General Data Protection Regulation

Prof. Dr. Indra Spiecker gen. Döhmann; Prof. Dr. Vagelis Papakonstantinou; Prof. Dr. Gerrit Hornung; Prof. Paul De Hert

doi:10.5771/9783845276984

Summary

The General Data Protection Regulation has established a uniform European data protection law. The member states must directly apply European law standards and question their own interpretation criteria. The new major commentary on the GDPR is written by leading European lawyers who have extensively analysed the European and transnational academic discourse. The commentaries take into account the existing approaches to interpretation at national level, place them in a European legal environment and thus impress with new arguments that also offer new possibilities in contentious proceedings. The advantages at a glance New European law argumentation patterns for national interpretation and application practice European law classification of the Member States' scope for action, especially the scope of application of the GDPR Focus on current topics: - International data transfer and data processing, also in cloud computing - Right to be forgotten - One-Stop-Shop - Sanctions and supervisory measures - Profiling - Pseudonymisation and anonymisation - Consent and other authorisations for personal data processing by companies - Data protection audit and certification

Keywords

Search publication

Bibliographic data

Copyright year: 2023
ISBN-Print: 978-3-8487-3372-9
ISBN-Online: 978-3-8452-7698-4
Publisher: Nomos, Baden-Baden
Series: Kooperationswerke Beck - Hart – Nomos
Language: English
Pages: 1211
Product type: Comment

Titelei/Inhaltsverzeichnis No access Pages I - XXX
1. 1. 1. a) Legal origins and terminology No access
    2. 1. aa) Automated data processing No access
      2. bb) Necessary juridification of data protection No access
      3. cc) Cross-sectoral nature of data protection law No access
      4. dd) Data protection and the power of knowledge No access
  2. 2. The Population Census decision of the Federal Constitutional Court No access
2. 1. 1. a) Statutory origins and competing national regulatory models No access
    2. b) The influence of Convention 108 of the Council of Europe No access
    3. c) Consolidation and mutual learning processes No access
    4. d) The supranationalisation of data protection law No access
  2. 1. 1. aa) History and systematics of Convention 108 No access
      2. bb) Essential normative content No access
      3. cc) Organisational requirements No access
      4. dd) International data transfers No access
      5. ee) Mutual assistance No access
      6. ff) Modernisation of the Convention No access
      7. gg) Relationship with the Union and ongoing relevance of the Council of Europe’s regulations No access
    2. b) OECD No access
    3. c) United Nations No access
3. 1. 1. a) History No access
    2. b) Main content No access
    3. c) Implementation in national law No access
  2. 2. Further secondary legislation up to the GDPR No access
4. 1. 1. a) Competences Gerrit Hornung and Indra Spiecker gen. Döhmann No access
    2. 1. aa) The global and regional framework No access
      2. bb) EU primary law and the CJEU’s jurisprudence No access
      3. cc) EU secondary law No access
    3. 1. aa) The trigger for comprehensive reform No access
      2. bb) Consultation process No access
      3. cc) Comm draft No access
      4. dd) Mandate of the EP No access
      5. ee) Position of the Council No access
      6. ff) Trilogue No access
      7. gg) Evaluation and outlook No access
  2. 1. a) The GDPR as the core of data protection regulation No access
    2. 1. aa) JHA Directive No access
      2. bb) ePrivacy Directive and proposed ePrivacy Regulation No access
      3. cc) Other legislative measures No access
    3. c) Remaining competences of the Member States: Opening clauses No access
  3. 1. a) General aims and principles of data protection law No access
    2. b) In particular: the relationship between law and technology No access
    3. c) Concretisation of the abstract requirements of the GDPR No access
    4. d) The relationship of the GDPR to international developments No access
  4. 4. The application of the GDPR No access
5. V. Outlook No access
1. 1. I. Objective and function of the provision No access
  2. II. Legislative procedure and preceding regulations No access
  3. III. Systematic structure and position No access
  4. IV. Balance between different legal positions (para. 1) No access
  5. V. Protection of fundamental rights and freedoms (para. 2) No access
  6. VI. No restriction of the free movement of data (para. 3) No access
2. 1. 1. 1. When is data protection law applicable? No access
    2. 2. Legislative history No access
    3. 3. Relation to other provisions No access
  2. 1. 1. a) “Processing” of “personal data” No access
      2. b) Processing wholly or partly by automated means No access
      3. c) Processing other than by automated means No access
      4. d) Technologically neutral protection No access
    2. 1. a) Activity falling outside the scope of Union law (para. 2 lit. a) No access
      2. b) Activities within the scope of Chapter 2 of Title V of the TEU (para. 2 lit. b) No access
      3. c) Purely personal or household activity (para. 2 lit. c) No access
      4. d) Application of the LED; scope delineation between the two legal instruments (para. 2 lit. d) No access
      5. e) The processing of courts and other judicial authorities (recital 20) No access
    3. 3. Ultimate recourse: Convention 108+ and Art. 8 ECHR No access
    4. 4. The processing of personal data by EU organisations (para. 3) No access
    5. 5. The GDPR Relationship with the Directive on electronic commerce (para. 4) No access
3. 1. I. Aim and function of the provision No access
  2. II. Legislative history and predecessor provisions No access
  3. III. Systematic position No access
  4. IV. Law of the Member States No access
  5. 1. 1. a) Existence of an establishment No access
      2. b) Processing in the context of the activities of an establishment No access
      3. c) Applicability for controllers and processors No access
      4. d) Consequences for the applicability of national law and the competence of supervisory authorities No access
    2. 1. aa) Data of data subjects who are in the Union No access
        bb) No establishment in the Union No access
        cc) Irrelevance of the place of technical data processing; transit No access
      2. aa) Offering of goods and services to data subjects in the Union (lit. a) No access
        bb) Monitoring of behaviour in the Union (lit. b) No access
      3. c) Applicability for controllers and processors No access
      4. d) Consequences for the applicability of national law and the competence of supervisory authorities No access
    3. 3. Principle of application by virtue of public international law (para. 3) No access
  6. VI. Applicability of the GDPR in the EEA No access
  7. VII. Choice of law clauses No access
4. 1. I. Overview No access
  2. 1. 1. International instruments No access
    2. 2. The DPD and the legislative process No access
  3. 1. 1. Information No access
    2. 2. Natural person No access
    3. 3. Identification No access
5. 1. 1. 1. Overview: An easily-met criterion for GDPR applicability, that conceals these provisions’ true value No access
    2. 2. Legislative history No access
    3. 3. Relation to other provisions No access
  2. 1. 1. Processing operation or set of operations No access
    2. 2. “Personal data” against “sets of personal data”: An underlying but basic distinction in the GDPR No access
    3. 3. “Whether or not by automated means”; this is however not the time for examination of the means of the processing criterion No access
    4. 4. Processing operations, as listed in the GDPR: The importance of distinguishing among them No access
6. 1. I. Introduction No access
  2. II. Legal background No access
  3. III. Analysis No access
7. 1. I. General overview No access
  2. II. Legislative history No access
  3. III. The three elements of the EU-harmonised definition of profiling No access
  4. IV. The main guarantees specifically related to profiling No access
8. 1. I. General overview No access
  2. II. Legal context and historical developments No access
  3. III. Pseudonymisation and other forms of de-identification No access
  4. IV. Does the Regulation require pseudonymisation? No access
9. 1. 1. 1. Overview: the necessary filter to keep the GDPR scope in balance No access
    2. 2. Background No access
    3. 3. Relation to other provisions No access
  2. 1. 1. A “set of personal data” No access
    2. 2. Structure that permits accessibility through specific criteria No access
    3. 3. A single filing system, regardless of the location of the data No access
10. 1. I. Preliminary remarks No access
  2. II. Legislative history No access
  3. 1. 1. “Natural or legal person, public authority, agency or other body” No access
    2. 2. “Alone or jointly with others” No access
    3. 1. a) “Determines” No access
      2. b) Purposes No access
      3. c) Means No access
      4. d) “Of processing of personal data” No access
    4. 4. Controller determined by Union or Member State law No access
    5. 1. a) CJEU cases No access
      2. b) EDPB and WP 29 guidance No access
11. 1. I. Preliminary remarks No access
  2. II. Legislative history No access
  3. 1. 1. “Natural or legal person, public authority, agency or other body” No access
    2. 2. “Processes personal data” No access
    3. 3. “On behalf of the controller” No access
12. 1. I. Preliminary remarks No access
  2. II. Legislative history No access
  3. 1. 1. The role of the definition in the Regulation No access
    2. 2. “Natural or legal person, public authority, agency or body” No access
    3. 3. “To which the personal data are disclosed” No access
    4. 4. “Whether a third party or not” No access
    5. 5. Public authorities receiving personal data in the framework of a particular inquiry No access
13. 1. I. Preliminary remarks No access
  2. II. Legislative history No access
  3. 1. 1. The role of the definition in the Regulation No access
    2. 2. “Natural or legal person, public authority, agency or body” No access
    3. 3. “Other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data” No access
    4. 4. Third party and recipient No access
14. 1. 1. 1. Substantive elements of consent No access
    2. 2. Capacity to consent No access
    3. 3. Timing of consent No access
    4. 4. Consent, individual autonomy and the right to informational self-determination No access
    5. 1. a) Consent to the use of data as counter-performance in contractual relationships No access
      2. b) Impact of individuals’ consent on the rights of others or the public interest No access
      3. c) Consent and data protection principles No access
  2. 1. 1. Implied and explicit consent No access
    2. 2. The concept of consent in the ePrivacy-Directive No access
  3. 1. 1. a) Processing mandated by law No access
      2. b) Processing carried out by a public authority No access
      3. c) Processing where there is an imbalance of power between the controller and the data subject No access
    2. 2. Granularity of consent No access
    3. 3. Inability to refuse consent without suffering detriment No access
  4. 1. 1. a) Processing for specific purpose(s) No access
      2. b) Granularity No access
      3. c) Clear separation of consent information from information about other matters No access
      4. d) Processing of personal data by different controllers for the same purpose No access
    2. 2. Proxy consent through automated tools No access
  5. 1. 1. a) Minimum information requirements No access
      2. b) Layering No access
      3. c) Application of consumer protection law to consent requests considered to be “unfair” No access
      4. d) Information requirements where there are multiple controllers No access
    2. 2. Formal requirements No access
  6. 1. 1. a) Written or oral statement No access
      2. b) Clear affirmative action No access
      3. c) Consent through acceptance of a pre-formulated consent request No access
    2. 1. a) Inaction as consent No access
      2. b) Consent in an IoT environment No access
  7. VII. Enforcement No access
15. Art. 4(12) Definitions Alexander Dix No access Pages 216 - 218
16. 1. I. Preliminary remarks No access
  2. II. Legislative history No access
  3. 1. 1. “Personal data relating to the inherited or acquired genetic characteristics of a natural person” No access
    2. 2. “Which give unique information about the physiology or the health of that natural person” No access
    3. 3. “Which result, in particular, from an analysis of a biological sample from the natural person in question” No access
17. 1. I. Preliminary remarks No access
  2. II. Legislative history No access
  3. 1. 1. “Personal data resulting from specific technical processing” No access
    2. 2. “Relating to the physical, physiological or behavioural characteristics of a natural person […] such as facial images or dactyloscopic data” No access
    3. 3. “Which allow or confirm the unique identification of that natural person” No access
18. 1. I. Preliminary remarks No access
  2. II. Legislative history No access
  3. 1. 1. “Personal data related to the physical or mental health of a natural person, including the provision of health care services” No access
    2. 2. “Reveal information about his or her health status” No access
19. 1. I. Overview No access
  2. II. Legislative history No access
  3. 1. 1. Establishments in more than one Member State No access
    2. 2. Central administration in the Union No access
    3. 3. Main establishment in the case of a controller, lit. a No access
    4. 4. Main establishment in the case of a processor, lit. b No access
    5. 5. Change of the main establishment No access
    6. 6. Group of undertakings No access
    7. 7. Interaction of a controller and a processor No access
    8. 8. Joint controllers No access
    9. 9. Lack of a central administration in the Union No access
20. 1. I. Introduction No access
  2. II. Legal background No access
  3. III. Analysis No access
21. Art. 4(18) Enterprise Stefan Drewes and Sebastian Bretthauer No access Pages 239 - 239
22. Art. 4(19) Group of undertakings Stefan Drewes and Sebastian Bretthauer No access Pages 240 - 240
23. Art. 4(20) Binding corporate rules Peter Schantz No access Pages 241 - 241
24. Art. 4(21) Supervisory authority Sebastian Bretthauer No access Pages 242 - 243
25. 1. I. Overview No access
  2. II. Legislative history No access
  3. 1. 1. Establishment of the controller or processor on the territory of the Member State of that supervisory authority, lit. a No access
    2. 2. Substantial impact on data subjects residing in the Member State of the supervisory authority, lit. b No access
    3. 3. Submission of a complaint to the supervisory authority, lit. c No access
26. 1. I. Overview No access
  2. II. Legislative history No access
  3. 1. 1. Establishments in more than one Member State, lit. a No access
    2. 2. Establishment in one Member State with a substantial impact on data subjects in more than one Member State, lit. b No access
    3. 3. Ratio of exclusivity between lit. a and lit. b No access
27. 1. I. Aims, history, systematic No access
  2. II. Individual interpretation of the provision No access
28. 1. I. General overview No access
  2. II. Legislative history No access
  3. 1. 1. Service normally provided for remuneration No access
    2. 2. Service provided at a distance by electronic means No access
    3. 3. Individual request of a recipient of services No access
29. 1. I. Legal background No access
  2. II. Analysis No access
1. 1. I. Aim and function of the provision No access
  2. II. Legislative history No access
  3. III. Systematic position No access
  4. IV. Importance of the data protection principles No access
  5. 1. 1. Permissibility of data processing No access
    2. 2. Manner of data processing No access
    3. 3. Compromises to the principle of lawfulness No access
  6. VI. Principle of fair processing (para. 1 lit. a) No access
  7. 1. 1. Implementation of transparency No access
    2. 2. Form and means of transparency No access
    3. 3. Compromises to the principle of transparency No access
  8. 1. 1. Purpose No access
    2. 2. Purpose specification No access
    3. 3. Purpose limitation No access
    4. 4. Facilitated change of purpose No access
    5. 5. Compromises to the principle of purpose limitation No access
  9. 1. 1. Reasons for data minimisation No access
    2. 2. Scope of data minimisation No access
    3. 3. Minimising personal data No access
    4. 4. Minimising processing No access
    5. 5. Compromises to the principle of data minimisation No access
  10. 1. 1. Accurate and up-to-date data No access
    2. 2. Rectification measures No access
    3. 3. Compromises to the principle of accuracy No access
  11. 1. 1. Storage limitation No access
    2. 2. Exceptions from storage limitation No access
    3. 3. Compromises on storage limitation No access
  12. XII. Principle of integrity and confidentiality (para. 1 lit. f). No access
  13. 1. 1. Responsibility of fulfilling the principles No access
    2. 2. Demonstrating compliance No access
    3. 3. Compromises to accountability No access
  14. XIV. Outlook No access
2. 1. I. General overview No access
  2. II. Legislative history No access
  3. 1. 1. The concept of lawfulness No access
    2. 2. Prohibitions and permissions No access
  4. IV. Art. 6 para. 1 lit. a: consent of the data subject No access
  5. 1. 1. Performance of a contract No access
    2. 2. Taking steps prior to entering into a contract No access
  6. VI. Art. 6 para. 1 lit. c: compliance with a legal obligation No access
  7. VII. Art. 6 para. 1 lit. d: vital interests of the data subject or of another natural person No access
  8. VIII. Art. 6 para. 1 lit. e: performance of a task carried out in the public interest or in the exercise of official authority No access
  9. 1. 1. The concept of a legitimate interest No access
    2. 2. Necessity No access
    3. 3. Balancing No access
  10. X. Art. 6 para. 2: national laws No access
  11. XI. Art. 6 para. 3: authoritative sources No access
  12. XII. Art. 6 para. 4: processing for another purpose (“further processing”) No access
3. 1. I. Overview No access
  2. II. Defining content personalisation No access
  3. 1. 1. Personalisation and contract No access
    2. 2. Legitimate interest as grounds for content personalisation No access
    3. 3. Application-specific concerns No access
    4. 4. Content personalisation in online platforms No access
  4. IV. Data subject rights No access
4. 1. I. Overview/Introduction No access
  2. 1. 1. Opinion and marketing research as a legitimate purpose No access
    2. 2. Necessity of processing No access
    3. 3. The weighting operation No access
  3. III. Rights of the data subject: adapting GDPR rights to market and opinion research No access
5. 1. 1. 1. Introduction No access
    2. 2. Legal background – the DPD No access
  2. 1. 1. Marketing No access
    2. 2. Direct marketing No access
    3. 3. Profiling No access
  3. 1. 1. Legal criteria and principles No access
    2. 1. a) Legitimate interests regarding direct marketing No access
      2. b) Necessity of processing No access
      3. c) Weighting No access
  4. 1. 1. Overview No access
    2. 2. The ePrivacy-Directive No access
    3. 3. The interaction between the GDPR and the ePrivacy-Directive No access
  5. 1. 1. General rights under the GDPR No access
    2. 2. The right to object – Art. 21 para. 2 No access
6. 1. I. Introduction No access
  2. II. Legal background: EU and national laws No access
  3. III. Credit scoring in the GDPR No access
  4. IV. Legal bases for credit scoring No access
  5. V. Credit scoring and automated decision-making No access
  6. VI. Full harmonisation and national credit scoring laws No access
7. 1. 1. 1. Introduction No access
    2. 2. Uses, objectives, risks No access
  2. 1. 1. Framework No access
    2. 2. Optic-electronic devices No access
    3. 3. Processing of personal data No access
  3. 1. 1. Non-identifiable persons No access
    2. 2. Fake or non-functional video-surveillance No access
    3. 3. Automated processing No access
    4. 4. Application of the Law Enforcement Directive No access
    5. 5. Personal and household activities No access
  4. 1. 1. Legal criteria and principles No access
    2. 2. Legitimate interests – Art. 6 para. 1 lit. f No access
    3. 3. Necessity No access
    4. 1. a) Temporal and spatial scope No access
      2. b) Concealment of video-surveillance equipment No access
      3. c) Type of data No access
      4. d) Place of surveillance No access
      5. e) Disclosure to third parties No access
    5. 5. Safeguards to specific processing operations No access
  5. 1. 1. Right to information No access
    2. 2. Rights of access and erasure No access
    3. 3. Right to object No access
  6. VI. Legal consequences of inadmissible video surveillance No access
8. 1. 1. 1. Introduction No access
    2. 2. Consent in a digital environment No access
    3. 3. Addressing the power imbalance No access
  2. II. Legislative history No access
  3. 1. 1. a) Controller accountability No access
      2. b) Timing No access
      3. c) Inability to demonstrate consent No access
    2. 2. Obligation to demonstrate consent where there are multiple controllers No access
    3. 3. Proxy consent through automated tools No access
  4. 1. 1. a) Consent as approval of pre-formulated statement No access
      2. b) Clear and distinguishable information No access
      3. c) Invalidity of declaration No access
      4. d) Infringement of the GDPR through a faulty declaration No access
    2. 2. Clear and plain language No access
    3. 1. a) Practical ways to meet consent information requirements No access
      2. b) Consent information in an online context No access
  5. 1. 1. Right to withdraw consent No access
    2. 2. Effect of withdrawal No access
    3. 3. Withdrawal where processing is based on more than one legal ground No access
    4. 4. Form of withdrawal No access
  6. 1. 1. a) Distinction between necessary and unnecessary data No access
      2. b) Conditionality No access
      3. c) Data as counter-performance No access
      4. d) Application of Art. 7 para. 4 in non-commercial contexts No access
    2. 2. Controller obligations No access
    3. 3. Genuine choice No access
    4. 4. Burden of proof No access
9. 1. I. General overview No access
  2. II. Legislative history No access
  3. 1. 1. a) Consent by a child No access
      2. b) Parental consent No access
      3. c) Information society services No access
      4. d) Remuneration No access
      5. e) Information society services offered directly to a child No access
    2. 2. Art. 8 para. 2: Parental consent verification requirements No access
    3. 3. Art. 8 para. 3: Enforcement No access
10. 1. I. Preliminary remarks No access
  2. II. Legislative history No access
  3. 1. 1. “Special categories of personal data” (para. 1) No access
    2. 2. “Revealing” (para. 1) No access
    3. 3. “Shall be prohibited” (para. 1) No access
    4. 1. a) Data revealing racial or ethnic origin No access
      2. b) Data revealing political opinions, religious or philosophical beliefs No access
      3. c) Trade union membership No access
      4. d) Genetic data No access
      5. e) Biometric data No access
      6. f) Data concerning health No access
      7. g) Data concerning a natural person’s sex life or sexual orientation No access
    5. 1. a) Explicit consent No access
      2. b) Employment, social security and social protection law No access
      3. c) Vital interests No access
      4. d) Foundations, associations, not-for-profit bodies No access
      5. e) Data that are manifestly made public by the data subject No access
      6. f) Establishment, exercise, or defence of legal claims; courts acting in their judicial capacity No access
      7. g) Substantial public interest No access
      8. h) Health, social care, preventive or occupational medicine No access
      9. i) Public health No access
      10. j) Archiving, scientific and historical research, statistics No access
    6. 6. Professional secrecy (para. 3) No access
    7. 7. Opening clause (para. 4) No access
11. 1. I. Preliminary remarks No access
  2. II. Legislative history No access
  3. 1. 1. Personal data related to criminal convictions and offences or related security measures No access
    2. 2. Processing based on Art. 6 para. 1 No access
    3. 1. a) Control of official authority No access
      2. b) “Processing is authorised by Union or Member State law” No access
    4. 4. “Comprehensive register of criminal convictions” No access
12. 1. I. General remarks No access
  2. II. Legislative history No access
  3. 1. 1. Purposes for which a controller processes personal data (para. 1) No access
    2. 2. Ability to identify (para. 1) No access
    3. 1. a) Objective or relative identifiability No access
      2. b) Beyond pseudonymisation No access
    4. 4. No obligation to maintain, acquire or process additional information (para. 1) No access
    5. 1. a) Documentation of internal policies No access
      2. b) Documentation of implemented measures for de-identification No access
    6. 6. Obligations to inform accordingly (para. 2 sentence 1) No access
    7. 7. Additional information provided by data subjects (para. 2 sentence 2) No access
1. 1. 1. A. Preliminary remarks No access
    2. B. Legislative history No access
    3. 1. I. Requirements regarding form and intelligibility of information (para. 1, 1st sentence) No access
      2. II. Means of information (para. 1 2nd and 3rd sentences) No access
      3. III. Duty to facilitate the exercise of rights and impossibility to identify (para. 2) No access
      4. IV. Time limits to take measures according to Arts. 15–22 (para. 3) No access
      5. V. Obligation to give reasons for denial of request (para. 4) No access
      6. VI. Principle of Gratuitousness (para. 5, 1st sentence) No access
      7. VII. Consequences of an excessive exercise of rights (para. 5, 2nd sentence) No access
      8. VIII. Identifying the data subject (para. 6) No access
      9. IX. Information by icons (para. 7) No access
      10. X. Powers of the Commission (para. 8) No access
2. 1. 1. A. Preliminary remarks No access
    2. B. Legislative history No access
    3. 1. I. Primary obligations (para. 1) No access
      2. II. Additional obligations (para. 2) No access
      3. III. Notification of envisaged changes of purpose (para. 3) No access
      4. IV. Exemptions to the obligations to notify (para. 4) No access
      5. V. Enforcement and sanctions No access
  2. 1. A. Preliminary remarks No access
    2. B. Legislative history No access
    3. 1. I. Scope and primary obligations (para. 1) No access
      2. II. Additional Obligations (para. 2) No access
      3. III. Time of Information (para. 3) No access
      4. IV. Information on Envisaged Changes of Purpose (para. 4) No access
      5. 1. Impossibility (Art. 14 para. 5 lit. b, 1st alternative) No access
        2. Disproportionate effort (Art. 14 para. 5 lit. b, 2nd alternative) No access
        3. Archives, research and statistics No access
        4. Seriously impairing the achievement of objectives No access
        5. Obligation to take compensatory measures (Art. 14 para. 5 lit. b, 2nd sentence) No access
        6. Union or Member State Law (Art. 14 para. 5 lit. c) No access
        7. Professional secrets (Art. 14 para. 5 lit. d) No access
      6. VI. Enforcement and Sanctions No access
  3. 1. A. Preliminary remarks No access
    2. B. Legislative history No access
    3. 1. I. Area of application No access
      2. II. Entitled persons and obliged entities No access
      3. 1. Confirmation that personal data are processed (Art. 15 para. 1, 1st sentence) No access
        2. Access to the processed data (Art. 15 para. 1, 1st sentence) No access
        3. Purposes of processing (Art. 15 para. 1 lit. a) No access
        4. Categories of processed data (Art. 15 para. 1 lit. b) No access
        5. Recipients or categories of recipients (Art. 15 para. 1 lit. c) No access
        6. Duration of storage (Art. 15 para. 1 lit. d) No access
        7. Existing rights (Art. 15 para. 1 lit. e, f) No access
        8. Source of the data (Art. 15 para. 1 lit. g) No access
        9. Logic involved and consequences of the processing (Art. 15 para. 1 lit. h) No access
      4. IV. Access to information on appropriate guarantees in third countries (Art. 15 para. 2) No access
      5. V. Right to copies of personal data (Art. 15 para. 3) No access
      6. VI. Limits to the right to a copy (Art. 15 para. 4) No access
      7. VII. Exemptions No access
      8. VIII. Enforcement and sanctions No access
3. 1. 1. A. Preliminary remarks No access
    2. B. Legislative History No access
    3. 1. 1. Data No access
        2. Inaccuracy No access
        3. Time of rectification No access
      2. II. Right to complement (Art. 16, 2nd sentence) No access
      3. III. Exemptions, enforcement and sanctions No access
  2. 1. 1. Introduction No access
    2. 1. a) Initial discussions on the right to be forgotten (2010–2012) No access
      2. b) The long European debate and the pressure from multinational technology corporations against the right to be forgotten (2012–2016) No access
      3. c) The judgment of the CJEU in Google Spain No access
    3. 1. a) The right to obtain from the controller the erasure of personal data (para. 1) No access
      2. b) The obligation the controller to erase personal data (para. 2) No access
      3. c) The limits of the right to be forgotten (para. 3) No access
  3. 1. I. Overview No access
    2. II. Legislative history No access
    3. 1. 1. Contested accuracy of personal data (lit. a) No access
      2. 2. Unlawful processing with opposition to erasure (lit. b) No access
      3. 3. Legal claims (lit. c) No access
      4. 4. Exercising the right to object pending verification of overriding interests (lit. d) No access
    4. IV. Legal consequences of the exercise of the right to restriction (para. 2) No access
    5. V. Duty to provide information (para. 3) No access
    6. VI. Restriction of processing based on other reasons No access
    7. VII. Enforcement and sanctions No access
  4. 1. A. Preliminary remarks No access
    2. B. Legislative history No access
    3. 1. I. Obligation to notify (Art. 19, 1st sentence) No access
      2. II. Information about recipients (Art. 19, 2nd sentence) No access
      3. III. Exemptions No access
      4. IV. Enforcement and sanctions No access
  5. 1. A. Preliminary remarks No access
    2. B. Legislative history No access
    3. 1. I. Prerequisites No access
      2. II. Scope No access
    4. D. Right to have data transmitted directly (Art. 20 para. 2) No access
    5. E. Exemptions (Art. 20 para. 3, 2nd sentence, para. 4) No access
    6. F. Enforcement and sanctions No access
4. 1. 1. I. General remarks No access
    2. 1. 1. Reversal of the burden of proof (para. 1 sentence 2) No access
      2. 2. Extended and more detailed obligation to inform (para. 4) No access
      3. 3. Automated means (para. 5) No access
      4. 4. Introduction of a new specific right to object (para. 6) No access
    3. 1. 1. Applicable legal basis (para. 1 sentence 1) No access
      2. 2. Exemptions (para. 1 sentence 2) No access
      3. 3. Grounds relating to his or her particular situation (para. 1 sentence 1 and para. 6) No access
      4. 4. Demonstrating compelling legitimate grounds (para. 1 sentence 2) No access
      5. 5. Processing for direct marketing purposes (para. 2 and para. 3) No access
      6. 6. Obligation to inform (para. 4) No access
      7. 7. Information society services (para. 5) No access
      8. 8. Processing for scientific or historical research and statistical purposes (para. 6) No access
  2. 1. A. Preliminary remarks No access
    2. B. Legislative history No access
    3. 1. I. A prohibition or a right? No access
      2. 1. The need for an automated individual decision-making No access
        2. The need for a decision based Solely on automated processing No access
        3. The legal effects or similarly significant impact on the data subject No access
    4. 1. I. The contractual derogation: Art. 22 para. 2 lit. a No access
      2. II. The statutory authorisation-derogation: Art. 22 para. 2 lit. b No access
      3. III. The explicit consent derogation (lit. c) No access
    5. 1. I. The Need for Suitable Measures No access
      2. II. The right to obtain human intervention No access
      3. III. The debate on a possible right to explanation No access
    6. F. Art. 22 para. 4: The qualified prohibition on decisions based on special categories of personal data No access
5. 1. 1. A. Preliminary remarks No access
    2. B. Legislative history No access
    3. 1. I. Restrictable rights and principles No access
      2. II. Union or Member State law No access
      3. III. Essence of the fundamental rights and freedoms No access
      4. IV. Necessary in a democratic society No access
      5. V. Proportionality No access
      6. 1. National security (Art. 23 para. 1 lit. a) No access
        2. Defence (Art. 23 para. 1 lit. b) No access
        3. Public security (Art. 23 para. 1 lit. c) No access
        4. Law enforcement (Art. 23 para. 1 lit. d) No access
        5. Other important objectives of general public interest (Art. 23 para. 1 lit. e) No access
        6. Judicial independence and proceedings (Art. 23 para. 1 lit. f) No access
        7. Breaches of ethics for regulated professions (Art. 23 para. 1 lit. g) No access
        8. Monitoring, inspection or regulatory functions (Art. 23 para. 1 lit. h) No access
        9. Protection of the data subject and other persons (Art. 23 para. 1 lit. i) No access
        10. Enforcement of civil law claims (Art. 23 para. 1 lit. j) No access
    4. 1. I. Purposes and categories of processing and data (Art. 23 para. 2 lit. a, b) No access
      2. II. Scope of restrictions (Art. 23 para. 2 lit. c) No access
      3. III. Safeguards against abuse and unlawful processing (Art. 23 para. 2 lit. d) No access
      4. IV. Specification of controllers (Art. 23 para. 2 lit. e) No access
      5. V. Storage periods and applicable safeguards (Art. 23 para. 2 lit. f) No access
      6. VI. Risks to data subjects (Art. 23 para. 2 lit. g) No access
      7. VII. Right to be informed about restrictions (Art. 23 para. 2 lit. h) No access
1. 1. 1. A. Preliminary remarks No access
    2. B. Legislative history No access
    3. 1. I. Responsibility of the controller(s) No access
      2. II. Risk assessment and scalability of the obligations (para. 1, sentence 1) No access
      3. III. Common measures for accountability No access
      4. IV. Review and update of technical and organizational measures (para. 1, sentence 2) No access
      5. V. Data protection policies and management (para. 2) No access
      6. VI. Accountability mechanisms: codes of conduct and certification (para. 3) No access
      7. VII. Responsibility, accountability, and … liability? No access
      8. VIII. The controller’s responsibility and member state law No access
  2. 1. I. General overview No access
    2. II. Legislative history No access
    3. III. Risk and vagueness in Art. 25 No access
    4. IV. Addressees of Art. 25 No access
    5. 1. 1. Data protection principles No access
      2. 2. Evaluating measures and safeguards No access
    6. 1. 1. Default measures No access
      2. 2. Choices and defaults No access
    7. VII. Art. 25 para. 3: certifying data protection by design and by default No access
    8. VIII. Enforcement and sanctions No access
  3. 1. A. Preliminary remarks No access
    2. B. Legislative history No access
    3. 1. I. Existence of controllership in general No access
      2. 1. Joint controllership through common decisions No access
        2. Joint controllership through converging decisions No access
        3. Degrees of joint control No access
        4. Situations that are not joint controllerships No access
    4. 1. I. Division of responsibility through an arrangement (para. 1 sentence 2, para. 2) No access
      2. II. Content of the arrangement (para. 1, para. 2) No access
      3. III. Communication of the essence of the arrangement to the data subject (para. 2, sentence 2) No access
      4. IV. Continued joint responsibility and liability (para. 3) No access
  4. 1. I. Aim and function of the provision No access
    2. II. Legislative history and predecessor provisions No access
    3. III. Systematic position No access
    4. IV. Obligation to designate a representative (para. 1) No access
    5. 1. 1. Limited processing, unlikely to result in a risk (lit. a) No access
      2. 2. Public authorities and bodies (lit. b) No access
    6. VI. Establishment of the representative (para. 3) No access
    7. 1. 1. Addressee and representative (para. 4, Art. 4 no. 17) No access
      2. 2. Obligation to act according to instructions No access
      3. 3. Own duties and responsibilities No access
      4. 4. Continuing responsibility of the represented entity in the third country (para. 5) No access
    8. VIII. Enforcement and penalties No access
  5. 1. I. Preliminary remarks No access
    2. II. Legislative history No access
    3. 1. 1. Appointment of processors providing sufficient guarantees (para. 1) No access
      2. 2. Sub-processors (para. 2) No access
      3. a) Contract or other legal act (sentence 1) No access
        aa) Processing on documented instructions (lit. a) No access
        bb) Confidentiality (lit. b) No access
        cc) Data security (lit. c) No access
        dd) Sub-processing (lit. d) No access
        ee) Assistance to the controller (lit. e) No access
        ff) Assisting the controller in ensuring compliance with the obligations pursuant to Art. 32 to Art. 36 (lit. f) No access
        gg) Deletion of the data by the processor; return of the data by the processor to the controller (lit. g) No access
        hh) Information necessary to demonstrate compliance; audits and inspections (lit. h) No access
        c) Information of an infringement to the controller (sentence 3) No access
      4. a) “Engages another processor for carrying out specific processing activities on behalf of the controller” No access
        b) “Same data protection obligations” No access
        c) “By way of a contract or other legal act under Union or Member State law” No access
        d) Sufficient guarantees No access
        e) Liability of the sub-processor No access
        f) Codes of conduct and approved certification mechanisms (para. 5) No access
        g) Standard contractual clauses (paras. 6, 7 and 8) No access
      5. 5. “In writing, including in electronic form” (para. 9) No access
      6. 6. “Processor shall be considered as a controller” (para. 10) No access
  6. 1. I. Preliminary remarks No access
    2. II. Legislative history No access
    3. 1. 1. The processor (acting under the authority of the controller) No access
      2. 2. Any person acting under the authority of the controller or the processor No access
      3. 3. “Unless required to do so by Union or Member State law” No access
  7. 1. I. General remarks No access
    2. II. Legislative history No access
    3. 1. 1. Contents of the records (para. 1 and para. 2) No access
      2. 2. Format of the records (para. 3) No access
      3. 3. Availability of records (para. 4) No access
      4. 4. Exemption for micro, small and medium-sized enterprises (para. 5) No access
  8. 1. I. Purpose and function of the provision No access
    2. II. Legal basis, structure and history No access
    3. III. Analysis No access
2. 1. 1. A. Preliminary remarks No access
    2. B. Legislative history No access
    3. 1. I. Obligation to implement the appropriate technical and organisational measures (para. 1) No access
      2. II. Risk assessment (para. 2) No access
      3. III. Requirement to demonstrate compliance with the security obligations (para. 3) No access
      4. IV. Requirement to process personal data according to the instructions of the controller (para. 4) No access
  2. 1. A. Preliminary remarks No access
    2. B. Legislative history No access
    3. 1. 1. “Having become aware” of the breach No access
        2. Addressees of the duty to notify and recipients of the notification No access
        3. Exemption: No risk to rights and freedoms of natural persons No access
        4. Other possible exemptions No access
      2. II. Time limit and consequences of late notification (Art. 33 para. 1, 2nd sentence) No access
      3. III. Processor’s duty to notify (Art. 33 para. 2) No access
      4. IV. Contents and form of the notification (Art. 33 para. 3) No access
      5. V. Phased notification (Art. 33 para. 4) No access
      6. VI. Documentation (Art. 33 para. 5) No access
    4. D. Enforcement and sanctions No access
  3. 1. A. Preliminary remarks No access
    2. B. Legislative history No access
    3. 1. I. High risk No access
      2. II. Addressees of the communication and of the obligation to communicate No access
    4. D. Form, contents and time of communication (Art. 34 para. 2) No access
    5. 1. I. Technical and organisational security measures (Art. 34 para. 3 lit. a) No access
      2. II. Subsequent measures (Art. 34 para. 3 lit. b) No access
      3. III. Disproportionate effort (Art. 34 para. 3 lit. c) No access
    6. F. Powers of the supervisory authority (Art. 34 para. 4) No access
    7. G. Enforcement and sanctions No access
3. 1. 1. I. Preliminary remarks No access
    2. II. Legislative history No access
    3. III. Personal and material scope (para. 1) No access
    4. 1. a) Concept of risk No access
        b) Evaluation criteria No access
      2. a) Profiling and automated processing (para. 3 lit. a) No access
        b) Large scale of special categories of data (para. 3 lit. b) No access
        c) Systematic monitoring of a publicly accessible area (para. 3 lit. c) No access
      3. 3. Lists provided by SAs (paras. 4 to 6) No access
      4. 4. Exceptions by law (para. 10) No access
    5. 1. 1. Time No access
      2. a) Involvement of the DPO (para. 2) No access
        b) Consultation of data subjects (para. 9) No access
      3. 3. Compliance with codes of conduct (para. 8) No access
      4. a) Systematic description (para. 7 lit. a) No access
        b) Assessment of the necessity, proportionality and risks (para. 7 lit. b and lit. c) No access
        c) Determination of measures envisaged to address the risks (para. 7 lit. d) No access
    6. VI. Legal consequences and sanctions No access
  2. 1. I. Preliminary remarks No access
    2. II. Legislative background No access
    3. 1. 1. Consultation by the controller (para. 1) No access
      2. 2. Consultation by the Member States (para. 4) No access
    4. 1. 1. Procedure, deadlines and information obligation No access
      2. 2. Legal consequences of the consultation No access
    5. V. Opening clause (para. 5) No access
4. 1. 1. A. General overview No access
    2. 1. 1. Obligation to designate a DPO for public authorities and public bodies (lit. a) No access
        a) Core activities and criticality of data processing No access
        b) Regular and systematic monitoring on large scale No access
        3. Obligation to designate a data protection officer when processing special categories of data (lit. c) No access
      2. II. Data protection officer of a group of companies (para. 2) No access
      3. III. Joint Data Protection Officer of public authorities or bodies (para. 3) No access
      4. 1. Data protection officer of an association No access
        2. Obligation to designate a data protection officer according to national data protection law No access
      5. V. Qualification of the data protection officer (para. 5) No access
      6. VI. Appointment of an internal or external data protection officer (para. 6) No access
      7. VII. Dismissal and termination of the activity as data protection officer No access
      8. VIII. Publication of contact details (para. 7) No access
  2. 1. A. General overview No access
    2. 1. I. Involvement of the DPO (para. 1) No access
      2. II. Support of the DPO (para. 2) No access
      3. 1. Freedom from instructions No access
        2. Prohibition of disadvantages No access
        3. Reporting to the highest management level No access
      4. IV. DPO as contact for data subjects (para. 4) No access
      5. V. Bound by professional secrecy or confidentiality (para. 5) No access
      6. VI. Conflict of interests (para. 6) No access
  3. 1. A. General overview No access
    2. 1. I. Informing and advising on data protection obligations (lit. a) No access
      2. II. Monitoring (lit. b) No access
      3. III. Advisory and monitoring function regarding DPIA (lit. c) No access
      4. IV. Cooperation with supervisory authorities (lit. d and e) No access
      5. V. Risk-oriented approach (para. 2) No access
      6. VI. Liability of the data protection officer No access
  4. 1. I. Aim and purpose of the provision No access
    2. II. History of origins No access
    3. III. Systematic position No access
    4. 1. 1. Codes of conduct No access
      2. 2. Obligation to encourage No access
    5. 1. 1. Associations and other bodies No access
      2. 2. Preparation, amendment, or extension No access
      3. 3. Subject-matters of codes of conduct No access
    6. VI. Codes of conduct for international transfer of personal data (para. 3) No access
    7. VII. Monitoring of compliance with codes of conduct (para. 4) No access
    8. 1. 1. Submission and evaluation No access
      2. 2. Opinion and approval No access
      3. 3. Binding power of codes of conduct No access
    9. IX. Registering and publishing codes of conduct (para. 6 and 11) No access
    10. X. Codes of conduct for several member states (para. 7 through 10) No access
    11. XI. Outlook No access
  5. 1. I. Aim and purpose of the provision No access
    2. II. History of origins No access
    3. III. Systematic position No access
    4. IV. Private monitoring bodies (para. 1) No access
    5. 1. 1. Accreditation procedure No access
      2. 2. Accreditation requirements (para. 2) No access
      3. 3. Revocation of accreditation (para. 5) No access
    6. VI. Criteria for accreditation (para. 3) No access
    7. VII. Corrective powers of the monitoring body (para. 4) No access
    8. VIII. Outlook No access
  6. 1. I. Rationale No access
    2. II. Legislative history No access
    3. III. Terminology No access
    4. 1. 1. Support for the establishment of certifications No access
      2. 2. Object of certification No access
      3. 3. Controllers and processors No access
    5. V. Certification as a ground for international data transfers (para. 2) No access
    6. VI. Voluntary and transparent process (para. 3) No access
    7. VII. Purpose to demonstrate compliance; responsibility (para. 4) No access
    8. 1. 1. Certification criteria and the European Data Protection Seal No access
      2. 2. Issuer: supervisory authorities or certification bodies No access
    9. IX. Obligation to cooperate (para. 6) No access
    10. X. Validity period, renewal and withdrawal (para. 7) No access
    11. XI. EDPB register (para. 8) No access
    12. XII. Effects of certification No access
  7. 1. I. Rationale No access
    2. II. Legislative history No access
    3. III. Terminology No access
    4. IV. Accreditation entity (para. 1) No access
    5. V. Conditions of accreditation (para. 2, 3) No access
    6. VI. Responsibility of the certification bodies; validity period (para. 4) No access
    7. VII. Information duties (para. 5) No access
    8. VIII. Publication of requirements, criteria, certification mechanisms and data protection seals (para. 6) No access
    9. IX. Revocation of accreditation (para. 7) No access
    10. X. Commission delegated and implementing acts (para. 8, 9) No access
1. 1. 1. I. Overview and legislative history No access
    2. II. Directive (EU) 2016/680 No access
  2. 1. I. Regulatory problem No access
    2. II. Regulatory goal: continuity of the level of data protection No access
    3. III. Regulatory approach: general prohibition of transfers with exceptions No access
  3. 1. 1. 1. Definition No access
      2. 2. Business enterprises and groups of undertakings No access
      3. 3. Processors No access
      4. 4. Data importer subject to the GDPR No access
      5. 5. Data collected directly from the data subject No access
      6. 6. Internet No access
      7. 7. Transfer to the EU No access
    2. II. Recipient No access
    3. III. Relationship to international treaties No access
  4. D. Closely related provisions of the GDPR No access
  5. 1. I. Policy underpinning and scope No access
    2. II. Legal consequences No access
  6. F. Interpretative principle No access
2. 1. A. Overview and legislative history No access
  2. 1. I. Content and legal effect (para. 1) No access
    2. 1. 1. Adequacy No access
      2. a) Legal system of the third country (lit. a) No access
        b) Independent supervisory authority (lit. b) No access
        c) International commitments (lit. c.) No access
    3. III. Procedure (para. 3) No access
  3. 1. I. Monitoring and review by the commission (para. 4) No access
    2. II. Repeal, amendment or suspension (para. 5 and 6) No access
    3. III. Legal consequences of a repeal (para. 5, 7) No access
  4. D. Publication (para. 8) No access
  5. E. Existing adequacy decisions No access
  6. 1. I. Powers of the supervisory authorities No access
    2. II. Legal review No access
  7. 1. I. Different approaches to information privacy in the EU and the United States No access
    2. 1. 1. Functioning No access
      2. 2. Surveillance measures and judicial review No access
    3. III. EU-US Data Privacy Framework No access
3. 1. I. Purpose No access
  2. II. Legislative history No access
  3. III. Relation to adequacy decisions No access
  4. 1. 1. Appropriate safeguards No access
    2. 2. Enforceable data subject rights No access
    3. 3. Effective remedies No access
    4. 4. Independent supervision No access
    5. 5. Legal order of the third country No access
    6. 6. Termination of appropriate safeguards No access
    7. 1. a) Supervisory authorities No access
      2. b) Judicial remedies of the data subject No access
      3. c) Judicial remedies of the controller or processor No access
  5. 1. 1. Legally binding and enforceable instruments between public authorities and bodies (lit. a) No access
    2. 2. Binding Corporate Rules (BCR) (lit. b) No access
    3. 1. a) Effects No access
      2. b) Adoption No access
      3. c) Scope of application No access
      4. aa) Scope of application No access
        bb) Data protection safeguards No access
        cc) Rights of the data subject No access
        dd) Liability No access
        ee) Supervision No access
        ff) Effective legal redress No access
        gg) Legal obligations of the recipient in the third country and access by public authorities No access
        hh) Choice of law and forum No access
        ii) Termination No access
        jj) Sub-processing No access
    4. 4. Codes of conduct (lit. e) No access
    5. 5. Approved certification mechanism (lit. f) No access
  6. 1. 1. Ad-hoc contractual clauses (lit. a) No access
    2. 2. Non-binding administrative arrangements (lit. b) No access
  7. VII. Appropriate safeguards authorized under DPD (para. 5) No access
4. 1. I. Rationale No access
  2. II. Legislative history No access
  3. III. Scope No access
  4. 1. 1. Competent supervisory authority (para. 1) No access
    2. 2. Subject matter and effect of the approval No access
    3. 3. Withdrawal No access
  5. 1. 1. Internally binding nature (para. 1 lit. a) No access
    2. 2. Externally binding nature (para. 1 lit. b) No access
    3. 1. a) Structure and contact details (lit. a) No access
      2. b) Data transfers or set of transfers (lit. b) No access
      3. c) Internally and externally binding nature (lit. c) No access
      4. d) Application of data protection principles (lit. d) No access
      5. e) Rights of the data subject (lit. e) No access
      6. f) Liability (lit. f) No access
      7. g) Information provided to the data subjects (lit. g) No access
      8. h) Compliance monitoring (lit. h) No access
      9. i) Complaint procedure (lit. i) No access
      10. j) Verification of compliance (lit. j) No access
      11. k) Changes to BCR (lit. k) No access
      12. l) Cooperation with supervisory authorities (lit. l) No access
      13. m) National regulations of third countries (lit. m) No access
      14. n) Data protection training (lit. n) No access
  6. VI. Implementing acts (para. 3) No access
5. 1. I. Purpose No access
  2. II. Legislative history No access
  3. 1. 1. Request for the disclosure of transfer of data No access
    2. 2. Addressee of the request No access
  4. 1. 1. No recognition or enforcement No access
    2. 2. Exception: international agreements No access
    3. 3. Recourse to other grounds for transfer pursuant to Chapter V No access
6. 1. 1. 1. Purpose No access
    2. 2. Legislative history No access
    3. 3. Interpretative guidelines No access
  2. 1. 1. a) Explicit No access
      2. b) Information on the possible risks of a transfer No access
      3. c) Freely given No access
      4. d) Limits of consent No access
    2. 1. a) Performance of a contract No access
      2. b) Pre-contractual measures No access
    3. 3. Conclusion or performance of a contract concluded in the interest of the data subject (subpara. 1 lit. c) No access
    4. 1. a) Scope No access
      2. b) Important reasons of public interest No access
      3. c) Necessity No access
    5. 1. a) Scope No access
      2. b) Necessary No access
    6. 6. Vital interests of a person (subpara. 1 lit. f) No access
    7. 7. Public registers (subpara. 1 lit. g and para. 2) No access
    8. 1. a) Requirements (subpara. 2 sentence 1) No access
      2. b) Procedural safeguards (subpara. 2 sentences 2 and 3 and para. 6) No access
  3. III. Limitations to transfers by the Member States (para. 5) No access
7. 1. I. Introduction No access
  2. II. Background No access
  3. III. Analysis No access
1. 1. I. Purpose and importance of the provision No access
  2. II. Legislative history and systematic position No access
  3. 1. 1. The duty to provide for one or more independent public authorities (para. 1) No access
    2. 2. The duty to cooperate with a view to contributing to the application of the GDPR data protection in the EU (para. 2) No access
    3. 3. The case of multiple SAs (paras. 1 and 3) No access
    4. 4. Notification to the Commission (para. 4) No access
2. 1. I. Preliminary remarks No access
  2. II. Legislative history No access
  3. 1. 1. a) Complete independence and its elements (para. 1) No access
      2. b) Direct and indirect influence (para. 2) No access
      3. c) “In performing its tasks and exercising its powers” (para. 1 and para. 2) No access
    2. 2. Conflicts of interest (para. 3) No access
    3. 1. a) Provision of necessary resources No access
      2. b) Separate public annual budget and financial oversight (para. 6) No access
    4. 1. a) The notion of organizational independence No access
      2. b) Choosing the staff of the authority; distinguishing between staff and members of the SA No access
      3. c) Exclusive direction of the member or members of the authority No access
3. 1. I. Introduction No access
  2. II. Legislative history No access
  3. 1. 1. Appointment of members of Supervisory Authorities (para. 1) No access
    2. 2. Prerequisites for appointment and reasons for leaving office (paras. 2 to 4) No access
4. 1. I. Introduction No access
  2. II. Structure and legislative history No access
  3. 1. 1. A list of specifications to be implemented by Member States in their national laws (para. 1) No access
    2. 2. Obligation to confidentiality (para. 2) No access
5. 1. I. Introduction No access
  2. II. Legislative history No access
  3. 1. 1. Territorial competence (para. 1) No access
    2. 2. Exclusive competence for public tasks (para. 2) No access
    3. 3. Competence and the judiciary (para. 3) No access
6. 1. I. Introduction No access
  2. II. Legislative history No access
  3. 1. 1. The concept of the lead SA (para. 1) No access
    2. 2. The exception to the exception (para. 2) and procedural issues (paras. 3 to 5) No access
    3. 3. The notion of the sole interlocutor (para. 6) No access
7. 1. I. Introduction No access
  2. II. Legislative history No access
  3. III. Analysis No access
8. 1. I. Introduction No access
  2. II. Legislative history No access
  3. III. Analysis No access
9. 1. I. Introduction No access
  2. II. Legislative history No access
  3. III. Analysis No access
1. 1. 1. 1. 1. Overview: The one-stop-shop mechanism as a sentinel of the GDPR No access
      2. 2. Legislative history No access
      3. 3. Relation to other provisions No access
    2. 1. 1. The principle of consensus and the exchange of information (paras. 1 and 12) No access
      2. 2. Other cooperation instances (para. 2) No access
      3. 3. The mechanics of the OSS (paras. 3 to 11) No access
      4. 4. Dispute resolution No access
  2. 1. I. Preliminary remarks No access
    2. II. Legislative history No access
    3. 1. 1. What does mutual assistance among SAs comprise (para. 1)? No access
      2. 2. Minimal requirements for the requesting SA with no space allowed to the requested SA to assess the request (paras. 3, 4 and 5) No access
      3. 3. An obligation to react promptly placed upon the requested SA (paras. 2, 5 and 8) No access
      4. 4. The technicalities of the mutual assistance mechanism (paras. 6, 7 and 9) No access
  3. 1. I. Preliminary remarks No access
    2. II. Legislative history No access
    3. 1. 1. A functional role for Art. 62 (paras. 1 and 2) No access
      2. 2. Operational matters, including indemnity obligations (paras. 3 to 6) No access
      3. 3. An obligation to react promptly (para. 7), that should be read in combination with Art. 61 para. 8 No access
2. 1. 1. I. History, subject, purpose and systematic No access
    2. II. History of legislation No access
    3. 1. 1. Applicability of the consistency mechanism No access
      2. 2. General remarks No access
      3. 3. Cooperation between the supervising authorities No access
      4. 4. Cooperation of the supervisory authorities with the Commission No access
      5. 5. Cooperation of the supervisory authorities and the EDPB No access
      6. 6. Outlook No access
  2. 1. I. Systematic, history and purpose No access
    2. 1. 1. General information No access
      2. 2. Adoption of a list of the processing operations subject to the requirement for a data protection impact assessment according to Art. 35 para. 4 (lit. a) No access
      3. 3. Draft, amendments or extension of codes of conduct according to Art. 40 para. 7 (lit. b) No access
      4. 4. Accreditation of a body pursuant to Art. 41 para. 3 or a certification body pursuant to Art. 43 para. 3 or criteria for certification (lit. c) No access
      5. 5. Determination of standard data protection clauses (lit. d) No access
      6. 6. Approval of contractual clauses (lit. e) No access
      7. 7. Adoption of binding corporate rules (lit. f) No access
    3. III. Opinion upon request (para. 2) No access
    4. 1. 1. The Boards opinion (para. 3) No access
      2. 2. Information of the supervising authorities and the Comm (para. 4) No access
      3. a) During an (ongoing) opinion procedure (para. 5 lit. a) No access
        b) After conclusion of the opinion (para. 5 lit. b) No access
      4. 4. Blocking period towards the competent supervisory authority (Abs. 6) No access
      5. 5. Decision of the supervisory authority (para. 7) No access
      6. 6. Non-compliance of the opinion (para. 8) No access
    5. V. Legal Protection No access
  3. 1. I. Aims, purposes and systematic No access
    2. II. History No access
    3. 1. 1. Divergent opinions of the supervisory authorities (para. 1 lit. a) No access
      2. 2. Disputes on competence concerning lead (para. 1 lit. b) No access
      3. 3. Failure to give an opinion and non-compliance with an opinion (para. 1 lit. c) No access
    4. 1. 1. Decision of the Board (para. 2) No access
      2. 2. Extension of time limit and simple majority (para. 3) No access
      3. 3. Blocking period (para. 4) No access
      4. 4. Information of the parties (para. 5) No access
      5. 5. Adoption of the final decision (para. 6) No access
    5. 1. 1. Legal protection against decisions of the Board No access
      2. 2. Remedies against the final decision of the supervisory authority No access
  4. 1. I. Aims, history and systematic No access
    2. 1. 1. Competence No access
      2. 2. Preconditions No access
      3. 3. Interim measures No access
      4. 4. Maximum period of validity No access
      5. 5. Territorial limits of the interim measure No access
      6. 6. Duty to notify (para. 1 sentence 2) No access
    3. III. Necessity of a definitive measure (para. 2) No access
    4. IV. Failure to act of the competent supervisory authority (para. 3) No access
    5. V. Opinions and decisions in the urgency procedure (para. 4) No access
    6. VI. Remedies against interim measures No access
  5. 1. I. Aim, history, systematic No access
    2. II. Content No access
    3. III. Remedies No access
3. 1. 1. I. Legal background No access
    2. II. Analysis No access
  2. 1. I. Introduction No access
    2. II. Case law No access
    3. III. Analysis No access
  3. 1. I. Introduction No access
    2. II. Analysis No access
  4. 1. I. Background No access
    2. II. Analysis No access
  5. 1. I. Introduction No access
    2. II. Analysis No access
  6. 1. I. Legal background No access
    2. II. Analysis No access
  7. 1. I. Introduction No access
    2. II. Legal background No access
    3. III. Analysis No access
  8. 1. I. Introduction No access
    2. II. Legal background No access
    3. III. Analysis No access
  9. 1. I. Introduction No access
    2. II. Legal background No access
    3. III. Analysis No access
1. 1. A. General overview No access
  2. B. Legislative history No access
  3. 1. I. The data subject as right holder No access
    2. II. The data subject’s choice of the competent SA No access
    3. 1. 1. The lack of a European definition of what is a complaint No access
      2. 2. The lack of a European clarification on the need for preliminary steps before the complaint No access
      3. 3. The broad object of the complaint No access
      4. 4. The form of the complaint No access
      5. 5. The lack of explicit temporal requirements to complain No access
      6. 6. A free of charge complaints No access
  4. 1. I. The important margin of manoeuvres of the SA No access
    2. II. Art. 77 para. 2: The obligation of the SA regarding processing of the complaint No access
2. 1. A. General overview No access
  2. B. Legislative history No access
  3. C. Article 78 para. 1: The general rightThis general right could be seen as the counterpart of the increasement of the powers of the SAs; it is thus also mentioned in Art. 58 para. 4 of the GDPR. to a... No access
  4. D. Article 78 para. 2: The particular right to an effective judicial remedy in case of failure by the SA No access
  5. E. The determination of the competent jurisdiction No access
  6. F. Article 78 para. 4: The obligation of the SA to forward an EDPB opinion or decision No access
3. 1. A. General overview No access
  2. B. Legislative history No access
  3. 1. 1. 1. The choice between the judge or the SA No access
      2. 2. The availability of national administrative or non-judicial remedies No access
    2. II. An effective judicial remedy No access
    3. 1. 1. Some violations regarding the processing of a data subject’s personal data No access
      2. 2. The expansion of the judicial remedy to the processor (para. 1) No access
  4. 1. I. The criterion of the establishment of the processor or the controller No access
    2. II. The criterion of the habitual residence of the data subject No access
    3. III. The choice given to the data subject No access
    4. IV. The implicit prohibition of other jurisdiction clauses No access
4. 1. A. Preliminary remarks No access
  2. B. Legislative history No access
  3. 1. I. The particulars of the agent No access
    2. II. The purposes of the representation No access
  4. D. Art. 80 para. 2: The possibility of representation granted by Member States No access
  5. E. Some examples of the early use of the opening clause by Member States (France, Germany and the UK) No access
5. 1. A. Preliminary remarks No access
  2. B. Legislative history No access
  3. C. Art. 81 Para. 1: The contact between courts dealing with the same matter No access
  4. D. Art. 81 para. 2: The suspension of the proceedings to the benefit of the court first seized No access
  5. E. Art. 81 para. 3: Declining jurisdiction to the benefit of the court first seized No access
6. 1. A. Preliminary remarks No access
  2. B. Legislative history No access
  3. 1. I. The rightholder: “Any person” No access
    2. 1. 1. An infringement of the GDPR rules by controllers or processors No access
      2. 2. Damage No access
      3. 3. The causality between the infringement and the damage No access
  4. 1. I. The difference in nature of the liability of the controller and of the processor No access
    2. II. A strict liability regime without condition of fault No access
    3. III. The joint liability situations No access
    4. IV. The tighter exemption possibility No access
    5. V. The use of a data protection agreement to transfer the liability between controller and processor No access
  5. E. The competent jurisdiction (para. 6) No access
7. 1. A. Preliminary remarks No access
  2. B. Legislative History No access
  3. 1. I. The flexible power of the SAs to impose administrative fines No access
    2. II. The variety of the addressees of administrative fines No access
  4. 1. I. Criteria on the gravity of the infringement No access
    2. II. Criteria on the behaviour of the controller or the processor No access
  5. 1. I. The determination of the amount in case of several infringements: Art. 83 para. 3 No access
    2. II. The graduation according to the infringement of the provision of the GDPR (para. 4 and para. 5) No access
    3. III. The emphasis on the situation of non-compliance with an order by a SA, Art. 83 para. 6 No access
    4. IV. The determination of the fine upper limit: Art. 83 para. 4, para. 5 and 6 No access
    5. V. A mixed review after two years of GDPR application No access
  6. F. Procedural safeguards: Art. 83 para. 8 No access
  7. G. National particularities: Art. 83 para. 7 and para. 9 No access
8. 1. A. Preliminary remarks No access
  2. B. Legislative history No access
  3. 1. 1. 1. The full competence of the Member States regarding criminal penalties No access
      2. 2. The share competences of Member States regarding administrative sanctions No access
    2. II. The common principles of the regime of national penalties (para. 1 phrase 2) No access
  4. D. The notification of these national provisions to the commission (Art. 84 para. 2) No access
1. 1. A. Preliminary remarks No access
  2. B. Legislative history No access
  3. C. Structure and scope of the provision No access
  4. D. Regulatory program of the Member States (Art. 85 para. 1) No access
  5. E. Exemptions or derogations for privileged purposes (Art. 85 para. 2) No access
  6. F. Duty to notify to the Commission (Art. 85 para. 3) No access
2. 1. I. Preliminary remarks No access
  2. II. Legislative history No access
  3. 1. 1. The need for setting a balance between the access to official documents and the right to personal data No access
    2. 2. “Personal data in official documents” No access
    3. 3. “Held by a public authority or a public body or a private body for the performance of a task carried out in the public interest” No access
    4. 4. “May be disclosed by the authority or body” No access
    5. 5. “In accordance with Union or Member State law to which the public authority or body is subject in order to reconcile public access to official documents with the right to the protection of personal... No access
3. 1. 1. I. Purpose No access
    2. II. Legislative history No access
  2. 1. I. National Identification Numbers and identifiers of general application No access
    2. II. Sensitivity of data No access
    3. III. Processing of NINs and identifiers of general application (phrase 1) No access
    4. IV. Appropriate safeguards (phrase 2) No access
  3. C. National implementation No access
4. 1. 1. I. Purpose of Art. 88 No access
    2. II. Evolution of employee data protection law at EU level No access
    3. III. The drafting of Art. 88 No access
    4. IV. Specificities of data protection in the employment context No access
  2. 1. I. Personal scope of application No access
    2. II. Material scope of application No access
    3. III. Specific rules on data protection in the employment context No access
    4. IV. Specific rules by law or by collective agreements No access
  3. 1. 1. 1. Transparency of data processing No access
      2. 2. Groups of undertakings No access
      3. 3. Monitoring systems at the workplace No access
      4. 4. Other forms of employee data processing No access
    2. II. Sanctions No access
  4. D. Duty to notify No access
5. 1. I. General remarks No access
  2. II. Legislative history No access
  3. 1. 1. a) Archiving purposes in the public interest No access
      2. b) Scientific research purposes No access
      3. c) Historical research purposes No access
      4. d) Statistical purposes No access
    2. 2. Appropriate safeguards (para. 1) No access
    3. 3. Derogations from specified rights (para. 2 and para. 3) No access
    4. 4. Union or Member State law may provide for derogations (para. 2 and para. 3) No access
    5. 5. Subject to the conditions and safeguards referred to in para. 1 of this Article (para. 2 and para. 3) No access
    6. 6. Such derogations are necessary, and purposes are likely to be rendered impossible or seriously impaired (para. 2 and para. 3) No access
    7. 7. Processing serves another purpose at the same time (para. 4) No access
6. 1. A. Preliminary remarks No access
  2. B. Legislative history No access
  3. 1. I. Requirements regarding the duty of professional secrecy: confidential information received during the course of the professional duties (para. 1) No access
    2. II. Requirements regarding the duty of professional secrecy: balance between right to protection of personal data against obligations of secrecy (para. 1) No access
    3. III. Duty to notify (para. 2) No access
7. 1. 1. 1. Purpose No access
    2. 2. Position of the DPD and travaux préparatoires to Art. 91 No access
    3. 3. Practical relevance of Art. 91 para. 1 No access
  2. 1. 1. Scope of application No access
    2. 2. Respect of the GDPR No access
    3. 3. Legal effects of Art. 91 para. 1 No access
    4. 4. The reference date No access
  3. III. Specific independent SAs (Art. 91 para. 2) No access
1. 1. I. Introduction No access
  2. II. Legal background No access
  3. 1. 1. Nature of delegated acts No access
    2. 2. Requirements and delegation procedure No access
2. 1. I. Introduction No access
  2. II. Legal background No access
  3. III. Analysis No access
1. 1. I. Preliminary note No access
  2. 1. 1. General remarks No access
    2. 2. Consequences for previously lawful data processing operations No access
    3. 3. Consequences for national implementation legislation No access
    4. 4. Continued validity of Commission decisions and supervisory agencies’ approvals No access
  3. 1. 1. References to the GDPR (sentence 1) No access
    2. 2. References to the former Art. 29 WP, sentence 2 No access
2. 1. I. Introduction No access
  2. II. Legal background No access
  3. 1. 1. Scope of application No access
    2. 2. Relationship with the ePrivacy-Directive No access
3. 1. I. Introduction No access
  2. II. Legal background No access
  3. III. Analysis No access
4. 1. I. Introduction No access
  2. II. Legal background No access
  3. III. Analysis No access
5. 1. I. Overview No access
  2. II. Legislative history No access
  3. III. Legislation concerning data protection approved with the GDPR No access
  4. 1. 1. Regulation 45/2001 and Regulation 2018/1725 No access
    2. 2. ePrivacy-Directive and the ePrivacy Regulation proposal No access
    3. 3. Other EU legal acts No access
6. 1. I. Preliminary note No access
  2. II. Entry into force of the GDPR (para. 1) No access
  3. III. Application of the GDPR (para. 2) No access
Index No access Pages 1169 - 1211