GDPR Articles With Commentary & EU Case Laws by Adv. Prashant Mali
- Author: Adv. Prashant Mali
C-614/10, COMMISSION V. AUSTRIA, 16.10.2012 (“AUSTRIA”)
Infringement procedure against Austria, alleging that it incorrectly transposed the second paragraph of Article 28(1) of Directive 95/46 (the requirement for an independent Data Protection Authority (DPA)), insofar as the national legislation does not allow the Data Protection Commission (DSK) to exercise its functions “with complete independence.”
Independence of DPA: By failing to take all measures necessary to ensure that the Austrian national legislation meets the requirement of independence with regard to the DSK, Austria has failed to fulfill its obligations under the second subparagraph of Article 28(1) of Directive 95/46 and Article 8(3) of the EU Charter of Fundamental Rights and Article 16(2) TFEU. The establishment in Member States of independent supervisory authorities is thus an essential component of the protection of individuals with regard to the processing of personal data.
The words “with complete independence” must be given an autonomous interpretation. Supervisory authorities must enjoy an independence which allows them to perform their duties free from external influence, direct or indirect, which is liable to have an effect on their decisions. The fact that DSK has functional independence insofar as its members are “independent and [are not] bound by instructions of any kind in the performance of their duties” is an essential, but not sufficient, condition to protect it from all external influence. Here, the national legislation provides only for the operational autonomy of the supervisory authority, but does not preclude the DSK from performing its duties free from all indirect influence, for the following reasons:
The managing member of the DSK need not always be an official of the Federal Chancellery (although it always has been), and all day-to-day business is thus de facto managed by a federal official, who remains bound by the instructions issued by his employer and is subject to supervision. It is conceivable that the evaluation of the managing member by his hierarchical superior for the purposes of encouraging his promotion could lead to a form of “prior compliance”. Moreover, the Chancellery is subject to the supervision of the DSK, so the DSK is not above all suspicion of partiality. The service-related link between the managing member of the DSK and the Chancellery affects the DSK's independence. The fact that the appointment of the managing member rests on an autonomous decision of the DSK does not protect the independence of the supervisory authority;
The office of the DSK is structurally integrated with the departments of the Federal Chancellery, and all DSK staff are under the authority of the Federal Chancellery and subject to its supervision. The DSK need not be given a separate budget to satisfy the criterion of independence. Member States can provide that the DPA comes under a specified ministerial department. However, the attribution of the necessary equipment and staff to DPAs must not prevent them from acting with complete independence. Here, since they are subject to supervision by the Chancellery, it is not compatible with the requirement of independence.
The Federal Chancellor has the right to be informed of all aspects of the work of the DSK. This precludes the DSK from operating above all suspicion of partiality.
C-614/10, COMMISSION V. AUSTRIA, 16.10.2012 (“AUSTRIA”)
Reference for a preliminary ruling by the Bundesgerichtshof, Germany. The applicant (Probst) is the recipient of internet services supplied by Verizon through, and billed by, Deutsche Telekom. The respondent (mr.nexnet) is the assignee of claims for payment for the supply of internet services by Verizon. The applicant failed to pay some of the charges. The contract between legal predecessors of the respondent and Verizon provided that personal data would be processed exclusively for the purpose of that contract, and deleted immediately thereafter.
Questions referred: Whether Directive 2002/58 permits the passing of traffic data from the service provider to the assignee of a claim for payment in respect of telecommunications services in the case where the assignment effected with a view to the collection of transferred debts includes, in addition to the general obligation to respect the privacy of telecommunications and to ensure data protection as provided for under the applicable legislation, contractual stipulations that: (1) the service provider and assignee undertake to process the personal data only within the framework of their cooperation and exclusively for the purpose of the contract; (2) as soon as the data is no longer required for such purpose, the data will be erased or returned; (3) each contracting party is entitled to check that the other has ensured data protection and security in accordance with the agreement; (4) confidential documents and information transferred may be made accessible only to such employees as required for purposes of performing the contract; (5) those employees are required to maintain confidentiality; (6) on request or termination of the cooperation between the contracting parties, the data will be erased or returned.
Traffic data: Article 6(2) of Directive 2002/58 provides an exception to the confidentiality of communications, stating that traffic data necessary for purposes of subscriber billing and interconnection payments may be processed “up to the end of the period during which the bill may lawfully be challenged or payment pursued.” Thus, the provision covers the processing necessary for securing payment, including debt collection. Article 6(5) provides that traffic data processing authorized by Article 6(2) “must be restricted to persons acting under the authority of [the service] providers of the public communications networks and publicly available electronic communications services handling billing” and “must be restricted to what is necessary” for the purpose of such activity. Thus, the assignee of claims for payment is authorized to process the data on condition that it acts “under the authority” of the service provider and that it processes only traffic data which are necessary for the purpose of recovery of those claims. That provision seeks to ensure that such externalization of debt collection does not affect the level of protection of personal data enjoyed by the user. “Under the authority” must be strictly construed to mean that the assignee acts only on instructions and under the control of the service provider. The contract between the service provider and assignee must contain provisions ensuring the lawful processing of traffic data by the assignee and must allow the service provider to ensure at all times that those provisions are being complied with by the assignee.
C-131/12, GOOGLE SPAIN SL V. AEPD (THE DPA) & MARIO COSTEJA GONZALEZ, 13.5.2014 (“GOOGLE”)
Reference for a preliminary ruling by the Audiencia Nacional (Spain). Mr. G, a Spanish national resident in Spain, sued Google Spain, Google Inc. and La Vanguardia newspaper, alleging that when an internet user entered his name in the Google search engine, he would obtain links to two pages of La Vanguardia newspaper on which an announcement with his name appeared for a real-estate auction connected with attachment proceedings for the recovery of social security debts. He requested inter alia that Google Spain or Google Inc. be required to remove or conceal the personal data relating to him so they ceased to be included in the search results and no longer appeared in the links to La Vanguardia. The DPA granted the request against Google Spain and Google Inc. Information indexed by Google Search following the location and sweeping of websites throughout the world by its web crawlers is stored temporarily on servers whose state of location is unknown. Google provides results with advertising associated with the user’s search terms. The subsidiary Google Spain promotes the sale of advertising in Spain, and was registered as the controller of related processing in Spain.
Questions referred: (1) Whether an “establishment” exists where one or more of the following circumstances arises: the undertaking providing the search engine sets up in a Member State an office or subsidiary to promote and sell advertising space on the search engine, or when the parent designates a subsidiary in that Member State as its representative and controller for two specific filing systems which relate to the data of customers who have contracted for advertising, or when the office or subsidiary forwards to the parent, located outside the EU, requests and requirements addressed to it both by data subjects and DPAs; (2) Whether there is a “use of equipment … situated on the territory of the said Member State” under Article 4(1)(c) of Directive 95/46 when a search engine uses crawlers or robots to locate and index information contained in web pages located on servers in that Member State or when it uses a domain name pertaining to a Member State and arranges for searches and the results to be based on the language of that Member State; (3) Whether the temporary storage of the information indexed by internet search engines is a “use of equipment” under Article 4(1)(c); (4) Whether Directive 95/46 must be applied, in light of Article 8 of the CFR, in the Member State where the centre of gravity of the conflict is located; (5) Does the activity of Google Search fall within the concept of processing in Article 2(b) of Directive 95/46; (6) Whether the undertaking managing Google Search is a controller of the personal data contained in the web pages that it indexes; (7) Whether the DPA can directly impose on Google Search a requirement that it withdraw from its indexes an item of information published by third parties, without addressing itself in advance or simultaneously to the owner of the web page on which that information is located; (8) Whether the obligation of search engines to protect those rights would be excluded when the personal data has been lawfully published by third parties and is kept on the web page from which it originates; (9) Whether the rights of erasure, blocking and objection of Directive 95/46 extend to enabling the data subject to address himself to search engines in order to prevent indexing of the data, published on the third parties’ web pages, invoking his wish that such information should not be known to internet users when he considers that it might be prejudicial to him or he wishes it to be consigned to oblivion, even though it has been lawfully published by third parties.
Definition of processing: The operation of loading personal data on an Internet page must be considered processing (as the court held in Lindqvist). In exploring the internet automatically, constantly and systematically in search of the information which is published there, the operator of a search engine “collects” such data which it subsequently “retrieves”, “records” and “organizes” within the framework of its indexing programmes, “stores” on its servers and, as the case may be, “discloses” and “makes available” to its users in the form of lists of search results, which constitute processing, regardless of the fact that the operator of the search engine also carries out the same operations in respect of other types of information and does not distinguish between the latter and the personal data. This finding is not affected by the fact that those data have already been published on the Internet and are not altered by the search engine. It is not necessary that the personal data be altered. While alteration of personal data constitutes processing under Article 2(b), the other operations mentioned there do not require the alteration of personal data.
The processing done by the search engine operator is distinguished from and in addition to that done by publishers of websites, consisting in loading those data on an Internet page.
Definition of controller: The search engine operator determines the purposes and means of that activity and thus of the processing of personal data that it itself carries out within the framework of the activity and is thus a controller. It would be contrary not only to the clear wording of Article 2(d) and to its objective, which is to ensure through a broad definition of the concept of controller, effective and complete protection of data subjects, to exclude the operator of