lecture 7 Flashcards

1
Q

„Classical“ Data Subject Rights

A

Art. 12-19

  • Information:
    ◦ Art. 12: in general
    ◦ Art. 13/14: direct vs. indirect collection (ex ante)
    ◦ Art. 15: access (ex post)
  • Rectification
  • Erasure
  • Restriction
  • Objection
2
Q

On Top data subject rights

A
  • Right to be forgotten (Art. 17)
  • Data Portability (Art. 20)
  • No automated Decision Making (Art. 22)
3
Q

Right to be forgotten

A
  • Principle (Art. 17 par 1)
    ◦ The data subject shall have the right to obtain from the controller the erasure of
      personal data concerning him or her without undue delay and the controller shall
      have the obligation to erase personal data without undue delay
  • Obligation to transfer information to third parties (Art. 17 par 2)
    ◦ Where the controller has made the personal data public and is obliged
      pursuant to paragraph 1 to erase the personal data, the controller, taking account
      of available technology and the cost of implementation, shall take reasonable
      steps, including technical measures, to inform controllers which are processing
      the personal data that the data subject has requested the erasure by such
      controllers of any links to, or copy or replication of, those personal data.
  • Not applicable if processing is necessary for exercising the right of freedom of
    expression and information (Art. 17 par 3)
4
Q

Right to be forgotten – Google Spain, C-131/12

A
  • Data processing
  • Within territorial Scope
  • It depends
5
Q

Data Portability (Art. 20)

A
  • Principle (art. 20 par 1)
    ◦ The data subject shall have the right to receive the personal data
      concerning him or her, which he or she has provided to a controller, in a
      structured, commonly used and machine-readable format and
    ◦ have the right to transmit those data to another controller without
      hindrance from the controller to which the personal data have been
      provided
  • Exception (art. 20 par 4)
    ◦ The right shall not adversely affect the rights and freedoms of others.
6
Q

Automated Decision Making (Art. 22)

A

processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
2. Paragraph 1 shall not apply if the decision:
a) is necessary for entering into, or performance of, a contract between the data subject and a data controller;
b) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate
interests; or
c) is based on the data subject’s explicit consent.
7
Q

The answer to the machine … (Art. 25)

A

  • 1. Taking into account
    ◦ the state of the art,
    ◦ the cost of implementation and
    ◦ the nature, scope, context and purposes of processing as well as the risks of
      varying likelihood and severity for rights and freedoms of natural persons posed
      by the processing,
    the controller shall,
    ◦ both at the time of the determination of the means for processing and
    ◦ at the time of the processing itself,
    implement appropriate technical and organisational measures, such as
    pseudonymisation, which are designed to implement data-protection principles,
    such as data minimisation, in an effective manner and to integrate the necessary
    safeguards into the processing in order to meet the requirements of this
    Regulation and protect the rights of data subjects.
  • 2. The controller shall implement appropriate technical and organisational
    measures for ensuring that, by default, only personal data which are necessary
    for each specific purpose of the processing are processed. That obligation
    applies to the amount of personal data collected, the extent of their
    processing, the period of their storage and their accessibility. In particular,
    such measures shall ensure that by default personal data are not made
    accessible without the individual’s intervention to an indefinite number of
    natural persons.
8
Q

DPO (Art. 37)

A
  • Compulsory, whenever
    ◦ (a) the processing is carried out by a public authority or body, except for courts
      acting in their judicial capacity;
    ◦ (b) the core activities of the controller or the processor consist of processing
      operations which, by virtue of their nature, their scope and/or their purposes,
      require regular and systematic monitoring of data subjects on a large scale; or
    ◦ (c) the core activities of the controller or the processor consist of processing on
      a large scale of sensitive data and data relating to criminal convictions and
      offences
  • In other cases: voluntary (art. 37 par 4) (if not provided otherwise by Member
    State law)
9
Q

Data Security (Art. 32)

A
  • Principle
    ◦ Taking into account the state of the art, the costs of implementation and the
      nature, scope, context and purposes of processing as well as the risk of varying
      likelihood and severity for the rights and freedoms of natural persons,
    ◦ the controller and the processor shall implement appropriate technical and
      organisational measures
    ◦ to ensure a level of security appropriate to the risk
10
Q

Ex ante control – DPIA (Art 35)

A

  • Principle
    ◦ Where a type of processing in particular using new technologies, and
      taking into account the nature, scope, context and purposes of the
      processing, is likely to result in a high risk to the rights and freedoms of
      natural persons, the controller shall, prior to the processing, carry out an
      assessment of the impact of the envisaged processing operations on the
      protection of personal data
11
Q

Transfer

A
  • Art. 44 et seq.
    ◦ "All provisions in this Chapter shall be applied in order to ensure that the
      level of protection of natural persons guaranteed by this Regulation is not
      undermined."
12
Q

Options

A

  • Adequacy Decision
  • Appropriate Safeguards
    ◦ Standard Data Protection Clauses
    ◦ BCR
    ◦ Code of Conduct
    ◦ …
  • In very rare cases: explicit consent (derogations, art. 49)
13
Q

Supervisory Authorities

A
  • Art. 51 et seq.
  • Cooperation: Art. 56, Art. 60 et seq.
  • EDPB
14
Q

Compensations, Fines

A
  • Art. 82 et seq.
  • Please read C-300/21
15
Q

Regulatory Regime for non-personal Data

A
  • Regulation (EU) 2018/1807 of the European Parliament and of the Council
    of 14 November 2018 on a framework for the free flow of non-personal
    data in the European Union
16
Q

Art. 2 (2)

A

In the case of a data set composed of both personal and non-personal data,
this Regulation applies to the non-personal data part of the data set. Where
personal and non-personal data in a data set are inextricably linked, this
Regulation shall not prejudice the application of Regulation (EU) 2016/679.

17
Q

Free movement of data within the Union

A
  • Principle (1): Free Movement
  • Principle (2): Access for authorities everywhere
  • Article 4 (1)
    ◦ Data localisation requirements shall be prohibited, unless they
    are justified on grounds of public security in compliance with
    the principle of proportionality. The first subparagraph is
    without prejudice to paragraph 3 and to data localisation
    requirements laid down on the basis of existing Union law.
  • Art. 5 (1)
    ◦ This Regulation shall not affect the powers of competent
    authorities to request, or obtain, access to data for the
    performance of their official duties in accordance with Union or
    national law. Access to data by competent authorities may not
    be refused on the basis that the data are processed in another
    Member State.
18
Q

Self Regulation

A
  • Art. 6 (1)
    ◦ The Commission shall encourage and facilitate the development of self-regulatory
      codes of conduct at Union level (‘codes of conduct’), in order to contribute to a
      competitive data economy, based on the principles of transparency and
      interoperability and taking due account of open standards […]
19
Q

Article 5 Data availability for competent authorities

A
  1. This Regulation shall not affect the powers of competent authorities to
    request, or obtain, access to data for the performance of their official
    duties in accordance with Union or national law. Access to data by
    competent authorities may not be refused on the basis that the data
    are processed in another Member State.
  2. Where, after requesting access to a user’s data, a competent authority
    does not obtain access and if no specific cooperation mechanism exists
    under Union law or international agreements to exchange data
    between competent authorities of different Member States, that
    competent authority may request assistance from a competent
    authority in another Member State in accordance with the procedure
    set out in Article 7.
20
Q

Platforms

A

  • DSA (Digital Services Act)
  • DMA (Digital Markets Act)
  • Regulation (EU) 2018/1807 of the European Parliament and of the Council
    of 14 November 2018 on a framework for the free flow of non-personal
    data in the European Union
  • Directive 2019/790 of the European Parliament and of the Council of 17
    April 2019 on copyright and related rights in the Digital Single Market and
    amending Directives 96/9/EC and 2001/29/EC
  • Regulation (EU) 2019/1150 of the European Parliament and of the Council
    of 20 June 2019 on promoting fairness and transparency for business
    users of online intermediation services

21
Q

The 1990s Principles (Directive 2000/31/EC)

A

  • Information Society Service (Provider)
    ◦ Electronic
    ◦ Distance
    ◦ Individual Request
    ◦ As a rule against remuneration
  • Country of Origin
  • Electronic Contracts
  • Safe Harbor (Notice and Take Down)

22
Q

The Traditional Principle

A

  • E-Commerce Directive (2000/31/EC)
  • Liability limitations for intermediaries
    ◦ Mere Conduit (art. 12)
    ◦ Caching (art. 13)
    ◦ Hosting (art. 14)
  • Principle: No general obligation to monitor (art. 15)
    ◦ Member States shall not impose a general obligation on providers, when providing the
      services covered by Articles 12, 13 and 14, to monitor the information which they
      transmit or store, nor a general obligation actively to seek facts or circumstances
      indicating illegal activity.
    ◦ Member States may establish obligations for information society service providers
      promptly to inform the competent public authorities of alleged illegal activities
      undertaken or information provided by recipients of their service or obligations to
      communicate to the competent authorities, at their request, information enabling the
      identification of recipients of their service with whom they have storage agreements.