Law
Read books online » Law » GDPR Articles With Commentary & EU Case Laws by Adv. Prashant Mali (best novels to read for beginners txt) 📖

Book online «GDPR Articles With Commentary & EU Case Laws by Adv. Prashant Mali (best novels to read for beginners txt) 📖». Author Adv. Prashant Mali



1 ... 7 8 9 10 11 12 13 14 15 ... 71
Go to page:
of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.

Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

Suitable Recitals

Right to object; (70) Right to object to direct marketing.

COMMENTARY:

According to Article 21 of the Regulation, the right to object may be exercised on grounds relating to the data subject’s particular situation and for processing based on:

Article 6 (1), e), i.e., “the processing is necessary to the performance of a task in the public interest or in the exercise of the official authority vested in the controller”;

Article 6 (1), f), i.e., when the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

It should be noted in extreme is that these assumptions included the profiling done on these grounds. In other words, the right to object, as it was initially provided for in the Directive, can be invoked in both cases of lawfulness of processing covered and not, for example, when the processing is based on the data subject’s consent. While the Directive to the Member States provides at least the application of the right to object in these two cases of processing, the Regulation seems opposed to the extension of the scope of the right to object any further, as provided for in some national laws under the Directive.

This restriction seems to be partially compensated by the possibility to withdraw the consent to processing at any time, which will require the controller to refuse to continue the processing, knowing that the withdrawal of consent does not question the lawfulness of the processing prior to the withdrawal (Art. 7 (3)). Furthermore, the controller may refuse to implement the right to object of the data subject when

establishing the existence of compelling and legitimate grounds justifying the processing, which take priority over the data subject’s interests or rights and freedoms, or for the recognition, exercise or defence of a legal right. The Regulation also provides that the data subject may object at any time the processing of their personal data for marketing purposes, including profiling done for this purpose (Art. 21 § 2).

The existence of these rights to object must be brought to the knowledge of the data subject, clearly and separately from any other information, at the time of the first communication with the data subject at the latest. The notification can be made by automated means as part of an offer of the use of an information society service and notwithstanding the Directive 2002/58/EC. Finally, the controller may refuse to proceed with the right to object of the data subject when the data are processed for historical, statistical or scientific purposes in the meaning of Article 89, if he or she can demonstrate that the processing is necessary for the performance of a task of public interest.

The right to object by the person concerned by a processing of personal data was already provided by Article 14 of the Directive. Such right allowed any person to object to the processing of his or her data, by referring to "compelling legitimate grounds relating to his particular situation", at least when the processing was necessary for the performance of a public controller (Article 7 (e)) or when the processing was based on the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed (Article 7 (f)). In addition, this right allowed anyone to object to the processing of his data for marketing purposes, regardless of the basis for processing.


Art. 22 GDPR Automated individual decision-making, including profiling

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

Paragraph 1 shall not apply if the decision:

Is necessary for entering into, or performance of, a contract between the data subject and a data controller;

Is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or

Is based on the data subject’s explicit consent.

In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9(2)(1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests are in place.

Suitable Recitals

(71) Profiling; (72) Guidance of the European Data Protection Board regarding profiling; (91) Necessity of a data protection impact assessment.

COMMENTARY:

Article 15 of the Directive already recognized the right of individuals not to be subject to a decision which produces legal effects concerning him/her or significantly affects him/her and which is based solely on automated processing of data intended to evaluate certain personal aspects relating to him or her, such as their performance at work, creditworthiness, reliability, conduct, etc. However, exceptions were provided under conditions once the decision was taken as part of the conclusion or performance of a contract or was authorised by a law providing safeguards for the legitimate interest of the person.

Do not impose a decision based solely on automated means, including profiling, which produces legal effects concerning the Data Subject or similarly significantly affects him or her; unless, is necessary for entering into, or performance of a contract between the DC and Data Subject or is based Data Subject’s explicit consent or is authorised by Union or Member State Law.

In any case, such a processing should be subject to suitable safeguards. Which should include at a minimum, the provision of specific information to the Data Subject, the right to obtain human intervention, to the possibility of the Data Subject to express his/her point of view, to obtain an explanation of the decision and to be able to challenge it. This measure should not concern a child.


Section 5: Restrictions Art. 23 GDPR Restrictions

Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:

National security;

Defense;

Public security;

The prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;

Other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation a matters, public health and social security;

The protection of judicial independence and judicial proceedings;

The prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;

A monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in points (a) to (e) and (g);

The protection of the data subject or the rights and freedoms of others;

The enforcement of civil law claims.

In particular, any legislative measure referred to in paragraph 1 shall contain specific provisions at least, where relevant, as to:

The purposes of the processing or categories of processing;

The categories of personal data;

The scope of the restrictions introduced;

The safeguards to prevent abuse or unlawful access or transfer;

The specification of the controller or categories of controllers;

The storage periods and the applicable safeguards taking into account the nature, scope and purposes of the processing or categories of processing;

The risks to the rights and freedoms of data subjects; and

The right of data subjects to be informed about the restriction, unless that may be prejudicial to the purpose of the restriction.

Suitable Recitals

Restrictions of rights and principles.

COMMENTARY:

Restrictions concerning specific principles and the rights of information, access to and rectification or erasure of personal data, the right to data portability, the right to object, decisions based on profiling, as well as the communication of a personal data breach to a data subject and certain related obligations of the controllers may be imposed by Union or Member State law, as far as necessary and proportionate in a democratic society to safeguard public security, including the protection of human life especially in response to natural or manmade disasters, the prevention, investigation and prosecution of criminal offences or the execution of criminal

penalties, including the safeguarding against and the prevention of threats to public security, or of breaches of ethics for regulated professions, other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, the keeping of public registers kept for reasons of general public interest, further processing of archived personal data to provide specific information related to the political behaviour under former totalitarian state regimes or the protection of the data subject or the rights and freedoms of others, including social protection, public health and humanitarian purposes. Those restrictions should be in accordance with the requirements set out in the Charter and in the European Convention for the Protection of Human Rights and Fundamental Freedoms.

Under the Directive (Art. 13), the Member States were already allowed to limit the scope of the rights and obligations provided for in Article 6 on the quality of the data; in Articles 10 and 11 relating to the information to be provided to the data subject; Article 12 on the right to object and article 21 on the publicizing of processing. However such limitations are measures necessary for the implementation of exhaustively listed interests, for example, for ensuring the national security, defense, public security or prevention, investigation, detection and prosecution of criminal offences or of breaches of ethics in the case of the regulated professions.

***

CHAPTER 4: CONTROLLER AND PROCESSOR


Section 1: General obligations

Art. 24 GDPR Responsibility of the controller

Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.

Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller.

Adherence to approved codes of conduct as referred to in Article 40 or approved certification mechanisms as referred to in Article 42 may be used as an element by which to demonstrate compliance with the obligations of the controller.

Suitable Recitals

Responsibility and liability of the controller; (75) Risks to the rights and freedoms of natural persons; (76) Risk assessment; (77) Risk assessment guidelines.

COMMENTARY:

Controller

The term of controller is under both frameworks from high importance, the party who is considered to be controller is responsible for ensuring compliance with the law.

The DPD defines controller in Art.2(d) as: the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by EU or Member State laws, the controller may be designated by those laws. The definition is divided in the elements “determines”, “purposes and means of processing” and “natural person, legal person or any other body” and “alone or jointly with others”. “Determines” shall stem from the factual elements of the circumstances of the case. The questions needed to be asked, to find out if somebody “determines” are: who sets the purposes?, If processing is taking place?, Who initiated it?

In the element of “purposes and means of processing” the

1 ... 7 8 9 10 11 12 13 14 15 ... 71
Go to page:

Free ebook «GDPR Articles With Commentary & EU Case Laws by Adv. Prashant Mali (best novels to read for beginners txt) 📖» - read online now

Comments (0)

There are no comments yet. You can be the first!
Add a comment