CIPP E Outline

The document provides an overview of European data protection law and its origins, outlining key events and legislation. It discusses how early concerns over computer use and cross-border data transfers led to the development of the EU's authority to regulate privacy based on principles of free movement. Major milestones included the UN Declaration of Human Rights, European Convention on Human Rights, OECD Guidelines, Council of Europe Convention 108, EU Data Protection Directive 95/46/EC, Charter of Fundamental Rights, Treaty of Lisbon, GDPR, and related directives. The GDPR strengthened individual rights and accountability for organizations handling EU citizens' personal data.

Uploaded by Matt

European Data Protection Law & Practice Outline

Section I: Introduction to European Data Protection


• Origins and Historical Context of Data Protection Law
o Rationale: increased use of computers for communications in the 1970s
o Trans-border trade
• Balance between national concerns for personal freedom and privacy, and the ability to support free trade at EEC level
• This is also where the EU gets the authority to regulate privacy (free movement)
o Human Rights Laws
• UDHR 1948
• “the inherent dignity and the equal and inalienable rights of all members of the human race is the foundation of freedom, justice, and peace in the world”
• ART 12: right to privacy
• ART 19: right to freedom of information/transfer of information
• ART 29(2): balance the rights
• ECHR
• Council of Europe, Rome 1950 (entered into force 1953)
• European Court of HR (Strasbourg) => system of enforcement, binding decisions
o May also give advisory opinions on ECHR
• ART 8: right to privacy
o Necessity and proportionality, public interest, not an absolute right
• ART 10: right to freedom of expression/information
• ART 10(2): balance, reasons to breach rights
o Necessary in a democratic society
o National security
o Territorial integrity
o Public safety
o Prevention of disorder or crime
o Protection of health or morals
o Protection of the reputation or the rights of others
o Preventing disclosure of information received in confidence
o Maintaining the authority and impartiality of the judiciary
o Early/predecessor laws
• 1960s-1980s: countries with laws controlling use of personal info by gov’t and large companies
• National legislation didn’t adequately protect the right to privacy with emerging tech
o Recommendation 509 on human rights and modern scientific and technological developments
• 1973/4: CoE Resolutions 73/2 and 74/29: principles of data protection in automated databanks
• OECD Guidelines (on the Protection of Privacy and Transborder Flows of Personal Data)
• to facilitate the harmonization of data protection law between countries
• not legally binding
• no distinction between personal info gathered electronically or not
• notice or consent
• specific purpose for collection
• individual rights to obtain information from data controller
• balance privacy and free flow of information/trade
• domestic laws may have higher standards
• Convention 108 (1981)
• CoE Convention (for the Protection of Individuals with regard to Automatic Processing of Personal Data)
• Open to signature by countries outside Europe!
• Legally binding: first binding international instrument to set standards for personal data and balance with free flow of info for int’l trade
• Those using personal information have a social responsibility to safeguard such personal data
• Based on principles of CoE 73/22 and 74/29
• Exceptions allowed for signatories when a necessary measure in a democratic society (e.g. state security or criminal investigation) **proportionality
• ***FREE FLOW OF INFO AMONG SIGNATORIES b/c min level of protection
• Additional Protocol addresses transfers to countries that are not signatories
o Legitimate interests of the individual
o In the public interest
o Transfer based on contractual clauses approved by supervisory authority
• Mutual assistance with supervisory authorities
• Still the only binding legal instrument with a worldwide scope of application in the field of data protection open to any country
o Harmonization in Europe
• Data Protection Directive (95/46/EC)
• European Commission called on European Parliament in 1976, in force 1995
• Directives are legislation, but leave implementation methods to member states
• Based on Convention 108
• Differences in results in member states (incorrect implementation, different standards)
o E.g., requirement to notify local DPAs of processing details
o Fixed with GDPR
• Charter of Fundamental Rights
• EU, 2000 in Nice, consolidates fundamental HR in Europe
• Specifically refers to protection of personal data (unlike ECHR, which just has the right to privacy)
• ART 7: right to privacy
• ART 8: data protection rights
o Fairly for specified purpose, consent or some other legitimate interest laid down by law
o Basic values: (1) fair, (2) specified purpose, (3) legit basis for processing, (4) individual right to access and rectify personal data, (5) supervisory authority to oversee compliance
• ART 10: right to transfer of information
• ART 52: necessity and proportionality (balance)
• Treaty of Lisbon
• TEU and TFEU
• TFEU ART 16(1): everyone has the right to protection of personal data
• ART 16(2): all EU institutions must protect individuals when processing personal data
o National DPAs may also have jurisdiction
• Treaty of Maastricht didn’t mention fundamental rights at all, so this was a significant development
• GDPR
• Commission launched review of current legal framework in 2009/2010 to strengthen data protection rules
• Regulations binding in their entirety and apply directly to member states immediately => maximize consistency of approach
o Member states can still enact more specific laws in some cases
• Already specific laws in place (e.g. retention of employee data)
• Archiving purposes in the public interest, scientific or historical research purposes, statistical purposes
• Processing of special categories of data
• Processing in compliance with legal obligation
• KEY CHANGES
o Stronger rights for individuals (especially online)
o Data protection by design and by default (new tech developed)
o Accountability: organizations must be able to demonstrate compliance with GDPR
o Increased powers for supervisory authorities
o One-stop shop
o Broader application to anyone targeting EU consumers
• Law Enforcement Data Protection Directive
• Protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection, or prosecution of criminal offenses or the execution of criminal penalties
• Member states have until May 6, 2018, to put into national law
• ePrivacy Directive
• Data processing across public communications networks (not company intranet)
• GDPR does not impose additional obligations on top of those in this directive
o ePrivacy Directive must be reviewed and amended to ensure consistency
• European Union Institutions
o Treaty of Lisbon (2009): with the enlargement of the EU, must streamline decision-making process to improve efficiency and speed of EU
• European Council and ECB = institutional status, can make binding decisions
• Charter of Fundamental Rights = same legal status as treaties, legally binding
• Poland and UK = Charter only applies when it contains laws and practices already recognized in these countries
• Czech Republic also with special provision
o European Parliament
• Members directly elected by citizens of the EU
• 4 responsibilities: (1) legislative development, (2) supervisory oversight of other institutions, (3) democratic representation, (4) development of the budget
• Works with Commission to bring forth new legislation
o Can call upon Commission to submit legislation proposal to Council of EU; invite Commission to consider amending existing policies and developing new ones
• Power to censure Commission: Commission must submit reports to Parliament regularly
• 6-96 members per state, sit in Europe-wide political groups (rather than by member states)
• Group must have a minimum of 25 members with at least ¼ of member states represented within the group
• Prepare report for plenary session
• In plenary session, Parliament examines, amends, and votes on proposed legislation
• Voting = simple majority
• Shares legislative powers with Council of Europe
• Ordinary Procedure: both institutions must assent to legislation
• Consultation procedure: Council must consult Parliament but is not bound
• Consent procedure: important decisions, Parliament’s consent is required
• ROLE IN DATA PROTECTION: all data protection legislation adopted under ordinary legislative procedure -> Parliament with big and equal role in adopting
• Vocal advocate of right to privacy
o European Council
• Gathering of Heads of State, executive institution
• Meets 4 times per year so Heads of State can discuss issues affecting the community
o Council of the EU
• One minister per state, co-legislates with Parliament
• Main decision-making body, writes legislation proposed by Commission
• Concludes international agreements negotiated by Commission
• Council has been criticized for being undemocratic and lacking transparency -> now meetings held in public
• Rotating presidency
• Qualified majorities
o European Commission
• Created from merger of Eur Coal and Steel Comm and Eur Atomic Energy Comm
• Executive body, implements EU’s decisions and policies
• Ensure application of the Treaties and measures adopted by institutions
• Application of EU law under control of ECJ
• Execute budget and manage programs
• Initiates legislation
• EU legislation can only be adopted when proposed by Commission
• Power to take legal and administrative action, including imposing fines against Member States that don’t comply with laws; supervisory authority over other institutions
• Independent commissioners without allegiance to Member States who send them
• Selected on basis of “general competence and European commitment”
• ROLE IN DATA PROTECTION: creates legislation; can adopt “adequacy findings” on which non-EU Member States provide adequate levels of data protection; enforces Charter of HR, so ensures high level of protection of individual’s rights to privacy and data protection
o European Court of Justice
• Based in Luxembourg, set up with Treaty of Paris 1951
• Jurisdiction
• Cases brought by Commission or by Member State against Member State’s failure to fulfil treaty obligations
• Actions brought by Member States, an EU institution, or a natural or legal person to review the legality of acts by an EU institution
• Actions brought by Member States, an EU institution, or natural or legal persons against EU institutions for failure to act
• Actions begun in national courts from which references are made for a preliminary ruling to the ECJ on issues of interpretation or validity of EU law
• Opinions on the compatibility of EU international agreements with treaties
• Appeals of points of law from the CFI (lower court of ECJ)
• Makes decisions on EU law and enforces European decisions based on:
• Actions taken by the Commission against a Member State
• Actions taken by individuals to enforce their rights under EU law
• 28 government-appointed judges with 6 year terms; one president among the 28, elected by judges every 3 years
• 8 advocates general (give ECJ non-binding opinions to help ECJ decide cases)
• ROLE IN DATA PROTECTION: involved in cases on data protection (ECJ Decisions related to Data Protection)
• Brought in national courts, brought by Commission against Member States
• UK case for not fully implementing EU rules on confidentiality of electronic communications
• Google Spain v. AEPD (2014), right to be forgotten
• Digital Rights Ireland v. Ireland (2014): Data Retention Directive’s invalidity with regard to Articles 7, 8, and 11 of the Charter
• Smaranda Bara v. CNAS (ANAF case, 2015): personal data may not be transferred between public administrative bodies of a Member State without the individual being informed of the transfer
• Weltimmo v. Hungarian DPA (2015): cross-border transfers within EU
• Schrems v. Data Protection Commissioner (2015): invalidated U.S. Safe Harbor as inadequate
o European Court of Human Rights* (founded by CoE, not EU)
• Not an EU institution, no powers of enforcement
• Judgments are binding, countries obligated to comply with them
• ECtHR decisions can provide reparations to injured parties
• Number of judges = number of members of the CoE that have ratified the Convention, but they do not represent any states
• Chambers of 7 judges hear cases, expenses borne by CoE
• Jurisdiction
• All cases regarding interpretation or application of ECHR
• Cases may be referred by contracting states or European Commission of HR
o States whose citizens are alleged to be a victim of a violation of the ECHR, states that referred the case to the Commission, and states against which a complaint has been lodged (if compulsory jurisdiction of ECtHR or consent to case being heard by ECtHR) can bring cases
o Violation must have been committed by a state bound to the ECHR
• ECtHR does not have power to overrule national decisions or to annul national laws; no powers of enforcement (CoE handles after a decision has been made)
• ROLE IN DATA PROTECTION: ensure right to privacy (not data protection!) protected; ECtHR has been active in data protection
• Three French Cases (2009): Court reaffirmed fundamental role of protection of personal data, but held that automated processing of data for police purposes, and more specifically “the applicants’ inclusion on the national police database of sex offenders was not contrary to Article 8.”
• MM v. UK (2012): indiscriminate and open-ended collection of criminal record data is unlikely to comply with Article 8
• Copland v. UK (2007): monitoring applicant’s email at work is contrary to Article 8, since no provision made for this in the law
• Gaskin v. UK (1989): restriction of the applicant’s access to his file contrary to Article 8
• Haralambie v. Romania: obstacles placed in applicant’s way when he sought access to the secret service file on him drawn up in days of Communist rule was contrary to Art 8
• Legislative Framework
o Convention 108 (1981)
• First legally binding international instrument in the field of DP
• Reasons for C108: (1) MS failure to respond to CoE’s ’73 and ’74 Resolutions concerning protection of privacy, and (2) need for reinforcement of principles found in those resolutions with a binding instrument
• Open for signing on Jan 28, 1981
• Noteworthy for 3 reasons
• Based on series of principles that address main concerns relating to DP (accuracy and security of PD, right to access) that found their way into the Directive and GDPR
• Both ensures appropriate protections for individual privacy and also recognizes importance of free flow of PD for commerce and exercise of public functions
• Legally binding instrument: requires signatory states to implement principles by enacting national legislation
• Purpose: to achieve greater unity between signatory states and to extend safeguards for individuals’ rights and fundamental freedoms
o Data Protection Directive (95/46/EC) (1995)
• Came about because only a small number of States ratified C108 and MS laws took on a fragmented approach in implementing it: became an impediment to privacy rights
• Marked the starting point of the EU’s leadership in European DP and the relative downgrading of importance of C108
• EU unable to make standalone HR laws, unlike CoE: must base on specific provision under Treaty of Rome => ***BASED ON INTERNAL MARKET HARMONIZATION MEASURE
• Regulates the free flow of personal data between MS
• As a Directive, created different interpretations adopted by MS across Europe
• Necessity and adequacy key concepts in Directive (lawful grounds for processing and no transfer to countries not offering adequate level of protection)
• Treats manual and automated data the same
• Key principles:
• Fair and lawful processing
• Collected for specific and legitimate purpose, not processed in manner incompatible with that purpose
• Adequate, relevant, not excessive
• Accurate and kept up to date
• Not kept longer than necessary
• Processed in accordance with rights of individual
• Appropriate technical and organizational measures
• Only transferred outside EEA to countries w/ adequate levels of data protection
• Only applied to data controllers established in EU MS, or where C makes use of data processing equipment on the territory of an MS (req to appoint representative)
• Special categories of data identified: race, ethnicity, politics, religion, trade union membership, health and sex life info
• Establishment of DPAs, with WP29 being an independent body composed of DPA reps
• Scrapped for GDPR in an attempt to have more consistent application and interpretation
• 3 factors of overhaul: divergence of national measures and practices in implementation, impact on businesses and individuals, developments in tech
• Primary goals: protecting individual’s data, reducing red tape for businesses, guaranteeing free circulation of data within EU
• Key Changes from Directive to GDPR:
• Admin reqs removed (e.g. notification reqs, unduly costly to businesses)
• Increased responsibility and accountability for processing PD
• Lead authority/main DPA
• Individuals greater control over data (more explicit consent required)
• Improved portability to improve competition among service providers
• Right to be forgotten
• Ensure EU rules are applied when EU data handled abroad or services marketed to EU citizens
• Strengthening of DPA powers and penalties
• Principles and rules for police and judicial cooperation in criminal matters
• Trilogue process among Commission, Parliament, and Council of Ministers with multiple drafts to agree upon final Regulation
o GDPR (2018)
• Essential step to strengthen citizens’ fundamental rights in the digital age and facilitate business by simplifying rules for companies in the digital single market
• Contains both operative law and Recitals which assist in interpreting the law
• Main changes from Directive:
• Application of law: directly applicable across all MS without enacting nat’l leg
o Not limited to data controllers
• Long-arm reach of statute (establishment not required)
o Determined by location of data subject, if offered goods or services or behavior monitored
o Tracking DS on the Internet to analyze or predict their personal preferences will trigger application of Regulation, including tracking cookies or app usage
• Putting individuals in control of their data: strengthening consent and DS rights
o Consent cannot be bundled with T&Cs, can be withdrawn at any time in an easy way, explained to individuals before consent obtained
o Child restriction
• Newer and stronger individual rights
o Transparency obligations, rights to data portability, restriction of processing, right to be forgotten
o Retention of existing rights: subject access, rectification, erasure, right to object; right to charge a fee has been removed
• New accountability regime: make businesses more accountable for their data practices
o Businesses implement data protection policies
o Data Protection by Design and Default
o Record-keeping obligations
o Cooperation with DPAs
o DPIAs
o Prior consultation with DPAs in high-risk situations
o Mandatory DPOs for certain Cs and Ps
• New Data Processor Obligations
o May not subcontract with sub-P without consent of C
o Many similar obligations as C, or obligation to help C comply with GDPR
• International Data Transfers: restrictions continue to exist
o Place appropriate safeguards, on condition that enforceable rights and effective legal remedies for individuals exist
o BCRs now explicitly mentioned, alongside SCCs, codes of conduct, certification mechanisms, other DPA-approved contracts
o Consistency mechanism for DPAs
• Security: appropriate technical and organizational measures to protect personal data
o Report data breaches to DPA w/in 72 hr, report high risk breaches to DS
• Enforcement and risk of noncompliance way up
o Individuals have right to compensation, may compel a DPA to act on a complaint
o Rights can be exercised by consumer bodies on behalf of individuals
o Potential for severe sanctions, especially for violations of basic principles (consent), DS rights, lawful international data transfers, obligations under MS laws, and orders by DPAs
o LEDP (2008)
• Protection of PD in police and judicial cooperation in criminal matters
• 3 main objectives:
• (1) better cooperation between law enforcement authorities, improving cooperation on the fight against terrorism and other serious crime in Europe,
• (2) better protection of citizens’ data, using principles of necessity, proportionality, and legality with appropriate safeguards and supervision by independent national DPAs with judicial remedies available, and
• (3) clear rules for international data flows to ensure protection for EU individuals not undermined
o ePrivacy Directive (2002)
• Replaced the 1997 Directive to reflect process of convergence, emerging Internet
• EU telecommunication laws widened to include all electronic communications
• Need for consistent and equal protection regardless of technologies used
• Reforms intended to encourage greater industry competition, consumer choice and protections, stronger consumer right to privacy
• Applies to “the processing of PD in connection with the provision of publicly available electronic communication services in public communication networks” in the EU
• Private network like company intranet generally not covered (though principles of Directive still apply if PD is processed)
• Key Provisions:
• Technical and organizational measures to safeguard security of their services; service provider under greater obligation to inform subscriber of data breach
• MS required to ensure confidentiality of comms and traffic data generated
o Exceptions: user consent to interception and surveillance, or such authorized by law
• Most forms of digital marketing require prior (opt-in) consent
o Limited exception for existing customers for similar products and services, opt-out provision instead
• Processing of traffic and billing info restricted
• Location data may only be processed if anonymized or with consent and for necessary duration
• Subscribers must be informed before being placed in any directory
• Balance data privacy rights with free movement of data, MS should avoid imposing too many technical requirements that would impede free movement
• Amendments
• Mandatory notification for personal data breaches by service providers to DPAs and relevant individual where breach is likely to adversely affect the personal data or privacy of a subscriber or individual
• Individuals and ISPs can bring actions against unsolicited communications (spam)
• Cookies: only allowed on the condition that the user concerned has given their consent, having been provided with clear and comprehensive information, in accordance with the Directive
o Exceptions: technical storage or access is for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or it is strictly necessary for the provision of an information society service explicitly requested by the subscriber or user
• Means by which consent must be obtained not specified: unambiguous consent may be inferred from certain actions when the actions lead to an unmistakable conclusion that consent is given, provided consent meets the standard of being freely given, specific, and informed (implied consent)
• Reform of ePD
• ePrivacy Regulation being discussed to replace ePD, harmonize framework and ensure consistency with GDPR
• Key features:
o Wider application (all providers of electronic communication services)
o Single set of Rules
o Confidentiality of E-Comms (access to content disallowed without consent of user, exception to safeguard public interest)
o Consent to process comm content and metadata: anonymized or deleted if users do not give consent, except for billing purposes
o New business opportunities: enable telecoms operators to have more opportunities to use data and provide additional services
o Cookies: currently an overload of consent requests, streamline process
• Allow users to be more in control of settings
• No consent needed for non-privacy-intrusive cookies improving Internet experience (e.g. remembering shopping cart history)
• Cookies set by website to count number of visitors no longer require consent
o Protection Against Spam: bans unsolicited electronic comms by any means, register on do-not-call list, marketing calls will have to ID themselves
o Enforcement: responsibility of national DPAs
• Breach consequences: mirrors GDPR
• Proposal to introduce “legitimate interests” as another justification for processing data
o Data Retention Directive (2006)
• Designed to ensure availability of traffic and location data for serious crime and antiterrorism purposes
• 2014: CJEU ruled Directive invalid on grounds that it was disproportionate in scope and incompatible with rights to privacy and DP under EU Charter of Fundamental Rights
o Impact on Member States
• Consistency and timely implementation a problem with Directives
• Allowed MS freedom to determine precisely the conditions under which processing of PD is lawful
• Used different mechanisms in different MS
• Controllers in multiple MS had to comply with conflicting obligations such as notifications, international data transfers, and direct marketing reqs
• MS have a time limit by which they must implement a Directive
o Commission enforces and ensures it is implemented properly, and can take action if implementation contravenes EU law
o If MS doesn’t implement in time, action taken against it
• Direct effect = individuals can immediately rely upon it to bring actions against governments in national courts
• MS and their courts must interpret their laws in light of the text and purpose of the Directive, even if not yet implemented
• Direct Effect of Regulation
• National DP acts will cease to be relevant for all matters falling within scope of GDPR
• Regulations directly applicable in member states, do not require further implementation, applies immediately throughout EU as of May 25, 2018

Section II: European Data Protection Law and Regulation

• Data Protection Concepts
o Developments in technology have changed the way businesses operate and require protections for personal data now
• New definition of personal data to include online identifiers
o Personal Data (broad, applies even when link with person is tenuous)
• Four building blocks: (1) any information (2) relating to (3) an identified or identifiable (4) natural person
• Any information
• Look at nature, content, and form
• Statements about a person, both objective and subjective
• Does not need to be true to be personal data
• Information about individual’s private life and information regarding any activity undertaken by the individual; also online identifiers (create profile)
• Information available in any form: processed by automated means, but also manual means if part of a filing system (intended to be technology neutral)
• Relating to
• About an individual
• Could relate to objects, processes, or events: driven by purpose of processing (e.g. information about a car in order to process a person’s bill)
• Content (information about an individual), purpose (processed to evaluate, consider, or analyze a person), result (processing has an impact on individual’s rights and interests)
• Identified or Identifiable
• Not that someone is identified but that it is possible to do so by combining data with other pieces of information, even if the other information is not retained by the data controller (jigsaw identification)
• Hypothetical identification not enough, it should be reasonably likely (considering costs, available tech, and tech developments)
• E.g. CCTV: purpose is to identify individuals
• Dynamic IP addresses may be linked with the help of ISPs, so they are PD
• GDPR does not apply to anonymous information; pseudonymization provides a middle ground but does not remove the organization from GDPR
o Measures to ensure PD is not attributable to individuals are good security
o Safeguards help with data minimization
• Aggregation for statistical purposes results in nonpersonal data, but context may allow identification if the sample size is not large enough
• Natural Person
• Regardless of country of residence; does not apply to deceased people or organizational data
o Sensitive Personal Data (special categories)
• Information where processing could create significant risks to individuals’ fundamental rights and freedoms
• Categories: race, ethnicity, political opinion, religion, trade union membership, genetic or biometric data (to uniquely ID natural person), health data, sexual orientation, sex life
• Health = past, present, or future health status, physical or mental health
o Registration for or provision of health services, information derived from testing or examination of the body or bodily substance
 Processing of photographs (may reveal race, ethnicity, physical disability=health)
o Controllers and Processors
 Controller: determines purpose and means of processing data, key decision maker
 Responsibility to ensure processing has legitimate basis, DS rights are honored,
and determine whether notifying DPAs or DS is necessary when there’s a breach
 Likely to be first target of enforcement by DPAs, not Ps
 ID’ing the C helps determine which DPA has authority over processing activity
 May be a natural person, but generally the organization or company rather than
a particular person appointed by the controller
o If processing takes place outside scope and control of C, individual can
become controller
 Jointly: if same set of data/processing means and purposes determined by two
separate controllers, may be jointly (same set of information can be processed
separately by different controllers and not make it join processing)
o Parent companies may become joint controllers with subsidiaries
o Determine respective responsibilities for GDPR compliance at the outset
so that joint controllership doesn’t evolve over time; clearly allocate
responsibilities for possible data breach
o Joint controllers must make essence of relationship available to DS; DS
rights may be exercised against each of the Cs
 Cs determine purposes and means of processing: factual elements or
circumstances likely to become decisive (Ps can become Cs)
o Why and how of processing: why is processing happening and what is
the role of parties involved in processing
 Ps have some discretion in carrying out the how without
becoming Cs: “means” is not just the technical way of
processing but also which data is processed, which 3rd parties
have access, which data is deleted, how long it is kept, etc
 Ps can determine technical and organizational things like what
type of software to use for processing
 Essential elements of processing are with C
 3 sources of control: explicit legal competence, implicit competence, factual
influence
 Processor: may only process data based on documented instructions from the Controller
 Natural or legal person, public authority, agency, or other body which processes
personal data on behalf of the controller
 GDPR P reqs: security, record-keeping, notifying Cs of data breaches, and
ensuring compliance with restrictions on international data transfers
o Obligations relating to purpose like lawful ground and respecting DS
rights only imposed on Cs
 Ps must only process data based on C instructions and have a contract or
binding legal act regulating the relationship between C and P in writing
 **New: non-EEA Ps processing on behalf of an EEA C must still follow GDPR
 P contract reqs: process data only based on documented instructions from C,
including instructions on transfers; ensure authorized access personnel agree to
confidentiality; take all means for security of processing; respect conditions for
sub-processing; assist C with appropriate tech and org security measures; assist
C with complying with obligations in Art 32-36
 Sub-contracting: prior authorization of C (may be general or specific, with
opportunity to object to addition or replacement of processors), contract
between P and sub-Ps must include mandatory processor provisions, and initial
P remains fully liable to C for performance of its sub-Ps
 Cs and Ps should determine degree of independent judgment P can exercise, monitoring
by the C of execution of the service, visibility/image portrayed by C to individual, and
expertise of parties
o Processing
 Any operation or set of operations performed on personal data or sets of data, whether
or not by automated means, such as collection, recording, etc
 Difficult to ID times when use of PD is not processing, broad definition
 Conditions: (1) processing must be wholly or partially carried out by automated means,
or (2) if not by automated means, must concern PD that forms part of a filing system
(structured set of PD that is accessible according to specific criteria)
o Data Subject: identified or identifiable natural person, related to personal data
 GDPR does not extend to legal entities or apply to dead people
 Territorial and Material Scope of the GDPR
o Territorial scope
 EU-established organizations
 If EU-established, doesn’t matter where the processing takes place
 Establishment: effective and real exercise of activity through stable
arrangements (Weltimmo)
o Broad concept of establishment: website directed at people in a
country, using their language, representative available, PO Box = this is
enough!
o Nationality of DS irrelevant
o “An organization may be established where it exercises ‘through stable
arrangements in the territory of that member state, a real and effective
activity even a minimal one.’”
 “In the context of the activities”
o GDPR will apply regardless of whether processing takes place in Union
or not
o Google v. Spain: sufficient connection between activities of Google
Spain and Google, Inc.- inextricably linked because of profits
o Any organization with EU sales offices that promote or sell advertising
or marketing, or target individuals in the EU, will fall within scope (also
overseas companies with EU offices)
o Not explicitly used to determine which member state laws should apply:
if exemptions or derogations differ between member states, law of
member state to which C is subject should apply
o ***Data processors with EU establishment fall under GDPR as well,
even if C, DS and processing takes place outside EU!! Crazy broad
 Long-arm, orgs that sell goods or services to, or monitor behaviors of, EU individuals
 DS must be in EU, but EU residency is not necessarily a pre-req
 Targeting EU DS
o Ascertain whether C or P envisages offering services to DS in EU (if
inadvertently sells something to EU individual, not necessarily under
GDPR)
o Relevant factors: (1) use of EU language, (2) display of prices in EU
currency, (3) ability to place orders in EU languages, and (4) reference to
EU users or customers
o Intention to target EU customers may be shown by “patent” evidence
(e.g., money to a search engine to facilitate access within EU member
states) and other factors such as international nature of activity (tourist
activities), mentions of telephone number with country code, use of
country domain name (.de, .fr, .uk, .eu), itineraries originating in a
Member State, and mentions of international clientele including
customers in Member States
 Monitoring behavior
o Behavior must occur within EU
o Tracking of individuals online to create profiles, analyzing or predicting
personal preferences (cookies)
 Public International law
o Processing in a place where public law allows Member State jurisdiction
(e.g. embassies and consulates of EU Member States, airplanes, ships)
o Material Scope
 Matters outside GDPR (everything else is in)
 Public Security, Defense, National security, Common foreign and security policy
of the EU
 Household exemption: purely personal or household activity, not connected to
professional or business activities (e.g. social networking and online activities)
o Cs and Ps providing means of processing household activities still within
scope
o Lindqvist: exemption doesn’t apply to processing a publication on the
Internet so that the data was made accessible to an indefinite number
of people
 WP29= publication of information to world at large rather than
small group of friends may be a factor in the applicability of the
exemption
 Prevention, investigation, detection, and prosecution of criminal offenses, and execution of criminal penalties (police powers)
o Law Enforcement Data Protection Directive covers PD in these cases
o LEDP applies to “competent authorities”: public authority competent for
prevention, investigation, detection, or prosecution of criminal offenses,
OR any other body or entity entrusted by MS law to exercise public
authority for the above purposes
o If data processed for different purposes, competent authority may be
subject to both GDPR and LEDP
o Data transferred to another body that is not a competent authority will
be subject to GDPR
 EU Institutions
 ePrivacy Directive
 GDPR shall not impose additional obligations on persons already subject to
ePrivacy Directive if the Directive already addresses an area
 Consent for direct marketing under ePD may be stricter under GDPR now
 Commission wants to achieve full coherence between GDPR and ePD
 E-Commerce Directive
 GDPR is without prejudice to rules in ECD, particularly with regards to
intermediary service providers
 However, ECD states that issues related to the processing of PD are excluded
from its scope and solely governed by relevant data protection legislation
 Data Processing Principles
o Stem from Convention 108 and Data Protection Directive
o Lawfulness, fairness, and transparency
 Lawfulness: legal grounds for processing the data
 Consent
 Contract performance with data subject
 Legal obligation (in the EU/Member State)
 Vital interests (life or death)
 Public interest (exercising official authority)
 Legitimate interest: necessary for the legitimate interest of the controller or
third party, and interests are not overridden by interests or fundamental rights
and freedoms of data subject (balance!)
 Fairness
 DS must be aware data is being processed, how data will be collected and used
 In certain cases, processing automatically permitted by law and deemed fair
 Look at how processing affects DS: if negative impact and impact is not justified,
processing will be considered unfair
o E.g. when travel sites raise prices of places you’ve looked at several
times based on cookies, processing is unfair
o E.g. when police officer sees someone he pulled over for speeding
already has multiple speeding tickets and increases the fine, that is fair
 Transparency
 C must be open and clear with DS about processing (how and why, source)
o This is why req to notify DPA eliminated: did not help DS at all
 Exemption for duty to inform when data collected directly from DS and DS is
already aware of relevant information
 Exemption when C obtains data from another source AND: providing
information will be impossible or require disproportionate effort, to protect DS
legitimate interest, and to preserve confidentiality of information
 Requires information to be conveyed in a timely manner (see notification
chapter)
 Info must be clear, concise, and easy to understand, and provided in accessible
manner
o Take into account following circumstances: type of data, manner in
which it is collected, and whether info directly or indirectly collected
o Consider whether DS is a child (simple and plain language req), whether
technical jargon will be involved, try to use plain language; use short
and ad-hoc privacy notices with links to longer texts
 Use of standardized icons contemplated
o Purpose limitation
 Only process data to accomplish specified, explicit, and legitimate purposes; do not
process beyond such purposes unless further processing is compatible with the original purpose
for which the data was collected. To determine compatibility, consider:
 Link between purposes of processing
 Context in which PD collected, reasonable expectations of DS
 Nature of PD (special categories?)
 Consequences of further processing to DS
 Existence of appropriate safeguards
 First identify particular purpose for processing PD
 If further processing compatible with original use, original legal basis may be used; if
incompatible, a separate legal basis is necessary and C must give notice to DS
o Data minimization
 Data must be relevant, necessary, and adequate to accomplish the purpose for which it
is processed
 Necessity: suitable and reasonable for purposes of processing
 Of a nature necessary to attain the purpose
 Adequate if the nature or amount of PD is proportionate in relation to purposes
 Determining whether purpose can be achieved by anonymizing data could help
with necessity evaluation (stripped of all unique identifiers)
 Proportionality
 Consider amount of data collected: large amount of data without any
restrictions will be disproportionate
 Consider potentially adverse impact of the means of processing and verify
whether any alternatives exist
 Applies to big data projects as well
o Accuracy
 Cs must take reasonable measures to ensure data is accurate and kept up to date
 Implement processes to prevent inaccuracies during data collection process and
ongoing data processing
 Cs must evaluate how reliable a source is from which they collect information
 When data collected for statistical or historical purposes, C only needs to maintain PD as
it was originally collected
 Accuracy may require keeping records of errors corrected
 Cs must respond to DS who requests information be corrected
o Storage limitation (time): data not kept for longer than necessary for purposes PD is being
processed
 PD may be stored for longer if anonymized or processed solely for archiving purposes in
the public interest, scientific or historic research purposes, or statistical purposes
 Cs may only keep PD for unlimited time when data irreversibly anonymized, or
other reasons above
 Time limits should be established for erasure or periodic review
 Cs review personal records of employees when relationship comes to an end, determine
what must be kept for legal purposes
 When law is silent, internal data retention policies must be set to meet this principle
o Integrity and Confidentiality
 Protection against unauthorized or unlawful processing, and against accidental loss,
destruction, or damage using appropriate technical and organizational measures
 Use pseudonymization and encryption of data
 Assign sufficient resources to develop and implement an information security policy
framework
 Use legal and technical data security experts and set aside a dedicated budget
o Also, accountability, added in GDPR!
 Lawful Processing Criteria
o Processing must be done lawfully, fairly, and in a transparent manner
o Baseline: processing unlawful! C must demonstrate legal basis for processing or show exception
(journalism or research where free speech interest may prevail)
o Processing normal personal data
 Consent (to specific purposes)
 Must be freely given, specific, informed, and unambiguous
o Freely-given=genuine choice, with ability to refuse or withdraw
 Not freely given if bundled with other issue (e.g. purchasing a
service)
 Request for consent must be presented in manner clearly
distinguishable from other matters
 If performance of contract conditioned on processing consent,
and processing not necessary for performance of contract,
consent will not be valid
 Consent should not be relied on when clear imbalance between
DS and C (employer-employee relationship, valid consent only
possible if employee has real possibility to withhold without
suffering prejudice: employers should not rely on consent)
 Freedom to revoke: therefore, Cs should consider whether
consent is the best condition for long-term processing
o Specific=related to particular processing operation
 C should clearly explain proposed use of data to DS
 If multiple purposes, consent should be given for all of them
 If processing activity changes, new consent may need to
be obtained
 For scientific research, if not possible to fully ID purposes, DS
can give consent to certain areas of scientific research
o Informed=DS given all necessary details of processing activity in
language and form they can understand, know how processing will
affect them
 DS should at least be aware of ID of controller and purposes of
processing
o Unambiguous=DS statement or affirmative act must leave no doubt as
to their intention to give consent
 Cannot have consent tick box pre-selected, require DS to
actively tick a selection box
 Silence or pre-ticked boxes do not constitute consent
 If consent pre-formulated, must be in an intelligible and easily accessible form
using clear and plain language and with no unfair terms, in line with consumer
protection requirements
 Sometimes consent is required, so employers could rely on consent plus
another legitimate processing condition to create buy-in
 If valid consent obtained, ongoing interactions with DS may provide continued
consent
 Timing: consent must be obtained before C processes PD
 Cs must demonstrate that DS has given consent to processing operation, keep
record of consents given by particular DS
 Consent not the same as giving opportunity to opt out, requires express
indication of wishes and some sort of affirmative action
 Consent obtained through duress or coercion is not valid
o Certain types of vulnerable people may not be able to give consent
(minors-require consent by holder of personal responsibility over the
child)
 Where parental consent required, C must make reasonable
efforts to verify consent given by parent or guardian
 Minimum age of consent rule only in the context of (1)
information society services offered directly to a child, and (2)
where the C relies solely on consent or cannot rely on another
criterion
 **Cs should consider another criterion to process child’s PD
 Necessity
 Close and substantial connection between processing and purposes (merely
convenient does not count)
 Not sufficient for C to consider processing necessary for its purposes, must be
an objective test whether processing strictly necessary for stated purpose
 Performance of Contract where DS is party
 When DS purchases product or service from C
 Processing of PD must be unavoidable to complete contract
 Necessary for Compliance with Legal Obligation to which C is Subject
 Required to comply with law, like tax or social security obligations in the EU
 Subject to additional MS laws
 To Protect Vital Interests of DS or another Natural Person
 Life or death situations, only relevant in rare emergency situations when DS
cannot give consent (unconscious), provision of urgent medical care
 Only applies when another processing basis does not exist
 Necessary for Performance of Task Carried out in the Public Interest, or Exercise of
Official Authority Vested in Controller
 MS or EU legislation will determine which tasks are carried out in public interest
 DS have right to object to use of their data
o If C receives objections, C must demonstrate it has compelling
legitimate grounds to process data, sufficient to override interests,
rights, and freedoms of data subject, or for the establishment, exercise,
or defense of legal claims
 Subject to additional MS laws
 Necessary for Legitimate Interests Pursued by C or Third Party
 Except where interests overridden by interests or fundamental rights and
freedoms of DS (in particular where DS is a child)
 **Balancing test
 Public authorities cannot rely on legitimate interest ground, legislators must
provide legal basis for public authorities to process personal data
 Requirements to rely on this basis: (1) necessary for the purpose, (2) purpose
must be a legitimate interest of C or 3rd party, and (3) legitimate interest cannot
be overridden by DS interests or fundamental rights and freedoms
 Consider reasonable expectations of DS
 Legitimate interests can exist where there is a relevant and appropriate
relationship between DS and C, like where DS is client or in service of C
 Processing PD to prevent fraud constitutes legitimate interest
 Direct marketing, internal admin purposes, may be legitimate interests
 Processing strictly proportionate and necessary to ensure network and info sec
 This basis may be understood differently by DPAs across EU (e.g. ICO= establish
legitimacy of interest pursued, then show processing is not unwarranted in any
particular case through prejudice to individual concerned)
o Even if there is prejudice that relates to one particular individual due to
unique circumstances, does not necessarily prejudice entire processing
 Using this criterion, DS have right to object to use of their data: when there’s a
justified objection from DS, C must cease processing data
o Processing sensitive personal data
 Photographs should not systematically be considered sensitive data, since only count as
biometric data when processed by specific technical means that allows unique ID or
authentication of individual
 Use of these data categories can, by their nature, pose a threat to privacy
 Personal data that is particularly sensitive in relation to fundamental rights and
freedoms merits specific protection since the context could create significant risks
 Influenced by anti-discrimination laws (explains why SSN and credit card numbers are not
included)
 In some jurisdictions, Cs must obtain permission from DPAs before processing at all
 Cs must meet conditions under both articles 6 and 9 to process sensitive data; ensure
proper and full notification to DS about how data is used in accordance with Art 12-14
 Starting point= processing prohibited unless exception can be found
 EXCEPTIONS
 Consent (unless EU or MS law says prohibition on processing cannot be lifted by
DS: then another criterion must be used)
o Unambiguous, freely given, specific, informed, and explicit
 May be explicit on paper or in electronic form with digital
signatures, clicking on icons, or confirmation email
 Consent must explicitly set forth purpose of processing (actually
refer to categories of data that will be processed)
 Consent in writing and/or a permanent record may be required
o Statement or clear affirmative action required
 Necessary for Purposes of Carrying Out Obligations and Exercising Specific
Rights of the C or DS in field of Employment and Social Security and Social
Protection Law
o Necessary for C to comply with legal obligation under employment, soc
sec, or soc protection law
o Relevant to DS candidates, employees, and contractors
o Necessity test, extent of criterion depends on local employment law
 Necessary to protect Vital Interests
o Where DS physically or legally incapable of giving consent
o Expected to attempt to seek consent before relying on this
 Carried out in course of legitimate activities with appropriate safeguards by a
foundation, association, or other non-profit body with Political, Philosophical,
Religious, or Trade Union Aim
o And on condition that the processing relates solely to members or
former members, or to persons who have regular contact with the org
in connection with its purposes, and that the PD is not disclosed outside
the body without consent of DS
o Churches, political parties, etc
o Processing must only take place (1) in the course of legitimate activities,
(2) with appropriate safeguards, and (3) in connection with specific
purposes
 Personal Data Manifestly Made Public by DS
o Media interviews, potentially social networking platforms
 Necessary for Establishment, Exercise, or Defense of Legal Claims, or when
Courts acting in Judicial Capacity
o Requires C to establish necessity: close and substantial connection
between processing and purposes
o All such processing still subject to DP principles set out under Art 5
 Substantial Public Interest
o On the basis of EU or MS law which shall be proportionate to aim
pursued, respect the essence of the right to data protection and provide
for suitable and specific measures to safeguard fundamental rights and
interests of DS
o MS can lay down laws, but processing must be (1) proportionate to aim
pursued and (2) show respect for essence of right to data protection
o Public Interest defined by some MS (not defined by GDPR)
 Not required to notify derogations to EC as under Directive
o UK has further criteria for processing in public interest: processing must
be necessary for purposes of preventing or detecting any unlawful act
or to discharge any function designed to protect the public against
dishonest, seriously improper conduct, or mismanagement in the
administration of any organization or association
 Necessary for purposes of Preventive or Occupational Medicine, for Assessment
of Working Capacity of Employee, Medical Diagnosis, Provision of Healthcare, or
Pursuant to contract with Health Professional, and subject to conditions and
additional safeguards
o Medical or social care purpose
o Processing may be carried out on basis of either EU or MS law, or under
contract with health professional
o Exception mainly applies to doctors, nurses, or others involved in
healthcare professions
 Exception does not mean these people are exempt from rest of
GDPR
o Also allows for things like drug testing employees to ensure fit to work
 Necessary for reasons of Public Interest in areas of Public Health
o Such as protection against serious cross-border threats to health, or
ensuring high standards of quality and safety of health care and of
medicinal products or medical devices
o Public health: all elements related to health, namely health status,
including morbidity and disability, the determinants having an effect on
that health status, health care needs, resources allocated to health care,
the provision of, and universal access to health care as well as
healthcare expenditure and financing, and the causes of mortality
o Such processing should not result in PD being processed for other
reasons by third parties (e.g. employers, insurance or banking
companies)
o Allows for supervision of drugs and medical devices to ensure quality and
safety
 Necessary for archiving purposes in public interest, scientific or historical
research, or statistical purposes
o To rely on this criterion, processing must have appropriate safeguards and
must be necessary for one of the purposes based on EU or MS law, which
must be proportionate, respect the essence of the right to DP, and provide
for suitable safeguards
o **Anonymization reflects best practices
o Pharmaceutical companies and academic institutions should explore
parameters of this exception
o Data on Criminal Convictions and Offenses, and Related Security Measures
 Warrants greater level of protection
 May only be processed under control of an official authority or when the processing is
authorized by EU or MS law providing for appropriate safeguards for rights and freedoms
of DS
 Private sector controller will need to examine rules under EU or local law around
processing data
 **NOT considered category of sensitive data under Art 9
o Processing that does not require Identification
 If C doesn’t need to ID DS when processing data, C not obliged to maintain, acquire, or
process additional information in order to identify DS for the sole purpose of complying
with GDPR
 C doesn’t need to comply with obligations regarding certain rights of DS unless DS
provides additional information to allow their identification
 Information Provision Obligations
o Transparency
 Data must be processed “lawfully, fairly,” and in a transparent manner
 Make clear to data subjects that their personal data is being processed; make them aware of their
rights and of the risks, rules and safeguards related to processing
 DS informed of existence of processing and its purpose
 If basis of processing is consent, must be informed (transparency!)
 DS must be aware of ID of controller
 Inaccurate or incomplete information will not meet transparency standard
 Legitimate interest basis for processing: can a DS reasonably expect at the time and in
the context of the collection of PD that processing for this purpose might take place
 General DPA notification requirement removed!!
o DS right to receive certain info from Cs regardless of from where info collected
o Article 13: provision of information to DS when info collected directly
 Following information required to provide:
 ID and contact details of C
 Contact details of DPO (if applicable)
 Purposes and legal basis for processing
 If using legitimate interest, what is the legitimate interest pursued
 Recipients or categories of recipients of data
 Whether C intends to transfer to 3rd country or IO, and whether EC adequacy
decision exists, and if not, what suitable safeguards are in place for the transfer
 Art 13(2): to ensure fair and transparent processing, also provide following data (only
needs to be provided when necessary to ensure PD processed fairly: might be always)
 Period PD will be stored, or criteria used to determine that period
 DS rights in relation to data: (1) rt to request access, rectification or erasure, (2)
rt to request restriction of processing, (3) object to processing, (4) rt to data
portability
o NB not unconditional rights, not in all circumstances, exceptions exist
 If processing based on consent, rt to withdraw consent
 Rt to lodge a complaint with supervisory authority
 Whether provision of PD is a statutory or contractual req, or req necessary to
enter a contract
 Whether DS is obliged to provide PD and the consequences if they don’t
 Existence of automated decision-making aka profiling
o Art 14: info to provide DS when info received indirectly
 Everything with Article 13, plus categories of personal data concerned and the source of
the data
 No req to inform DS whether provision is based on statutory or contractual req,
or to explain whether DS obliged to provide info and consequences of not doing
so
 Provide info unless an exemption applies
o Additional Information to Provide
 Art 15: DS right to request info
 Right to require C to restrict processing
 Right to object to processing on basis of C legitimate interests, necessity to carry
out processing for public interest, or direct marketing
 Right to object to profiling
 International Data Transfers
 On basis of legitimate interest: informed of transfer and what the interest is
 On basis of consent: possible risks of transfer and appropriate safeguards
 On basis of BCR: info in BCR, DS rights of processing, and liability arrangements
 New Purpose of Processing
 DS must be informed of reason for processing beyond original reason
 Multiple Controllers
 Essence of arrangement should be “made available” to DS (different from
“provide”)
 Personal Data Breaches: sometimes must provide info
o When to provide information
 Information obtained directly from DS: provide info at time PD obtained
 Obtained indirectly: within a reasonable amount of time after obtaining (within 1
month), if used for comms then at the time of the first comm with DS, and if disclosed to
another recipient at latest when PD first disclosed
 If new processing takes place, DS must be informed before new processing
 DS right to object must be provided at least at the time of the first comm with the DS
 Info on right to withdraw consent must be given before consent is given
o How to provide information
 Concise, transparent, intelligible, and easily accessible form
 Consider audience (different for children)
 Same form as info given (e.g. electronically, on website, by email, etc)
 Clear and plain language
 Fair processing info may be given orally if requested, as long as ID of DS proven by other
means
 Free of charge
 Visualization/standard icons may be used
 Requests for consent
 Presented in manner clearly distinguishable from other matters
 Intelligible and easily accessible form
 Clear and plain language
 Right to object to processing must be brought to attention of DS clearly and separately
from other info
o Exemptions on obligation to provide information
 New purpose of processing: no need to inform if
 DS already has this info
 If obtaining or disclosing PD in Member state law to which C is subject and
which provides appropriate measures to protect DS’s legitimate interests
 PD must remain confidential subject to an obligation of professional secrecy
regulated by EU or Member state law, OR
 Provision of info would be impossible or involve a disproportionate effort, or for
archiving purposes, in the public interest, scientific or historical research, or
statistical purposes (if conditions and safeguards for processing such info are
met OR provision of fair processing info likely to render impossible or seriously
impact achievement of objectives of the processing)
 C should take appropriate measures to protect DS rts, freedoms, and legit interests
 Defining “disproportionate effort”: number of data subjects, age of PD, compensatory
measures applied (appropriate safeguards adopted)
 Notifying well-known individuals about holding data about them is nonsensical
 DS still entitled to request data processing information, even if an exemption to the
obligation to provide the information applies
 Art 23: exceptions for things related to law enforcement, public interest, and national
security
 Right of data subjects to be informed of restrictions unless doing so would
prejudice the purpose of the restriction
 Member states can create legislation with exemptions for media and art
o ePrivacy Directive Reqs
 Relevant to use of cookies, etc
 Only consent available: may place cookies, collect info, only with consent
 Info about the cookie must be given to the user, and the user must consent
before the cookie is placed on their device
o Fair Processing Notices
 Cs must provide information or specifically bring it to the attention of/inform the DS
 Factors in whether to “provide” or “make available” information
 Level of information already available to DS
 Element of collection or processing DS would find unexpected or objectionable
 Whether consequences of (not) supplying their personal data are clear, and
what the consequences are
 Nature of PD collected (special categories??) and type of individuals (vulnerable)
 Method by which data is collected
 Right to object must be brought to attention of DS not just provided
 Information must be provided:
 Clear, concise, and easy to understand in simple, unambiguous and direct
language
 Genuinely informative
 Accurate and up to date
 In an appropriate manner
 Forward looking but realistic (do not need to list every possible use of data in
future, but those reasonably foreseeable)
 Commercial benefits to provision of information
 DS place trust in organization, creates customer loyalty and retention
 DS likely to provide more and more valuable personal data
 Risk of complaints and disputes that may arise from using PD will be reduced
 Ways to provide notices:
 Layered fair processing notices: short initial notice with click-throughs to more
complete form, DS knows info available if want it (appropriate form, like toll-
free number to call if not online)
o 3 recommended layers
o Cs should provide key information and details of processing which may
be unexpected or objectionable immediately and prominently
o First should be ID of C and high-level purpose of processing
o Benefits: help DS who can only take in certain amount of data,
space/time limitations, longer notices impair readability
o Ensure info that must be brought to DS attention not buried
 Just-in-time notices: provision of information at specific points of processing
 Privacy dashboards: can allow DS to control how PD being processed
 Alternative formats: visualization, standardized icons, animations for children
 Make an un-layered version available as well if DS needs to refer to it
 Diverse technologies (e.g. CCTV, drones)

 Post signs and information sheets where used in a specific area notifying
individuals of the use, list place for contact information and longer notice (QR
code)
 Use social media, etc, if to be used at events
 Make processing information available on operator’s website
 Ensure drones/cameras are visible and the operator is also clearly visible, with
signage ID’ing them as the drone operator
 Data Subjects’ Rights
o Bolstering rights one main ambition of EC with GDPR
 C should use reasonable efforts to identify DS
 Time frames to honor DS requests set: at least acknowledge receiving request and
confirm or clarify what is requested within one month starting with receipt of request
(can be extended to 2 more months for cases of specific situations and/or especially
complex requests)
 If organization decides not to proceed, must notify DS and advise of the
opportunities to lodge complaints
 Electronically-received requests should be answered electronically, unless DS
wants something else
 Transparency is fundamental: DS rights cannot be assured if they are not properly
informed about C’s activities
o Right to Information (about personal data collection and processing)
 C’s ID, reasons and purposes of processing, legal basis, recipients of data, transfer to 3rd
countries, other info to ensure fair and transparent processing of the data
 Source of data if indirect
o Right of Access
 DS has right to obtain confirmation from C whether PD being processed, and if so, also
the following information
 Purposes of processing
 Categories of PD
 Recipients (including transfer)
 Envisaged period for which PD will be stored
 Right to erasure or rectification
 Right to lodge a complaint
 Source of data if indirect
 Existence of automated decision-making
o Right to Rectification: rectify inaccurate data
 C must ensure inaccurate or incomplete data is erased, amended, or rectified
o Right to Erasure (Right to be Forgotten)
 Right to erasure if data no longer needed for original purpose and no new lawful
purpose exists, OR lawful basis is consent and consent is withdrawn without additional
lawful grounds for processing, OR DS exercises right to object and C has no grounds for
overriding, OR data has been processed unlawfully OR erasure necessary for compliance
with EU or national member state law
 If C has made data public and third parties are processing, must inform 3rd parties that
DS exercised this right (exempt if impossible to comply with or would require
disproportionate effort)
 Exemptions, if processing is necessary

 For exercising right of freedom of expression and information
 For compliance with legal obligation of EU or Member State law OR for the
performance of a task carried out in public interest (public health, archiving,
scientific or historical research, or statistical purposes)
 Establishment of, exercise of, or defense against legal claims
 Strengthens right to be forgotten in online environment
o Right to Restrict Processing
 Right to restrict if accuracy of data contested (restrict until accuracy verified), processing
is unlawful (DS may request restriction instead of erasure), C no longer needs data for
original purpose, but still req to establish, exercise, or defend legal rights, OR
verification of overriding grounds is pending in context of an erasure request
 How to accomplish this: move data to another processing system, restrict access, make
unavailable to users, temporarily remove from website
o Right to Data Portability
 Right to obtain data in structured, commonly used, and machine-readable format to
transfer to another controller, or ask for it to be transferred directly where technically
feasible
 Right to transmit data to another C without hindrance from current C
o Right to Object
 If C using “legitimate interests” as lawful grounds, DS can object to processing
 After objection, C must demonstrate compelling legitimate grounds for
processing-> sufficiently compelling to override the interests, rights, and
freedoms of the data subject (e.g., to establish, exercise, or defend against legal
claims)
 Related to processing for scientific and historical research or statistical purposes, DS
may only object if processing is not considered necessary for the performance of a task
carried out in the public interest
o Right to not be subject to Automated Decision-Making
 Only applies if such a decision is based solely on automated processing and produces
legal effects concerning the DS or similarly significantly affects them
 Even if processing falls under this Article, allowed if authorized by law, necessary for
preparation or execution of a contract, or done with the DS’ explicit consent, provided C
has put in sufficient safeguards
 Security of Personal Data
o Why is security important
 (1) state of security often a pre-req to achieving compliance with other DP principles
 (2) serious cases of insecurity guarantee negative media coverage
 (3) poor security controls= different features of scale and harm compared to other DP
breaches
 Harms: fraud and identity theft
 Cybersecurity and data security have the attention of national leaders because of the
harm they could cause
 Tensions between security and right to privacy (national security and law
enforcement)
o Security Principle
 Article 5(1)(f): Integrity and confidentiality of the data
 5(2): controllers must be able to demonstrate compliance

 Article 32: appropriate technical and organizational measures
 Cs and Ps req to implement controls to protect against complex technological
threats as well as guard against negligent employees
 Does not require absolute security
o Regulators cannot assume legal failure from operational failure
 Risk-based approach: Risk assessments
o Nature of data to be processed
o Reasonably foreseeable threats
o State-of-art test
o Consideration of cost
 Cannot rule out a measure based on cost alone
o Industry best practices (e.g. encryption because industry standard, not
legal requirement, but failing to implement became issue against best
practices)
 Art 32(4): People under control of/working for Cs and Ps
 Confidentiality issues
 All people who have access to PD through work have a duty of confidence
 Insider threat: Cs and Ps should have robust policies alerting employees to their
responsibilities handing PD, provide with regular training, and make clear
consequences for violating policy
 Art 28: Processors and the relationship between Cs and Ps
 28(3)(h): processors must be able to demonstrate compliance
 28(1): flow-down the security principles from C to P and further to sub-Ps
 Cs only allowed to use Ps who can provide sufficient guarantees of
implementation of appropriate technical and organizational measures
o Proof before signing contract, audits for assurance
o Ps can only act on instructions of Cs, or else risk becoming a C!
 P duty to provide assistance to C in compliance and reduction of risk
o E.g. PD breach notifications, effective incident detection and response
 Art 30: Controllers and processors must maintain records of processing activities under
their responsibility
o Breach Notification: Controller requirement to notify DPA
 Transparency mechanism, encourages mitigation of loss and damage, helps society
understand causes of failure, enables development of responses to minimize risk of
future events and their impact
 Regulators can apply adverse scrutiny (regulatory enforcement proceedings and
compensation claims)
 If reporting entity engaged in appropriate security measures, no further action
taken
 Art 4(12): must be an actual breach of security leading to a negative outcome-> risks of
security breaches don’t count, though the security principle itself looks to prevent risks
 Art 33: notifying regulator
 Trigger: detection of PD breach (C becomes aware of breach)
o Cannot avoid putting measures in place to detect (Art 5(1)(f) reqs for
security)
 Breach that will cause risk to rts and freedoms of individuals must provide
notice to DPA

o NOTIFY WITHOUT UNDUE DELAY: 72-hour limit
 Incident response plan for C
 Concept of risk not subject to severity threshold, because concept of rights and
freedoms is broad
 C must document every time data breach occurs, hold records forever,
especially if decide doesn’t meet DPA reporting threshold (also record ones that
are reported)
 **Ps must notify Cs of personal data breaches without undue delay
 Art 34: communicating with data subject
 Breaches that present high risks to rts and freedoms of data subjects must
provide data subjects notifications
o Severity threshold (“high” risk) that is not present in Art 33
o What is a “high” risk? Impact to large number of data subjects, or a
particularly large amount of damage to certain individuals
 Exceptions
o Measures taken to render PD unintelligible (e.g., through encryption)
o C has taken steps to prevent high risks from materializing
o Breach disclosure would involve disproportionate effort (e.g., if C
unable to ID all individuals affected by breach)
 If this is the case, broad public announcement appropriate
 Regulators can req Cs to engage in these comms
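To make the Art 33 / Art 34 decision above concrete, here is an added Python example (not from this outline, and not any regulator’s tooling): it computes the 72-hour DPA deadline from the moment the C becomes aware, applies the three Art 34 exceptions listed above in order, and writes a register entry for every breach, including ones judged not reportable. The BreachRecord fields and the three sample breaches are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Art 33(1): notify the DPA without undue delay and, where feasible, within 72 hours
DPA_DEADLINE = timedelta(hours=72)

@dataclass
class BreachRecord:
    """One detected breach (constructed input; field names are hypothetical)."""
    breach_id: str
    aware_at: datetime                      # Art 33 trigger: controller becomes aware
    risk_to_individuals: bool               # any risk to rights and freedoms (no severity threshold)
    high_risk: bool                         # Art 34 threshold: high risk to data subjects
    data_unintelligible: bool = False       # e.g. encrypted, key not compromised
    high_risk_mitigated: bool = False       # later measures mean high risk no longer likely
    can_identify_all_subjects: bool = True  # False: individual notice = disproportionate effort
    description: str = ""

@dataclass
class TriageDecision:
    notify_dpa: bool
    dpa_deadline: Optional[datetime]
    notify_data_subjects: bool
    public_announcement: bool
    reasons: List[str] = field(default_factory=list)

def triage(b: BreachRecord) -> TriageDecision:
    """Apply the Art 33 / Art 34 rules from the outline to one breach record."""
    reasons: List[str] = []
    # Art 33: any risk to rights and freedoms -> notify the DPA; 72h clock runs from awareness
    notify_dpa = b.risk_to_individuals
    deadline = b.aware_at + DPA_DEADLINE if notify_dpa else None
    reasons.append("Art 33: risk present, DPA notification required" if notify_dpa
                   else "Art 33: unlikely to result in risk, DPA notification not required")
    # Art 34: only high-risk breaches, and only if none of the three exceptions applies
    notify_ds = public = False
    if not b.high_risk:
        reasons.append("Art 34: not high risk, no data subject communication")
    elif b.data_unintelligible:
        reasons.append("Art 34(3)(a): data rendered unintelligible (e.g. encrypted)")
    elif b.high_risk_mitigated:
        reasons.append("Art 34(3)(b): subsequent measures, high risk no longer likely")
    elif not b.can_identify_all_subjects:
        public = True
        reasons.append("Art 34(3)(c): individual notice disproportionate, public announcement")
    else:
        notify_ds = True
        reasons.append("Art 34: high risk, communicate to data subjects without undue delay")
    return TriageDecision(notify_dpa, deadline, notify_ds, public, reasons)

def dpa_notification_overdue(d: TriageDecision, now: datetime) -> bool:
    """True when a required DPA notification has passed its 72-hour window."""
    return d.notify_dpa and d.dpa_deadline is not None and now > d.dpa_deadline

class BreachRegister:
    """Art 33(5): document every breach, including those judged not reportable."""
    def __init__(self) -> None:
        self.entries: List[dict] = []

    def record(self, b: BreachRecord, d: TriageDecision) -> dict:
        entry = {
            "breach_id": b.breach_id,
            "aware_at": b.aware_at.isoformat(),
            "facts": b.description,
            "notify_dpa": d.notify_dpa,
            "dpa_deadline": d.dpa_deadline.isoformat() if d.dpa_deadline else None,
            "notify_data_subjects": d.notify_data_subjects,
            "public_announcement": d.public_announcement,
            "reasoning": list(d.reasons),
        }
        self.entries.append(entry)
        return entry

# Constructed sample breaches (not real incidents)
SAMPLE_BREACHES = [
    BreachRecord("constructed-001", datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc),
                 risk_to_individuals=True, high_risk=True, data_unintelligible=True,
                 description="Encrypted laptop lost; key not on device"),
    BreachRecord("constructed-002", datetime(2024, 3, 2, 14, 30, tzinfo=timezone.utc),
                 risk_to_individuals=True, high_risk=True, can_identify_all_subjects=False,
                 description="Customer export leaked; affected set cannot be fully identified"),
    BreachRecord("constructed-003", datetime(2024, 3, 3, 8, 0, tzinfo=timezone.utc),
                 risk_to_individuals=False, high_risk=False,
                 description="Internal misdirected email, recalled unopened"),
]

def run_sample() -> List[dict]:
    """Triage and register every sample breach; returns the register entries."""
    reg = BreachRegister()
    for b in SAMPLE_BREACHES:
        reg.record(b, triage(b))
    return reg.entries
```

The register keeps the reasoning alongside each decision, which is what a DPA will ask to see for breaches judged below the reporting threshold.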
o Delivering on Security
 Business members must work together across the board to ensure security: connect all
facets of business with security experts in organization
 Risk-assessment, accountability, and privacy by design
 Factors to consider when designing incident response (among others):
 Threat and vulnerability assessments
 Human factors
 Incident detection and response
 Create data mapping and inventory exercise to pinpoint areas of data capture and data
entry=> plot flow of data through org until redundancy, when info is deleted or
destroyed
 Effective management is key: take seriously departures from policy and other incidents
 Consider consequences of serious security breach: adverse third-party scrutiny
 Insider risk awareness and mitigation
 Culture of risk awareness, respect for PD to create good security
 Key components of a good culture for security include:
o Understanding people risks (risk assessment and mitigation, training)
o Recruitment process: show value of security and confidentiality even
with job candidates
o Offer letter and contract of employment: embed company’s culture
o Acceptance of job offer: recruit should affirm read privacy framework
o Induction: new employee induction program with more training
o Continuous training
o Adequate processes to deal with failure, disciplinary measures
o End of employment: return physical components, ensure access rights
and privileges terminated

 Security paperwork
 Written policy, rules for security
 Adequacy of paperwork is one of first things regulators will consider in
investigation
o Inadequate paperwork can lead to a bad impression, and in the case of
security breaches and data loss can give regulators sufficient grounds to
find noncompliance
 Policy-based regulation much easier to control and police, cheaper, quicker,
more efficient
 Data protection by design, DPIAs, and accountability principle all presuppose
creation and distribution of records
 LAYERED APPROACH: top layer contains high-level policy statements, middle layer
has controls implemented to achieve policies, and bottom layer includes
operating processes and procedures (the why, what, and how)
 Ensure technology stacks robust: antivirus, antispam, firewalls, data loss prevention, etc
 Some jurisdictions (Germany) have legal reqs to work with works councils
before deploying technologies
 Fully tested by penetration testers (ethical hackers)
 Physical environment: CCTV, clean desk policies, etc
 Risk management of Ps, suppliers, and vendors
 Cs must: (1) choose reliable processors, (2) maintain QC and compliance
throughout relationship, and (3) frame relationship in contract that contains
necessary provisions requiring P to maintain security, act only on C’s
instructions, cooperate with C on compliance, and cascade reqs through supply
chain
 Conduct audits and evaluate 3d parties before engaging with them
 How Cs can shield themselves from Art 28 compliance issues
o Checklist of issues to consider in the pre-contract due diligence stage
o Risk assessment to understand threats and challenges posed by
outsourcing
o Contract should contain framework for ongoing assurances (on-site
audits, inspections, testing, period assessments of ongoing compliance)
o Incident Response
 Create incident response plan
 Approval by senior leadership (get buy-in)
 Address anticipatory aspects of the incident and response aspects of incident response
 Include principles for decision-making, list of who will be involved
 Templates for public messaging and comms
 Benchmarking against peers in marketplace
 Analyze what is realistic for the organization and its incident response team
 Gap analysis, discovery exercise to find out what is being done already, review
previous events for past successes and failures
 Incident detection: determine whether org has already been compromised (many
hackers invade and don’t act for years)
 Ensure proper classification of incidents (if misclassified, may lead to incorrect
treatment and breach disclosure decisions)
 Create playbook for handling incidents most likely to occur

 Create plan to handle the fallout, dealing with media, law enforcement, data subjects,
insurers, vendors
 How to handle breach disclosure
 Develop litigation posture
 Accountability Requirements
o In General, what is changing
 Accountability means DPAs can check in whenever they want for compliance with 6 DP
principles (new in GDPR)!
 Organizations must embed DP issues within their business and operations, promote a
culture of data protection within company
 DPAs may publish Privacy Standards for effective DP programs (internal and external
policies, DPOs, audits): if follow CNIL Standards, receive privacy seal
o Responsibility of the Controller
 Technical and organizational measures: take into account nature, scope, context, and
purposes of processing, and the risks to rights and freedoms of the individuals
 The higher-risk the processing (damage to reputation, discrimination, economic
or social disadvantages, deprivation of rights and freedoms) the greater the
measure to reduce risk required by the C
 Having and implementing policies is the easiest way to prove compliance to DPA (no
policy= unlikely to have compliance), but this is not sufficient alone: 3 key areas
 Internal policies: key matters that should be addressed
o Scope: to whom and types of activities to which it applies
o Policy Statement: commitment to PD protections, descriptions of
purposes for processing and legitimate business purpose
o Employee Responsibilities: what each role is permitted to do with data,
limitations around use, steps to follow, security and access obligations,
transfer of PD prohibited unless legitimate grounds established (steps
employees should take before transferring data), training programs
 Information security policies: best practice to base on industry
standards (ISO 27001/2) but not required
o Management Responsibilities: develop protocols to ID and address risks,
responsibilities should be clearly allocated to individual roles
o Reporting Incidents: employees should be expressly required to
immediately report incidents of data breaches (time is of the essence:
72 hours to report to DPA); establish an incident response plan and
team, and test regularly
o Policy Compliance: employees who fail to comply subject to internal
discipline, company and individuals involved could be subject to criminal
and civil penalties, indemnity and liquidated damages for third party
contracts for services
 Internal Allocation of Responsibilities
o Cs must be able to demonstrate DP management resources to DPAs
o Facilitate supervision by DPAs, allow DS to exercise rights, enable
policies to be regularly updated
o Create a privacy management team or council, appoint DPO
 Training
o Internal programs to inform employees of legal DP obligations

o Create flexible training programs tailored to particular roles
o Document and monitor rolling out of training programs
o Data Protection by Design and Default (integrate safeguards into all processing)
 Privacy by Design
 Embed DP into design specifications of new systems and technologies
 Applies to all stages of a project or product, not just planning and execution
stages of new developments
o Create products with built-in ability to manage and fulfil all GDPR
obligations
 Privacy by Default
 Implement appropriate technical and organizational measure to ensure only PD
necessary for each purpose are processed
 Limit or minimize data collected, greater controls over extent of processing
 PD must by default only be kept for time necessary to provide product or
service
 Explicit obligation to implement appropriate technical and organizational
measures to deliver this requirement
 How to comply: consider state of the art, cost of implementation, nature, scope,
context, and purposes of processing, as well as risks of varying likelihood and severity
for rights and freedoms of natural persons
 Types of techniques to comply: minimizing PD processed, pseudonymization, allowing
DS greater control over their data
 Ensure PD easy to search and find, correct, and collate early; set up systems for automated
deletion of PD; ensure excessive PD not collected initially; ensure PD structured in
commonly used, machine-readable, and interoperable format
o Documentation and Cooperation with Regulators
 GDPR: notification and registration requirements abolished!
 Instead, Cs must keep detailed records of processing operations in writing to be
made available to DPAs upon request
 DP records that must be kept (similar to notification reqs)
 Cs name and contact details, DPOs, purposes of processing, cats of DS and PD,
cats of recipients, anticipated transfers, appropriate safeguards, retention
periods, security measures
 Ps must maintain contact details, DPO, name and contact of each C the P processes
for, cats of processing, details of transfers and safeguards, security measures
 Exemption for companies with fewer than 250 employees
 Exemption does not apply if processing is likely to result in risk to rights and
freedoms of DS, is frequent and not occasional, or involves special cats of data;
also does not apply to data related to criminal convictions and offenses
o Data Protection Impact Assessment (DPIA)
 Companies use DPIA to identify and address DP issues that may arise when developing
new products or services, or undertaking new processing activities
 Required under GDPR when processing activity might pose high risk to rights and
freedoms of DS; also before proceeding with risky PD processing activities
 When risks identified, take appropriate actions to prevent or at least minimize risks
 ICO considers DPIA a best practices tool
 How to determine whether DPIA is necessary and how to carry out

 Is processing “high risk”?
o Systematic and extensive profiling that produces legal effects or
significantly affects individuals; special cats of PD on a large scale;
systematic monitoring of a publicly accessible area on a large scale (e.g.
CCTV and drones)
 What if processing is high risk and a DPIA is required?
o First, seek advice of DPO
o DPIA must include at least following: systematic description of
envisaged processing activities, purposes, legit interest; assessment of
necessity and proportionality in relation to purposes; assessment of
risks to rights and freedoms of individuals; measure to address the risks,
including safeguards and security measures and mechanisms
 What if processing still high risk?
o No sufficient measure to mitigate the risk, C required to consult with
DPA before processing (allow DPAs up to 8 weeks to consider referral)
o Data Protection Officer
 Formally recognized but not required
 Required when: processing carried out by public authority, core activities are regular
and systematic monitoring of individuals on a large scale, OR processing special
categories of personal data on a large scale
 Core activities: key operations necessary to achieve C’s or P’s goals, DP is
inextricable part of C’s or P’s activities
 Large-scale factors: number of DS concerned, volume of data, range of data
items, duration or permanence, geographical extent
 Regular and systematic monitoring: all forms of Internet-based tracking and
profiling
o Regular: ongoing or at particular intervals for a particular period,
recurring or repeated, constantly or periodically
o Systematic: according to a system, pre-arranged, organized or
methodical, part of general plan for data collection, carried out as part
of strategy
 DPO must be appointed if required by MS law (Germany= at least 9 employed in
automated processing of PD, or at least 20 people in non-automated processing)
 France: no requirement but potential advantages for companies with DPOs
 Group-wide appointments allowed: DPO must be easily accessible to each undertaking
 Role of DPO: involved properly and in a timely manner on all issues which relate to
protection of PD; operate independently (can have other roles that don’t give rise to
conflict of interest); no limit of tenure
 Must have a direct reporting line to highest management level of company, and access
to company’s data processing operations
 Sufficient technical knowledge and expertise required, appointed based on experience
and abilities in field of privacy
 Must be able to: inform and advise company of obligations with GDPR, monitor
compliance with GDPR and company policies, provide advice on DPIAs, cooperate with
DPA, and act as point of contact for DPAs
 May be an employee of the company or a third-party service provider

o Other measures: BCRs-> ensures same high level of protection of PD complied with by all
members of a group with single set of binding and enforceable rules
 Gold standard because to achieve them, companies must demonstrate privacy
compliance framework upon application to DPA; DPA also monitors ongoing compliance
 International Data Transfers (Countries and international organizations)
o Transfers do not include transit, must include processing outside EEA
 Technical routing, such as email and web pages, may involve random data movement
around the world in transit
 Electronic access to personal data by travelers who are physically in another place for a
short period of time does not count
o Transfers only under 1 of 3 conditions
 (1) Adequate level of protection offered by country (as recognized by EU Commission,
with periodic reviews of adequacy every 4 years)
 Country follows rule of law, protects human rights, has legislation protecting
data processing (including legislation about transfers) and has effective
administrative and judicial remedies for data subjects whose data is transferred
 Independent supervisory authorities including adequate enforcement powers,
AND
 International commitments third country or IO has entered into in relation to
personal data protection are taken into consideration
 **11 countries and territories currently recognized
 (2) C or P provides appropriate safeguards with enforceable data subject rights and
effective legal remedies, OR
 (3) Transfer fits within one of the derogations for specific situations
o EU law applied extra-territorially
 Large MNCs must apply EU law in all of their processing globally
o United States
 Safe Harbor
 Provided adequacy ruling for orgs to sign onto and self-certify for EU-US
transfers
o Parties weren’t performing required annual compliance checks, and FTC
did not enforce
 Snowden revelations showed Safe Harbor ineffective
o Did not want to suspend because of importance of data transfer
between US and EU for international trade as well as law enforcement
and national security: started looking into other mechanisms
(“Rebuilding Trust in the EU-U.S. Data Flow”)
o Schrems I: ECJ invalidated Safe Harbor
 Privacy Shield
 4 broad priorities from Commission: (1) transparency, (2) redress, (3)
enforcement, (4) access to data by U.S. authorities
o Sticking point for US: national security exception was only to be applied
when strictly necessary and proportional according to EC
 7 principles: (1) notice, (2) choice, (3) accountability, (4) security, (5) data
integrity and purpose limitation, (6) access, and (7) recourse, enforcement, and
liability
 Documentation more detailed than Safe Harbor, higher standards put in place

o Letters of assurances restricting access by U.S. gov’t agencies, checks
and balances
 WP29 Opinion concerns: did not include key DP principles from EU law, no
protection for onward data transfers, redress mechanism for individuals too
complex, documentation didn’t exclude massive/indiscriminate data collection
by US intelligence agencies, new ombudsperson not sufficiently independent or
powerful
 US businesses subject to FTC or DOT can join by filing online registration with
DOC (does not cover banks or telecom companies!!)
o PS companies take certain steps to demonstrate compliance, including
(1) internal compliance assessments, (2) registration with 3rd party
arbitration provider, and (3) adopt Privacy Shield notice and publish
online
o Providing adequate safeguards
 Model Clauses
 C to C or C to P
 Pre-approved by Commission, put on file with DPA
o DPAs can also adopt their own SCCs or approve ad-hoc contracts
presented to them by parties for transfers (provides greater flexibility,
allows to adopt more realistic contract obligations that they are less
likely to breach)
 Codes of conduct and certification: new idea with GDPR
 Binding Corporate Rules: now expressly in GDPR
 Higher standards, legitimizes all transfers within corporation as adequate
o Must be submitted to and approved by DPAs
o Cost effective for large MNCs
 Multinational organizations draw up and follow voluntarily, and national
regulators approve in accordance with their own legislations
 DPAs must approve following the consistency mechanism
 Full set of BCRs must include the following
o Structure and contact details of corporate group and members
o Data transfers (categories, type of processing, purposes, type of data
subjects affected, ID of third country or countries)
o Legally binding nature
o Application of general DP principles (Art 5)
o Rights of data subjects and means to exercise those rights
o Acceptance by C or P established in territory of a member state of
liability for any breaches of BCR by any member concerned not
established in EU
o How information on BCR provided to data subjects
o Tasks of DPO
o Complaint procedures
o Mechanism to verify compliance with BCR
o Mechanisms for reporting and recording changes to the rules
o Cooperation mechanism with DPA

o Mechanisms for reporting to DPA any legal reqs to which a member of the
corporate group is subject in a 3rd country that may have a substantial
adverse effect on the guarantees provided in the BCR
o Appropriate training to personnel having contact with data
 Derogations
 Consent: explicit, specific and informed (including informed of possible risks)
 Contract performance
o Transfer may be carried out if necessary for performance of contract
(e.g. purchasing contract)
o Contract entered into at individual’s request or in their interests
o May apply for employment contracts, but evaluate whether transfer
necessary based on goods and services provided, not exporter’s choice
of organization
 Public Interest: crime prevention, national security, tax collection
 Legal Claims
 Vital interests: life or death situation (usually medical records)
 Public registers: if information is available, extracts can be transferred
 Non-repetitive transfers: limited number of data subjects, necessary for
purposes of compelling legitimate interests of the C if not overridden by the
interests or rights and freedoms of the data subject
o +C must also provide suitable safeguards to protect PD
o C must inform supervisory authority and data subject of the transfer
and the compelling legitimate interests
 Supervision and Enforcement
o Related to accountability
o Self-Regulation
 Demonstrated compliance with DP principles, appointment of DPO, and heightened
focus on codes of conduct and certification= methods of self-regulation
 Cs have regulatory functions over their Ps, Ps over sub-Ps, creates supervision and
enforcement
 Pre-contractual DD, contract formation, post-contractual requirements
 Cs expected to ID risks and then act to address them
 Demonstrable proof of compliance through testing and similar activities, include testing
as part of business activities
 Notification of PD breaches to DPAs and sometimes to individuals: deterrence is key to
enforcement
 Effective, proportionate, and dissuasive administrative penalties
 DPIAs when processing likely to result in high risk to rts and freedoms of individuals
 DPOs: clear supervisory and enforcement position, immune from dismissal, more like
quasi-DPA than employee-> duty of cooperation with DPA and extension of regulator
 Codes of conduct, certificates, and seals: industry associates can create codes and
certifications, Cs and Ps must undertake to apply for them and should be monitored for
compliance
 Representative bodies can submit draft codes to DPA for approval
 ***Consistency mechanism when draft code will affect at least 2 MS

 Monitoring bodies must prove independence, expertise, and avoid conflicts;
have procedures for issuing, reviewing, and revoking seals and marks if
applicable, and procedure for handling complaints
 Cs and Ps can be fined by DPA for breaching reqs of code in serious cases
 DPAs can revoke monitoring body’s accreditation
o Regulation by the Citizen
 Citizens have driven most of the non-legislative change in PD laws (see: Google v. Spain
and right to be forgotten)
 Civil Society Organizations (CSOs) also have power in litigation
 Primary risk of adverse scrutiny from citizens as litigants rather than DPAs
 Data Subject Rights
 Right to transparency, access to data, rectification, erasure, restriction of
processing, data portability, object, informed of serious data breaches
 **No requirement that DS pursue rights against C before pursuing complaints
and remedies before DPAs or courts! In many cases, rights don’t provide direct
and obvious route to controller (see: DP principles, like confidentiality)
 Remedies for breach of obligations
 Take complaints to DPAs or courts, pursue these remedies and with the C at the
same time
 Turning to DPAs for remedies is the low-risk option
 Individuals can always pursue remedies with home court or DPA, regardless of C
or P place of establishment
 Class/Representative Actions
 GDPR Class Action Right under Article 80
 Individuals can elect to be repp’ed by not-for-profit orgs (CSO), privacy
advocates, or pressure groups: can act on behalf of one or many
o MS can give orgs powers independent from mandates of individuals
 Liability and Compensation Claims
 DS can pursue compensation claims if suffer damage b/c of noncompliance
 Cs and Ps can claim not being responsible for event that gave rise to damage as
defense
o If multiple parties at fault, any individual C or P that is responsible for
any damages can be held liable for all the damage-> then compensating
party can seek indemnity from other Cs and Ps
 What does damage mean? Financial loss, maybe distress or non-pecuniary harm
o “Non-material damage” clearly means distress
 Regulating the Regulators
 If individual puts complaint before DPA but not dealt with, or if hear nothing for
3 months, can take action against DPA before courts to force the issue
o This is how Schrems I happened against Irish DPA
 Primary purpose is to enable appeals against DPA corrective action
o Individuals can also use against DPAs they feel failed to take the right
type of corrective action, or have been too lenient in sanctioning
o Administrative Supervision and Enforcement
 DPAs are the only bodies equipped with administrative supervisory and enforcement
powers (CNIL, ICO, AEPD): all EU countries already have DPAs
 MS required to designate independent public authorities to monitor implementation of
GDPR, act with complete independence, with sufficient skills and resources
 Consultation requirement, give regulators influence over legislative agendas, task and
empower DPAs to provide advice and guidance to their parliaments and govs on DP
 DPA tasks
 Promote awareness and understanding of DP
 Handle complaints and carry out investigations
 Support consistent application of GDPR internationally, applying consistency
mechanism
 Monitor development of information and comms tech and commercial practices
 Receiving and dealing with complaints: citizens have most day-to-day contact
with Cs, so in best position to actually affect compliance; citizens need official
champion, that is the DPA
 DPIAs: DPAs publish lists of situations where DPIAs should be carried out and
where not required; Cs must also consult with DPAs when DPIA indicates activity
would result in high risk to rights and freedoms of individuals
 Codes, certificates, seals, and marks: encourage development, provide opinions
on draft codes, amendments or extensions (whether comply with GDPR),
approve draft code etc if it provides sufficient safeguards, withdraw certificates
where reqs no longer met
 Approve SCCs and BCRs: can also create their own SCCs and approve unique
contracts for transfers
 Records of infringements and actions taken: GDPR requires this record keeping,
already standard practice in many MS
 DPAs cannot charge DS or DPOs for their services, but can charge back admin
costs on manifestly unfounded or excessive requests
 Activity Reports: regulation must be conducted transparently to promote
confidence in regulatory system and provide society critical insight into trends
and developments within regulation
 Regulator’s Powers
 Investigatory Powers: access all necessary evidence, materials, and facilities to
enable to deliver on tasks, along with mechanism to start investigations, notify
Cs and Ps of alleged breaches
o DPAs will be able to obtain access to any relevant docs held by
organization under investigation, including 3rd party papers, reports, and
audit reports (unless privileged)
o DPAs may carry out operational reviews
 Corrective Powers: Enable DPAs to warn Cs and Ps about dubious processing
activities, enforce financial penalties, and order Cs and Ps to stop data
processing
 Authorization and Advisory Powers: codes, certifications, seals, and marks
 Litigation by Regulators: DPAs must be able to force compliance through courts
 Protecting Cs and Ps from precipitous regulatory action: natural and legal persons
affected by DPA decisions can take legal proceedings to protect their positions
 Obligation of prof secrecy on DPAs and their staff with confidential info they access
o Competence and International Cooperation
 Who has authority to impose regulatory supervision and enforcement?
 Competence
 DPAs can act on the territory of their own Member State
 DPAs can regulate Cs and Ps established in their territory
 If C or P established in multiple territories, or there is cross-border processing,
lead authority has competence
o “Main establishment” of C or P applies: where the decision-making for
processing of personal information is done, usually at the central
administration (but if decision-making at a different location, main
establishment is there)
o Lead authority req to regulate situations of cross-border processing
 Entities established in only one MS can still engage in cross-
border processing
 Lead authority is the sole interlocutor of that cross-border
processing
o Non-lead authorities can take action in cross-border situations where
the complaint (1) relates only to their territory or (2) if it substantially
affects individuals only in their territory
 DPA asserting competence needs to notify lead authority (may
trigger battle of competence)
 If lead authority rejects assertion of competence of
other DPA and takes up matter itself, procedure in Art
60 must be followed
 If lead authority accepts other DPA’s assertion of
competence, 2ndary DPA can proceed subject to rules
about mutual assistance and joint operations
o Disputes and challenges about competences most likely following a
complaint by an individual: may make complaint to DPA in MS of their
habitual residence, place of work, or where alleged infringement took
place
 Cooperation
 Lead authority rule only applies to cross-border processing: if comes into play,
cooperation procedures of Article 60 apply
o Usually starts with request for mutual assistance and joint operations,
but may also start by non-lead DPA asserting competence
 Lead DPA supplies draft decision to other concerned DPAs
o Could trigger comments, a reasoned objection, or simple agreement
o If reasoned objection, lead authority can accept or reject objection
 If accepted, issues revised draft decision, which other DPAs can
accept or make further reasoned objections
 If further reasoned objections, cycle continues until
impasse broken (can be done with referral to EDPB)
 If rejected, lead authority must follow consistency mechanism
o If no objections, lead authority and other DPA in agreement and draft
decision is binding
 If draft decision accepted, lead authority shall adopt it and
notify C or P at main establishment, the other concerned DPAs,
and the EDPB
 If trigger of complaint from individual to non-lead DPA, the
relevant DPA should notify complainant of outcome
 Burden shifts to C or P to deliver compliance, including
reporting back to lead authority on how that is achieved
o **Article 60 has timetable for these key events
 Mutual Assistance: mandates cooperation and exchange of information
o DPAs must put in place appropriate measures to provide assistance
without undue delay (one-month long stop)
o DPA must comply with requests except when they lack competence to
provide assistance or need to avoid illegality
o If receiving DPA doesn’t provide assistance within one month,
requesting DPA can adopt a provisional measure which triggers urgency
procedure
 Joint Operations: designed to ensure all concerned DPAs properly represented
in supervisory and enforcement work
o When Cs and Ps established in multiple territories, or processing affects
significant number of individuals in multiple territories, all concerned
DPAs have the right to participate in joint operation
o Obligation rests on competent authority to invite other DPAs to
participate
 Consistency Mechanism
 EDPB: successor to WP29
 Opinions of the EDPB
o EDPB must issue opinions on the lists of circumstances when DPIAs are
required, on the adoption of proposed codes that affect multiple MS,
the criteria for accreditation of monitoring and certifying bodies, SCCs
approved by DPA, and BCR authorizations
 Opinions provided after DPAs do their initial work
 Any DPA, EDPB chairperson, or the EC can request opinions on
matters of general application or producing effects on multiple
MS
 Dispute Resolution by EDPB
o Key part of consistency mechanism, triggered whenever lead authority
rejects reasoned objections to draft decision concerning cross-border
processing, whenever there is a dispute between DPAs about who is
competent for a main establishment, or DPA fails to refer its decisions
(above) to EDPB
o Outcome= adoption of binding decision
 When related to draft decision dispute, lead authority or other
DPA is required to adopt final decision on basis of binding
decision
 Urgency Procedure
o Exceptional circumstances where DPA should take urgent action to
protect rights and freedoms of individuals
 If urgency great enough, may not be enough time to pursue
cooperation or consistency mechanism
 DPA may immediately adopt provisional measures, subject to
three-month lifespan, and have to be referred by DPA with
reasons to other DPAs that have a concern in the matter, to the
EDPB, and to the Commission
 End of 3 months, provisional measures lapse unless DPA
thinks final measure need to be urgently adopted, in
which case it can request urgent opinion or urgent
binding decision from EDPB
o Sanctions and Penalties
 Administrative fines based on nature of contravention and status of entity fined (non-
undertakings: public authorities, organizations not engaged in econ activity; versus
undertakings: companies)
 Level 1
o Contraventions: children consent, data protection by design and
default, engagement of Ps by Cs, records of processing, cooperation
with regulators, security, breach notification, DPIAs, DPOs, codes and
certifications
o Up to 10M € or 2% of total worldwide annual turnover in preceding year
 Level 2
o Contraventions: data protection principles, lawfulness of processing,
consent, processing special categories of data, DS rights, international
transfers, failure to comply with DPAs’ investigatory and corrective
powers
o Up to 20M € or 4% of total worldwide annual turnover in preceding year
 Factors to consider before imposing fines
 Effective, proportionate, and dissuasive
 Serious breaches of GDPR can be met with multiple responses
 Total amount of fine cannot exceed amount specified for most serious breach
 Article 83(2) factors:
o Nature, gravity, and duration of infringement, nature, scope, or purpose
of processing concerned, number of DS affected, level of damage
o Intentional or negligent character of infringement
o Actions taken to mitigate DS damage
o Degree of responsibility, taking into consideration technical and
organizational measures
o Previous infringements
o Degree of cooperation with DPA
o Categories of PD affected
o Whether DPA notified of infringement
o Compliance with measures previously ordered against Cs and Ps
o Adherence to approved codes of conduct
o Any other aggravating or mitigating factors
 Undertaking: an entity engaged in commercial activity (companies)
 Public authorities and unincorporated associations are non-undertakings
 MS can take public authorities completely out of fining regimes
 Undertaking is a single entity, does not discuss groups of undertakings
o ***Company part of group of companies can only be fined up to
percentage of individual company turnover, not group’s turnover
o Law Enforcement Data Protection Directive: mirror supervision and enforcement regime, except
with absence of lead authority concept (and related cooperation and consistency mechanisms)
and financial penalties

Section III: Compliance with European Data Protection Law and Regulation
 Employment Relationships
o Tricky area because intersection of data privacy and employment law
 Consult with jurisdictional employment law and works councils
 Member State rules for employee’s PD include measures to safeguard DS human dignity,
legit interests, and fundamental rights with regards to transparency of processing and
transfer, as well as monitoring and controlling
 Employees must have right to access their personal data
o Legal Bases for Processing Employee Personal Data
 Consent
 Must be freely given, hard to say in employment circumstances because uneven
power
o Not a good basis for employers to rely on
 Sometimes local law stipulates consent cannot be given in this
circumstance
 Consent should not be relied on unless withdrawal of consent
would not be problematic for lawfulness of processing or
detrimental to employee’s employment
 Freely given, specific, informed, and unambiguous
 Able to withdraw consent without suffering any detriment
 Some EU countries require consent, and in writing
 Fulfilment of employment contract
 For example, to pay employee (name and bank details)
 Necessary to comply with (EU) legal obligation (e.g., taxes)
 Employer’s legitimate interests
 For example, when employer changes structural systems to migrate employee
data from old payroll system to a new one, this is processing on a legit interest
 Public authorities cannot rely on this ground at all
o Sensitive Employee Data
 If processing this data, employer should be within an Art 9 exception
 Includes consent, but should be employer’s last resort
 In some jurisdictions, extent to which sensitive employee data can be processed
depends on accompanying employment or labor laws
 E.g., in Portugal, must get authorization from DPA
 May be necessary to establish, exercise, or defend legal claims (e.g., claim for unlawful
dismissal, discrimination)
o Providing notice for processing
 Employers must provide notice on processing of data, purposes, who to contact, and
what the DS rights are
 May be done with employee handbook or specific notification document
 Employees must be notified whenever a new purpose arises
 Notice must provide, in detail, legal basis, what the legit interests are (if used),
recipients of data, where data will be transferred, and how long it will be retained
o Storage of personnel records
 Should not be retained longer than necessary, though throughout employment is
normal, probably protected under a legit reason
 Post-employment, may need records for compliance with company law, employment
law, health & safety law, tax law, and social security law, etc
 Should be securely archived
o Workplace monitoring and data loss prevention
 Rights of employees balanced against legitimate company rights to operate
 Background checks
 Must be conducted to avoid hiring unscrupulous persons
 Employers must be sure not to compile blacklists during background checks
(generally illegal) or compile lists of individuals it will not employ
 Data Loss Prevention
 DLP tools use third parties to operate, involves processing employee data but
main purpose is preventing loss of data
 Employee Monitoring
 Must comply with local employment laws as well as data protection laws
 Ensure compliance with following principles: necessity, legitimacy (lawful
grounds), proportionality, and transparency
 Ensure data held securely and only accessed by those with legitimate reason to
view it
 Necessity
 Consider other less-intrusive measures for its purpose first
 Must carry out DPIA when monitoring likely to result in high risk to rights and
freedoms of individuals
o DPIA required if monitoring is a systematic and extensive evaluation of
personal aspects of individuals based on automatic processing, and on
which decisions are based that produce legal effects or similarly
significantly affect the individuals
 Legitimacy
 Must have a lawful basis for monitoring
 Legitimate interest balancing test: legitimate interest of employer versus
infringement on rights and freedoms of individual
 Consent for monitoring very limited in its usefulness
 Monitoring that involves collection of sensitive personal data likely problematic
 EU has strict laws on what is considered legitimate employee monitoring,
consider collective agreements and consult works councils
o Agreements between works council and employers may list what
monitoring is permitted
 Screening of emails to prevent viruses and monitoring time spent online not working
are legitimate employer activities
o Cannot screen content of what employees are doing
o Find less intrusive alternatives: block certain websites, prevention of
viruses over detection
 Proportionality
 Determine whether proposed monitoring proportionate to employer’s concern
 Reasoned and realistic response to a potential or known threat
o Data minimization: personal data must be adequate, relevant, and
limited to what is necessary regarding the purpose of processing
o Actually opening emails is disproportionate
 If collective agreements approve monitoring, proportionality likely struck
 Transparency
 Employers must provide sufficient information about monitoring activity
 Setting expectations helps ensure monitoring is lawful: if employees have not
been told about monitoring, may have expectation of greater level of privacy
 Law acknowledges that employees enjoy a certain degree of privacy at work
 Acceptable Use Policy for communications equipment, including how much
private use of employer equipment is permissible: employees have right to
limited private use of employer equipment
 Private communications should not be opened or monitored
 Sometimes covert monitoring is necessary: sometimes it is not permitted or
limited use permitted and police should be involved
 Information to be Provided by Employers
 Company email/Internet policy
 Reasons and purpose for surveillance being carried out
 Details of surveillance measures taken
 Enforcement procedures
 Whether use of webmail accounts permitted at work
 Arrangements in place to access contents of workers’ emails
 Storage period for backup copies of messages
 Info on when emails deleted from servers
 Involvement of workers’ reps in formulating policies
 Conditions on which private use of Internet is permitted
 Systems implemented to prevent misuse of Internet and access to certain sites
 Info about involvement of employer’s representatives in creating and
implementing policies
 Notify employees when misuse is detected; may also need to notify works
councils
 Rights of Accused Employee: don’t accuse right away, misclicks common
 Unlawful monitoring
 Hard to justify monitoring that collects sensitive PD or is particularly intrusive
 Covert monitoring unlawful w/o prior permission from DPA or an exception
 Emails marked as private generally shouldn’t be read
o Works Councils
 Obligation to safeguard employees’ rights
 Country-specific: UK only has trade unions which don’t get a say on how employers use
PD, whereas Germany and France have strong works councils
 E.g. German WCs can object to use of employee monitoring devices
 Employers engage with WCs by (1) notifying WC, (2) Consulting with WC, or (3) seeking
approval of WC
 If WC rejects a decision, employers’ only option may be to challenge in local
courts
 Sometimes DPA may not approve processing unless and until WC has been involved
o Whistle-Blowing Schemes
 SOX: US companies with EU subsidiaries bound by SOX
 Company required to facilitate ability of employees to make allegations about
wrongdoing (can conflict with EU data laws)
 Point of law is to make companies more responsible and accountable, especially
with regards to internal controls
 Companies encourage those with information of potential or actual fraud to
come forward and provide confidential reports
o May use independent 3rd party agencies for whistle-blowers to contact
 Concern: subject of a complaint cannot confront the person making the
allegation, and anonymity could lead to abuse of function
 Issues for GDPR Compliance
 DPIA should be conducted for whistle-blowing scheme
 Liaison with WCs before implementing method
 3rd party processor contracts outside EU must comply with EU processing laws
 Mechanisms for data transfer outside EEA must comply with laws
 Consent from employees may be required
 Whistle-blowing policy and procedure should be transparent to employees
 Whistle-blowing policy should cover specific elements:
 Individuals reporting (limit who can report based on who has direct knowledge)
 Individuals incriminated (only those known to the person reporting)
 Confidentiality over anonymity of reporting (knowing reporter’s ID will result in
more accurate and thorough investigation)
 Scope of reports (limit scope of reportable matters to those affecting company’s
governance)
 Data retention: strict policy following completion of investigation, and delete
any reports found to be unsubstantiated
 Information provision: meet GDPR requirements for transparency and notice
 Rights of incriminated persons: DP rights may be limited if affects investigation
 Transfers outside EEA: state mechanism used to legitimize transfers
o Bring Your Own Device Policy
 Employer remains responsible as a controller for any personal data processed on
employee’s device for work-related purposes using work email settings
 Companies should establish a policy for personal devices used for work
 Consider how to manage personal data held on the device once the employee leaves
the company, or the device is lost or stolen
 Surveillance Activities
o Need to balance need for surveillance in the national security interest, and individual’s right to
privacy
 Internet means more and more info about private citizens available for surveillance
 Are societies becoming surveillance societies?
o Technology: new tech to make our lives safer, but also generates more data
 Now, surveillance activities undertaken on a daily basis, by both public and private
sectors, for a host of lawful purposes
 CCTV and GPS part of surveillance
o If surveillance results in invasion of privacy, check whether invasion is necessary, lawful, fair, and
proportionate
o Regulating Surveillance
 Public and state agencies or private entities may carry out surveillance (national
security, law enforcement, private purposes like employment law)
 Individual rights may be restricted if the restriction respects the essence of the
fundamental rights and freedoms, and is a necessary and proportionate measure in a
democratic society
 National and public security, prevention and detection of crime, and protection
of DS and rights and freedoms are reasons for restriction to be applied
 LEDP Directive applies to law enforcement activities
 Although processing of personal data must be lawful, fair, and transparent, this
should not prevent law enforcement authorities from carrying out activities
such as covert investigations or video surveillance
 Activities can be carried out as long as they are laid down by law and constitute
a necessary and proportionate measure in a democratic society with due regard
for the legitimate interests of the natural person concerned
 Private sector entities may be under an obligation to retain and/or share PD
with law enforcement agencies
o Communications Data
 Modern surveillance usually occurs by electronic means, generating comms content and
metadata
 Metadata= data about data, information generated and processed as a
consequence of a communication’s transmission
o Traffic data: type, format, time, duration, origin, destination, routing,
protocol used, and originating and terminating networks of a
communication
o Location data: lat, long, altitude of user’s equipment, network cell
o Subscriber data: name, contact details, payment information
 Metadata can provide complete picture of communication and can be used to
ID individual (therefore, falls under GDPR)
 Difficulty balancing competing legal interests: duration limitation of GDPR versus
telecom law requiring providers to maintain call data longer than necessary for
processing
 In this case, the CJEU ruled in 2014 that the Directive was invalid for disproportionately
infringing on privacy rights
o Video Surveillance (CCTV)
 Contains images of individuals that may be used to identify an individual: this is
considered processing!
 Any time an individual’s image is captured, it is considered biometric data
 Article 9 Special Categories of Data exemption must apply
o C may be able to rely on MS law to conduct surveillance in the public
interest for a public area, or in the exercise of public authority
 Cs likely have to rely on legitimate interest balancing test for lawful basis, unlikely to get
consent
 CCTV’s use must not override rights and freedoms of individuals
 DPIA required if: surveillance considered high risk, involves systematic monitoring of
publicly accessible area on a large scale, or if video surveillance included in list by
relevant DPA
 DPIA will need to describe: processing to be carried out, purposes of processing,
legitimate interests pursued, assessment of why surveillance is necessary and
proportionate, assessment of the risks to the rights and freedoms of impacted DS, and
measures required to address those risks
 If DPIA indicates high risks cannot be sufficiently mitigated, C must consult with
DPA prior to use of video surveillance
o When public interest is the lawful basis, MS may make DPA consultation
mandatory
 Proportionate and adequate, relevant, and not excessive solution to problem it
addresses, using CCTV should only happen if other less-intrusive solutions that do not
require image acquisition have been considered and found to be inapplicable or
inadequate for the purpose
 Proportionality also extends to choice of system and technology (e.g. facial
recognition and zoom technology)
 Proportionality also means determining whether aspects of CCTV used and
processing of footage are proportionate to purpose CCTV system used for
o Operational and monitoring arrangements: key operational aspects
(types of cameras, positioning of cameras), see if monitoring of specific
spaces can be minimized; use of particular features (zoom, freeze)
o Retention of CCTV footage: only retain for as long as strictly necessary
o Need to disclose to third parties, such as law enforcement
o Whether CCTV footage will be combined with other info to ID
individuals
o Surveillance of areas with high expectation of privacy (changing rooms,
bathrooms): only allowed in most exceptional circumstances with need
to deal with very serious concerns, make individuals aware they are
under surveillance
 Other measures: staff training, disciplinary and legal sanctions for misuse, CCTV policy
(written document addressing important privacy issues), regular reviews to ensure
compliance and reconsider whether use of CCTV remains justified
 DS rights and CCTV
 Transparency requirements still apply, especially when cameras cover large
public space
o Information should be visible and placed within reasonable distance of
monitored area
o Identify purpose of surveillance and C with contact details
 Subject to Art 15 right of access by DS: CCTV retained for short periods of time,
so it may be more difficult to use this right
o If footage contains images of others, measures should be taken to
safeguard their privacy like blurring images
o Biometric Data
 Personal data resulting from specific technical processing relating to the physical,
physiological or behavioral characteristics of a natural person, which allow or confirm
the unique identification of that natural person
 E.g. DNA, fingerprints, palms, vein patterns, odor, voice, face, handwriting, gait
 May be in its raw form or biometric template form: template must include sufficient
detail to allow an individual to be ID’ed from population of individuals stored in
biometric system
 Main uses of systems: identification and authentication
 To fall under Art 9 special category, purpose for processing biometric data must be to
uniquely ID a natural person
o Location Data
 Location-based services, rely on technical ability to localize a portable device
 Derived from satellite network-generated data (GPS), cell-based mobile data (Cell ID),
chip-card generated data (payment cards)
 3 broad categories of location data Google uses to deliver its services: implicit location
information (using search query etc); Internet traffic info (IP address, allows for
application of correct language); Device-based location services (turn-by-turn
navigation)
 Location data is an identifier, as it may identify or lead to the identification of an
individual: considered personal data under this definition
 Even if users switch off location services on their device or for an app,
vulnerabilities in a mobile app can be exploited to access location
 App developers need to decide whether apps using location result in high risks
to rights and freedoms of individuals, in which case a DPIA is necessary
 Location history may be used to make inferences about individual, such as
homes of friends, religion, health status, political affiliation, etc
 Concerns about retention and access by public authorities or employers
o If employer using to track fleet of vehicles not tied to individuals, not
personal data: if data used for any purpose related to employee, then
falls under GDPR
 Direct Marketing
o In General
 DM: any form of sales promotion, including DMs from charities and pol orgs for
fundraising purposes
 Does not need to offer something for sale, could be a free promotion or just
promoting the organization generally
 Directed to particular individuals (DP laws apply when individuals’ PD is
processed to communicate marketing message to them)
 Most DM subject to DP laws as well as consumer protection laws and advertising laws,
which vary between MS
 Applicable law may be where sender or recipient is located, or both
 Often includes data collected through consumer’s device: cookies, location data
 Push-messages and in-app messages are DM!
 Untargeted marketing (website banners) and purely service-related messages (inform
about status of an order) are not DM
 ePrivacy Directive will apply when marketing sent by electronic comm networks: does
not apply to postal marketing
 Cs must satisfy all GDPR requirements: lawful basis for processing (usually consent or
legitimate interests), provision of fair processing information (transparency),
appropriate technical and organizational measures to protect data, no transfer outside
EEA
 DS must have specific right to refuse or opt out of DM sent by C; if based on consent,
can be withdrawn at any time; if based on legit interests, opt-out required still
 DS must be informed of right to opt out, presented clearly and separately from
other information
 DS must be able to opt out across all marketing channels
 Cs must honor opt out requests in a timely fashion, at no cost to DS
 PD must be deleted unless retention strictly required
o Exceptions: necessary for establishment, exercise, or defense of legal
claims, compelling legitimate grounds for continued processing
outweighing privacy interests of DS
 Profiling data must be removed without an exemption on which to rely
 If individuals request to opt out, Cs should suppress rather than delete contact
details: prevents re-acquiring details later and resuming DM
o C should retain record of DS who should not be sent marketing comms
 National Opt-Out Lists (“Robinson List”)
o MS may require Cs to cleanse DM list against Robinson Lists as well as
internal opt-out records before sending marketing materials: failure to
do so not a data breach, just violation of national laws
o Later opt-in consent overrides Robinson List
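An added worked example (not part of the outline) of the suppression logic above: internal opt-out records are kept rather than deleted, the list is cleansed against a national opt-out ("Robinson") register, an opt-out covering all channels suppresses every channel, and a later opt-in consent overrides the Robinson listing. All contacts and register entries are constructed; treating internal opt-outs as binding regardless of later consent is this example's conservative assumption.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Tuple

ALL = "all"  # marker for an opt-out that covers every marketing channel


@dataclass(frozen=True)
class Contact:
    email: str
    consent_date: Optional[date] = None  # date of explicit opt-in consent, if any


@dataclass(frozen=True)
class OptOut:
    """Internal suppression record. Retained (not deleted) so the contact
    cannot be re-acquired later and marketing quietly resumed."""
    email: str
    channels: FrozenSet[str]  # e.g. frozenset({"email"}) or frozenset({ALL})
    opted_out_on: date


def normalize(email: str) -> str:
    """Match opt-outs case-insensitively so 'Bob@Example.com' is still suppressed."""
    return email.strip().lower()


def cleanse(contacts: List[Contact], internal_opt_outs: List[OptOut],
            robinson_list: Dict[str, date], channel: str) -> Tuple[List[str], Dict[str, str]]:
    """Return (sendable identifiers, suppressed identifier -> reason) for one channel.
    robinson_list maps identifier -> date the DS registered on the national register."""
    suppressed: Dict[str, OptOut] = {
        normalize(o.email): o for o in internal_opt_outs
        if channel in o.channels or ALL in o.channels
    }
    robinson = {normalize(k): v for k, v in robinson_list.items()}
    sendable: List[str] = []
    reasons: Dict[str, str] = {}
    for c in contacts:
        ident = normalize(c.email)
        if ident in reasons or ident in sendable:
            continue  # duplicate entry, already decided
        if ident in suppressed:  # internal opt-out always honoured (assumption)
            reasons[ident] = "internal opt-out"
        elif ident in robinson and not (c.consent_date and c.consent_date > robinson[ident]):
            reasons[ident] = "national opt-out register"  # no later consent to override it
        else:
            sendable.append(ident)
    return sendable, reasons


# Constructed sample data (not real registers or customers)
CONTACTS = [
    Contact("alice@example.com"),
    Contact("Bob@Example.com"),
    Contact("carol@example.com", consent_date=date(2023, 5, 1)),  # consent after listing
    Contact("dave@example.com", consent_date=date(2022, 6, 1)),   # consent before listing
    Contact("erin@example.com"),
]
OPT_OUTS = [
    OptOut("bob@example.com", frozenset({"email"}), date(2023, 1, 15)),
    OptOut("erin@example.com", frozenset({ALL}), date(2023, 2, 1)),
]
ROBINSON = {"carol@example.com": date(2022, 1, 10), "dave@example.com": date(2023, 3, 1)}

if __name__ == "__main__":
    print(cleanse(CONTACTS, OPT_OUTS, ROBINSON, "email"))
```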
 ePrivacy Directive
 Imposes consent and information reqs on marketing by phone, fax, email, SMS,
instant messages, push notifications, and other electronic messages
 Requires prior opt-in consent of recipient
o Exemptions for email marketing on opt-out basis where C obtained DS
info through sale of product or service
 Addresses location-based marketing and OBA cookies
 Sometimes enforced by telecoms regulator instead of DPA
o By Post (ePrivacy Directive does not apply)
 Even though not electronic, still ensure following GDPR/DP principles (lawful processing,
transparency, opt-out requests, other DS rights)
 Consent Requirements
 No direct req in GDPR, but some national rules require for postal DM: if not req,
usually rely on legitimate interests with balancing exercise
 Balancing factors: existing customer of C, nature of product and services, has DS
been previously told it would not receive postal DMs
 If legitimate interest basis not available, consent required
 In some MS, must cleanse DM list against national opt-out register, unless valid opt-in
consent from DS
o By Phone (ePrivacy Directive applies)
 Consent Requirements
 No express requirement to obtain consent, except for automated calling
systems (always req opt-in consent)
o Automated systems may still be used to dial numbers to facilitate
person-to-person conversations
 MS laws can determine whether allowed on opt-in or opt-out basis
o DS must be able to opt-out for free
o Most MS have national opt-out registers for telemarketing
o Some MS require telemarketers to mention national opt-out register in
each call and offer individual right to register with it immediately at no
charge
 DP conditions don’t always apply, laws generally vary from State to State
 Only one-size-fits-all approach is getting consent across the board
 Automated calling systems: some MS req ID and contact details of caller
 Some MS have more relaxed approach to B2B telemarketing
 GDPR still applies, especially when processing employees’ PD for B2B DM
 ePrivacy Directive applies equally to B2B and B2C telemarketing
o By Email/SMS (ePrivacy Directive applies)
 Must satisfy general GDPR reqs, such as transparency and lawful processing
 Electronic mail: any text, voice, sound, or image message sent over a public comms
network which can be stored in the network or in the recipients’ terminal equipment
until it is collected by the recipient (technology-neutral definition)
 C must obtain prior opt-in consent and provide a fair processing notice when data will
be collected
 Limited opt-out exception when DS contact details obtained in context of sale of
a product or service
o Some MS require sale to have been made, whereas others allow during
contact generally (no sale made)
 For exemption, C must only send DM to individuals about C’s own products or services
similar to the ones purchased, AND
o Details cannot be shared with third parties
o Cannot market products or services differently from the one connected
with DS
 C must have clearly and distinctly given individuals opportunity to opt out of
marketing by email in a simple and free manner at the time data initially
collected, and in each marketing comm
o Usually done through tick box when collecting data
 Must provide DS with a valid address to request opt-out, via the medium by which the
marketing communication was sent
 C must not conceal or disguise ID of sender, ensure message is clearly
identifiable as commercial comm, ensure any promo offers are clearly
identifiable and conditions for them easily accessible and unambiguous, and
that promo games or competitions clearly identifiable and conditions for
participation easily accessible and presented clearly/unambiguously
o By Fax (ePrivacy Directive applies)
 GDPR, including transparency and lawful processing requirements apply
 Consent requirement: must obtain prior opt-in consent before sending fax
 Present with fair processing notice when data is collected
 Where MS currently permit B2B fax marketing on opt-out basis, Cs may be req by
national law to cleanse intended fax marketing contacts against opt-out register
o Location-based (ePrivacy Directive applies)
 Location data: any data processed in an electronic communications network or by an
electronic communications service, indicating the geographic position of the terminal
equipment of a user of a publicly available electronic communications service
 Includes lat/long, altitude, direction of travel
 Only applies to data showing position of terminal equipment, not location of
person -> posting location on Facebook doesn’t apply (but GDPR will still apply,
just no ePD)
 Either based on smartphone location data (passing by a store) or uploading to social
networks
 Location-based data is personal data, so GDPR applies: transparency and lawful
processing requirements apply
 Consent: opt-in required for “value-added service”
 Exemption: anonymized data, but this is unlikely to apply realistically
 DS must first be informed of: types of location data collected and processed, purposes
and duration of processing, and whether transmitted to third party
 Often difficult to provide in a user-friendly manner; best practice is to include
info about using location data for marketing in app’s privacy policy
 C must offer DS ability to withdraw consent to use location for DM, and must be
available throughout period DS location data being processed
 Must offer both comprehensive right to opt out and right to temporarily opt out
on each connection to network or for each communication
o Online Behavioral Advertising (OBA) – Cookies! (ePrivacy Directive applies)
 Website advertising that is targeted at individuals based on observation of behavior
over time, delivers advertising more relevant to individuals’ rights and interests,
improves ad effectiveness and click-through rate
 Cs may make recommendations to DS based on previous interactions with a website
 Advertising networks can track behavior over multiple, unaffiliated websites to
target advertising on all sites
 Cookie placed on computer to collect information, record preferences and send
back to network
o Eventually a profile is assigned to that user (new mother, young
professional)
 Question is whether online profile without knowing the actual individual should qualify
as PD and therefore fall under GDPR
 Considered “profiling”
 OBA allows tracking of users of a specific computer, even when dynamic IP
addresses are used, so users can be singled out even if real names aren’t known
 Which entity is the data controller?
 Ad networks often qualify because they have complete control over purpose
and means for which website visitors’ info is processed: ad networks rent space
from website publishers, set and read cookie-related info, and collect IP
addresses and other data
 Website publisher may be a joint-controller with ad network by engaging ad
networks to observe OBA through their websites
o Network and publishers should agree contractually who will notify
visitors that personal data being used for OBA, and how visitors will be
offered ability to refuse
 Advertisers may be independent data controllers: advertiser monitors
individual’s subsequent browsing activity and combines it with targeting profile
relating to the individual
 **All parties involved may have compliance requirements
 ePD applies regardless of whether GDPR is considered to apply
 Explicit mention of cookies in ePD
o Use of cookies only allowed on condition that individual has given
consent, having been provided with clear and comprehensive info (prior
informed consent)
o Consent must be specific indication of their wishes, freely given and
revocable: active participation of user required, opt-out passive
mechanisms insufficient
 Use of browser settings usually insufficient to obtain consent
o Potentially if browser setting default is no cookies and user actively
changes it to accept cookies, that could potentially apply
 Most OBA solutions imply use of third-party cookies: link to third party privacy policy
o Enforcement
 Fines and administrative sanctions by DPAs
 Civil and sometimes criminal liability
 ePrivacy Directive: judicial remedies, liabilities, and sanctions of the GDPR applied to
ePD infractions
 May be enforced by consumer protection and telecom regulators instead of
DPAs
 New right established for individuals and businesses with legitimate interest in
cessation or prohibition of spam to bring private right of action against
noncompliant marketers (expectation that ISPs will bring these claims)
 Internet Technology and Communications
o Cloud Computing
 The provision of IT over the Internet (software, infrastructure, hosting, platforms)
 Service models: Infrastructure, Platform, or Software as a Service
 Service’s structure is shared among supplier’s customers in a number of countries
 ARTICLE 3 PROBABLY APPLIES: activities of EU establishment of the controller OR
offering goods or services to individuals in EU, or monitoring their behavior
 Weltimmo (1st test): establishment depends on degree of stability of
arrangements, and whether there is an effective exercise of activities
o Website targeting Hungary, using Hungarian language, with a rep in
Hungary for court proceedings/debt collection, a letter box in Hungary,
and a Hungarian bank account is sufficient for establishment in Hungary
o Minimal activities can constitute establishment
 Google v. Spain : economic link between non-EU data C processing PD and EU-
based establishment can mean C activities subject to regulation
 2nd test: no need to determine whether establishment in EU
o ***Ps may get pulled into EU law based on processing: even if P is not
directly subject to laws under these two tests, if customer falls under EU
law, P will have to follow it as well!
 C v. P: C determines how and why PD is processed, P is acting on instructions of C
 If P determines some substantial and essential elements of processing, like data
retention, they could become a C
 Relevant as cloud providers look to make use of personal data collected by
customers for their own purposes
 Service contracts regulated by GDPR with detailed list of obligations on processor:
 Include info on subject matter, duration, nature and purpose of processing, with
type of personal data and categories of DS
 PD is only processed on documented instructions, including data transfers
 Individuals processing data subject to confidentiality obligation
 More prescriptive security measures
 Cs given notice of sub-Ps and have right of objection
 All sub-Ps have same contractual obligations as Ps
 Measures taken to ensure Cs can meet all their obligations with help of Ps (e.g.
notify DS of data breach, conduct DPIA, etc)
 All PD is deleted or returned once provision of services is complete
 Monitoring of compliance with contract allowed
 Cs also seek normal contract provisions, such as indemnification for misuse of
PD by P
 ***ALSO P not responsible for C’s regulatory obligations
 International Data Transfers
 Cs must be able to show safeguards for protection of transferred PD: options
o Geographic limitations (may defeat cloud’s purpose, increase costs)
o Choose Privacy-Shield certified suppliers in US
o Use Model Clauses
 Difficult to construct for transfers to multiple parties
 Must be updated as process evolves
 Are inflexible
o Tailored data transfer agreements (must be approved by regulators)
o BCRs for Ps (allows Cs to use when info transferred by Ps)
o Codes of Conduct and Certification (new with GDPR)
o Derogation of Art 49: includes consent
o Cookies
 Cookie: a small text file that is delivered by a website server onto the computer of
visitors to its website (a form of device fingerprinting) -> limited on mobile devices and with apps
 Help to tailor website offerings and maintain security of individuals while logged into
website, also facilitate targeted advertising
 Linked to info not personally identifiable (IP addresses, time of a website visit, etc) but
putting this information together can create an identity profile of browsing habits: this is
personal data under GDPR because cookies collect PD to develop profile!
 If link profile to name, email, or address, definitely personal data
 Pseudonymous data includes profiles that can be linked to an individual, even if C does
not intend to make the link
 Vidal-Hall v. Google: profiles of browsing habits used to create profiles for target ads
 English Ct of Appeal ruled that profiles were PD and Google’s use of profiles was
objectionable because even if Google didn’t know who the individual was,
others using the device likely knew and would gain information about individual
based on targeted ads
 IP addresses now explicitly considered PD in GDPR
 EU law applied to non-EU websites because of 2nd prong of Art 3 test
 ePrivacy Directive applicable as well
 Storing of info or gaining access to info only allowed if consent given based on
clear and comprehensive info (exemption for necessary cookies)
o Info about sending and purpose of cookies must be given to user
o User must consent before cookie is placed
o User must have choice to consent and provide active indication that
consent is given
 Debate on whether consent given through browser settings is sufficient
o Sufficient IF: (1) browser default rejects cookies, (2) settings provide
clear, comprehensive and fully visible info about use and purpose of
cookies, and how to refuse them, (3) users must take positive steps to
accept setting of cookies and ongoing retrieval of data from cookies,
and (4) it is impossible to bypass choices made by users in their settings
 Websites should provide full and transparent disclosure about their use of cookies
 IP addresses are PD, because ISP can link address to a particular customer
 Organizations can still build profile of IP user and distinguish based on IP
address, and can ask ISPs to ID IP users
 Breyer v. Germany (dynamic IP addresses)
o Both static and dynamic IP addresses can constitute PD in the hands of
organizations other than ISPs
o Search Engines
 Process large volumes of data, including user IP addresses, cookies (used to
personalize and improve services), user log files (what they have previously searched
for), third party webpages
 When making profiles, like user log files, and managing 3rd party web pages, Search
Engines are Cs for the PD
 3rd party web pages because SEOs, etc
 2nd prong of Art 3 generally applies: usually outside EEA but monitoring behavior
 Also could be subject as processor when 3rd party pages Cs subject to GDPR
 Google v. Spain: Activities of Google Spain and Google, Inc., were “inextricably linked”
because of Google Spain’s role of selling ad space necessary to make Google, Inc.’s,
search engine economically viable
 Further issues
 Data retention: must comply with proportionality requirement, max 6 months,
then delete or irreversibly make anonymous
 Further processing for different purpose: parameters must be clearly defined
and users made aware of the purpose (e.g. if user data correlated across
platforms and services, user consent must be obtained)
o If Search Engines link data across sources, may be unlawful if individuals
do not receive necessary fair processing information when data is
collected and provided right to opt out of profiling
 Compliance with DS rights: registered and unregistered users, correction or
deletion of cached personal data (right to be forgotten)
o Social Networking
 SNS providers = Cs, even if outside EEA (same considerations as Search Engines)
 SNSs must ensure 3rd party applications also comply with GDPR
 SNS users may be exempt under “household exception” or exception for use of PD for
journalistic, artistic, or literary purposes
 Will not apply if SNS used by organization (users are Cs under GDPR)
 If user knowingly extends access to personal data beyond selected contacts
(also operating as C in this case)
 Information that must be provided by SNS providers
 Notice that PD will be used for marketing and opt out (if applicable)
 Notice that PD will be shared with specific third parties
 Explanation of profiling conducted
 Info about processing sensitive PD
o Explicit consent of DS required to make available on internet
o SNS should make clear providing data entirely voluntary
o Photos may reveal sensitive data, but unless purpose is to reveal that
data, won’t usually be captured under this area
 Warnings about risks to privacy
 Warning about consent of 3rd parties needed when uploading others’ data like
photos
 If SNS gathers and aggregates PD of non-users (e.g. user uploading contacts list), and
then creates profile, this processing is unlawful under GDPR because person who profile
is created about not in a position to learn about the processing
 CHILDREN
 Under age 13-16 (country-dependent), consent of parent must be given
 Legitimate interest grounds for processing may not be available
 Cs must have regards for best interests of the child
 Awareness-raising activities and fair and lawful processing
 Sensitive PD should not be requested, default privacy-friendly settings should be
adopted, and minors should not be targeted with direct marketing
o Mobile Apps
 Apps have access to stored mobile data, used to offer innovative services to users;
data can be sent back to app developers and associated with a particular device (including
location, photos, emails, Internet browsing history, altitude, audio, video, speed, user
interactions)
 Special PD can be revealed by location as well (e.g. repeated visits to a church)
 Data collected in apps likely to be considered personal data
 ePrivacy Directive also applies, especially if cookies applied and used
 Cookies generally only available from within the app setting them
o Because of this, advertisers have developed new tracking methods
o Whenever new methods used, they also require consent by DS
 App developer likely to be C of data, unless app processes data on phone but does not
send back to the developer
 Many other parties likely to be involved as processors as well
 Third parties may also turn into controllers
 App access to things like contacts and photos requires user consent
 Notice: adequate information difficult within a small space
 Icons or visual symbols may be better tools
 Layered notices with links to complete information
 Notice and privacy policy may need to be given before app downloaded
 Consent: ePrivacy Directive requires consent before storing information on a device,
which includes downloading an app
 May be required as lawful ground, other grounds may not be available (like
legitimate interest for intimate information about location)
 Consent for data processing that is not essential for provision of app functions
generally not valid if user has to give it in order to use the app
 Consent must be specific, no umbrella consent for any processing by app
 Data minimization: personal data shall be adequate, relevant, and limited to what is
necessary in relation to purpose for which it is processed
o Internet of Things
 General things in life connected to internet (Home Nest, Alexa, etc)
 Sensors frequently collect info about identifiable individuals
 C v. P: same considerations as mobile devices
 Security challenging because large number of objects connected to the same network
(large number of points for malicious entry) and software less likely to be kept up to
date with security patches
 Networks should be designed in a secure manner, implement data protection by
design when designing things
 Notice and choice
 How to give individuals fair notices required by GDPR (stickers?)
 Consent usually most appropriate ground for processing: consent mechanisms
may need to be built into devices themselves