) (legitimate interests).

1211 However, it is important to note that ePrivacy-Directive, art. 5, para 3 requires that Member States “ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent […]”. Information in the meaning of ePrivacy-Directive, art. 5, para 3 can be any information; the scope is not limited to personal data. As a result, where consent is required pursuant to national provisions implementing ePrivacy-Directive, art. 5, para 3, consent pursuant to GDPR, art. 6, para 1, subpara a) is de facto the only legal ground for the processing of personal data.

a) Consent

1212 Apps often access functions of and data stored on a smart device which are not necessary for the functioning of the app and provision of the service, including access to the camera, pictures, messages, contacts in the address book and other personal files. An example may be an app with a very simple function (e.g. an alarm clock app) which, however, requests access to contacts and pictures clearly unnecessary for rendering the service. As a result, informed consent from the user is required pursuant to ePrivacy-Directive, art. 5, para 3, and potentially also pursuant to the GDPR before information is stored on or retrieved from the device (see section E.V.3.a), → mn. 1162 et seqq.).

1213 Although a distinction must be made between consent required to store or read information on the device and consent necessary to have a legal ground for the processing of personal data pursuant to the GDPR, both are subject to the same requirements and can be merged in practice, either during the installation process or before the app starts to collect personal data from the device, provided that the user is made unambiguously aware of what he is consenting to.188 The Art. 29 Working Party states in this context that while clicking an “install” button in an app store to download the app may, in some circumstances, fulfil the consent requirement of ePrivacy-Directive, art. 5, para 3, “it is unlikely to provide sufficient information in order to act as valid consent for the processing of personal data”.189 Rather, granular consent for each type of data the app intends to access (e.g. contacts, pictures) should be obtained.190

184 WP 202, 11.
185 WP 202, 11.
186 WP 202, 21.
187 WP 202, 21.

b) Processing necessary for performance of a contract

1214 The consent requirement resulting from ePrivacy-Directive, art. 5, para 3 to lawfully read or write information and consequently process personal data cannot be replaced by using another legal ground under GDPR, art. 6, para 1.191 However, subsequent processing of personal data in the context of the app developer’s business model can be based on other legal grounds under GDPR, art. 6, para 1 (unless sensitive data are concerned).192 Typically, this will be GDPR, art. 6, para 1, subpara b) which allows processing of personal data if the processing is necessary for the performance of a contract. If, for example, a user has installed a mobile banking app offered by his bank, the bank does not have to obtain separate consent to disclose the user’s name and bank account number to the recipient of a payment in order to fulfil the user’s payment requests. In this case, the processing of personal data is necessary for the performance of the contract between the bank and the user and lawful pursuant to GDPR, art. 6, para 1, subpara b). Another example would be the disclosure of a user name or e-mail address to recipients of messages sent over a communication app.193

188 WP 202, 14.
189 WP 202, 14.
190 WP 202, 15.
191 WP 202, 14.
192 WP 202, 16.
193 Cf. for the corresponding legal ground of processing necessary for the performance of a contract under Directive 95/46, art. 7, para b): WP 202, 16.


c) Legitimate interests

1215 Marketing purposes, prevention of fraud or ensuring network and information security often require the use of personal data. These purposes can constitute legitimate interests of the controller. However, GDPR, art. 6, para 1, subpara f) also requires an assessment on a case-by-case basis whether the legitimate interests of the controller or a third party are overridden by the interests or fundamental rights and freedoms of the data subject (balancing test; see section C.II.2.e)(cc), → mn. 405 et seqq.). In addition, an assessment of compatibility pursuant to GDPR, art. 6, para 4 must be conducted where a change of purpose is intended (see section C.I.2.b)(dd), → mn. 293).

3. Geolocation

1216 Many apps use geolocation, the practice of identifying the location of a device (and as a result, of its user) e.g. based on WiFi access points or GPS signals. Geolocation enables or improves services such as navigation, augmented reality games or weather information. It is often associated with the risk that movement or behavioural profiles are created. Furthermore, geolocation can not only help to easily reveal where a person lives or works, it can also reveal sensitive data such as visits to hospitals or religious places.194

1217 ePrivacy-Directive, art. 9, para 1 requires that consent is obtained for the processing of location data. However, this provision applies to the providers of electronic communications services (telecom operators) only. It does not apply to the processing of location data by information society services or other parties, even when such processing is performed via a public electronic communication network.195 As a result, the requirements of the GDPR are applicable when location data are processed by e.g. app developers or OS manufacturers.

1218 It should be noted, though, that the legal framework may change under the new ePrivacy Regulation. The Art. 29 Working Party proposes “to create a harmonised consent requirement for the processing of metadata such as traffic and location data. This consent requirement should apply to all traffic and location data, also when they are generated through sensors in a user device. The new rule should apply to all parties collecting and processing these data”.196 It is argued that not only telecom operators, but also other service providers, such as app developers, may obtain a “very detailed overview of a user’s travel and communication patterns, while they may not be subjected to the obligations of the current [ePrivacy-Directive] (as long as they do not read information stored in the terminal equipment of users)”.197 On the other hand, it is also proposed to create more specific exceptions from the consent requirement for circumstances where there is only little or no impact on the rights of the users. Businesses should monitor carefully if the consent requirement of ePrivacy-Directive, art. 9, para 1 for processing location data will be amended in the new ePrivacy Regulation.

1219 In practice, the processing of location data will in most situations only be lawful on the basis of consent pursuant to GDPR, art. 6, para 1, subpara a) or the necessity for the performance of a contract under GDPR, art. 6, para 1, subpara b). Legitimate interests pursuant to GDPR, art. 6, para 1, subpara f) will usually not provide a legal basis for the processing of location data due to the fact that the interests of the data subject are likely to override the legitimate interests of the controller or a third person. In particular, the risk that behavioural patterns are created and that other intimate details about the private life of the user are revealed will often outweigh other interests.198

1220 Adequate and sufficient information must be provided to the users about the processing of their personal data including location data (see section E.VII.4., → mn. 1221 et seqq.). The Art. 29 Working Party specifies this general requirement with regard to geolocation. The information must be aimed at a broad audience and age-adapted if a younger audience is attracted.199 Users must be kept informed as long as location data are processed (e.g. via a permanently visible reminder).200 Controllers must also enable their customers to continue or revoke their consent. The right to access includes access to possible profiles based on location data and the information must be provided in a human readable format (e.g. in geographical locations instead of abstract numbers of base stations).201

194 WP 185, 7.
195 WP 185, 9.
196 WP 185, 14.
197 WP 185, 13.

4. Privacy Policy

1221 Similar to the processing of personal data on company websites (see section E.VI., → mn. 1187 et seqq.), information obligations (see section D.IV.2., → mn. 619 et seqq.) apply if personal data are processed via an app.

1222 It is important that the information is available before any personal data are processed, thus, before installation. Consequently, the privacy policy should be available in the app store, next to the offered app. In addition, the information must also be easily accessible within the app after installation.202 The privacy policy has to be specifically adapted to the modalities of the app. A general privacy policy tailored to processing activities on a website would not be sufficient.

1223 Furthermore, “it is crucial that every app has a single point of contact, taking responsibility for all the data processing that takes place via the app. It must not be left to the end user to research the relations between app developers and other parties processing personal data through the app”.203

198 WP 185, 14, 20.
199 WP 185, 18.
200 WP 185, 18.
201 WP 185, 18.
202 WP 202, 23.


1224 If an app contains content directed at children, the information should be in such clear and plain language that the child can easily understand it (GDPR, recital 58). Not only when the privacy policy is directed at children, it can be helpful to use icons (see section D.IV.1.b), → mn. 609 et seqq.). Icons can solve the problem that typically small screens (e.g. on smartphones) make it difficult to comply with the requirement to provide transparent and easily accessible information. The use of icons can be combined with the use of layered notices.204

203 WP 202, 22.
204 WP 202, 24.


Index

Numbers refer to the margins.

Accountability 242, 352
Accuracy 242
Accurate data 325
Active behaviour 1167
Ad network provider 1175 ff.
Address trading 361, 1073, 1141, 1143
Adequate level of protection 845, 971
Ad-hoc contract 1008
Administrative fines 509, 528, 537, 546, 565, 578, 610, 618, 630, 641, 657, 678, 690, 699, 712, 742, 747, 749 ff., 754 ff., 774, 802, 1027
– amount 601
Advertising 1076, 1086, 1102, 1112, 1175, 1209
Advertising by recommendation 1142
Age confirmation 468
Anonymisation 97, 320
Anonymous information 97
Anti-money-laundering laws 377
App developers 1204
App store 1213, 1222
App store operators 1207
Applicability
– direct 17, 27
Appropriate safeguards 306, 866
Approved codes of conduct and approved certifications 980
Archiving obligations 341
Archiving purposes 286
Authorisation and advisory powers 746
Automated calling 1078, 1132
Automated decision-making 620, 632
Automated processing 551, 602, 691, 1146, 1149, 1152
Balancing of interests 1082
Balancing test 405, 1119, 1121, 1144, 1179, 1186, 1215
Behavioural monitoring 202
Big data 1146 f., 1173
Binding Corporate Rules 870, 874, 879, 978
– for processors 1003
Biometric data 1030, 1034
Black lists 555
Board 567, 580, 728 f., 731 f., 752

Breaches of data protection law 802
Call centre 1136
Catch-all clauses 1098
Categories of data 385
Certification 813, 902, 970, 993, 1005, 1023
Certification bodies 586
Certification mechanisms 357
Change of purpose 295, 1153, 1173, 1186, 1215
Children 419, 459, 568, 607, 649, 696, 1093, 1151, 1224
Clear affirmative action 435
Cloud client 1015
Cloud computing 1011, 1062
Cloud provider 1015
Code of conduct 357, 566, 731, 813, 897, 970, 993, 1005, 1023, 1075
Cold calling 1132
Commission Decision 2000/520/EC 858
Commission Decision 2001/497/EC 886
Commission Decision 2004/915/EC 886
Commission Decision 2010/87/EU 887, 973
Companies
– with an establishment in the EU 189
– without any establishment in the EU 192
Company page 1191 f.
Compatibility 310
Compatibility assessment 296
Compatibility test 279, 293, 296, 1100, 1101, 1153, 1173
Compensation of damages 824
Competent authority
– one stop shop 713
Completion 646
Concept of lead and concerned authority 718
Confidentiality 348
Consent 431, 620, 665, 695, 697 f., 915, 1102, 1104, 1126, 1134, 1162, 1178, 1212, 1217
– by electronic means 438
Consistency mechanism 726 f., 906
Contract 367
– between processor and sub-processor 993


Controller 115, 120, 127, 492, 770, 866, 965, 1204
– not established in the European Union 520
Cookie walls 1168
Cookies 1160, 1189, 1196
– consent to the use of 1165
Cooperation between authorities 725
Cooperation between companies and the supervisory authorities 713
Correction 644
Corrective powers 746
Credit scoring 1150
Criminal penalties 753
Cross-border-processing 717, 720
Customer profiling 371
Customer Relationship Management 1185
Data breach notification to data subject 700
Data breach notification to the supervisory authorities 736
Data concerning health 1036
Data minimisation 242, 315, 533, 1147, 1206
Data portability 663
Data processing 131
Data processing agreement 976
Data protection by default 322, 357, 533, 1202
Data protection by design 322, 357, 529, 1202
Data protection certifications 580
Data protection impact assessment 357, 547, 1067, 1152
Data protection officer 174, 357, 758
Data protection seals and marks 597
Data relating to criminal convictions and offences 769
Data security 541
Data subjects 104
Device fingerprint 1161 f.
Direct advertising 1188
– by mail 1140
Direct application 205
Direct marketing 374, 684, 1071, 1073, 1158
– definition 1072
– voice-to-voice calls 1132
Directive 2002/58/EC 1077
Domain 198
Do-not-track 1088


Door-to-door flyer advertising 1139
Double click solution 1196
Double-opt-in 468, 474, 1128
DPIA 731
Duties of the controller 602
Duty to cooperate 734
Effects doctrine 188
Electronic mail 1078
e-mail 1079, 1125, 1128, 1142
Employment relationships 208
Encryption 103, 307, 710
Enforcement 816
– empowerments 746
Engaging a processor 162
ePrivacy Regulation 1080, 1103, 1126, 1130, 1168
ePrivacy-Directive 1076 ff., 1089, 1102, 1125 f., 1130 f., 1134, 1140, 1142, 1162, 1211, 1217
Erasure 334
European Data Protection Board 35
Exercise of official authority 387
Explicit consent 485, 1039
Explicit purpose 272
External debt collection 372
Factual influence 129, 158
Fairness 252
Fax 1078
Federation of European Direct Marketing 1075
Filing system 56
Fraud prevention 371
Free choice 1168
Free movement of personal data 14
Free of charge 614, 686, 745
Fundamental rights 23, 403
Further processing 283, 284
General prohibition
– with exceptions 249
General provisions
– applicable to sub-processing 988
Genetic data 1030, 1033
Geolocation 1216
Group of undertakings 511, 776, 809, 870
Group privilege 510
Group-DPO 776
Guidelines 34
Harmonisation 3

Household exemption 63
Hybrid or community clouds 1013
Icons 1182, 1224
Identifiability 82
Identity of the data subject 610
Imbalance 1105
Implied consent 440, 485
Inaccurate data 326
– updating 330
Incompatibility 280, 308
Indication 434
Individual authorisation of contractual clauses 906
Information duties 619
Information obligations 1155, 1221
Information requirements 1095
Information society service 459, 1088, 1163, 1217
Infrastructure as a service 1014
Integrity 348
– and confidentiality 242
Interconnection 1141
Interest of the data subject 924
Investigative powers 564, 746
IP address 93, 1174
Joint controller 139, 227, 494, 513, 721, 771, 967, 1176, 1193
Joint processing 831
Joint responsibility 139
Lawful processing 358
Lawfulness 248
– fairness and transparency 242
Layered notice 1096, 1182, 1198, 1224
Legal claims 931
Legal grounds 360
Legal obligation 218, 375
Legal persons 110
Legislative power 20
Legislative procedure 1
Legitimate interests 395, 413, 1118, 1158, 1172, 1186, 1215
Legitimate purpose 275
Level 1 infringements 805
Level 2 infringements 807
Liability 508, 802
Limited to what is necessary 315, 365, 430
List broker 1144

Marketing
– direct 361
Material scope of application 44
Monitoring 766
Natural person 104
Necessity 315, 339
Newsletter 1128
Obligation to appoint a DPO 761
Obligation to inform 1155, 1180
Obligations of processors 171
One-stop-shop 16, 719, 721, 722
Online advertising 1095
Online and electronic communication services 231
Online behavioural advertising 1174
Online-shop 1199
Opening clauses 9, 206, 695
Opinion poll 1135
Opt-in 1089, 1126, 1130, 1134
Opt-out 426, 436, 1089
Oral consent 437
OS and device manufacturers 1208
Outsourcing 961, 1062
Performance of a contract 371, 921, 1219
Periodic review 330
– mechanisms 331
Personal data 66
– related to criminal convictions and offences 304, 420, 489
– special categories 481
Personal data breach 702
Personal scope of application 114
Photographs 1035
Platform as a Service 1014
Postal advertising 1138
Pre-contractual relations 367, 374
Principle of data minimisation 1154
Principle of lawfulness 1037
Principle of purpose limitation 134, 261
Principle of transparency 1093
Principles 241
Prior authorisation 989
Privacy by default 1208
Privacy by design 1159, 1208
Privacy notice 1095
Privacy policy 619, 1195, 1198, 1221
Privacy seals 580
Privacy Shield 853, 859, 860


Private clouds 1013
Privileged status 786
Processing 51
– by manual means 55
– on a large scale 765
Processing contract 166
Processor 115, 772, 866, 965, 969
Processor BCRs 979
Processors
– in third countries 971
– not established in the European Union 520
Profiling 225, 551, 602, 620, 632, 680, 684, 691, 696, 1122, 1149
Pseudonymisation 99, 307, 320
Public bodies 235
Public clouds 1013
Public health 650, 1051
Public interest 218, 387, 698, 927, 1049
Public register 953
Publicly available personal data 420
Public-private partnerships 376
Publisher 1175, 1177
Purpose limitation 242, 261, 1147, 1153, 1206
– principle of 1097
Purpose specification 1098
Purposes and means 125
Reasonable expectations 301, 419
Records of processing activities 175, 357, 525
Rectification 334, 642
Refer-a-friend 1142
Register for certifications 597
Remote access 636
Restriction 334
Restriction on interconnection 447, 1106
Retention 341
Retention obligations 1092
Right not to be subject to automated individual decision-making 691
Right of access 631, 1156
Right to be forgotten 649, 652, 1090, 1201
Right to object 679, 1084, 1089, 1111, 1158
Right to obtain erasure 649, 1090 ff., 1201
Right to restriction of processing 658
Right to review 697
Right to withdraw consent 1094, 1110
Rights of data subjects 13, 602


Risk assessment 418
Risk based approach 527, 548, 761, 766
Risk evaluation 542
Robinson list 686, 1086
Safe Harbour 853
– principles 855
Sarbanes-Oxley Act 378
Satisfaction survey 1135
Schrems Judgment 858
Scientific or historical research purposes 286
Scoring 361, 1150
Screening 1150
Secrecy obligation 785
Self-certification 860
Sensitive data 304
Sensitive nature 420
Sensor data 1202
Social bookmark 1197
Social media 1190
Social media page 1191
Social network 1190, 1192, 1194
Social plugin 1194, 1199
Software as a Service 1014
Special categories
– of data 385, 736
– of personal data 304, 767
Special categories of data 551
Special categories of personal data 420, 698, 1030
Specific prohibition with exceptions 1037
Specified, explicit and legitimate purposes 264
Specified purpose 267
Standard contractual clauses 977, 994, 1001
Standard data protection clauses 883, 892
Standardised icons 609
Statement 435
Statistical and aggregate data 1170
Statistical purposes 286, 1158, 1170
Statutory exceptions 1042
Storage limitation 242, 337
Sub-processing 984
Sub-processors 1024
Sweepstake 1141
Targeted advertising 694, 1179, 1185
Tasks of a DPO 797
Tasks of the supervisory authorities 743

Technical and organisational measures 813
Telecom operators 1217
Telemarketing 1132
Tell-a-friend 1142
Territorial applicability 188
Territorial scope of application 188
Third countries 840
Third country transfers 996
Tracking 1161 f., 1174, 1189, 1199
Transparency 255, 1024, 1026, 1206
Two-step-test 841, 940
Undertaking 809

Unfair Commercial Practices Directive 1076, 1081, 1125, 1133, 1139
Uniform interpretation 30
Unsolicited communications 1077, 1136
US Department of Commerce 860
User generated data 1202
Video surveillance 361
Vital interests 383, 950
Web analytics 1199
Website 1187
WhatsApp 1089, 1127
White lists 555
