GDPR Articles With Commentary & EU Case Laws by Adv. Prashant Mali (best novels to read for beginners txt) đź“–
- Author: Adv. Prashant Mali
Book online «GDPR Articles With Commentary & EU Case Laws by Adv. Prashant Mali (best novels to read for beginners txt) 📖». Author Adv. Prashant Mali
Scope of Directive 95/46:
Google Spain is an “establishment” within the meaning of Article 4(1)(a). It engages in the effective and real exercise of activity through stable arrangements in Spain, and is a subsidiary of Google Inc. on Spanish territory.
The processing of personal data by the controller is also “carried out in the context of the activities” of an establishment, even though Google Spain is not involved in the processing at issue (which is carried out exclusively by Google Inc.) but rather only in advertising in Spain. Article 4(1)(a) does not require that the processing in question be carried out “by” the establishment concerned, but only “in the context of the activities” of the establishment. In light of the objective of effective protection of fundamental rights, those words cannot be interpreted restrictively. The activities of the search engine and those of its establishment in the Member State are inextricably linked since the activities relating to the advertising space constitute the means of rendering the search engine economically profitable and that engine is the means enabling those activities to be performed.
Data subject rights: The non-compliant nature of processing may arise from the breach of any conditions of lawfulness imposed by the Directive, including data quality and legitimacy. Here, the grounds for legitimacy were those specified in
Article 7(f), which permits processing where necessary for the purposes of the legitimate interests pursued by the controller or third party to whom the data are disclosed, except where such interests are overridden by the interests or fundamental rights of the data subject. This requires a balancing of interests. Balancing provided in Article 14 allows account to be taken of all circumstances surrounding the data subject’s particular situation.
Interest of the data subject: The search of the individual’s name enables any internet user to obtain, through a list of results, a structured overview of the information relating to that data subject that can be found on the internet. This may potentially concerning a vast number of aspects of his private life enabling a detailed profile. Without the search engine, this data could not have been interconnected or only with great difficulty. The interference with the rights of the data subject is heightened because of the important role played by the Internet and search engines in modern society.
The interests of the search engine: These are economic interest, which cannot justify the potential seriousness of the interference with the data subject’s rights.
Interests of the internet users: The data subjects’ rights generally override those of internet users, but the balance may depend on the nature of the information in question and its sensitivity for the data subject’s private life and on the interest of the public in having that information, which may vary by the role played by the data subject in public life. The interference may be justified by the preponderant interests of the general public in having access to the information.
The Supervisory authority or judicial authority may order the search engine operator to remove the link from the list of results without presupposing the previous or simultaneous removal of the underlying information from the web page on which it was published. Requiring the data subject to obtain erasure from web pages would not provide effective and complete protection of data subject, especially because publishers may not be subject to EU data protection law or publication may be carried out “solely for journalistic purposes” and thus benefit from derogation. Further, balancing would be different for processing by the search engine and processing by the web publisher.
Right of erasure: The search engine operator must erase information and links concerned in the list of results if that information appears, having regard to all circumstances of the case, to be inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes of the processing at issue carried out by the operator of the search engine. Here, having regard to the sensitivity for data subject’s private life of information contained in announcements and the fact that the initial publication occurred 16 years earlier, the data subject has established that the links should be removed.
C-141/12 AND C-372/12, MINISTER VOOR IMMIGRATIE V. M, 17.7.2014 (“M”)
Reference for a preliminary ruling by the Rechtbank Middelburg and the Raad van State. Several third country nationals applied for a residence permit for a fixed period in the Netherlands. One applicant asked for a residence permit for a fixed period, which was denied, the other asked for the same, which was granted. Both asked for a copy of the minute, which explained the decision, and both were denied access.
Questions referred (partial listing): (1) Whether the second indent of Article 12(a) of Directive 95/46 should be interpreted to mean that there is a right to a copy of documents in which personal data have been processed, or is it sufficient if a full summary, in an intelligible form, of such data is provided; (2) Whether the words “right of access” in Article 8(2) CFR should be interpreted to mean there is a right to a copy of documents; (3) Whether a legal analysis, as set out in a “minute”, can be regarded as personal data; (4) Whether protection of the rights and freedoms of others under Article 13(1)(g) of Directive 95/46 can cover the interest in an internal undisturbed exchange of views within the public authority concerned.
Definition of personal data: The data relating to the applicant for a residence permit included in the minute (applicant’s name, DOB, nationality, gender, ethnicity, religion and language) constitute personal data. The legal analysis in the minute may contain personal data but it does not in itself constitute such data. The legal analysis is not information relating to the applicant, but at most, in so far as not limited to a purely abstract interpretation of the law, is information about the assessment and application by the competent authority of that law to the applicant’s situation. This interpretation is consistent with the language of Article 2(a) and the objective and general scheme of Directive 95/46.
Right of access: Regarding the right of access, protection of the fundamental right to respect for private life means that the data subject may be certain that the personal data concerning him are correct and that they are processed lawfully. It is in order to carry out the necessary checks that the data subject has, under Article 12(a), a right of access, which is necessary to obtain rectification, erasure or blocking of his data (Article 12(b)). The legal analysis is not in itself liable to be the subject of a check of its accuracy by the applicant and rectification, while the facts are. Moreover, the right of access is not designed to ensure the greatest possible transparency of the decision-making process of public authorities and to promote good administrative practices (as is the case for the right of access to documents).
To comply with the right of access under Article 12(a) and Article 8(2) of CFR, it is sufficient for the applicant to be provided with a full summary of those data in an intelligible form, that is, a form which allows him to become aware of those data and to check that they are accurate and processed in compliance with the Directive. He need not be given a copy of the documents.
C-288/12, COMMISSION V. HUNGARY, 8.4.2014 (“HUNGARY”)
Infringement procedure against Hungary for failure to fulfil obligations under Article 258 TFEU. Mr. J was appointed for 6 years as DPA. However, pursuant to transitional measures related to revision of data protection law, Hungary prematurely ended his term and appointed a new DPA for 9 years.
Independence of DPA: Establishment in a Member State of an independent supervisory authority is an essential component of the protection of individuals with regard to the processing of personal data. Operational independence of supervisory authorities, in that members are not bound by instructions of any kind in the performance of their duties, is an essential condition that must be met to respect the independence requirement, but this is not sufficient.
The mere risk that the state could exercise political influence over decisions of a supervisory authority is enough to hinder independence. If it were permissible for the Member State to compel the supervisory authority to vacate office before serving his/her full term, even if this comes about as a result of restructuring or changing of the institutional model, the threat of such premature termination could lead the supervisory authority to enter into a form of prior compliance with the political authority. This is incompatible with the requirement of independence, and the supervisory cannot be regarded as being able to operate above all suspicion of partiality. Member States are free to adopt or amend the institutional model they consider most appropriate for supervisory authorities. However, they must ensure that the independence of the authority is not compromised, which entails the obligation to allow that authority to serve his/her full term.
1.22. C-291/12, SCHWARZ V. BOCHUM, 17.10.2014 (“SCHWARZ”)
Reference for a preliminary ruling by the Verwaltungsgericht Gelsenkirchen (Germany). Applicant applied to Stadt Bochum for a passport, but refused to have his fingerprints taken, and Stadt therefore refused his application. He brought an action before the referring court to have a passport issued without taking his fingerprints.
Questions referred (partial listing): Is Article 1(2) of Regulation 2252/2004 to be considered valid, on the ground that it breaches certain fundamental rights of the holders of passports issued in accordance with that provision.
Definition of personal data: Fingerprints constitute personal data, as they objectively contain unique information about individuals which allows them to be identified with precision.
Definition of processing: Taking and storing fingerprints constitute processing.
Articles 7 and 8 CFR: Taking and storing of fingerprints by national authorities, governed by Article 1(2) of Regulation 2252/2004, constitute a threat to the rights of respect for private life and protection of personal data.
Article 52(1) allows for limitations on exercise of rights in Articles 7 and 8 CFR as long as limitations are provided for by law, respect the essence of those rights, and respect proportionality (necessary and genuinely meet objectives of general interest recognised by EU or need to protect rights and freedoms of others). Here, taking of fingerprints for passports is provided by Regulation 2252/2004 to prevent falsification of passports and fraudulent use thereof, and illegal entry into the EU. Therefore, the provision pursues an objective of general interest recognised by the EU.
Consent: It is essential for citizens of the EU to own a passport in order to travel to a third country, and a passport must contain fingerprints. Therefore, citizens are not free to object to processing of their fingerprints, and thus persons applying for passports cannot be deemed to have consented to that processing.
Necessity/proportionality: Storage of fingerprints on a highly secure storage medium is likely to reduce risk of passports being falsified and to facilitate the work of the authorities responsible for checking the authenticity of passports at EU borders, although it is not wholly reliable. Thus, it is appropriate.
The action involves taking
Comments (0)