GDPR Articles With Commentary & EU Case Laws by Adv. Prashant Mali (red seas under red skies txt) π
Read free book Β«GDPR Articles With Commentary & EU Case Laws by Adv. Prashant Mali (red seas under red skies txt) πΒ» - read online or download for free at americanlibrarybooks.com
- Author: Adv. Prashant Mali
Read book online Β«GDPR Articles With Commentary & EU Case Laws by Adv. Prashant Mali (red seas under red skies txt) πΒ». Author - Adv. Prashant Mali
finding remains factually and legally justified. Account must be taken of the circumstances that have arisen after the adoption of the decision. The Commissionβs discretion as to adequacy is reduced and is subject to strict scrutiny, in view of the important role played by data protection in the light of the fundamental right to respect for private life and the large number of persons potentially concerned by transfers.
Safe harbour: US public authorities are not required to comply with safe harbor principles. Decision 2000/520 specifies that safe harbor principles may be limited to the extent necessary to meet national security, public interest or law enforcement requirements, or statute, regulation or case law. Self-certified US organisations receiving personal data from the EU are thus bound to disregard safe harbor principles when they conflict with US legal requirements. Decision 2000/520 does not contain sufficient findings regarding US measures which ensure adequacy by reason of domestic law or international commitments.
Interference with fundamental right: Decision 2000/520 enables interference with the fundamental right to respect for private life of persons whose personal data is or could be transferred from the EU to the US.
Necessity/proportionality: The Decision does not contain any finding regarding US rules intended to limit the interference when they pursue legitimate objectives such as national security, nor refer to effective legal protection against such interference. FTC procedures and private dispute resolution mechanisms concern compliance with safe harbor principles (against US organisations) and cannot be applied with respect to measures originating from the State. Moreover, the Commission found that US authorities could access the personal data transferred and process it in a way incompatible with the purposes for which it was transferred, and beyond what was strictly necessary and proportionate for the protection of national security, and data subjects had no redress regarding their rights of access, rectification and erasure. Legislation permitting public authorities to have generalized access to the content of electronic communications compromises the essence of the fundamental right to respect for private life. Legislation not providing for any possibility for an individual to pursue legal remedies in order to have access, rectification or erasure of his own personal data does not respect the essence of the fundamental right to effective judicial protection.
Thus, Article 1 of the Decision does not ensure adequacy and the decision is consequently invalid.
Articles 1 and 3 are inseparable from 2 and 4 and the annexes, thus the entire Decision 2000/520 is invalid.
DECISIONS
T-320/02, ESCH-LEONHARDT AND OTHERS V EUROPEAN CENTRAL BANK, 18.2.2004 (βESCH-LEONHARDTβ)
Application for annulment of ECB decision to include in applicants' personal files a letter concerning their use of the internal e-mail system for transmitting union information, and for damages.
Definition of processing: Inclusion of the letters in the personal files constitutes processing by saving data in a personal data filing system as provided in Article 2(a),
(b) and (c) of Regulation 45/2001.
Necessity/proportionality: The ECB may be entitled to consider that inclusion of the letters is necessary for the performance of their contracts of employment. Insofar as the letters send a warning to those concerned, they relate to their administrative status and may become relevant for a report on their conduct in the service; thus it is appropriate to include them. A shortened version, omitting reference to relations between those concerned and the trade union, would not be sufficient for proper management of personal files. The fact that the staff in question contravened rules on the use of the ECB's internal email system by using it, as members of trade union, for purposes of that union, and not for gainful purposes, is liable to influence the assessment of their conduct in the service.
Sensitive data: Inclusion of the letters does not infringe Article 10(1) as it concerns data, which the persons themselves have manifestly made public within the meaning of Article 10(2)(d).
T-198/03, BANK AUSTRIA CREDITANSTALT AG V COMMISSION OF THE EUROPEAN COMMUNITIES, 30.5.2006 (βBANK AUSTRIAβ)
Application for annulment of decision of Commission's hearing officer to publish the non-confidential version of a Commission decision in a cartel case. The applicant (a legal person) argued, inter alia, that in numerous passages of the decision, it was possible to identify natural persons who participated on its behalf in meetings, the purpose of which was to restrict competition, which contravenes Regulation 45/2001.
Legal person: A legal person does not belong to the circle of persons which Regulation 45/2001 is intended to protect. That conclusion cannot be invalidated by the applicant's arguments of its supposed obligations towards directors and employees under Member State law, given that they consist of unsubstantiated contentions. These arguments are not sufficient to demonstrate the applicant's personal interest in relying on a breach of Regulation 45/2001.
T-259/03, NIKOLAOU V. COMMISSION, 12.9.2007 (βNIKOLAOUβ)
Action for non-contractual liability based on acts and omissions of OLAF. OLAF had disclosed certain information about its investigation concerning the applicant: a leak of information to a journalist; its annual report with information about the investigation; and its press statement. The applicant had requested access to the file and the final case report.
Non-contractual liability: Normal rule is that the burden of proof is on the applicant to establish: i) the illegal action of an institution; ii) damages; iii) proof that the damages were caused by the illegal action of the institution. However, the burden of proof shifts to the institution when a fact giving rise to damages could have resulted from various causes, and the institution has not introduced any element of proof as to which was the true cause, even though it was best placed to do so. The Court concluded that the OLAF staff member leaked information (including PD) to a journalist, which was published, and OLAFβs press release confirmed the veracity of facts (including PD) that had been mentioned in several press articles.
Definition of personal data: The information published in the press release was personal data, since the data subject was easily identifiable, under the circumstances. The fact that the applicant was not named did not protect her anonymity.
Definition of processing: 1. the leak (unauthorised transmission of personal data to a journalist by someone inside OLAF) and
the publication of press release each constitute processing of personal data.
Lawfulness: The leak constitutes unlawful processing in violation of Article 5 of Regulation 45/2001 because it was not authorized by the data subject, not necessary under the other sub-paragraphs and it did not result from a decision by OLAF. Even though OLAF has a margin of discretion on transmissions, here it was not exercised because the leak is an unauthorized transmission. OLAF is best placed to prove how the leak occurred and that the Director of OLAF did not violate his obligations under Article 8(3) of Regulation 1073/99. In the absence of such proof, OLAF (the Commission) must be held responsible. No concrete showing was made of an internal system of control to prevent leaks or that the information in question had been treated in a manner that would guarantee its confidentiality.
Publication of the press release was not lawful under Article 5(a) and (b) because the public did not need to know the information published in the press release at the time of its publication, before the competent authorities had decided whether to undertake judicial, disciplinary or financial follow-up.
Damages: A violation of Regulation 45/2001 qualifies as an illegal act of an institution conferring rights on an individual. The objective of the Regulation is to confer such rights on DSs.
A leak of personal data is necessarily a grave and manifest violation. The Director has a margin of appreciation on prevention, but here no showing was made regarding the exercise of the margin.
OLAF gravely and manifestly exceeded the limits of its discretion in the application of Article 5(a) and (e), which was sufficient to engage the responsibility of the Community.
3000 euros damages were awarded.
T-161/04, JORDANA V. COMMISSION, 7.7.2011 (βJORDANAβ)
Action for annulment of Commission decision refusing the applicant's request under Regulation 1049/2001 for access to the reserve list of successful candidates for a competition, in which he was himself a successful candidate, and for individual decisions nominating officials of grade A6 from 5.10.1995. The Commission had declined his request, based on the exception in Article 4(1)(b) of Regulation 1049/2001 regarding the right of privacy and integrity of the individual. The Commission reasoned that the candidates had not been informed in the notice of competition that the list of laureates would be published, and thus it would violate their private life to provide him with the list. The Commission stated in its reply that it may be possible for the applicant to gain access on the basis of Regulation 45/2001, and invited the applicant to present a request under that Regulation to the controller. The applicant's confirmatory application was also rejected. (The EDPS intervened in the case).
Article 4(1)(b): This provision is indivisible, and requires that the violation of private life and the integrity of the individual are always analyzed in conformity with the right to protection of personal data. Thus it establishes a specific regime where personal data may be communicated to the public. Since this case concerns the processing of personal data, the request must be analyzed under Regulation 45/2001. In rejecting the application for access to documents, the Commission had failed to apply Regulation 45/2001 in its analysis, and thus erred.
Definition of personal data: The first and last names of the persons on the reserve list and the officials mentioned in the individual decisions of appointment to grade A6 can be considered to fall within the personal data definition.
Definition of processing: Transfer of the data constitutes processing.
T-82/09, DENNEKAMP V. EUROPEAN PARLIAMENT, 23.11.2011 (βDENNEKAMP Iβ)
Application for annulment of European Parliament decision refusing to grant access to documents under Regulation 1049/2001 relating to the affiliation of certain MEPs to the additional pension scheme. Parliament had refused access on the ground that disclosure would be incompatible with Regulation 45/2001. At the hearing, the applicant submitted that he needed to have access to the personal data on grounds of public interest in accountability, transparency and control over public expenditure.
Balancing fundamental rights: Regulation 1049/2001 and Regulation 45/2001 do not contain any provisions granting one primacy over the other, therefore full application of both should, in principle, be ensured.
Article 8(b): Where a request based on Regulation 1049/2001 seeks access to documents containing personal data, Regulation 45/2001 becomes applicable in its
entirety, including Article 8. The applicant cannot claim that the processing he requested was lawful on the basis of Article 5(b) and this suffices, since Article 8(b) applies without prejudice to Article 5.
In order to obtain disclosure of the personal data contained in the documents, the applicant would have had to demonstrate, by providing express and legitimate justifications, the necessity for the requested personal data to be transferred, so that the Parliament could weigh up the various interests of the parties concerned and determine whether legitimate interests of MEPs might be prejudiced by the transfer. The applicant failed to establish why he needed the names to obtain his objectives. He did not explain with
Comments (0)