GDPR Articles With Commentary & EU Case Laws by Adv. Prashant Mali (red seas under red skies txt) 📕
Read free book «GDPR Articles With Commentary & EU Case Laws by Adv. Prashant Mali (red seas under red skies txt) 📕» - read online or download for free at americanlibrarybooks.com
- Author: Adv. Prashant Mali
Read book online «GDPR Articles With Commentary & EU Case Laws by Adv. Prashant Mali (red seas under red skies txt) 📕». Author - Adv. Prashant Mali
Implementing acts on standard contractual clauses
The examination procedure should be used for the adoption of implementing acts on standard contractual clauses between controllers and processors and between processors; codes of conduct; technical standards and mechanisms for certification; the adequate level of protection afforded by a third country, a territory or a specified sector within that third country, or an international organisation; standard protection clauses; formats and procedures for the exchange of information by electronic means between controllers, processors and supervisory authorities for binding corporate rules; mutual assistance; and arrangements for the exchange of information by electronic means between supervisory authorities, and between supervisory authorities and the Board.
Immediately applicable implementing acts
The Commission should adopt immediately applicable implementing acts where available evidence reveals that a third country, a territory or a specified sector within that third country, or an international organisation does not ensure an adequate level of protection, and imperative grounds of urgency so require.
Principle of subsidiarity and principle of proportionality
Since the objective of this Regulation, namely to ensure an equivalent level of protection of natural persons and the free flow of personal data throughout the Union, cannot be sufficiently achieved by the Member States and can rather, by reason of the scale or effects of the action, be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union (TEU). In accordance with the principle of proportionality as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve that objective.
Repeal of Directive 95/46/EC and transitional provisions
Directive 95/46/EC should be repealed by this Regulation. Processing already under way on the date of application of this Regulation should be brought into conformity with this Regulation within the period of two years after which this Regulation enters into force. Where processing is based on consent pursuant to Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of this Regulation, so as to allow the controller to continue such processing after the date of application of this Regulation. Commission decisions adopted and authorisations by supervisory authorities based on Directive 95/46/EC remain in force until amended, replaced or repealed.
Consultation of the European Data Protection Supervisor
The European Data Protection Supervisor was consulted in accordance with Article 28(2) of Regulation (EC) No 45/2001 and delivered an opinion on 7 March 2012.
Relationship to Directive 2002/58/EC
This Regulation should apply to all matters concerning the protection of fundamental rights and freedoms vis-à-vis the processing of personal data which are not subject to specific obligations with the same objective set out in Directive 2002/58/EC of the European Parliament and of the Council¹, including the obligations on the controller and the rights of natural persons. In order to clarify the relationship between this Regulation and Directive 2002/58/EC, that Directive should be amended accordingly. Once this Regulation is adopted, Directive 2002/58/EC should be reviewed in particular in order to ensure consistency with this Regulation.
* * *
APPENDIX 2: EU/ EEA NATIONAL SUPERVISORY AUTHORITIES
c
Country
National Data Protection Authority
Website
1
United Kingdom
The Information Commissioner’s Office
https://ico.org.uk
2
Austria
Österreichische Datenschutzbehörde
www.dsb.gv.at
3
Belgium
Commission de la protection de la vieprivĕe
www.privacycommission.be
4
Bulgaria
Commission for Personal Data Protecton
www.cpdb.bg
5
Croatia
Croatian Personal Data Protection
www.azop.hr
6
Cyprus
Commissioner for Personal Data Protection
www.dataprotection.gov.cy
7
Czech Republic
The Officer for Personal Data Protection
www.uoou.cz
8
Denmark
Datatilsynet
www.datatilsynet.dk
9
Estonia
Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)
www.aki.ee/en
10
Finland
Office of the Data Protection Ombudsman
www.tietosuoja.fi/en
11
France
Commission Nationale de I’Informatique et des Libertĕs - CNIL
www.cnil.fr
12
Germany
Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit
www.bfdi.bund.de
13
Greece
Hellenic Data Protection Authority
www.dpa.gr
14
Hungry
Data Protection Commissioner of Hungry
www.naih.hu
15
Iceland
Icelandic Data Protection Agency
http://personuvernd.is
16
Ireland
Data Protection Commissioner
http://www.dataprotection.ie
17
Italy
Garante per la protezione dei dati personali
www.garanteprivacy.it
18
Latvia
Data Sate Inspectorate
www.dvi.gov.lv
19
Liechtenstei n
Data Protection Office
www.dss.llv.li
20
Lithuania
State Data Protection
www.ada.lt
21
Luxembourg
Commission Nationale pour la Protection des Donnĕes
www.cnpd.lu
22
Malta
Office of the Data Protection Commissioner
www.dataprotection.gov.mt
23
Netherland
Authoriteit Persoonsgegevens
https://authoriteitpersoonsgegevens.nl
24
Norway
Datatillsynet
www.datatilsynet.no
25
Poland
The Bureau of the Inspector General for the Protection of Personal Data – GIODO
www.giodo.gov.pl
26
Portugal
Comissão Nacional de Proteҫão de Dados - CNPD
www.cnpd.pt
27.
Romania
The National Supervisory Authority for Personal Data Processing
www.dataprotection.ro
28
Slovakia
Office for Personal Data Protection of the SlovakRepublic
www.dataprotection.gov.sk
29
Slovenia
Information Commissioner
www.ip-rs.si
30
Spain
Agencia de Protecciόn de Datos
www.agpd.es
31
Sweden
Datainspektionen
www.edoeb.admin.ch
32
Switzerland
Data Protection and Information Commissioner of Switzerland
www.edoeb.admin.ch
33
European Union
European Data Protection Supervisor
www.edps.europa.eu/EDPSWEB
APPENDIX 3: LOOPHOLES IN GDPR
The EU General Data Protection Regulation (GDPR) is an impressive act of legislation. Some people call it a great law.
The GDPR sets out to provide individuals with protection of their personal data. Secondary goals are to balance the rights of individuals against other rights (including public interest) and to ensure a consistent rule of law for personal data throughout the EU. These goals had to be translated into words that can be legally enforced. The law has ended up with a lot of words — more than 55,000 — the result of four years of negotiations between the many interested parties. Naturally, there are imperfections. Some businesses and others don’t like the law and would prefer to avoid it when they can. They will be exploring the imperfections, looking for loopholes.
FIVE LOOPHOLES — SUMMARY
‘Controllers’ outside the EU
The GDPR is meant to protect people in the EU when their personal data is controlled by organisations outside the EU, but it may not. Weaknesses in the wording of the law give the chance for organisations to collect data and ignore the GDPR. Once data ‘escapes’ from the GDPR, it can be passed on to others without legal protection. The GDPR states a couple of times in its recitals that protection of personal data of natural persons should take place “whatever their nationality or residence”. The previous data protection directive covered any organisation processing personal data in the EU but did not guarantee the protection of every person in the EU (when their data was processed by an organisation outside the EU). The authors of the GDPR set out to change this, to cover any organisation in the EU that handles personal data and any individual in the EU whose personal data is handled by an organisation, wherever that organisation is based.
The reasoning is obvious. An individual can enter a website and give their personal data, without knowing where their data will be processed. The legislators wanted to give people the assurance that EU law would protect them in all cases.
Take the analogy of going to buy something at a shop in the EU. The purchaser is protected by EU consumer law and doesn’t have to think twice about it — the shopkeeper cannot say “this product is from India and therefore we apply Indian laws of product safety and consumer rights”. The GDPR has set out to create the same situation in the online world: you are protected, full stop.
The devil is in the detail, in the wording of the law. The GDPR states that its territorial scope includes the processing of personal data of someone in the EU by organisations outside, “where the processing activities are related to the offering of goods or services” to that person. The phrase “the offering of goods or services” is subject to different interpretations.
You could reasonably ask, why doesn’t the regulation just say “related to the marketing or supply of goods or services” or perhaps even simpler “related to a data subject in the EU”? However, the GDPR was written by lawyers and this wording of “offering” originates from legalese applied in the context of EU competition law. There is ample case law regarding its interpretation, based on the definition of “undertaking” meaning an entity that carries on an “economic activity” and that the measure of an economic activity is “offering goods or services” (even if no payment occurs). The case law shows a broad interpretation of “offering goods or services” to cover sales, supply and even purchasing.
Therefore, the original drafters who decided to put in the words “offering goods or services” probably intended to cover any marketing or commercial activity that engages an individual in the EU (with the words “irrespective of whether a payment of the data subject is required” added later in the drafting process to ensure that it covers the new business models of online services such as social media).
Nevertheless, when the regulation was negotiated — and there was a lot of lobbying —
words were added to a recital (the ‘contextual’ paragraphs before the main articles of the regulation) which took a different point of reference for interpreting “offering goods or services”. Guided perhaps by the idea that an “offer” takes place before any transaction, the following words were added to Recital 23:
In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union. Whereas the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.
This wording says that the test is based on whether the organisation “envisages” offering goods and services, not on whether it does in fact offer, or supply, or simply obtain personal data.
This wording originates from a legal judgment that determines in which jurisdiction within the EU (in other words, in which EU country) a case should be heard in a court of law. This case, combining two different actions known as Pammer and Hotel Alpenhof, was judged in 2010 by the CJEU and therefore forms part of EU case law. However, the nature and effect of this case is quite different from the context used in the GDPR. Firstly, the court was asked to determine in which jurisdiction a court case should be held, not to determine the territorial scope of application of a law. Secondly, the result was to make a defendant’s claim subject to one of two
alternative member state courts, not to either award or deny the protection of a law. (Note: The GDPR contains explicit provisions for determining the jurisdiction, both for administrative and
Comments (0)