Seminar 3+4 - Fundamental concepts, territorial and material scope of the GDPR Flashcards

1
Q

What is an important principle when collecting a lot of data?

A

We shouldn’t collect more data than necessary. Minimizing principle.

2
Q

Name the 4 characteristics of GDPR regulation?

A

● Omnibus regulation - applies to all sectors etc. (and not sectoral regulation)
● Technologically neutral (in order to adapt to new technologies, cf. recital 15)
● Dual objectives, cf. GDPR art. 1 (protection of fundamental rights and free movement of data - try to reconcile)
● GDPR (alongside LED) is a harmonizing tool that creates greater unification than the previous DPD.

3
Q

Is the GDPR a harmonizing tool?

A

Yes, it creates unification.

4
Q

Where is the material scope found in the GDPR?

A

The material scope of the GDPR is listed in art. 2.

5
Q

What is the material scope in the GDPR?

A

“This regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system”, cf. art. 2.

6
Q

What is “processing”? And where is the definition found in the GDPR?

A

“Processing”: Art. 4(2): any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, deletion etc.

7
Q

Name two important cases when explaining what “processing” is?

A

1) Lindqvist where “loading” was processing

2) Schrems, where the transfer was enough.

8
Q

What is “personal data”? And where is the definition found in the GDPR?

A

“Personal data”: Art. 4(1):
■ Any information - both subjective and objective
■ Relating to - content/about
■ Identified or identifiable - the data subject is possible to identify

9
Q

What is the difference between: Anonymous data & Pseudonymous data?

A

● Anonymous data are not personal data (recital 26)

● Pseudonymous data are personal data if “reasonably likely” to be identifiable.

10
Q

Name an important case when explaining what the difference between Anonymous data and Pseudonymous data is?

A

Breyer (dynamic IP-address, where additional information was kept with a third-party internet provider). VS. static IP.

Identification requires a disproportionate effort in terms of time, cost and man-power, so that the risk of identification appears in reality to be insignificant.

11
Q

Name the 3 exceptions where this GDPR Regulation does not apply to the processing of personal data? And where is that found in the GDPR?

A

○ GDPR art. 2(2)(a): activities which fall outside Union law (national security)
○ GDPR art. 2(2)(b): activities which fall within Chapter 2 of Title V TEU (EU common foreign policy)
○ GDPR art. 2(2)(c): purely personal or household activity

12
Q

Name an important case when explaining the exceptions where the GDPR does not apply to the processing of personal data?

A

■ Rynes: “[t]o the extent that video surveillance […] covers, even partially, a public space (directed outwards from the private setting), it cannot be regarded as an activity which is a purely ‘personal or household’ […].”

13
Q

Why is it important to be aware of the difference between anonymous and pseudonymous data?

A

Anonymisation and pseudonymisation can be relevant when discussing if something constitutes personal data as stated in art. 4(1) and therefore falls within the material scope of the GDPR (art. 2(1)).

14
Q

What is pseudonymisation?

A

“personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such information is kept separately”

15
Q

What is anonymisation?

A

Data are anonymised if they no longer relate to an identified or identifiable individual, whereafter GDPR is no longer applicable.

16
Q

Where is the territorial scope found in the GDPR?

A

● GDPR art. 3(1): Main rule, controller and processor in the Union

17
Q

What does the territorial scope of the GDPR cover?

A

This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

18
Q

Name the 3 exceptions, when controller or processor is not established in the Union, but still needs to comply with GDPR?

A

○ GDPR art. 3(2)(a): offering goods or services to data subjects in the Union
○ GDPR art. 3(2)(b): monitoring of their behaviour within the Union
○ GDPR art. 3(3): controller not established in the Union, but in a place where Member State law applies by virtue of public international law (diplomatic and consular posts)

19
Q

How do we assess whether GDPR art. 3(1) applies (controller in the Union)? And what is that test called? (Establishment)

A

● Two-step test to determine if art. 3(1) applies:

1) Establishment
2) In the context of activities

20
Q

How do we assess whether GDPR art. 3(2) applies (controller established outside the Union)?

A

GDPR art. 3(2) applies to the processing of data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

  • offering goods or services to data subjects in the Union
  • monitoring of their behaviour within the Union
21
Q

If a data subject in the EU booked a hotel in California through an American online travel agent, then the EU law covers data processing operations connected with his stay in the USA. Therefore, the question arises whether such a situation should be acceptable?

A

• Excessive burden and uncertainty for foreign companies whether they will be caught by GDPR as it is the data subject’s choice, not the data controllers’, whether you would like to use their service → but the controller is liable under the GDPR.
• GDPR is not an international agreement, and in reality, there is no legitimacy to regulate the data processed outside the Union
- It seems difficult to accept that a US-based company that also happens to sell goods or services outside the USA, including to data subjects in the EU, is suddenly forced to obey EU law.

22
Q

If, for example, a European tourist is doing shopping on Fifth Avenue in New York, does the GDPR apply?

A

We do not see reasons why processing of his data in this context should ex lege fall within the territorial scope of the GDPR.

23
Q

What is teleological interpretation?

A

A method in which legal provisions are not necessarily read literally but are understood in the light of the purpose, values, and legal, social and economic goals these provisions aim to achieve.

24
Q

What is one of the biggest problems European Data Protection is facing?

A

Lack of jurisdiction over third country’s data controllers processing substantial numbers of EU data subjects’ data.

25
Q

What does the replacement of the central notion of ‘territory’ with ‘jurisdiction’ do in Convention 108?

A

The Council of Europe allows more flexibility in setting the scope of the Convention and for loosening the connection with the physical world.

26
Q

Is an IP address a pseudonym?

A
  • On one hand, no, since it wasn’t personally selected by the user. And it’s not clear how easy it is to find the person behind the IP address.
  • On the other hand, it can be seen as an online alias.
27
Q

What is the definition of consent?

A
  • Any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.
28
Q

What are the criteria in order for consent to be valid?

A
  1. Clear and unambiguous indication of wishes
  2. Freely given
  3. Specific
  4. Informed
29
Q

What is a controller?

A

Determines the purposes and means of processing of personal data.

30
Q

What is a processor?

A

Processes personal data on behalf of a controller.

31
Q

What is Data minimization?

A

Processing of personal data must be restricted to the minimum amount necessary.

32
Q

What are data subjects?

A

The persons protected by data protection law are referred to as data subjects.

33
Q

Does the general directive contain a definition of “data transfer”?

A

The general directive does not contain a definition of “data transfer”

34
Q

What does the Lindqvist case suggest about data transfer?

A

In the case of Bodil Lindqvist the European Court of Justice found that placing material on a server in the EU which was accessible worldwide via the internet did not constitute an international data transfer.

The Lindqvist case suggests that a data transfer should be an active act which involves sending data, and not just making it passively accessible. Specific facts.

35
Q

What is an “establishment”?

A

Recital 19 of the Directive defines establishment as implying the effective and real exercise of activity through stable arrangements, whereas the legal form of such establishment is not the establishing factor.

36
Q

What requirements are there to the processing of personal data?

A

Art. 6 (1) (a) of the General Directive requires personal data to be processed “fairly and lawfully”.

Art. 6 (1) (b) requires that personal data be “collected for specified, explicit and legitimate purposes”.

37
Q

Give an example where processing of data was unlawful?

A
  • The Italian DPA found that the use of fingerprint readers to monitor employees’ presence at work was illegitimate and thus unlawful.
38
Q

Is placing information about individuals on an internet site “processing” of personal data?

A

Yes. The European Court of Justice has found that placing information about individuals on an internet site constitutes “processing” of personal data.

39
Q

What is the purpose limitation?

A

“data must be collected for specified, explicit and legitimate purposes”.

40
Q

What is special about sensitive data?

A

Special protections are granted to sensitive data, such as racial or ethnic origin etc.

41
Q

What are the facts of the Lindqvist case?

A

Mrs Lindqvist set up internet pages at home on her personal computer in order to allow parishioners preparing for their confirmation to obtain information they might need. At her request, the administrator of the Swedish Church’s website set up a link between those pages and that site.

The pages in question contained information about Mrs Lindqvist and 18 colleagues in the parish, sometimes including their full names and in other cases only their first names.

42
Q

Name an example of the material scope of the GDPR, cf. Art. 2?

A

Papers at the doctor’s office arranged in a certain way with personal information:
o When it is structured in a certain way it would be processing and therefore covered by the GDPR art. 2.
o On the other hand, if it’s not structured and papers are just lying around, it may not be processing.

43
Q

What is the household exemption?

A

The GDPR does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity (with no connection to a professional or commercial activity).

44
Q

Explain the household exemption in relation to the Lindqvist case?

A

The exception must be interpreted as relating only to activities which are carried out in the course of private or family life of individuals, which is clearly not the case with the processing consisting in publication on the internet (data are made accessible to an indefinite number of people) (para 47).

45
Q

Mr X installed and used a camera system located under the eaves of his family home. The camera was installed in a fixed position and could not turn; it recorded the entrance to his home, the public footpath and the entrance to the house opposite. The system allowed only a visual recording, which was stored on a hard disk drive. As soon as it reached full capacity, the device would record over the existing recording, erasing the old material. No monitor was installed on the recording equipment, so the images could not be studied in real time. Only Mr X had direct access to the system and the data.

A
  • That is not covered by the household exemption due to the placement of the camera.
46
Q

A tourist is recording videos both through his mobile phone and through a camcorder to document his holidays. He shows the footage to friends and family but does not make it accessible for an indefinite number of people.

A

Covered by household exemption

47
Q

A downhill mountain biker wants to record her descent with a GoPro. She is riding in a remote area and only plans to use the recordings for her personal entertainment at home.

A
  • Covered by household exemption.

- It’s hard to quantify number of limited friends.

48
Q

Is the following personal data? 1. Recording of the customers’ communication with an airline’s customer service.

A

a. Collect voice – yes personal data.

49
Q

Is the following personal data? 2. Images of individuals captured by a video surveillance system

A

a. Yes, personal data.

50
Q

Is the following personal data? 3. As a result of a neuro-psychiatric test conducted on a girl in the context of a court proceeding about her custody, a drawing made by her representing her family is submitted. The drawing provides information about the girl’s mood and what she feels about different members of her family.

A

a. Personal data. Depends on how detailed the drawing is.

51
Q

Is the following personal data? 4. The service register of a car held by a mechanic or garage contains the information about the car, mileage, dates of service checks, technical problems, and material condition. This information is associated in the record with a plate number and an engine number.

A

a. Reasonable means to identify a person. Identifiability. How easy is it to establish the link between the driver and the vehicle? Engine number.

52
Q

“Youcannotaffordanappartmentincph” is a company which runs a property dealing website and has its registered office in Malmö.
Its activity involves the operation of that website which publishes advertisements for properties situated in Copenhagen.

One of the owners of the company is Danish and resides in Copenhagen.

Explain the territoriality?

A
  • DPD requires equipment etc.
  • It’s the activity that is important – not where the company is registered.
  • GDPR regulation is the same in Denmark and Sweden.
53
Q

Does the GDPR apply in Greenland?

A

o GDPR doesn’t apply to Greenland.

54
Q
  • Having covered a significant proportion of the interested population in Copenhagen with its offerings, F – no longer just a “start-up” – decided to look for an international challenge. In order to expand its business to North America, F registered the company in Delaware, US. It decided to move the headquarters there, leaving just two employees in the company’s tiny branch in Copenhagen, tasked with running the database of the company’s clients, advertising the company, answering calls, rerouting customers’ enquiries, giving interviews to the press, and maintaining deliveries to existing customers.
A

o Movement of HQ doesn’t change the establishment.

55
Q

Territorial application case:
1. An Australian company offers a mobile news and video content service, based on users’ preferences and interest. Users can receive daily or weekly updates. The service is offered exclusively to users located in Australia, who must provide an Australian phone number when subscribing.
An Australian subscriber of the service travels to Germany on holiday and continues using the service.

A
  • Company doesn’t need to comply with GDPR. It’s in Australia, exclusively to people in Australia. Not directed to data subjects in the Union.
  • Not even if they travel to Germany – as a main rule. As it is meant to be used in Australia – they don’t have the intention to market it in the EU.
56
Q

Name the structure of the exam with regards to territorial/material scope?

A
  • Is there Establishment
  • Is there data processing
    o Can still be Art. 3(2) if
      ■ Where they offer services or goods
      ■ Or target within the Union
57
Q

Territorial application case:
A start-up established in the USA, without any business presence or establishment in the EU, provides a city-mapping application for tourists. The application processes personal data concerning the location of customers using the app (the data subjects) once they start using the application in the city they visit, in order to offer targeted advertisement for places to visit, restaurants, bars and hotels. The application is available for tourists while they visit New York, San Francisco, Toronto, Paris and Rome.

A
  • There’s no establishment in the EU.
58
Q

Territorial application case:
3. A U.S. citizen is travelling through Europe during his holidays. While in Europe, he downloads and uses a news app that is offered by a U.S. company. The app is exclusively directed at the U.S. market, evident by the app terms of use and the indication of US Dollar as the sole currency available for payment.

A
  • Only offered to US customers – paid by $. Company wouldn’t have to comply with the GDPR.
59
Q

Territorial application case:
A bank in Taiwan has customers that are residing in Taiwan but hold German citizenship. The bank is active only in Taiwan; its activities are not directed at the EU market. The bank’s processing of the personal data of its German customers.

A
  • Activities aren’t within the EU – and nationality doesn’t matter.
60
Q

Territorial application case:
The Canadian immigration authority processes personal data of EU citizens when entering the Canadian territory for the purpose of examining their visa application.

A
  • Establishment is outside of the EU – and it’s immigration.
61
Q

Territorial application case:
A US company, without any establishment in the EU, processes personal data of its employees that were on a temporary business trip to France, Belgium and the Netherlands for human resources purposes, in particular to proceed with the reimbursement of their accommodation expenses and the payment of their daily allowance, which vary depending on the country they are in.

A
  • Outside the EU – they are there temporarily – only process the reimbursements.
  • Intention is not to monitor them – in connection with salaries, so art. 3 (2) doesn’t apply.
62
Q

Territorial application case:
A website, based and managed in Turkey, offers services for the creation, editing, printing and shipping of personalised family photo albums. The website is available in English, French, Dutch and German and payments can be made in Euros. The website indicates that photo albums can only be delivered by post mail in France, Benelux countries and Germany.

A
  • Offering services and lots of indications that these are intended for English, German and French people. Art. 3(2) applies.
63
Q

Territorial application case:
8. A Swiss University in Zurich is launching its Master degree selection process, by making available an online platform where candidates can upload their CV and cover letter, together with their contact details. The selection process is open to any student with a sufficient level of German and English and holding a Bachelor degree. The University does not specifically advertise to students in EU Universities, and only takes payment in Swiss currency.
European Data Protection Law - Fall 2021 Cases on Targeting Criterion (Art 3(2))

A

Art. 3(2) - It doesn’t apply.

64
Q

Territorial application case:
9. The same as in 8, but the University also offers summer courses in international relations and specifically advertises this offer in German and Austrian universities in order to maximize the courses’ attendance.

A

Yes, it does apply. They only want them to apply.

65
Q

Territorial application case:
10. A retail consultancy company established in the US provides advice on retail layout to a shopping centre in France, based on an analysis of customers’ movements throughout the centre collected through Wi-Fi tracking.

A
  • Art. 3(2) applies – tracking.
66
Q

Territorial application case:
A Brazilian company sells food ingredients and local recipes online, making this offer of goods available to persons in the Union, by advertising these products and offering the delivery in France, Spain and Portugal. In this context, the company instructs a data processor also established in Brazil to develop special offers to customers in France, Spain and Portugal on the basis of their previous orders and to carry out the related data processing.

A

Fall under both controller and processor – so art. 3(2) applies.

67
Q

Territorial application case:
A Turkish company offers cultural package travels in the Middle East with tour guides speaking English, French and Spanish. The package travels are notably advertised and offered through a website available in the three languages, allowing for online booking and payment in Euros and GBP. For marketing and commercial prospection purposes, the company instructs a data processor, a call center, established in Tunisia to contact former customers in Ireland, France, Belgium and Spain in order to get feedback on their previous travels and inform them about new offers and destinations.

A
  • Fall under both controller and processor – so art. 3(2) applies.
68
Q

Article 4(1) of the Data Protection Directive. This provision lists two main criteria for determining whether the EU Member State law is applicable?

A
  1. EU jurisdiction depends on localization of an ‘establishment’ of a data controller (Article 4(1)a) or
  2. localization of an ‘equipment’ used for data processing purposes (Article 4(1)c)
69
Q

What does the Weltimmo case say about understanding the term “Establishment”?

A

C-230/14 Weltimmo provides clarifications with regard to a possible baseline for understanding the term ‘establishment’: ‘the concept of “establishment”, within the meaning of Directive 95/46, extends to any real and effective activity — even a minimal one — exercised through stable arrangements’.

70
Q

Give some examples from case law of what constitutes Personal Data?

A
  • Lindqvist (C-101/01) The name of a person in conjunction with his/her telephone number, and information about his/her working conditions or hobbies
  • Satamedia (C-73/07) The surname and given name of certain natural persons whose income exceeds certain thresholds, as well as the amount of their earned and unearned income
  • Bavarian Lager (C-28/08) Surnames and forenames. Thus the list of names of participants in a meeting is personal data, since persons can be identified.
  • Scarlet (C-70/10) IP addresses are protected personal data because they allow the related users to be precisely identified.
  • Schwarz (C-291/12) Fingerprints constitute personal data, as they objectively contain unique information about individuals which allows them to be identified with precision
  • Worten (C-342/12) Data contained in the record of working time concerning, in relation to each worker, the daily work periods and rest periods
  • Englebert (C-473/12) Data collected by private detectives relating to persons acting as estate agents
71
Q

Give two examples of teleological interpretation - and why?

A

C-230/14 Weltimmo and C-131/12 Google Spain are clear examples of teleological interpretation.

72
Q

What is the Discussion: Expansive jurisdiction of EU data protection regime (De Hert & Czerniawski) about?

A
  • Excessive burden and uncertainty for foreign companies whether they will be caught by GDPR as it is the data subject’s choice, not the data controllers’, whether you would like to use their service → but the controller is liable under the GDPR.
  • GDPR is not an international agreement, and in reality, there is no legitimacy to regulate the data processed outside the Union

GDPR art. 3

73
Q

What is the Breyer case about?

A

The court ruled that dynamic IP addresses may constitute ‘personal data’ even where only a third party (in this case an internet service provider) has the additional data necessary to identify the individual – but only under certain circumstances: the possibility to combine the data with this additional data must constitute a “means likely reasonably to be used to identify”.