European Union: Privacy
The right to privacy emerged after World War II and was initially enacted in the Universal Declaration of Human Rights, before finding expression in the European Convention on Human Rights (ECHR). Later, the right to data protection was recognised by the European Court of Human Rights (ECtHR) as part of the broadly interpreted concept of private life.
In the European Union, the right to data protection was first recognised by the Treaty on the Functioning of the European Union and was given the status of a human right by the Charter of Fundamental Rights of the European Union (CFR).
In 1995, to harmonise data protection laws, ensure a high level of protection and guarantee the free flow of personal data among member states, the European Commission (EC) adopted the Data Protection Directive, which had to be implemented in each member state. In parallel, the ePrivacy Directive was adopted in 2002 to address personal data in the specific context of electronic communication services and adapt the applicable rules to the digital age.
However, confronted with various challenges, in particular the persistent fragmentation of data protection laws throughout the European Union and increasing digitalisation, the European Union decided to review the legal framework. This led to the adoption of the General Data Protection Regulation (GDPR). Adopted in 2016, the GDPR became directly applicable in all member states on 25 May 2018. Reform of the ePrivacy Directive was also initiated, to align the framework for electronic communication services with the new GDPR rules.
Updates and trends
The GDPR, which is directly applicable in the member states, achieved a high degree of harmonisation for the data protection rules in the European Union. However, member states still have ‘margins of manoeuvre’ and can adopt national legislation to specify, restrict or expand the GDPR rules under certain circumstances (eg, for children’s consent or the scope of data subject rights).
Originally planned to come into effect on 25 May 2018, the ePrivacy Regulation has still not been adopted and discussions about key issues relating to electronic communications data or marketing communications continue.
After the Brexit transition period ends (on 31 December 2020), the GDPR will no longer be directly applicable in the United Kingdom. The United Kingdom’s national data protection legislation mirrors the GDPR’s key principles but some parts of the GDPR will no longer be relevant or apply to the United Kingdom. In particular, data transfers from the European Union to the United Kingdom might require specific safeguards; this will also depend on whether the United Kingdom can be considered a country with an ‘adequate level of data protection’ under the GDPR.
Focus on the GDPR
In the spirit of the ECHR and the CFR, the GDPR seeks to protect individuals’ personal data as an overarching, fundamental human right. Article 1 states that it shall protect fundamental rights and freedoms of natural persons and reduce barriers for businesses by facilitating the movement of personal data within the European Union. In addition, the GDPR aims to address the data protection risks associated with new technologies and their widespread use by imposing more stringent obligations. Finally, the GDPR aims to ensure effective protection of personal data by strengthening data subjects’ rights and the obligations of those who process personal data, and by establishing authorities to monitor and ensure compliance.
Scope of application
The GDPR applies to the ‘processing’ of ‘personal data’. Both concepts are to be interpreted very broadly. Processing covers every action that can be conducted with personal data, while personal data means any information relating to an identified or identifiable natural person. The fact that a person took part in a meeting or signed a specific document will for instance be considered personal data. Only anonymised data does not fall under the scope of the GDPR. However, anonymisation is quite hard to achieve in practice. In most cases where anonymisation is attempted, data will only be considered ‘pseudonymised’ (eg, identifiers or references to individuals are removed but it is still possible to re-identify data with additional knowledge from other sources). The GDPR fully applies to pseudonymised data.
The GDPR also recognises specific categories of personal data, namely ‘sensitive data’ (or ‘special category’ data) and ‘data relating to criminal convictions and offences’. Sensitive data is:
data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
The processing of those categories of data is subject to more stringent requirements. In most cases, the data subject’s consent is required.
Data processed in the course of a purely personal or household activity is explicitly exempted. However, the exemption has to be interpreted rather narrowly. Larger scale or more intrusive activities generally fall under the GDPR’s scope, even if the main purpose is personal.
The GDPR defines three ‘data protection roles’, namely:
- the data subject, who is the natural person whose information is being processed;
- the controller, who determines the purposes and means of the processing; and
- the processor, who processes the personal data on the controller’s behalf.
Controllers and processors are subject to specific requirements under the GDPR, whereas data subjects enjoy extensive rights.
The GDPR is very far-reaching: it applies to entities established in the European Union and to certain others without such an establishment. In the latter case, it applies to the processing of personal data of data subjects who are in the European Union, if the processing is related to offering goods or services or monitoring their behaviour (eg, online tracking) as far as their behaviour takes place within the European Union. Those entities must appoint an ‘EU representative’, which acts as a point of contact for authorities and data subjects.
Principles relating to personal data processing and accountability
Article 5 of the GDPR sets out the general principles with which controllers and processors must comply when processing personal data. These principles serve as the cornerstone of all subsequent GDPR provisions and they guide courts and authorities in their interpretation of the GDPR.
- Lawfulness, fairness and transparency: personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.
- Purpose limitation: personal data must be collected for specified, explicit and legitimate purposes, must not be used for any purposes other than those notified to the individual and must not be further processed in any manner incompatible with those initial purposes.
- Data minimisation: personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
- Accuracy: personal data must be accurate, kept up to date and erased or rectified, if necessary.
- Storage limitation: personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the data is being processed, and otherwise must be deleted or anonymised.
- Integrity and confidentiality: personal data must be processed in a manner that ensures appropriate security of the personal data, using appropriate technical or organisational measures (TOMs).
In accordance with the new principle of accountability, controllers are responsible for and must be able to demonstrate compliance with these principles. The GDPR therefore puts a particular emphasis on documentation, in particular through the maintenance of a record of processing activities. The principle of accountability also leads to a shift of the burden of proof in certain cases (ie, it is the controller’s responsibility to evidence GDPR compliance).
Lawfulness of data processing
Processing of personal data is lawful only if and to the extent it is based on one of the six legal bases listed in the GDPR. Whether a lawful basis for processing applies, and if so which, is to be determined with regard to the type of personal data and the purpose of the processing.
The most common lawful bases for processing are: (1) processing is necessary for the performance of a contract; (2) consent; and (3) the controller’s overriding legitimate interests, as set out below:
- To rely on the performance of a contract, the processing must be ‘necessary’ to the contract, meaning that if ‘there are realistic, less intrusive alternatives, the processing is not necessary’. For example, the use of a cloud storage application necessarily requires that personal data is stored in the respective cloud so that the controller can rely on the performance of a contract exemption. However, the use of the data for other purposes (eg, analysing data for marketing purposes) is not necessary and requires another legal basis.
- Consent is often regarded as the ‘method of choice’ but in practice it is very challenging to rely on this legal basis. The threshold for obtaining valid consent is very high. Indeed, consent has to be ‘freely given’, ‘specific’ and ‘informed’ and must express the unambiguous indication of the wishes of the data subject. The data subject must also be able to withdraw their consent, at any time, as easily as it was given. In particular, the requirement of freely given consent is sometimes hard to achieve (eg, when an employer asks employees for consent).
- Relying on overriding legitimate interests may also be quite challenging. First, the existence of a legitimate interest must be carefully assessed in each case. The GDPR does not provide a list of interests to be considered as such. However, for instance, the GDPR states that ‘the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest’. Second, controllers have to balance these legitimate interests against the data subject’s fundamental rights and freedoms. Only when those rights do not override the controller’s legitimate interests is it possible to rely on this legal ground. In light of the ‘accountability principle’, controllers must generally document the balancing test.
The other three lawful bases also require the processing to be ‘necessary’ for a specific purpose, namely compliance with a legal obligation; protecting the data subjects’ vital interests; or the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Regarding sensitive data, processing is, in principle, prohibited. To lawfully process this kind of data, the controller needs to both identify a lawful basis under article 6 and fulfil additional requirements under article 9, unless the processing is based on the data subject’s ‘explicit consent’.
The GDPR also regulates specific types of processing, such as automated decision-making, including profiling. Profiling means any form of automated processing of personal data to evaluate certain personal aspects relating to the individual, in particular to analyse or predict certain aspects. Although the GDPR permits this kind of data processing, it imposes certain requirements to ensure additional guarantees to protect personal data.
Rights of the data subject
The GDPR grants a wide range of rights to data subjects regarding the processing of their personal data, giving them more control over their personal data. Data subject rights can be classified into two groups.
The first group covers all information obligations imposed on controllers. These require a controller to:
- give the data subject specific information about the circumstances of the data processing, irrespective of whether the personal data is collected directly from the data subject or not. This information must be given at the time personal data is collected or before it is processed;
- inform the data subject before carrying out changes to the data processing;
- inform the data subject of personal data breaches where relevant; and
- take reasonable steps to inform other controllers of a right exercised by the data subject in some cases, such as if the data subject asks for their data to be erased and the data was made public by the controller.
The second group includes rights that must be exercised by the data subject for the controller to act. The data subject has the right to:
- access their personal data processed by the controller (right of access);
- obtain rectification of inaccurate or incomplete personal data (right to rectification);
- request restriction of processing, which means that personal data can still be stored but may not be used in certain situations (right to restriction of processing);
- request erasure of their personal data in particular circumstances (right to be forgotten);
- receive the personal data they provided in a structured and commonly used machine-readable format and request the controller to transmit this directly to another controller (right to data portability);
- object to the processing of their personal data on grounds relating to their particular situation (right to object). This right is not absolute: the controller must stop processing the data only if it cannot show compelling legitimate grounds for the processing that override the individual’s interests (although this does not apply where the personal data is processed for direct marketing purposes); and
- not be subject to a decision based solely on automated processing, including profiling, which produces legal or similar effects for the data subject. This right is also not absolute; it does not apply if automated decision-making is necessary for the performance of a contract between the controller and the data subject.
If a controller or processor breaches the GDPR, the data subject has the right to lodge a complaint with practically any data protection supervisory authority (DPA), including those established in a member state other than where they live, as well as the right to start judicial proceedings. The data subject may also file a claim for damages.
Oversight and enforcement
Each member state has established at least one DPA. The DPA, which must be independent in performing its tasks and exercising its powers, must contribute to the consistent application of the GDPR throughout the European Union. The DPA has a wide range of responsibilities and a broad scope of powers, including investigative and corrective powers. In particular, it can issue warnings, reprimands or fines (up to €20 million or 4 per cent of worldwide annual (group) turnover, whichever is higher); order data to be rectified, blocked or deleted; or impose a ban on processing. A DPA regulates controllers and processors established in its own member state, as well as data processing by those elsewhere if the processing affects data subjects in the member state or is otherwise connected.
If more than one DPA would have jurisdiction for a specific processing activity of a controller or processor established in the European Union (ie, for cross-border processing), the DPA of the entity’s ‘main establishment’ will act as ‘lead supervisory authority’. This ‘one-stop-shop mechanism’ ensures more efficient cross-border proceedings, but there is still some uncertainty over the definition of ‘main establishment’.
All DPAs are members of the independent European Data Protection Board (EDPB), along with the European Data Protection Supervisor. The EDPB is responsible for ensuring the uniform application of the GDPR throughout member states and efficient co-operation among DPAs. The EDPB can issue guidelines and recommendations, and make binding decisions on how DPAs should interpret the GDPR.
Updates and trends
On 25 May 2020, the GDPR celebrated its second anniversary. Shortly thereafter, the Commission published its report on the evaluation of the GDPR, concluding that ‘the GDPR has successfully met its objectives’ while acknowledging that ‘a number of areas for future improvement have also been identified’. In particular, the Commission noted that there is ‘still a degree of fragmentation’ regarding the implementation of the legal framework and invited members states to consider greater alignment. The Commission also encouraged more cooperation between DPAs, saying that ‘developing a truly common European data protection culture . . . is still an ongoing process’. Regarding new technologies – one of the main arguments for re-opening the GDPR – the Commission stated that the GDPR had been ‘conceived in a technology neutral way’ and argued that the GDPR had proved its flexibility during the covid-19 crisis.
Regarding the enforcement of the GDPR, the following developments are of particular importance for practitioners:
- DPAs have continued to impose very high fines and some have already adopted fining guidelines to facilitate enforcement activities while awaiting the EDPB’s harmonised fining guidelines.
- Data subjects have been lodging claims directly with civil courts (in parallel to their DPAs) for alleged GDPR infringements. As a result, data protection litigation in many European jurisdictions is on the rise. This trend is fostered by privacy activists who facilitate these claims. In this context, it will be interesting to see whether the Court of Justice of the European Union (CJEU), the highest court with authority to interpret the GDPR, decides that consumer protection associations and competitors may seek injunctions in their own name against controllers under the GDPR if national law allows.
The role of the data protection officer
The data protection officer’s (DPO) main responsibility is to monitor GDPR compliance and to ensure awareness-raising and training of staff involved in processing operations. The ultimate responsibility to comply with the GDPR lies, however, with the controller and its management.
The controller or the processor must appoint a DPO if their ‘core activities’ consist of the regular, systematic and large-scale monitoring of data subjects; or the large-scale processing of sensitive data or data relating to criminal convictions and offences. Member states can stipulate further cases where a DPO must be appointed.
Businesses must appoint the DPO on the basis of the person’s professional qualities, their expert knowledge of data protection, and their ability to fulfil the assigned tasks. Businesses may appoint an employee or an external provider (although, off the record, certain DPAs have expressed concerns over the appointment of external DPOs by businesses that process a significant amount of personal data). In both cases the DPO must be able to perform their tasks independently and without any conflict of interest.
Once designated, the DPO’s contact details must be published and communicated to the DPA. The DPO serves as a contact point both for data subjects and the DPAs.
Ensuring GDPR compliance of data processing operations
Data protection by design and by default
The controller must do the following:
- Implement appropriate TOMs to satisfy the general data protection principles under the GDPR and to integrate necessary safeguards in order to meet the GDPR’s requirements throughout the whole processing, from the initial to the final stages. For example, when a controller builds a new product, it must ensure that the product is developed with privacy in mind; this can, for example, be documented and achieved by adding ‘privacy gates’ into the product development cycle. TOMs must be implemented considering the state of the art, the cost of implementation and the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of individuals.
- Implement appropriate TOMs ensuring that, by default, only personal data that is necessary for each specific purpose of the processing is processed (eg, some applications may require the functionality to turn certain data collection on and off, and the default setting should be ‘off’).
The controller must also regularly review and update the TOMs, to consider privacy by design and by default.
Appropriate TOMs to ensure data security
To keep personal data secure, controllers and processors must implement appropriate TOMs. Technical measures are precautionary measures relating to the processing itself, like a backup system or User-ID policy. Organisational measures cover the external framework conditions surrounding the processing, like employee training, policies or a safety plan.
The GDPR does not specifically define what security measures must be taken, but it does list criteria for the measures, to ensure a level of security appropriate to the risk. There is neither a one-size-fits-all solution, nor an ideal one, so controllers and processors must carry out a ‘balancing test’. The controller or processor has quite a broad margin of discretion, but its decision to implement certain TOMs might be closely scrutinised – for example, if there is a personal data breach investigation. So controllers and processors should assess the specific risks raised by their different processing and the protective effects of individual TOMs.
When assessing a risk, relevant factors are:
- the nature of the risk (eg, data destruction, unauthorised disclosure or unauthorised access);
- its likelihood, taking into account, for example, the data transfer method (eg, in the cloud, abroad) or the storage method (duration, location); and
- its severity, taking into account, for example, the importance of the data or the type of likely damage.
When assessing individual TOMs, the controller or processor must assess whether and how it can prevent the risk from occurring, given the state of the art, the costs of implementation and the nature, scope, context and purposes of processing. It should focus on measures such as encryption and pseudonymisation, which may be considered state of the art in certain cases and for certain types of data. It must take measures that can ensure the ongoing confidentiality, integrity, availability and resilience of the processing, and restore the availability of and access to the data if there is an incident.
Data protection impact assessments
If data processing poses a high risk to the rights and freedoms of individuals, the controller must first carry out a data protection impact assessment (DPIA). A DPIA is an internal risk assessment to document any risks identified and any measures taken to mitigate the risks (eg, implementing TOMs or adding contractual safeguards with third parties).
In particular, a DPIA is required when: new technologies are used; there is a systematic and extensive evaluation of personal aspects based on automated processing; sensitive personal data is processed on a large scale; or there is systematic monitoring of a publicly accessible area on a large scale. There may be other cases where the processing is likely to result in a high risk.
EU guidelines suggest that a controller must consider the following criteria to determine the risk of processing, and a DPIA is generally required if two of these criteria are met:
- evaluation or scoring;
- automated decision-making with legal or similar significant effect for data subjects;
- systematic monitoring;
- sensitive data or data of a highly personal nature;
- data processed on a large scale;
- matching or combining datasets;
- data concerning vulnerable data subjects (eg, children);
- innovative use or applying new technological or organisational solutions; and
- when the processing in itself prevents data subjects from exercising a right or using a service or contract.
Finally, DPAs may establish non-exhaustive ‘blacklists’ or ‘whitelists’ of those activities that always require a DPIA and those that do not.
In the rare event that the risks identified in a DPIA cannot be mitigated, the controller must consult with the relevant DPA before processing.
Although the GDPR has increased the data processor’s responsibilities, the controller remains primarily responsible. The controller must only use processors that provide sufficient guarantees to ensure GDPR compliance; this requires appropriate processes for vendor management to document that the selection of processors is based on reasonable criteria. The controller must also conclude a binding contract with the processor setting out all the elements of the processing and certain restrictions, including that the processor may process data only upon the documented instructions of the controller, the controller has certain audit rights, and the processor must support the controller to ensure GDPR compliance.
Joint controllers must determine their respective responsibilities for GDPR compliance in a transparent manner, in particular as regards the exercise of data subject rights and the controllers’ respective duties to provide information to data subjects.
The GDPR includes restrictions regarding data transfers to countries outside the European Economic Area (EEA). Safeguards must be used to ensure an ‘adequate level of data protection’, unless the personal data is transferred to a country covered by an ‘adequacy decision’ – that is, where the Commission has found that the country has an adequate level of data protection.
If the recipient country is not covered by an adequacy decision, the transfer must be subject to ‘appropriate safeguards’, namely:
- binding corporate rules (ie, group internal data protection frameworks approved by the relevant DPA);
- standard contractual clauses (SCCs) adopted by the Commission or by a DPA;
- an approved code of conduct;
- an approved certification mechanism; or
- individual contractual clauses authorised by the DPA.
If the transfer is not covered by these safeguards, an exemption might apply, such as where the data subject has given explicit consent or where the transfer is necessary for the performance of a contract with the data subject.
Following the CJEU’s judgment in a case commonly referred to as Schrems II, the landscape relating to data exports is very likely to evolve. First, the EU–US Privacy Shield, a scheme that allowed data to flow from the EEA to US companies registered with the scheme, has been declared invalid as a basis for data exports (with no official grace period). Also, even though the SCCs may still be used, data exporters must review whether the recipient abroad can guarantee compliance with EU data privacy law. In practice, controllers are taking a pragmatic view on the available options while awaiting guidance from regulators.
Personal data breaches
Under the GDPR, a personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data. Any security incident affecting the confidentiality, integrity or availability of personal data is therefore a personal data breach. This could include, for instance, a lost USB stick, an intrusion by a hacker or the sending of an email to the wrong recipients.
If a controller suffers a data breach, it must implement certain remediation measures. If the breach poses a risk to data subjects, it must notify the relevant DPA without delay, and, where feasible, within 72 hours of becoming aware of the breach. Where there is a high risk, the affected data subjects must also be notified. In practice, these tight deadlines will be challenging for many businesses and the emphasis is often on assessing when a business can reasonably be said to be ‘aware’, bearing in mind the complexities of many data breach investigations.
A wide range of factors will be relevant to assess the level of risk: the type of breach; the nature, sensitivity and volume of personal data; the consequences for affected individuals; the number of affected individuals; and the likelihood and severity of the consequences on affected individuals, such as discrimination, identity theft or financial loss.
If the threshold for notifying or communicating has not been met, documentation about the breach and the reasons for not notifying or communicating must be retained.
Focus on specific requirements
In sectors like banking, healthcare, social security, post, telecoms and gambling, specific data protection requirements may apply that stipulate particular requirements or exemptions beyond the GDPR.
In 2016, the European Union adopted the Directive on Security of Network and Information Systems (the NIS Directive) in order to enhance cybersecurity standards for certain businesses with IT infrastructure in the European Union. The directive generally applies only to certain critical infrastructure where specific thresholds are met (eg, energy, health, transport, banking and digital infrastructure). Entities regulated under the NIS Directive must implement state-of-the-art cybersecurity measures and report breaches to national cyber regulators.
Communications and marketing
The 2002 ePrivacy Directive, which has been implemented into domestic member state law, applies to electronic communications in addition to the GDPR. It covers a wide range of issues, such as collection of traffic data, cookies and unsolicited communications. It goes beyond the GDPR; for example, certain cookies may be used only if the user has given consent, and certain marketing communications require that recipients have explicitly opted in to receive them. EU discussions to replace the directive with a regulation continue.
The GDPR has established a stringent and far-reaching data protection framework with a significant extraterritorial reach. As it is principles based and there is still limited guidance from courts or regulators, this shifts a lot of responsibility to businesses that process personal data. As a best practice, many businesses have set up privacy governance committees to manage their GDPR risk. This approach is now slowly extending to businesses that are not subject to the GDPR, because many countries have adopted or are in the process of adopting similar comprehensive privacy frameworks. Aligning different national requirements is difficult for businesses, not only because EU member states still have leeway to enact country-specific rules, but also because the approach taken in countries outside the European Union sometimes conflicts with the GDPR. That said, for those looking to implement global compliance programmes, developing principles-based policies and procedures with the GDPR as their bedrock is often a pragmatic solution.
1 Article 12 of the Universal Declaration of Human Rights.
2 Article 8 of the Convention for the Protection of Human Rights and Fundamental Freedoms.
3 ECtHR, 26 March 1987, case of Leander v Sweden; ECtHR, 4 May 2000, case of Rotaru v Romania.
4 Article 16 of the Treaty on the Functioning of the European Union.
5 Article 8 of the Charter of Fundamental Rights of the European Union.
6 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
7 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector.
8 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
9 As at November 2020, only Slovenia had not yet adopted specific national legislation to supplement the GDPR.
10 The Data Protection Act 2018.
11 The GDPR is intended to help promote European economic development.
12 Article 2 of the GDPR.
13 Article 4 of the GDPR.
14 Article 3 of the GDPR. See also EDPB, Guidelines 3/2018 on the territorial scope of the GDPR.
15 Article 10 of the GDPR.
16 Article 9 of the GDPR.
17 The controller can be a natural or legal person, public authority, agency or any other body. When two or more controllers jointly determine the purposes and means of a processing activity, they are ‘joint controllers’.
18 The processor can be a natural or legal person, public authority, agency or any other body.
19 This is the ‘establishment criterion‘.
20 This is the ‘targeting criterion’.
21 Article 30 of the GDPR.
22 Article 6 of the GDPR.
23 For further information, see WP29, Guidelines 2/2019 on the processing of personal data under article 6(1)(b) GDPR in the context of the provision of online services to data subjects.
24 EDPB, Guidelines 05/2020 on consent under Regulation 2016/679.
25 Recital 47 of the GDPR.
26 Article 9 of the GDPR.
27 Articles 12, 13 and 15 of the GDPR.
28 Article 15 of the GDPR.
29 Article 16 of the GDPR.
30 Article 18 of the GDPR.
31 Article 17 of the GDPR.
32 See WP29, Guidelines on the right to data portability, WP242 rev. 01.
33 Germany, as a federal country, has several DPAs. Where more than one DPA is established in a member state, that member state must designate the supervisory authority that is to represent the others at the EU level.
34 A register containing decisions taken by DPAs following the one-stop-shop mechanism is published by the EDPB.
35 The EDPB replaced the article 29 Working Party (WP29), which ceased to exist on 25 May 2018.
36 The European Data Protection Supervisor is the DPA for the EU institutions and bodies.
37 During its first plenary meeting, the EDPB endorsed some of the WP29 Guidelines, such as those on consent, transparency, personal data breach notification, the obligation to maintain records of processing activities and the application and setting of administrative fines.
38 See, for instance, the German DPAs’ and the Dutch DPA’s fining models.
39 See the German Federal Court of Justice’s (BGH’s) request for a preliminary ruling: BGH, decision of 28 May 2020, Ref. I ZR 186/17 (in German).
40 A group of undertakings may appoint a single DPO, article 37(2) of the GDPR.
41 Article 37(4) of the GDPR contains an opening clause allowing member states to impose other requirements for the appointment of a DPO. For instance, Germany has provisions in place that go beyond the general DPO requirement under the GDPR. Irrespective of a legal obligation, companies can also appoint a DPO voluntarily, and this has been recommended by several DPAs.
42 The DPO may also fulfil other tasks and duties as long as it is ensured that there is no conflict of interests.
43 Article 25 of the GDPR.
44 Article 24 of the GDPR.
45 Article 32 of the GDPR.
46 Article 35(3) of the GDPR.
47 WP29, Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is ‘likely to result in a high risk’ for the purposes of Regulation 2016/679, WP248 rev.01.
48 The EDPB publishes opinions on draft lists submitted to it by the DPAs.
49 Article 28 of the GDPR.
51 Article 26 of the GDPR.
52 Article 45 of the GDPR. So far, the Commission has recognised the following countries as providing an adequate level of data protection: Andorra, Argentina, Canada, the Faroe Islands, Guernsey, the Isle of Man, Israel, Japan, Jersey, New Zealand, Switzerland and Uruguay. Adequacy talks are ongoing with South Korea.
53 Article 46 of the GDPR.
54 See for instance the SCCs adopted by the Danish DPA.
55 On 16 July 2020, the CJEU in the ‘Schrems II’ case (C-311/18) invalidated the EU–US Privacy Shield and said that those who transfer data out of the EEA using the SCCs must review whether the recipient of data abroad can guarantee compliance with EU data privacy law. Both findings were based on the wide rights of US government agencies to access personal data and the lack of judicial redress for non-US citizens.
56 Article 4(12) of the GDPR.
57 One generally distinguishes between a confidentiality breach, an availability breach or an integrity breach.
58 Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union.
59 The ePrivacy Directive also provides for exceptions but these are quite restrictive.
60 eg, Australia, Brazil, South Korea or California and Nevada in the United States.