Reading Week 2 Flashcards

1
Q

How are the right to respect for private life and the right to protection of personal data closely related?

A

Both strive to protect similar values, i.e. the autonomy and human dignity of individuals, by granting them a personal sphere in which they can freely develop their personalities, think and shape their opinions. They are thus an essential prerequisite for the exercise of other fundamental freedoms, such as freedom of expression, freedom of peaceful assembly and association, and freedom of religion.

2
Q

How do the right to respect for private life and the right to personal data protection differ?

A

The two rights differ in their formulation and scope. The right to respect for private life consists of a general prohibition on interference, subject to some public interest criteria that can justify interference in certain cases. The protection of personal data is viewed as a modern and active right, putting in place a system of checks and balances to protect individuals whenever their personal data are processed. The processing must comply with the essential components of personal data protection, namely independent supervision and the respect for the data subject’s rights.

3
Q

What does Article 8 of the EU Charter of Fundamental Rights say?

A

Article 8 of the EU Charter of Fundamental Rights (the Charter) not only affirms the right to personal data protection, but also spells out the core values associated with this right. It provides that the processing of personal data must be fair, for specified purposes, and based on either the consent of the person concerned or a legitimate basis laid down by law. Individuals must have the right to access their personal data and to have it rectified, and compliance with this right must be subject to control by an independent authority.

4
Q

When does the right to personal data protection come into play?

A

The right to personal data protection comes into play whenever personal data are processed; it is thus broader than the right to respect for private life. Any processing operation of personal data is subject to appropriate protection. Data protection concerns all kinds of personal data and data processing, irrespective of the relationship and impact on privacy. Processing of personal data may also infringe on the right to private life, as shown in the examples below. However, it is not necessary to demonstrate an infringement on private life for data protection rules to be triggered.

5
Q

Which situations does the right to privacy concern?

A

The right to privacy concerns situations where a private interest, or the “private life” of an individual, has been compromised. As demonstrated throughout this handbook, the concept of “private life” has been broadly interpreted in the case law, as covering intimate situations, sensitive or confidential information, information that could prejudice the perception of the public against an individual, and even aspects of one’s professional life and public behaviour. However, the assessment of whether or not there is, or has been, an interference with “private life” depends on the context and facts of each case.

6
Q

Can the one right imply the other?

A

By contrast, any operation involving the processing of personal data could fall under the scope of data protection rules and trigger the right to personal data protection.

7
Q

How does the United Nations recognize personal data protection?

A

The United Nations framework does not recognise personal data protection as a fundamental right, although the right to privacy is a long-established fundamental right in the international legal order.

While earlier resolutions focused on the negative effects of mass surveillance and the responsibility of states to constrain the powers of intelligence authorities, more recent resolutions reflect a key development in the debate on privacy in the United Nations. The resolutions adopted in 2016 and 2017 reaffirm the need to limit the powers of intelligence agencies and condemn mass surveillance. Thus, in addition to the responsibility of state authorities, the resolutions point to the private sector’s responsibility to respect human rights, and call for companies to inform users about the collection, use, sharing and retention of personal data and to establish transparent processing policies.

8
Q

How is the respect for private life not an absolute right under the ECHR?

A

The respect for private life is not an absolute right, as the exercise of the right to privacy could compromise other rights, such as freedom of expression and access to information and vice versa. Hence, the Court strives to find a balance between the different rights at stake. It has clarified that Article 8 of the ECHR not only obliges states to refrain from any actions that might violate this convention right, but that they are in certain circumstances also under positive obligations to actively secure effective respect for private and family life.

The fundamental right to personal data protection under Article 8 of the Charter is not an absolute right, “but must be considered in relation to its function in society”.

The right to respect for private life is not an absolute right, but must be balanced against, and reconciled with, other legitimate interests and rights, be they of other persons (private interests) or of society as a whole (public interests).

9
Q

What is Convention 108 of the Council of Europe?

A

In 1981, a Convention for the protection of individuals with regard to automatic processing of personal data (Convention 108) was opened for signature. Convention 108 was, and still remains, the only legally binding international instrument in the data protection field.

Convention 108 applies to all data processing carried out by both the private and public sectors, including data processing by the judiciary and law enforcement authorities. It protects individuals against abuses that may accompany the processing of personal data, and seeks, at the same time, to regulate the transborder flows of personal data. As regards the processing of personal data, the principles laid down in the convention concern, in particular, fair and lawful collection and automatic processing of data, for specified legitimate purposes. They also concern the quality of the data, in particular that they must be adequate, relevant and not excessive (proportionality), as well as accurate.

10
Q

Why did the GDPR emerge?

A

The adoption of the General Data Protection Regulation in 2016 modernised EU data protection legislation, making it fit for protecting fundamental rights in the context of the digital age’s economic and social challenges. The GDPR preserves and develops the core principles and rights of the data subject provided for in the Data Protection Directive. Under EU law, regulations are directly applicable; there is no need for national implementation.

11
Q

What does the GDPR lay down?

A

The General Data Protection Regulation lays down general rules to protect individuals in relation to the processing of their personal data, and to ensure the free movement of such data within the EU.

12
Q

What does the CJEU do?

A

The CJEU has jurisdiction in determining whether or not a Member State has fulfilled its obligations under EU data protection law, and in interpreting EU legislation to ensure its effective and uniform application throughout the Member States.

13
Q

What are the cumulative conditions under which an interference could be justified?

A
  1. in accordance with the law
    According to the case law of the ECtHR, an interference is in accordance with the law if it is based on a provision of domestic law that has certain qualities.
  2. pursuing a legitimate aim
    Legitimate aims that could justify an interference are, pursuant to Article 8 (2) of the ECHR, the interests of national security, public safety or the economic well-being of a country, the prevention of disorder or crime, the protection of health or morals, and the protection of rights and freedoms of other persons.
  3. necessary in a democratic society
    The ECtHR has stated that “the notion of necessity implies that the interference corresponds to a pressing social need and, in particular, that it is proportionate to the legitimate aim pursued”.
    When assessing whether a measure is necessary to address a pressing social need, the ECtHR examines its relevance and suitability in relation to the pursued aim. To this end, it may take into consideration whether the interference tries to address an issue which, if not addressed, could have a detrimental effect on society, whether there is evidence that the interference may mitigate such detrimental effect, and what the broader societal views on the issue at stake are.
14
Q

According to Article 52 of the Charter, when are limitations on the exercise of the right to the protection of personal data admissible?

A
  1. are provided for by law and
    Limitations on the right to personal data protection must be provided for by law.
  2. respect the essence of the right to data protection and
  3. subject to the principle of proportionality are necessary and
    A limitation may be necessary if there is a need to adopt measures for the public interest objective pursued – but necessity, as interpreted by the CJEU, also implies that the measures adopted must be less intrusive compared to other options for achieving the same goal.
    Proportionality means that the advantages resulting from the limitation should outweigh the disadvantages the latter causes on the exercise of the fundamental rights at stake.
  4. meet objectives of general interest recognized by the Union or the need to protect the rights and freedoms of others

It is immaterial whether the personal data in question relate to an individual’s private life, are sensitive, or whether the data subjects have been inconvenienced in any way. To be lawful, the interference has to comply with all the conditions listed in Article 52 (1) of the Charter.

15
Q

What is the relationship between the Charter and the ECHR?

A

Despite involving different wording, conditions for lawful limitations on the rights in Article 52 (1) of the Charter are reminiscent of Article 8 (2) of the ECHR concerning the right to respect for private life. In their case law, the CJEU and the ECtHR often refer to each other’s judgments, as part of the constant dialogue between the two courts to seek a harmonious interpretation of data protection rules.

16
Q

How is personal data defined?

A

Under EU law as well as under CoE law, ‘personal data’ is defined as information relating to an identified or identifiable natural person.

17
Q

What is a data subject?

A

If data about such a person are being processed, this person is called the ‘data subject’.

18
Q

What are the definitions of a data subject under EU law?

A

Under EU law, natural persons are the only beneficiaries of data protection rules and only living beings are protected under European data protection law. The General Data Protection Regulation (GDPR) defines personal data as any information relating to an identified or identifiable natural person.

EU data protection law does not cover data processing which concerns legal persons, and in particular does not concern undertakings established as legal persons.

19
Q

What is personal data?

A

Any kind of information can be personal data provided that it relates to an identified or identifiable person.

Personal data covers information pertaining to the private life of a person, which also includes professional activities, as well as information about his or her public life.

20
Q

Is the form in which data is stored relevant for data protection law?

A

As to the form in which the personal data is stored or used, it is important to note that it is not relevant to the applicability of data protection law. Written or spoken communications may contain personal data as well as images.

As long as the data relate to the individual’s inherited or acquired genetic characteristics, provide unique information about their health or physiology, and result from an analysis of a biological sample from that person.

21
Q

Which categories are considered as sensitive data under GDPR and Modernised Convention 108, article 6?

A

Within the framework of Modernised Convention 108 (Article 6) and the GDPR (Article 9), the following categories are considered sensitive data:
* personal data revealing racial or ethnic origin;
* personal data revealing political opinions, religious or other beliefs, including philosophical beliefs;
* personal data revealing trade union membership;
* genetic data and biometric data processed for the purpose of identifying a person;
* personal data concerning health, sexual life or sexual orientation.

22
Q

How is personal data relating to criminal convictions treated within the framework of the GDPR?

A

Within the framework of the GDPR, personal data relating to criminal convictions and offences or related security measures are not mentioned as such in the list of special categories of data, but are dealt with in a separate article.

23
Q

What is the concept of data processing?

A

The concept of personal data processing is comprehensive under both EU and CoE law: “‘processing of personal data’ […] shall mean any operation […] such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction” of personal data.

24
Q

What is automated data processing, and what is its place in the GDPR?

A

Data protection under Modernised Convention 108 and the GDPR fully applies to automated data processing.

In practical terms, this means that any personal data processing through automated means with the help of, for example, a personal computer, a mobile device, or a router, is covered by both EU and CoE data protection rules.

25
Q

How is non-automated data processing understood?

A

Accordingly, under EU law, data protection applies to processing personal data in a manual filing system, that is, a specially structured paper file. A structured filing system is one which categorises a set of personal data, making them accessible according to certain criteria.

26
Q

What is a controller under EU law?

A

Under EU law, a controller is defined as someone who “alone or jointly with others determines the purposes and means of the processing of personal data”. A controller’s decision establishes why and how data shall be processed.

27
Q

What is a controller under CoE law?

A

Under CoE law, Modernised Convention 108 defines a ‘controller’ as “the natural or legal person, public authority, service, agency or any other body which, alone or jointly with others, has the decision-making power with respect to data processing”. Such decision-making power concerns the purposes and means of the processing, as well as the data categories to be processed and access to the data. Whether this power derives from a legal designation or from factual circumstances must be decided on a case-by-case basis.

28
Q

Where must the controller or processor be located?

A

When a controller or processor is established outside of the EU, that company needs to appoint, in writing, a representative within the EU. The GDPR underlines that the representative must be established “in one of the Member States where the data subjects, whose personal data are processed in relation to the offering of goods and services to them, or whose behaviour is monitored”. If no representative is designated, legal action can still be initiated against the controller or the processor themselves.

29
Q

What is joint controllership?

A

The GDPR provides that where two or more controllers jointly determine the purpose and means of processing, they are considered joint controllers. This means that they decide together to process data for a shared purpose. The Explanatory Report of Modernised Convention 108 states that multiple controllers or co-controllership is also possible within the CoE framework.

Joint controllership leads to joint responsibility for a processing activity. Within the framework of EU law, this means that each controller or processor can be held fully liable for the entire damage caused by processing under joint controllership, to ensure that the data subject is effectively compensated.

30
Q

What is a processor under EU law?

A

A processor is defined under EU law as someone who processes personal data on behalf of a controller. The activities entrusted to a processor may be limited to a very specific task or context or may be quite general and comprehensive.

31
Q

What is a processor under CoE law?

A

Under CoE law, the meaning of a processor is the same as under EU law.

Processors, besides processing data for others, will also be data controllers in their own right in relation to the processing they perform for their own purposes, for example, the administration of their own employees, sales and accounts.

32
Q

What is the relationship between controller and processor?

A

As we have seen, the controller is defined as the one who determines the purposes and the means of processing. The GDPR clearly states that the processor may only process personal data on instructions from the controller, unless the EU or Member State law requires the processor to do so. The contract between the controller and the processor is an essential element of their relationship, and is a legal requirement.

If the power to determine the means of processing is delegated to a processor, the controller must nonetheless be able to exercise an appropriate degree of control over the processor’s decisions regarding the means of processing. Overall responsibility still lies with the controller, who must supervise the processors to ensure that their decisions comply with data protection law and with its own instructions.

33
Q

What is the difference between a recipient and third parties?

A

The difference between these two categories of persons or entities, which were introduced by the Data Protection Directive, lies mainly in their relationship to the controller and, consequently, in their authorisation to access personal data held by the controller.

The employees of a controller or processor may be recipients of personal data without further legal requirement if they are involved in the processing operations of the controller or processor, whereas a third party, being separate from the controller or processor, is not authorised to use the personal data a controller processes, unless on specific legal grounds in a specific case.

34
Q

Who is a third party?

A

A ‘third party’ is someone who is different from the controller and the processor. According to Article 4 (10) of the GDPR, a third party is “a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data”. This means that persons working for an organisation which is different from the controller – even if it belongs to the same group or holding company – will be (or belong to a) ‘third party’.

35
Q

What is a recipient?

A

‘Recipient’ is a broader term than ‘third party’. In the meaning of Article 4 (9) of the GDPR, a recipient means “a natural or legal person, public authority, agency or another body, to which data are disclosed, whether a third party or not”. This recipient may either be a person outside the controller or processor – this would then be a third party – or someone inside the controller or processor, such as an employee or another division within the same company or authority.