
European Data Protection Law in Practice

A Practitioner's Guide
Authors:
Publisher:
 2025

Summary

The Practitioner’s Guide clearly explains European data protection law in practice. It provides operators, especially in companies and consultancies, data protection and compliance officers, works council members, HR managers and lawyers, with the necessary updates to draw the right conclusions for the corporate organisation. Written in a comprehensible manner, supplemented by numerous examples and references, and consistently aligned with the case law of the ECJ, the authors explain how the (new) regulations affect the practical implementation of the GDPR:

- The new EU-U.S. Data Privacy Framework in the everyday business setting
- Artificial intelligence and data protection
- The new obligations under the Whistleblower Protection Directive
- Cookies and co.: Implementing the requirements of the ePrivacy Directive


Bibliographic data

Copyright year
2025
ISBN-Print
978-3-7560-1744-7
ISBN-Online
978-3-7489-4406-5
Publisher
Nomos, Baden-Baden
Language
English
Pages
343
Product type
Comment

Table of contents

Chapter Pages
  1. Front matter/Table of contents Pages I - XVIII
    1. A. General
        1. 1. Processing of data
        2. 2. Storage in a filing system for non-automated processing
            1. aa) Anonymous data
            2. bb) Pseudonymised data
            3. cc) Encrypted data
          1. b) Natural person
      1. II. Personal scope
            1. aa) Effective and actual exercise of an activity
            2. bb) Processing in the context of the establishment’s activities
            3. cc) Place of processing
            1. aa) Offer of goods and services
            2. bb) Behavioural observation
          1. c) Processing outside the scope of Art. 3 para. 2 GDPR
          1. a) Domicile principle
          2. b) Territoriality principle
            1. aa) Art. 8 para. 1
            2. bb) Art. 9 para. 2 letter a
          3. d) Choice of law clauses
        1. 1. Opening clauses in individual regulations
        2. 2. Processing in the employment context
          1. a) Data minimisation and right to object
          2. b) Privileges
        3. 4. Delegated acts and implementing acts of the EU Commission
        4. 5. General Data Protection Regulation and ePrivacy Directive
      2. V. Processing principles and accountability obligation
          1. a) Form of consent
          2. b) Opt-in or opt-out?
          3. c) Transparency
          4. d) Withdrawal of consent
            1. aa) Dependency relationship
            2. bb) Separation rule
            3. cc) Prohibition of coupling
          5. f) Consent of children
          6. g) Temporal validity of consent
        1. 2. Performance of a contract and pre-contractual measures (Art. 6 para. 1 sentence 1 letter b GDPR)
        2. 3. Legal obligation (Art. 6 para. 1 sentence 1 letter c GDPR)
        3. 4. Processing for the protection of vital interests (Art. 6 para. 1 sentence 1 letter d GDPR)
        4. 5. Processing in the public interest or in the exercise of official authority (Art. 6 para. 1 sentence 1 letter e GDPR)
        5. 6. Processing after balancing of interests (Art. 6 para. 1 sentence 1 letter f GDPR)
        6. 7. Further processing for a different purpose (Art. 6 para. 4 GDPR)
        7. 8. Direct marketing and address data trading
        8. 9. Video surveillance
        1. 1. Balancing of interests in the case of a children’s data (Art. 6 para. 1 sentence 1 letter f GDPR)
          1. a) Information society services
          2. b) Offer aimed directly at children
            1. aa) Age limits
            2. bb) Documentation obligation
            3. cc) Practical implementation
            4. dd) General contract law
            5. ee) Other consents of children
      1. I. General processing ban
        1. 1. Consent (Art. 9 para. 2 letter a GDPR)
        2. 2. Processing for archiving, historical, statistical and scientific purposes (Art. 9 para. 2 letter j GDPR)
      2. III. Professional secrecy of data concerning health (Art. 9 para. 2 letter h GDPR in connection with Art. 9 para. 3 GDPR)
      3. IV. Opening clause (Art. 9 para. 4 GDPR)
    1. C. Data on criminal convictions and offences (Art. 10 GDPR)
    2. D. Protection of freedom of expression and freedom of information
    3. E. Processing without identification (Art. 11 GDPR)
        1. 1. Scope of Art. 22 para. 1 GDPR
        2. 2. Authorisation of automated decision-making in individual cases
        3. 3. Obligations of the controller
        1. 1. Concept of profiling
          1. a) Scoring and credit agencies
          2. b) Lawfulness of profiling
          3. c) Obligations in profiling
      1. I. Purpose of storing and reading information on the end device
      2. II. Permissibility of storing or reading information on the end device
      3. III. Practical implementation
    4. H. Paying with data for consumer contracts
    1. A. Ratio of information obligations
          1. a) Contact details (Art. 13 para. 1 letters a and b GDPR, Art. 14 para. 1 letters a and b GDPR)
          2. b) Statement of legitimate interests (Art. 13 para. 1 letter d, Art. 14 para. 2 letter b GDPR)
          3. c) Notification of recipients or categories of recipients (Art. 13 para. 1 letter e GDPR, Art. 14 para. 1 letter e GDPR)
          1. a) Right to object (Art. 13 para. 2 letter b GDPR, Art. 14 para. 2 letter c GDPR)
          2. b) Withdrawal of consent (Art. 13 para. 2 letter c GDPR, Art. 14 para. 2 letter d GDPR)
          3. c) Automated decision-making and profiling
          4. d) Change of purpose
        1. 3. No direct collection/third party collection
        1. 1. Exceptions in Art. 13 para. 4 GDPR (Art. 14 para. 5 GDPR)
        2. 2. Exceptions under national law
      1. III. Timing of the information
          1. a) Written and other form
          2. b) Oral
        1. 2. Form (style)
        2. 3. Pictograms
        3. 4. Language
      2. V. Costs
      3. VI. Overview of information obligations
    2. C. Infringements
    1. A. Overview
        1. 1. Reasonable means of identity verification
        2. 2. No retention of identification data
        1. 1. Form of transmission of messages
        2. 2. Facilitation of the exercise
        3. 3. Procedure and deadlines
        4. 4. Non-remuneration and misuse fee
        1. 1. Concretisation of the request for information
        2. 2. Provision in a common electronic format
          1. a) Rights and freedoms of third parties
          2. b) Restrictions imposed by national law
        1. 1. Content of the access
        2. 2. Provision of multiple copies
      1. III. Access from medical records
      1. I. Correction of inaccurate personal data
      2. II. Completion of accurate personal data
      3. III. Burden of proof and evidence
      1. I. Requirements for the right to restriction
      2. II. Consequences of the right to restriction
      3. III. Exceptions to the right to restriction
      4. IV. Burden of proof and evidence
      1. I. Ratio
      2. II. Scope
      3. III. Direct transfer to other controllers
      4. IV. Technical requirements
      5. V. Restrictions and exceptions
        1. 1. General right to object due to a special situation
        2. 2. Right to object to direct marketing
        3. 3. Exercise by means of automated processes
      1. II. Consequences of the objection
      2. III. Burden of proof and evidence
    1. A. General
      1. I. Natural or legal person
        1. 1. Legal attribution
        2. 2. Actual influence
        1. 1. Conditions for joint control
        2. 2. Legal consequences
        1. 1. Processing for traditionally external specialised services
        2. 2. Processing as an accessory to a main service
        3. 3. Incidental processing in the provision of a main service
        4. 4. Processing for IT testing or maintenance services
        5. 5. Processing by entities with special responsibilities
      1. II. Obligations of the processor
      2. III. Lawfulness of processing by a processor
      3. IV. Selection of the processor
      4. V. Formal requirements of processing by a processor
        1. 1. Instructions
        2. 2. Confidentiality
        3. 3. Use of other processors (subcontractors)
        4. 4. Termination of the mandate
        5. 5. Checks and inspections
      5. VII. Consequences of infringements
    2. D. Micro, small and medium-sized enterprises
    3. E. Representative
    1. A. General
      1. I. General
      2. II. EU-US Data Privacy Framework
        1. 1. Content requirements
        2. 2. Authorisation procedure
      1. II. Standard data protection clauses
      2. III. Approved codes of conduct and certification procedures
      3. IV. Other approved contracts
        1. 1. Effectiveness of the transfer instrument
        2. 2. Selection and application of additional measures
    2. D. Judgements and decisions from third countries (Art. 48 GDPR)
      1. I. Consent
      2. II. Contractual obligations
      3. III. Legal disputes
      4. IV. Catch-all provision (Art. 49 para. 1 subpara. 2)
    1. A. Overview
        1. 1. Overview of reasons for erasure
        2. 2. Omission of the processing purpose
        3. 3. Withdrawal of consent
        4. 4. Objection to processing
        5. 5. Unlawful processing
        6. 6. Data collected from children in relation to information society services
        1. 1. Erasure of personal data
        2. 2. Right to be forgotten in the narrower sense
        3. 3. Notification to recipients and right of access (Art. 19 GDPR)
      1. III. Exceptions to the right to erasure
      2. IV. Burden of proof
      3. V. Processing of erasure requests in practice
      1. I. Overview
        1. 1. Compliance with sets of rules when creating erasure concepts
        2. 2. Technical and organisational measures for performance of erasure
        3. 3. Defining the responsibility for creating the erasure concept
        4. 4. Time for the creation of the erasure concept
        5. 5. Steps for creating the erasure concept
        6. 6. Procedure for the implementation of erasure concepts
        7. 7. Defining the responsibility for implementing the erasure concept
        8. 8. Updating the erasure concept
        1. 1. Determination of the retention periods
        2. 2. Definition of erasure rules and erasure classes
      2. IV. Documentation of the performed erasure
      3. V. Control of the performed erasure
      4. VI. Obligations of the processor to erase
    1. A. Role of the data protection officer
        1. 1. Designation obligation under the General Data Protection Regulation
        2. 2. Designation obligation under Union or Member State law
          1. a) Designation by parent company
          2. b) Easy accessibility from all establishments
        3. 4. Internal and external data protection officer
        4. 5. Publication and communication of contact details
        1. 1. Expert knowledge
        2. 2. Ability to fulfil tasks
      1. I. Obligation of the controller or processor to provide support
        1. 1. Freedom from instructions
        2. 2. Non-discrimination
        3. 3. Reporting obligation to the highest management level
      2. III. Maintaining secrecy or confidentiality
      3. IV. Contact persons for data subjects
      1. I. Monitoring data protection compliance
      2. II. Cooperation with the supervisory authority
      3. III. Risk-based performance of the tasks
    2. E. Liability of the data protection officer
        1. 1. Addressees of the provision
          1. a) Data protection by design
          2. b) Data protection by default
        1. 1. Regulatory addressees
        2. 2. Content requirements
      1. III. Practical implementation
      1. I. Subject of certification
      2. II. Certification standard
      3. III. Certification procedure
      4. IV. Certification body
        1. 1. Facilitation of proof for obligations under the General Data Protection Regulation
        2. 2. Legal consequences of infringements
        1. 1. Notifiable events
        2. 2. Notification period
        3. 3. Content and form of the notification and other documentation obligations
        4. 4. Support obligation of the processor
          1. a) Extent of potential damage
          2. b) Likelihood of potential damage
        1. 2. Communication period
        2. 3. Content and form of communication
        3. 4. Exceptions to the obligation to communicate
      1. I. Regulatory addressees
          1. a) Statutory rule examples
          2. b) Lists of supervisory authorities
        1. 2. Exemption from impact assessment for certain processing situations
          1. a) Preparation phase
          2. b) Assessment phase
          3. c) Measure phase
        1. 2. Summary of similar processing operations
        2. 3. Documentation
        3. 4. Codes of conduct
        4. 5. Involvement of the data protection officer
        5. 6. Involvement of the supervisory authority
          1. a) Where appropriate
          2. b) No conflicting commercial or security interests
        6. 8. Review
      1. I. Records of the controller
      2. II. Records of the processor
      1. I. Authorised bodies
      2. II. Subject of codes of conduct
      3. III. Authorisation procedure
      4. IV. Monitoring by private monitoring bodies
        1. 1. Binding effect for supervisory authorities
        2. 2. Facilitation to demonstrate compliance under the General Data Protection Regulation
        3. 3. Legal consequences of infringements of codes of conduct
      1. I. Possible scope of “more specific regulations” in the employment context
      2. II. Limits to the content of “more specific regulations”
      1. I. Processing for the detection of criminal offences
      2. II. Secret processing
      1. I. Content requirements
      2. II. Limits of collective agreements
    1. A. General
    2. B. European Data Protection Board
    3. C. Tasks of the supervisory authorities
    4. D. Cooperation of controllers and processors with supervisory authorities
      1. I. Investigative powers
      2. II. Corrective powers
      3. III. Authorisation and advisory powers
          1. a) Determination of the lead supervisory authority
          2. b) Several establishments or one establishment in the Union
          3. c) Deviating jurisdiction for matters in one Member State
        1. 2. One-stop shop
        1. 1. Procedure under the responsibility of the lead supervisory authority
        2. 2. Mutual assistance and joint operations
        3. 3. Urgency procedure
      1. III. Consistency mechanism
      1. I. Infringement
      2. II. Damage
      3. III. Claimant
      4. IV. Liable parties
      5. V. Responsibility and possibility of exculpation
      6. VI. Joint and several liability
        1. 1. Injunctive relief and claims for removal by data subjects
        2. 2. Injunctive relief and claims for removal by competitors
        1. 1. Discretion of the supervisory authorities
        2. 2. Categories of infringements and fines
        3. 3. Fines for groups of undertakings
      1. II. Penalties by the Member States
        1. 1. Right to lodge a complaint
          1. a) Proceedings against supervisory authorities
          2. b) Proceedings against controllers or processors
      1. II. Remedies of controllers, processors, et al.
        1. 1. Representation of data subjects
        2. 2. Right to lodge a complaint by organisations or associations
      2. IV. Suspension of proceedings
      3. V. Remedies against EDPB decisions
      1. I. Definitions
      2. II. AI laws
      3. III. Applicability of data protection laws
      4. IV. Roles and responsibilities
      5. V. AI in the employment relationship
      1. I. Lawfulness of the data processing
      2. II. Further data protection principles
      1. I. Data protection by design
      2. II. Data security
      3. III. Data protection impact assessment
    1. D. Rights of the data subject
  2. Index Pages 331 - 343
