GDPR Articles With Commentary & EU Case Laws by Adv. Prashant Mali (best novels to read for beginners txt) 📖

for the implementation of this Regulation, implementing powers should be conferred on the Commission when provided for by this Regulation. Those powers should be exercised in accordance with Regulation (EU) No 182/2011. In that context, the Commission should consider specific measures for micro, small and medium-sized enterprises.

 

Implementing acts on standard contractual clauses

The examination procedure should be used for the adoption of implementing acts on standard contractual clauses between controllers and processors and between processors; codes of conduct; technical standards and mechanisms for certification; the adequate level of protection afforded by a third country, a territory or a specified sector within that third country, or an international organisation; standard protection clauses; formats and procedures for the exchange of information by electronic means between controllers, processors and supervisory authorities for binding corporate rules; mutual assistance; and arrangements for the exchange of information by electronic means between supervisory authorities, and between supervisory authorities and the Board.

 

Immediately applicable implementing acts

The Commission should adopt immediately applicable implementing acts where available evidence reveals that a third country, a territory or a specified sector within that third country, or an international organisation does not ensure an adequate level of protection, and imperative grounds of urgency so require.

 

Principle of subsidiarity and principle of proportionality

Since the objective of this Regulation, namely to ensure an equivalent level of protection of natural persons and the free flow of personal data throughout the Union, cannot be sufficiently achieved by the Member States and can rather, by reason of the scale or effects of the action, be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union (TEU). In accordance with the principle of proportionality as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve that objective.

 

Repeal of Directive 95/46/EC and transitional provisions

Directive 95/46/EC should be repealed by this Regulation. Processing already under way on the date of application of this Regulation should be brought into conformity with this Regulation within the period of two years after which this Regulation enters into force. Where processing is based on consent pursuant to Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of this Regulation, so as to allow the controller to continue such processing after the date of application of this Regulation. Commission decisions adopted and authorisations by supervisory authorities based on Directive 95/46/EC remain in force until amended, replaced or repealed.

 

Consultation of the European Data Protection Supervisor

The European Data Protection Supervisor was consulted in accordance with Article 28(2) of Regulation (EC) No 45/2001 and delivered an opinion on 7 March 2012.

 

Relationship to Directive 2002/58/EC

This Regulation should apply to all matters concerning the protection of fundamental rights and freedoms vis-à-vis the processing of personal data which are not subject to specific obligations with the same objective set out in Directive 2002/58/EC of the European Parliament and of the Council¹, including the obligations on the controller and the rights of natural persons. In order to clarify the relationship between this Regulation and Directive 2002/58/EC, that Directive should be amended accordingly. Once this Regulation is adopted, Directive 2002/58/EC should be reviewed in particular in order to ensure consistency with this Regulation.

* * *

 

APPENDIX 2: EU/ EEA NATIONAL SUPERVISORY AUTHORITIES

 

c

Country

National          Data         Protection Authority

Website

1

United Kingdom

The     Information      Commissioner’s Office

https://ico.org.uk

2

Austria

Österreichische Datenschutzbehörde

www.dsb.gv.at

3

Belgium

Commission de la protection de la vieprivĕe

www.privacycommission.be

4

Bulgaria

Commission       for    Personal      Data Protecton

www.cpdb.bg

5

Croatia

Croatian Personal Data Protection

www.azop.hr

6

Cyprus

Commissioner for Personal Data Protection

www.dataprotection.gov.cy

7

Czech Republic

The     Officer     for    Personal      Data Protection

www.uoou.cz

8

Denmark

Datatilsynet

www.datatilsynet.dk

9

Estonia

Estonian           Data          Protection Inspectorate                  (Andmekaitse Inspektsioon)

www.aki.ee/en

10

Finland

Office     of    the     Data     Protection Ombudsman

www.tietosuoja.fi/en

11

France

Commission            Nationale           de I’Informatique et des Libertĕs - CNIL

www.cnil.fr

12

Germany

Der Bundesbeauftragte für den Datenschutz               und              die Informationsfreiheit

www.bfdi.bund.de

13

Greece

Hellenic Data Protection Authority

www.dpa.gr

14

Hungry

Data Protection Commissioner of Hungry

www.naih.hu

15

Iceland

Icelandic Data Protection Agency

http://personuvernd.is

16

Ireland

Data Protection Commissioner

http://www.dataprotection.ie

17

Italy

Garante per la protezione dei dati personali

www.garanteprivacy.it

18

Latvia

Data Sate Inspectorate

www.dvi.gov.lv

19

Liechtenstei n

Data Protection Office

www.dss.llv.li

20

Lithuania

State Data Protection

www.ada.lt

21

Luxembourg

Commission       Nationale      pour     la Protection des Donnĕes

www.cnpd.lu

22

Malta

Office     of    the     Data     Protection Commissioner

www.dataprotection.gov.mt

23

Netherland

Authoriteit Persoonsgegevens

https://authoriteitpersoonsgegevens.nl

 

     

24

Norway

Datatillsynet

www.datatilsynet.no

25

Poland

The Bureau of the Inspector General for the Protection of Personal Data – GIODO

www.giodo.gov.pl

26

Portugal

Comissão Nacional de Proteҫão de Dados - CNPD

www.cnpd.pt

27.

Romania

The National Supervisory Authority for Personal Data Processing

www.dataprotection.ro

28

Slovakia

Office for Personal Data Protection of the SlovakRepublic

www.dataprotection.gov.sk

29

Slovenia

Information Commissioner

www.ip-rs.si

30

Spain

Agencia de Protecciόn de Datos

www.agpd.es

31

Sweden

Datainspektionen

www.edoeb.admin.ch

32

Switzerland

Data Protection and Information Commissioner of Switzerland

www.edoeb.admin.ch

33

European Union

European Data Protection Supervisor

www.edps.europa.eu/EDPSWEB

 

 

APPENDIX 3: LOOPHOLES IN GDPR

The EU General Data Protection Regulation (GDPR) is an impressive act of legislation. Some people call it a great law.

The GDPR sets out to provide individuals with protection of their personal data. Secondary goals are to balance the rights of individuals against other rights (including public interest) and to ensure a consistent rule of law for personal data throughout the EU. These goals had to be translated into words that can be legally enforced. The law has ended up with a lot of words — more than 55,000 — the result of four years of negotiations between the many interested parties. Naturally, there are imperfections. Some businesses and others don’t like the law and would prefer to avoid it when they can. They will be exploring the imperfections, looking for loopholes.

 

FIVE LOOPHOLES — SUMMARY

‘Controllers’ outside the EU

The GDPR is meant to protect people in the EU when their personal data is controlled by organisations outside the EU, but it may not. Weaknesses in the wording of the law give the chance for organisations to collect data and ignore the GDPR. Once data ‘escapes’ from the GDPR, it can be passed on to others without legal protection. The GDPR states a couple of times in its recitals that protection of personal data of natural persons should take place “whatever their nationality or residence”. The previous data protection directive covered any organisation processing personal data in the EU but did not guarantee the protection of every person in the EU (when their data was processed by an organisation outside the EU). The authors of the GDPR set out to change this, to cover any organisation in the EU that handles personal data and any individual in the EU whose personal data is handled by an organisation, wherever that organisation is based.

The reasoning is obvious. An individual can enter a website and give their personal data, without knowing where their data will be processed. The legislators wanted to give people the assurance that EU law would protect them in all cases.

Take the analogy of going to buy something at a shop in the EU. The purchaser is protected by EU consumer law and doesn’t have to think twice about it — the shopkeeper cannot say “this product is from India and therefore we apply Indian laws of product safety and consumer rights”. The GDPR has set out to create the same situation in the online world: you are protected, full stop.

The devil is in the detail, in the wording of the law. The GDPR states that its territorial scope includes the processing of personal data of someone in the EU by organisations outside, “where the processing activities are related to the offering of goods or services” to that person. The phrase “the offering of goods or services” is subject to different interpretations.

 

 

You could reasonably ask, why doesn’t the regulation just say “related to the marketing or supply of goods or services” or perhaps even simpler “related to a data subject in the EU”? However, the GDPR was written by lawyers and this wording of “offering” originates from legalese applied in the context of EU competition law. There is ample case law regarding its interpretation, based on the definition of “undertaking” meaning an entity that carries on an “economic activity” and that the measure of an economic activity is “offering goods or services” (even if no payment occurs). The case law shows a broad interpretation of “offering goods or services” to cover sales, supply and even purchasing.

Therefore, the original drafters who decided to put in the words “offering goods or services” probably intended to cover any marketing or commercial activity that engages an individual in the EU (with the words “irrespective of whether a payment of the data subject is required” added later in the drafting process to ensure that it covers the new business models of online services such as social media).

Nevertheless, when the regulation was negotiated — and there was a lot of lobbying —

 words were added to a recital (the ‘contextual’ paragraphs before the main articles of the regulation) which took a different point of reference for interpreting “offering goods or services”. Guided perhaps by the idea that an “offer” takes place before any transaction, the following words were added to Recital 23:

In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union. Whereas the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.

This wording says that the test is based on whether the organisation “envisages” offering goods and services, not on whether it does in fact offer, or supply, or simply obtain personal data.

This wording originates from a legal judgment that determines in which jurisdiction within the EU (in other words, in which EU country) a case should be heard in a court of law. This case, combining two different actions known as Pammer and Hotel Alpenhof, was judged in 2010 by the CJEU and therefore forms part of EU case law. However, the nature and effect of this case is quite different from the context used in the GDPR. Firstly, the court was asked to determine in which jurisdiction a court case should be held, not to determine the territorial scope of application of a law. Secondly, the result was to make a defendant’s claim subject to one of two

 

 

alternative member state courts, not to either award or deny the protection of a law. (Note: The GDPR contains explicit provisions for determining the jurisdiction, both for administrative and