Introduction to Data Protection Law

The document is a comprehensive introduction to Data Protection Law in the EU, authored by Indranath Gupta, Sherin Sarah Philip, and Paarth Naithani from Jindal Global Law School. It covers various aspects of EU data protection regulations, including the GDPR, principles of processing, rights of data subjects, and the responsibilities of data controllers and processors. The book is intended as a resource for postgraduate law students and includes case studies and suggested readings.

Indranath Gupta · Sherin Sarah Philip · Paarth Naithani

Introduction to Data Protection Law
Cases and Materials from the EU

Indranath Gupta
Jindal Global Law School
O. P. Jindal Global University
Sonipat, Haryana, India

Sherin Sarah Philip
Jindal Global Law School
O. P. Jindal Global University
Sonipat, Haryana, India

Paarth Naithani
Jindal Global Law School
O. P. Jindal Global University
Sonipat, Haryana, India

ISBN 978-981-97-6354-2
ISBN 978-981-97-6355-9 (eBook)
https://doi.org/10.1007/978-981-97-6355-9

© The Editor(s) (if applicable) and The Author(s), under exclusive license to Springer Nature
Singapore Pte Ltd. 2024

This work is subject to copyright. All rights are solely and exclusively licensed by the Publisher, whether
the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse
of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and
transmission or information storage and retrieval, electronic adaptation, computer software, or by similar
or dissimilar methodology now known or hereafter developed.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication
does not imply, even in the absence of a specific statement, that such names are exempt from the relevant
protective laws and regulations and therefore free for general use.
The publisher, the authors and the editors are safe to assume that the advice and information in this book
are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or
the editors give a warranty, expressed or implied, with respect to the material contained herein or for any
errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional
claims in published maps and institutional affiliations.

This Springer imprint is published by the registered company Springer Nature Singapore Pte Ltd.
The registered company address is: 152 Beach Road, #21-01/04 Gateway East, Singapore 189721,
Singapore

If disposing of this product, please recycle the paper.


Acknowledgments

We are extremely grateful to all those who have taken time out of their busy schedule
and ensured the timely completion of this project. This book was inspired by the
course “GDPR: A European Example of Data Protection Law” offered by O.P. Jindal
Global University to their postgraduate law students, whose enthusiasm motivated us
to undertake this project. This has been made possible because of the extraordinary
efforts of Pranav Ramakrishnan, who spent several hours of his precious time on this
project. We would also like to thank our family and colleagues at O.P. Jindal Global
University (JGU) for their constant encouragement. It is towards all of them that
we owe our gratitude. We admire the unconditional support of our Vice Chancellor,
Prof. C. Raj Kumar.

Contents

1 Introduction to EU Data Protection Law . . . . . . . . . . . . . . . . . . . . . . . . . 1


1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
2 Revisiting Trust in Data Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
3 Data Protection Directive 1995 and the OECD Guidelines . . . . . . . . . 4
4 Basic Concepts: Data Protection Framework . . . . . . . . . . . . . . . . . . . . . 5
4.1 Data Controller and Processing of Personal Data . . . . . . . . . . . . . 5
4.2 Personal Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
4.3 Legal Basis of Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
5 ePrivacy Directive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
5.1 Scope of Article 15(1) of the ePrivacy Directive . . . . . . . . . . . . . 43
5.2 ePrivacy vis-à-vis Intellectual Property Infringement . . . . . . . . . 53
Suggested Readings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
2 EU Data Protection Law Framework . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
2 Principles of Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
2.1 Purpose Specification and Collection Limitation . . . . . . . . . . . . . 60
2.2 Accuracy and the Option to Update Personal Information . . . . . 61
2.3 Accountability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
2.4 Limited Storage and Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
3 Consent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
3.1 Orange Romania SA v Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP) Case C-61/19 . . . . . . . . . 70
3.2 Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband eV v Planet49 GmbH Case C-673/17 . . . . . . . . . 78
3.3 Dutch Data Protection Authority Decision Against TikTok . . . . 82
3.4 Explicit Consent and Ordinary Consent . . . . . . . . . . . . . . . . . . . . . 83


4 Exemptions Under Data Protection Framework . . . . . . . . . . . . . . . . . . . 84


4.1 Personal or Household Purposes . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
4.2 Journalistic Purposes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Suggested Readings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
3 Transparency and Rights of the Data Subject . . . . . . . . . . . . . . . . . . . . . 97
1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
2 The Principle of Transparency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
2.1 Connecting Transparency with Purpose Limitation
Principle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
3 The Requirement of Transparent Information . . . . . . . . . . . . . . . . . . . . 103
4 Compliance Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
4.1 Transparency and Consent Framework: The Case
of Dutch Data Protection Authority and IAB Europe . . . . . . . . . 107
5 Right of Access Under the GDPR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
5.1 RW v Österreichische Post AG Case C-154/21 . . . . . . . . . . . . . . 113
6 The Right to Erasure (Right to Be Forgotten) . . . . . . . . . . . . . . . . . . . . . 115
6.1 The Idea of the Right to Be Forgotten . . . . . . . . . . . . . . . . . . . . . . 115
7 The Right to Data Portability and Right to Object to Processing . . . . . 137
7.1 The Data Portability Right . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
7.2 Right to Object to Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
8 Compliance Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
8.1 Virgin Media . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
8.2 We Buy Any Car Limited (WBAC) . . . . . . . . . . . . . . . . . . . . . . . . 144
Suggested Readings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
4 Duties and Responsibilities of Controller and Processor . . . . . . . . . . . . 149
1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
2 Fashion ID C-40/17 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
3 Design and Default Approach to Protecting the Privacy . . . . . . . . . . . . 155
3.1 Guidelines 4/2019 on Article 25 Data Protection
by Design and by Default (DPDD) . . . . . . . . . . . . . . . . . . . . . . . . . 158
3.2 Implementing Data Protection Principles in the Processing
of Personal Data Using Data Protection by Design
and by Default . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
4 Role of Controllers and Processors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
4.1 Controllers Outside the EU . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
4.2 Mandates Under GDPR for Data Controllers/Processors . . . . . . 163
4.3 Processing Under the Authority of a Data Controller . . . . . . . . . 164
5 Security Standards in Data Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
5.1 Security of Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
5.2 Breach of Security Standards in Personal Data: The ICO
Decision in Marriott Hotels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
5.3 What Is Pseudonymisation? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171

6 Data Protection Impact Assessment (DPIA) . . . . . . . . . . . . . . . . . . . . . . 172


6.1 Necessity of a Data Protection Impact Assessment
Exercise . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
6.2 The Idea of Data Protection Impact Assessment . . . . . . . . . . . . . 174
6.3 European Data Protection Board (EDPB) Guidelines
on Data Protection Impact Assessment Adopted on
4 April 2017 (Excerpts from the Guideline) . . . . . . . . . . . . . . . . . 175
6.4 The Role of a Data Protection Officer (DPO) . . . . . . . . . . . . . . . . 177
7 Standardisation of Processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
7.1 Drawing up of Codes of Conduct by Organisations
and Associations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
7.2 The Consultation Route in Drawing up Codes . . . . . . . . . . . . . . . 180
7.3 The Overall Exercise of Finalising the Codes . . . . . . . . . . . . . . . . 180
7.4 Monitoring of Approved Codes of Conduct . . . . . . . . . . . . . . . . . 181
7.5 Initiating the Process of Certification . . . . . . . . . . . . . . . . . . . . . . . 183
7.6 Certification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
7.7 Certification Bodies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Suggested Readings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
5 Transfer of Personal Data to Third Countries . . . . . . . . . . . . . . . . . . . . . 187
1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
2 Legal Structure on the Rules of Transfer of Personal Data . . . . . . . . . . 187
2.1 Transfers Subject to Appropriate Safeguards . . . . . . . . . . . . . . . . 190
2.2 Binding Corporate Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
3 Guidelines 2/2020 on Articles 46 (2) (a) and 46 (3) (b)
of Regulation 2016/679 for Transfers of Personal Data Between
EEA and Non-EEA Public Authorities and Bodies . . . . . . . . . . . . . . . . 194
3.1 The Idea of Appropriate Safeguards . . . . . . . . . . . . . . . . . . . . . . . . 194
3.2 Transfer Based on Article 46 GDPR . . . . . . . . . . . . . . . . . . . . . . . 196
4 Adequacy Through the Lens of Law Enforcement Directive
(LED) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
4.1 Transfers on the Basis of an Adequacy Decision . . . . . . . . . . . . . 197
5 EU Standards for Adequacy in the Police Cooperation
and Judicial Cooperation in Criminal Matters . . . . . . . . . . . . . . . . . . . . 199
6 Transatlantic Data Transfer: EU-US Standards . . . . . . . . . . . . . . . . . . . 200
6.1 Validity of Safe Harbour Regime . . . . . . . . . . . . . . . . . . . . . . . . . . 200
6.2 Validity of Privacy Shield Regime . . . . . . . . . . . . . . . . . . . . . . . . . 209
6.3 EU-US Privacy Framework Agreement . . . . . . . . . . . . . . . . . . . . . 220
7 Tracking the Development of Standard Contractual Clauses
Adopted . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
Suggested Readings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
6 Enforceability, Remedies, Liabilities and Penalties . . . . . . . . . . . . . . . . . 225
1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
2 Supervisory Authority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
2.1 Structure and Establishment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226

2.2 Weltimmo Case, C-230/14 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229


2.3 European Data Protection Board . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
3 Remedies, Liability and Penalties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
3.1 Enforcing GDPR: Lodging a Complaint . . . . . . . . . . . . . . . . . . . . 235
3.2 The Issue of Compensation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
3.3 Guidelines on the Application and Setting
of Administrative Fines for the Purpose of Regulation
2016/679 [Article 29 Data Protection Working Party] . . . . . . . . . 241
4 How Are Fines Calculated Under GDPR? . . . . . . . . . . . . . . . . . . . . . . . 243
4.1 Guidelines 04/2022 on the Calculation of Administrative
Fines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
Suggested Readings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
About the Authors

Indranath Gupta is Professor of Law at Jindal Global Law School and Dean, Office of Data, Innovation and Technology of O. P. Jindal Global University (JGU). He held the Jean Monnet Chair in Multi-dimensional Approaches to the Understanding of the EU Data Protection Framework. He is Director, Jindal Initiative on Research in I.P. and Competition (JIRICO) and Senior Fellow at the Jindal Institute of Behavioural Sciences (JIBS) and International Institute for Higher Education Research and Capacity Building (IIHEd). Prof. Gupta holds a Ph.D. from Brunel University, London, and two LL.M. degrees (taught and research) from the University of Aberdeen, UK, and the University of East Anglia, UK. He specializes in technology law and aspects of intellectual property law. Prof. Gupta has published many books on IP Law with Springer and is currently heading the major reference work project titled Handbook on Originality in Copyright.

Sherin Sarah Philip is Assistant Professor at Jindal Global Law School. She
acquired her LL.M in International Commercial Law in 2018 from University College
of Dublin, Ireland, where she chose corporate governance and white collar crime as
an area to work on. She also has a diploma in “Entrepreneurship Administrative
and Business Laws”. Her interests include corporate law, IP law, and data protection
laws.

Paarth Naithani is Lecturer at Jindal Global Law School, O.P. Jindal Global University. Paarth holds an LLM in Intellectual Property and Technology Law. He has an academic interest in data protection law and has published on data protection in journals, including the International Review of Law, Computers and Technology, Tilburg Law Review, European Data Protection Law Review, and the Journal of Data Protection and Privacy. Paarth has been Research Fellow with the Jean Monnet Chair in Multi-dimensional Approaches to the Understanding of the EU Data Protection Framework [2020–2023] at O.P. Jindal Global University.
Chapter 1
Introduction to EU Data Protection Law

1 Introduction

The idea of data protection amongst citizens generally stems from the insecurity
that prevails in the age of advancing technology. This insecurity originates from the
rise of the commercial internet and the exponential technological developments and
growth. The idea of protecting data and creating a data protection framework is not
new and has a considerable lineage in the European Union (EU). The EU General
Data Protection Regulation or GDPR1 has worked as a source of inspiration across
jurisdictions. GDPR has been cited as a global benchmark for the digital economy.
In the words of UN Secretary General António Guterres in 2019, GDPR
“set an example […] inspiring similar measures elsewhere […][and] urge[d] the EU and
its Member States to continue to lead to shape the digital age and to be at the forefront of
technological innovation and regulation.”2

But, the widely known GDPR2 is not the beginning of the data protection measures
adopted in the European Union. Before the GDPR, there was a Directive enacted
in 19953 (Directive of 1995), now repealed after the passage of the GDPR. This
Directive has significantly influenced emerging jurisprudence from the European
Court of Justice (ECJ)/Court of Justice of the European Union (CJEU).

1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on
the protection of natural persons with regard to the processing of personal data and on the free
movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
OJ L 119, 4.5.2016, p. 1–88.
2 European Commission, ‘Communication From The Commission To The European Parliament And The Council - Data protection as a pillar of citizens’ empowerment and the EU’s approach to the digital transition - two years of application of the General Data Protection Regulation’ (24 June 2020). https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52020DC0264. Accessed 25 June 2024.
3 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data OJ L 281, 23.11.1995, p. 31–50.

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2024
I. Gupta et al., Introduction to Data Protection Law,
https://doi.org/10.1007/978-981-97-6355-9_1

Therefore, it is worthwhile to discuss the GDPR in the background of the historical events and narratives that developed in the EU. For instance, the 1995 Directive was enacted to remove the inconsistency and uncertainty concerning data protection within the EU Member States. It had its limitations and shortcomings, and the first assessment of the Directive4 captured its failure to meet the overall objective of data protection. The main identified weaknesses of the Directive included (1) inconsistent and ineffective measures for providing transparency through information and notification, (2) cumbersome tools providing for transfer of data to third countries, (3) inconsistent role of data protection authorities in accountability and enforcement and (4) unclear link between the concept of personal data and real privacy risks.5 There were many academic discussions on the limitations of Directive 95/46/EC before it was replaced by the GDPR.6
Parallel to the Directive of 1995, the ePrivacy Directive7 was introduced in the European Union. This Directive addressed concerns about surveillance and tracking mechanisms employed by those processing personal data. This Directive also brought about several critical judgements concerning the use of the proportionality principle at the time of processing personal data. Some of these judgements discussed the issue of national security and the rights and freedoms of natural persons assigned under the Charter of Fundamental Rights in the EU.8
The ePrivacy Directive 2002 was revised in 2009 and now functions parallel to the GDPR. Other important developments are the OECD Guidelines of 19809 and the OECD Guidelines of 2013.10 Both these Guidelines act as a foundation for the development of data protection legislation in the EU over the years.
This chapter thus covers conceptual elements connected with the data protection framework and briefly looks at the history and avenues of such framework in the EU. To begin with, it discusses the element of trust, which is foundational to data protection and privacy. Subsequently the chapter reflects upon concepts such as: Data Controller,

4 European Parliament, ‘REPORT on the First Report on the implementation of the Data Protection Directive (95/46/EC) (COM(2003) 265 – C5-0375/2003 – 2003/2153(INI))’ (24 February 2004). https://www.europarl.europa.eu/doceo/document/A-5-2004-0104_EN.html. Accessed 25 June 2025.
5 Neil Robinson, Hans Graux, Maarten Botterman, and Lorenzo Valeri, ‘Review of the European Data Protection Directive’ (RAND Corporation 2009). https://www.rand.org/pubs/technical_reports/TR710.html. Accessed 25 June 2024.
6 Rebecca Wong, ‘The Data Protection Directive 95/46/EC: Idealisms and realisms’ (2012) 26:2–3 International Review of Law, Computers & Technology, 229–244.
7 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) OJ L 201, 31.7.2002, pp. 37–47.
8 Charter of Fundamental Rights of the European Union OJ C 326, 26.10.2012, pp. 391–407.
9 OECD, ‘OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data’ (12 Feb 2002). https://www.oecd-ilibrary.org/science-and-technology/oecd-guidelines-on-the-protection-of-privacy-and-transborder-flows-of-personal-data_9789264196391-en. Accessed 25 June 2024.
10 OECD, ‘The OECD Privacy Framework’ (2013). https://www.oecd.org/sti/ieconomy/oecd_privacy_framework.pdf. Accessed 25 June 2024.



Personal Data, Legal basis of processing (including Legitimate Interest, Consent and
Necessity for the performance of contract) and Proportionality in the data processing.
In doing so, the chapter will refer to different judgements of the ECJ or the CJEU.

2 Revisiting Trust in Data Protection

Trust is at the core of data protection11 and forms its philosophy. Trust is a cumulative outcome triggered by policy, technology and legal interventions. In fact, trust allows these three parameters to connect with each other, which otherwise may have different core functions. At the policy level, there is a theoretical foundation and the conceptual framework within which the black letter of the law exists. For instance, India’s data protection framework12 holds the fiduciary relationship as a key. The core of this relationship is trust.
In the digital sphere, there are overarching issues and challenges, for instance with the terms of service and with most users not reading all the conditions pertaining to the services provided. There could be issues with information asymmetry given that data controllers control the flow and content of information shared with data subjects. Therefore, a greater degree of trust must be factored into all transactions and relationships, especially between the data subject and the data controller.
When individuals share personal data, they tend to relate to a trustworthy brand. Law itself aims to create trustworthiness in all relationships. Therefore, certain policy and regulatory Guidelines should help preserve trust and ensure that it flourishes. The GDPR creates a sense of trust and goes a long way in protecting it.
Natural persons expect data controllers to be fully transparent, which in turn helps rebuild trust. They expect their data to be deleted when they ask for erasure and expect that the data controller does not just delete it from one place and keep it elsewhere. Law, policy Guidelines and technology are all geared up towards protecting this core. There have been multiple instances where controllers have been fined owing to breach of trust.13 Therefore, there is a general hesitance amongst data subjects to share personal data.

11 The World Bank, ‘World Development Report 2021 - Chapter 6: Data policies, laws, and Regulations: Creating a trust environment’. https://wdr2021.worldbank.org. Accessed 25 June 2024.
12 The Digital Personal Data Protection Act, 2023. https://www.meity.gov.in/writereaddata/files/Digital%20Personal%20Data%20Protection%20Act%202023.pdf. Accessed 25 June 2024.
13 EDPB, ‘Fines’. https://edpb.europa.eu/our-work-tools/our-documents/topic/fines_en. Accessed 25 June 2024.

3 Data Protection Directive 1995 and the OECD Guidelines

The protection level in the EU is multi-layered and robust. The roots can be found
in the OECD Guidelines.
The preface to the 1980 OECD Guidelines reads:
“The development of automatic data processing, which enables vast quantities of data to be
transmitted within seconds across national frontiers, and indeed across continents, has made
it necessary to consider privacy protection in relation to personal data.”14

In 1980, the Guidelines identified the future of Automatic Data Processing where a vast quantity of data will be transmitted within seconds, thereby making boundaries meaningless. Data will travel not only within the country but across continents. Therefore, is harmonisation the most revered key in a borderless data world? Overall, harmonisation is a difficult task when it comes to data protection because the conceived framework will depend on the general economy of involved jurisdictions. However, there is a need for efforts to harmonise the principles on which data protection law functions.
The OECD Guidelines of 1980 were drafted in technologically neutral terms, with a broad ambit covering private and public sector entities. They recognise the accountability principle, and the Guidelines follow a simple conceptual language.15 The OECD document of 1980 was amended in 2013, and refers to the data protection principles. The OECD Guidelines read:
“There should be limits to the collection of personal data and any such data should be
obtained by lawful and fair means and, where appropriate, with the knowledge or consent
of the data subject.”16

The data controller must obtain personal data by lawful and fair means. The idea
of knowledge and consent is extremely important for fair processing. What is the
threshold of knowledge? One must travel from being informed to having knowledge.
Being aware of the consequences of data processing could take the individual closer
to knowledge. Further, knowledge only helps the individual share decisive consent.
The data controller must ensure that the journey [i.e. being informed and having
knowledge] ends in a fair and reasonable manner.
With knowledge, sharing of information becomes a key exercise. It is important
to consider when information is being given, how and to whom it is being given, and
in what ways it is being given. The data controller needs to ascertain this approach
and have an implementation plan to understand the expectations of the law.

14 OECD, ‘OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data’. https://bja.ojp.gov/sites/g/files/xyckuh186/files/media/document/oecd_fips.pdf. Accessed 25 June 2024.
15 Michael Kirby, ‘The history, achievement and future of the 1980 OECD Guidelines on privacy’, (2011) 1(1) International Data Privacy Law 6–14. https://doi.org/10.1093/idpl/ipq002.
16 OECD, ‘OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data’. https://bja.ojp.gov/sites/g/files/xyckuh186/files/media/document/oecd_fips.pdf. Accessed 25 June 2024.

The Directive of 1995 followed the OECD Guidelines. The overall objective was
to harmonise the existing levels of data protection measures in different Member
States. Like the OECD Guidelines, the Directive recognised purpose specification,
minimising data processing, limiting storage to the purpose, security safeguards,
ensuring all-round transparency, and accurate processing of data, amongst other
things.
After the passage of the Directive, the EU’s highest Court helped clarify the template of data protection measures that a data controller must adopt. Through some of its judgements, discussed in the subsequent sections, it clarified the prevailing concepts in data protection. These judgements considered relevant provisions of the GDPR and the data protection Directive. Although the GDPR replaced the old Directive, the Directive’s effect has been foundational to the workings of the GDPR.
The following section introduces the basic prevailing concepts by looking at ECJ/
CJEU judgements interpreting the GDPR and the Directive 95/46/EC.

4 Basic Concepts: Data Protection Framework

This section discusses the basic concepts of data protection framework, including
that of a data controller, personal data and the legal grounds of processing. It relies
on several ECJ/CJEU judgements to reflect upon the scope.

4.1 Data Controller and Processing of Personal Data

There are several judgements that give a better understanding of the concept of a data controller. The landmark case in this regard is Google Spain SL v. Agencia Española de Protección de Datos, Case C-131/12.17 Before delving into whether search engines like Google are data controllers, this section introduces the definition of a data controller.
A data controller is understood under the GDPR as the entity that decides why and how data will be processed. The GDPR requires that the data controller has a legal ground for processing personal data, follows the obligations provided under the law, and provides rights to the data subject (under Article 4(1), the data subject is the natural person who is identified or identifiable from the data). The GDPR defines ‘controller’ in Article 4(7):18

17 Google Spain SL v. Agencia Española de Protección de Datos Case C-131/12 ECLI:EU:C:2014:317.
18 Article 4(7), GDPR.
6 1 Introduction to EU Data Protection Law

“‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law”

Source Article 4(7), GDPR


Thus, a data controller must decide the ‘purpose and means of processing’. The
European Data Protection Board (EDPB) Guidelines further illustrate purpose and
means of processing.19

“...the purposes and the means amounts to deciding respectively the “why”
and the “how” of the processing: given a particular processing operation, the
controller is the actor who has determined why the processing is taking place
(i.e., “to what end”; or “what for”) and how this objective shall be reached (i.e.
which means shall be employed to attain the objective).”

Source EDPB Guidelines 07/2020 on the concepts of controller and processor in the
GDPR
Alongside the data controller, the GDPR also introduces the data processor. Article 4(8)20 defines a processor as “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”21 It is important to differentiate between a data controller and a data processor. The following example can help to understand the difference. “A brewery has many employees. It signs a contract with a payroll company to pay the wages. The brewery tells the payroll company when the wages should be paid, when an employee leaves or has a pay rise, and provides all other details for the salary slip and payment. The payroll company provides the IT system and stores the employees’ data. The brewery is the data controller and the payroll company is the data processor.”22
The scope of the term data controller is wide and not limited to public authorities. For instance, in C-272/19 Land Hessen, the CJEU decided that the Petitions Committee of a Member State’s parliament is a controller, insofar as it determines the purposes and means of processing personal data, and must therefore abide by Article 15 of the GDPR. The concept of data controller in Regulation 2016/679 is not confined to public authorities and is sufficiently wide to include anybody who, as per Article 4(7) GDPR, “alone or jointly with others, determines the purposes and means of the processing of personal data.”23

19 Guidelines 07/2020 on the concepts of controller and processor in the GDPR, Version 2.1, adopted on 07 July 2021.
20 Article 4(8), GDPR.
21 Article 4(8), GDPR.
22 EU Commission, ‘What is a data controller or a data processor?’. https://commission.europa.eu/law/law-topic/data-protection/reform/rules-business-and-organisations/obligations/controllerprocessor/what-data-controller-or-data-processor_en. Accessed 25 June 2024.
Various CJEU judgements discussed below indicate how the term data controller has been interpreted in different contexts. The judgements in Wirtschaftsakademie Schleswig–Holstein, Jehovan Todistajat (Jehovah’s Witnesses) and Fashion ID suggest that “one can be a joint controller if there is an objective to process the data..even without having (i) access to the data, and (ii) exercising only marginal influence over the means, such as in deciding to use a given platform (and exercising very marginal influence over its means of processing).”24 The crucial criterion seems to be that “the person in question ‘made it possible’ for personal data to be collected and transferred, potentially coupled with some input that such a joint controller has as to the parameters (or at least where there is silent endorsement of them).”25

4.1.1 Google Spain SL v. Agencia Española de Protección de Datos Case C-131/1226

The case involving Google Spain helps us understand why search engines such as Google are data controllers under the GDPR as well as under the old Directive. A Spanish national, Mr Costeja González, filed a complaint before the Spanish Data Protection Agency (the AEPD) against Google Spain SL (‘Google Spain’) and Google Inc. The complaint concerned the removal of Mr Costeja González’s personal data from Google’s indexes and the prevention of future access to the data.
Facts

“On 5 March 2010, Mr Costeja González, a Spanish national resident in Spain, lodged with the AEPD a complaint against La Vanguardia Ediciones SL, which publishes a daily newspaper with a large circulation, in particular in Catalonia (Spain) (‘La Vanguardia’), and against Google Spain and Google Inc… when an internet user entered Mr Costeja González’s name in the search engine of the Google group (‘Google Search’), he would obtain links to two pages of La Vanguardia’s newspaper, of 19 January and 9 March 1998 respectively, on which an announcement mentioning Mr Costeja González’s name appeared for a real-estate auction connected with attachment proceedings for the recovery of social security debts.
…By that complaint, Mr Costeja González requested, first, that La Vanguardia be required either to remove or alter those pages so that the personal data relating to him no longer appeared or to use certain tools made available by search engines in order to protect the data…
….he requested that Google Spain or Google Inc. be required to remove or conceal the personal data relating to him so that they ceased to be included in the search results and no longer appeared in the links to La Vanguardia…
…that the attachment proceedings concerning him had been fully resolved for a number of years and that reference to them was now entirely irrelevant.
…the complaint was upheld in so far as it was directed against Google Spain and Google Inc.
…operators of search engines are subject to data protection legislation given that they carry out data processing for which they are responsible and act as intermediaries in the information society.
The AEPD took the view that it has the power to require the withdrawal of data and the prohibition of access to certain data by the operators of search engines when it considers that the locating and dissemination of the data are liable to compromise the fundamental right to data protection and the dignity of persons in the broad sense, and this would also encompass the mere wish of the person concerned that such data not be known to third parties. The AEPD considered that … obligation may be owed directly by operators of search engines, without it being necessary to erase the data or information from the website where they appear, including when retention of the information on that site is justified by a statutory provision.”

Source Google Spain Judgement

23 VQ v Land Hessen, Request for a preliminary ruling from the Verwaltungsgericht Wiesbaden, C-272/19 Land Hessen ECLI:EU:C:2020:535.
24 Michèle Finck, ‘Cobwebs of control: the two imaginations of the data controller in EU law’, (2021) 11(4) International Data Privacy Law 333–347, https://doi.org/10.1093/idpl/ipab017.
25 Opinion of Advocate General Bobek, Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW e.V. ECLI:EU:C:2018:1039.
26 Google Spain SL v. Agencia Española de Protección de Datos Case C-131/12 ECLI:EU:C:2014:317.


Even before ascertaining whether information about an individual should be removed from search results or web pages, the essential question is whether search engines are ‘data controllers’, which would make them accountable under data protection law.
Questions

“As regards the activity of search engines as providers of content in relation to Directive 95/46 …:(a) in relation to the activity of [Google Search], as a provider of content, consisting in locating information published or included on the net by third parties, indexing it automatically, storing it temporarily and finally making it available to internet users according to a particular order of preference, when that information contains personal data of third parties: must an activity like the one described be interpreted as falling within the concept of ‘processing of … data’ used in Article 2(b) of Directive 95/46? (b) If the answer to the foregoing question is affirmative, and once again in relation to an activity like the one described: must Article 2(d) of Directive 95/46 be interpreted as meaning that the undertaking managing [Google Search] is to be regarded as the ‘controller’ of the personal data contained in the web pages that it indexes?”

Source Google Spain Judgement


In the first instance, one has to ascertain the scope of data protection law. As a primary condition, there has to be an instance of processing of personal data. Once processing of personal data is established, data protection law will apply, and the status of the data controller must then be addressed.
The Court investigated the scope of personal data under Article 2 of the 1995 Directive. There is an instance of processing of personal data when one can identify a natural person, either directly or indirectly, with the help of different identifiers. Processing of personal data under Article 2(b) refers to,

“(b) …any operation or set of operations,… such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;”

Source Article 2(b), Directive 95/46/EC

The definition suggests that the processing of personal data does not require the transformation of data from one type to another. It gives a wide scope to the term processing.
The definition of controller under Article 2(d) of the Directive includes,

“(d) …the natural or legal person, public authority, agency or any other body
which alone or jointly with others determines the purposes and means of the
processing of personal data; where the purposes and means of processing are
determined by national or Community laws or Regulations, the controller
or the specific criteria for his nomination may be designated by national or
Community law;”

Source Article 2(d), Directive 95/46/EC


In the process of identifying the scope of a data controller and whether the activities performed by search engines would amount to the processing of personal data under the Directive, the Court first identified the technicalities connected with the functioning of a search engine. The search engine fetches information published on the internet by third parties. It indexes search results automatically and makes them available to internet users in a particular order. In the process, search engines temporarily store search results in order to provide users with information.
In its defence, Google suggested that these activities would not be data processing, since they merely display existing information in the public domain through search results. Search engines do not differentiate between personal data and any other information available in the public domain. Further, search engines are not data controllers because they do not exercise control over the source data. In Google’s opinion, there is a difference between processing at the level of a website that initially collects personal data and a search engine that merely fetches such existing data.
In the Court’s opinion, the operational process followed by a search engine, i.e. finding and producing search results for users, is an outcome of the search engine’s own decision. It decides on the purpose, that is, why it should look for information and produce search results for users.
Further, the entire process of searching, indexing and producing search results was succinctly put within the scope and definition of processing personal data. The CJEU suggested,

“…in exploring the internet automatically, constantly and systematically in search of the information which is published there, the operator of a search engine ‘collects’ such data which it subsequently ‘retrieves’, ‘records’ and ‘organises’ within the framework of its indexing programmes, ‘stores’ on its servers and, as the case may be, ‘discloses’ and ‘makes available’ to its users in the form of lists of search results.
…they must be classified as ‘processing’ …, regardless of the fact that the operator of the search engine also carries out the same operations in respect of other types of information and does not distinguish between the latter and the personal data.
Nor is the foregoing finding affected by the fact that those data have already been published on the internet and are not altered by the search engine.”

Source Google Spain Judgement


Leaving search engines outside the purview of the definition of a controller would not be sustainable. It cannot be justified on the basis that an operator of a search engine does not exercise control over personal data available on the websites of third parties. Search engines play a more significant role in disseminating personal information that would otherwise be lying on an obscure website.
The Court faced the question of the duties assigned to a search engine. Under Article 12(b) of the Directive, a data subject has a right to request the rectification, erasure or blocking of data. These requests can be made when incomplete or inaccurate information is processed. Based on the proportionality principle, according to Google Spain and Google Inc., the deletion of personal information must be handled by the website that published the data and made it publicly available, because the publisher is in the best position to determine the information’s lawfulness.
The Court suggested that Google, as an operator of a search engine, would be a controller. Otherwise, those who play a decisive role in disseminating personal data over the Internet would end up excluded from the purview of data protection. Google is not a traditional controller that plays a primary role in data collection. However, with advancements in technology, there will be situations where data controllers are involved in activities that do not fit the scope of the traditional framework.

4.1.2 Tietosuojavaltuutettu. Judgment of the Court (Grand Chamber) of 10 July 2018. Case C-25/1727

While the CJEU considered the concept of a search engine as a data controller in Google Spain, it extended the scope of the concept in a different context in the Jehovah’s Witnesses judgement. The issue was whether a religious community is a data controller when it organises activities involving the collection of personal data.
Facts
The Jehovah’s Witnesses Community engaged in door-to-door preaching activities. Its members collected data from persons unknown to them, including their names, addresses, and information about their religious beliefs and family circumstances. The information collected was used as a memory aid when visiting people on subsequent occasions. The Jehovah’s Witnesses Community also maintained a refusal register, a list of persons who had requested not to be visited by preachers. The Community’s magazines dedicated to preaching contained guidelines for its members on taking notes. The Community claimed that it did not require its members to collect data, and that it did not know the type of notes taken or the identity of the preachers collecting the data.
Questions
In the background of these facts, the following issues were referred to the CJEU.

“… (3) Must the phrase “alone or jointly with others determines the purposes and means of the processing of personal data” appearing in Article 2(d) of … Directive [95/46] be interpreted as meaning that a religious community that organises an activity in the course of which personal data is collected (in particular, by allocating areas in which the activity is carried out among the various preachers, supervising the activity of those preachers and keeping a list of individuals who do not wish the preachers to visit them) may be regarded as a controller, in respect of the processing of personal data carried out by its members, even if the religious community claims that only the individual members who engage in preaching have access to the data that they gather?
(4) Must Article 2(d) of Directive [95/46] be interpreted to the effect that in order for a religious community to be considered a controller it must have taken other specific measures, such as giving written instructions or orders directing the collection of data, or is it sufficient that that religious community can be regarded as having de facto control of its members’ activities?”

Source Jehovah’s Witnesses Judgement

27 Proceedings brought by Tietosuojavaltuutettu. Judgment of the Court (Grand Chamber) of 10 July 2018. Case C-25/17. ECLI:EU:C:2018:551.


The CJEU considered whether the religious community decided on the purpose
and means of processing, which is the condition for being considered a data controller.
It suggested:

“…[the] concept does not necessarily refer to a single natural or legal person and may concern several actors taking part in that processing, with each of them then being subject to the applicable data protection provisions
it is true that members of the Jehovah’s Witnesses Community who engage in preaching determine in which specific circumstances they collect personal data relating to persons visited, which specific data are collected and how those data are subsequently processed. However, the collection of personal data is carried out in the course of door-to-door preaching, by which members of the Jehovah’s Witnesses Community who engage in preaching spread the faith of their community. That preaching activity is organised, coordinated and encouraged by that community. In that context, the data are collected as a memory aid for later use and for a possible subsequent visit. Finally, the congregations of the Jehovah’s Witnesses Community keep lists of persons who no longer wish to receive a visit, from those data which are transmitted to them by members who engage in preaching.
Thus, it appears that the collection of personal data relating to persons contacted and their subsequent processing help to achieve the objective of the Jehovah’s Witnesses Community, which is to spread its faith and are, therefore, carried out by members who engage in preaching for the purposes of that community.
Furthermore, not only does the Jehovah’s Witnesses Community have knowledge on a general level of the fact that such processing is carried out in order to spread its faith, but that community organises and coordinates the preaching activities of its members, in particular, by allocating areas of activity between the various members who engage in preaching.
Such circumstances lead to the conclusion that the Jehovah’s Witnesses Community encourages its members who engage in preaching to carry out data processing in the context of their preaching activity.
… it appears that the Jehovah’s Witnesses Community, by organising, coordinating and encouraging the preaching activities of its members intended to spread its faith, participates, jointly with its members who engage in preaching, in determining the purposes and means of processing of personal data of the persons contacted, which is, however, for the referring Court to verify with regard to all of the circumstances of the case.
Having regard to the foregoing considerations, … it supports the finding that a religious community is a controller, jointly with its members who engage in preaching, of the processing of personal data carried out by the latter in the context of door-to-door preaching organised, coordinated and encouraged by that community, without it being necessary that the community has access to those data, or to establish that that community has given its members written guidelines or instructions in relation to the data processing.”

Source Jehovah’s Witnesses Judgement


This means that a data controller need not be a single entity; the role may be shared by multiple entities engaged in data processing, each of which becomes subject to data protection law. In the course of carrying out preaching activities encouraged by the community, the members engaged in data collection. Thus, a religious entity is a data controller if it organises, coordinates and encourages preaching activities carried out by its members and if data collection is a by-product of such activities. The essential test of whether an entity is a data controller is whether it decides the purposes and means of processing. There is no additional requirement that the community has access to the collected data, nor is there any requirement of written guidelines or instructions to the members in general.

4.1.3 Unabhängiges Landeszentrum für Datenschutz Schleswig–Holstein v Wirtschaftsakademie Schleswig–Holstein GmbH. Case C-210/1628

The judgement in Wirtschaftsakademie Schleswig–Holstein discussed the scope of the term data controller in the context of a fan page on Facebook.
Facts
Wirtschaftsakademie had a fan page on Facebook through which it offered educational services. Either businesses or individuals can set up fan pages, which are essentially user accounts. A fan page can post any communication and introduce itself to social network users. The fan page administrator had access to anonymous statistical information about its visitors, made available by a Facebook feature called ‘Facebook Insights’. Cookies stored on visitors’ devices collected information. The cookies contained a unique user code that was matched with Facebook users’ connection data. The storage and functioning of the cookies and the subsequent data processing were not disclosed to the user by Wirtschaftsakademie or Facebook Ireland Ltd.

28 Unabhängiges Landeszentrum für Datenschutz Schleswig–Holstein v Wirtschaftsakademie Schleswig–Holstein GmbH. Case C-210/16. ECLI:EU:C:2018:388.
Questions

“…the referring Court essentially wishes to know whether Article 2(d), Article 17(2), Article 24 and the second indent of Article 28(3) of Directive 95/46 must be interpreted as allowing an entity to be held liable in its capacity as administrator of a fan page on a social network where the rules on the protection of personal data are infringed, because it has chosen to make use of that social network to distribute the information it offers.”

Source Holstein Judgement


One of the first questions before assessing the extent of liability was whether a
Facebook fan page can be a data controller. The CJEU discussed some basic criteria
in this regard.

“[Under] Article 2(d) … the objective of that provision is to ensure, through a broad definition of the concept of ‘controller’, effective and complete protection of the persons concerned…
as Article 2(d) of Directive 95/46 expressly provides, the concept of ‘controller’ relates to the entity which ‘alone or jointly with others’ determines the purposes and means of the processing of personal data, that concept does not necessarily refer to a single entity and may concern several actors taking part in that processing, with each of them then being subject to the applicable data protection provisions.
In the present case, Facebook Inc. and, for the European Union, Facebook Ireland must be regarded as primarily determining the purposes and means of processing the personal data of users of Facebook and persons visiting the fan pages hosted on Facebook, and therefore fall within the concept of ‘controller’ within the meaning of Article 2(d) of Directive 95/46, which is not challenged in the present case.”

Source Holstein Judgement


The Court then discussed how fan pages operate on Facebook.
“It appears that any person wishing to create a fan page on Facebook concludes
a specific contract with Facebook Ireland for the opening of such a page, and
thereby subscribes to the conditions of use of the page, including the policy on
cookies, which is for the national Court to ascertain.
According to the documents before the Court, the data processing at issue in
the main proceedings is essentially carried out by Facebook placing cookies on
the computer or other device of persons visiting the fan page, whose purpose
is to store information on the browsers, those cookies remaining active for two
years if not deleted. It also appears that in practice Facebook receives, registers
and processes the information stored in the cookies in particular when a person
visits ‘the Facebook services, services provided by other members of the Facebook family of companies, and services provided by other companies that use
the Facebook services’. Moreover, other entities such as Facebook partners
or even third parties ‘may use cookies on the Facebook services to provide
services [directly to that social network] and the businesses that advertise on
Facebook’.
That processing of personal data is intended in particular to enable Facebook
to improve its system of advertising transmitted via its network, and to enable
the fan page administrator to obtain statistics produced by Facebook from the
visits to the page, for the purposes of managing the promotion of its activity,
making it aware, for example, of the profile of the visitors who like its fan
page or use its applications, so that it can offer them more relevant content and
develop functionalities likely to be of more interest to them.”

Source Holstein Judgement


Therefore, the fan page administrator in question would have the status of a data controller. Alongside Facebook, it decided the purposes and means of processing. It took decisions defining the broad attributes of the audience to be targeted, including the further objective of effectively managing its activities.

“..the administrator of a fan page hosted on Facebook, by creating such a page, gives Facebook the opportunity to place cookies on the computer or other device of a person visiting its fan page, whether or not that person has a Facebook account.
In this context, according to the submissions made to the Court, the creation of a fan page on Facebook involves the definition of parameters by the administrator, depending inter alia on the target audience and the objectives of managing and promoting its activities, which has an influence on the processing of personal data for the purpose of producing statistics based on visits to the fan page. The administrator may, with the help of filters made available by Facebook, define the criteria in accordance with which the statistics are to be drawn up and even designate the categories of persons whose personal data is to be made use of by Facebook. Consequently, the administrator of a fan page hosted on Facebook contributes to the processing of the personal data of visitors to its page.
In particular, the administrator of the fan page can ask for — and thereby request the processing of — demographic data relating to its target audience, including trends in terms of age, sex, relationship and occupation, information on the lifestyles and centres of interest of the target audience and information on the purchases and online purchasing habits of visitors to its page, the categories of goods and services that appeal the most, and geographical data which tell the fan page administrator where to make special offers and where to organise events, and more generally enable it to target best the information it offers.
While the audience statistics compiled by Facebook are indeed transmitted to the fan page administrator only in anonymised form, it remains the case that the production of those statistics is based on the prior collection, by means of cookies installed by Facebook on the computers or other devices of visitors to that page, and the processing of the personal data of those visitors for such statistical purposes. In any event, Directive 95/46 does not, where several operators are jointly responsible for the same processing, require each of them to have access to the personal data concerned.
In those circumstances, the administrator of a fan page hosted on Facebook, such as Wirtschaftsakademie, must be regarded as taking part, by its definition of parameters depending in particular on its target audience and the objectives of managing and promoting its activities, in the determination of the purposes and means of processing the personal data of the visitors to its fan page. The administrator must therefore be categorised, in the present case, as a controller responsible for that processing within the European Union, jointly with Facebook Ireland, within the meaning of Article 2(d) of Directive 95/46.”

Source Holstein Judgement


The judgements reflect how different entities can be involved in deciding the purposes and means of processing, making them responsible as data controllers under data protection law. The judgements in Google Spain, Jehovah’s Witnesses and Facebook Fan Pages, seen together, indicate that the concept of data controller is wide and can encompass various entities. However, the entities must fulfil the condition of being data controllers, i.e., deciding the purposes and means of processing. The entities involved in a particular situation need not bear an equal workload when deciding upon the purpose of processing, and they may not always contribute equally towards deciding the purpose or purposes. Thus, there is no formal requirement that the stakeholders involved assume a primary or secondary role.
There is a counter-view to the broad scope of the term controller, and the suggestion is to “create an exemption for parties with no meaningful influence over the data processing by requiring a higher threshold of influence over the means. Future case law should devise a de minimis threshold of influence over the means of processing required to qualify as a data controller. Pursuant to this test, only parties that determine the purposes and the means beyond the mere choice of a platform or service and the enabling of someone else’s processing should be controllers.”29 This suggests a role-based approach; however, it may not always be possible to identify the exact role and its influence over the purpose behind processing personal data. Also, is it the right approach to reduce the scope attached to the term data controller? What impact would it have on the rights of the data subject? These questions are equally important to answer.

4.2 Personal Data

EU data protection law applies to the processing of personal data, with the data controller having a lawful justification for processing such data. Thus, it is essential to determine that the processed data is indeed personal data.
Personal data is information about an identified or identifiable natural person, as defined under Article 4(1) of the GDPR. It –

“…means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”

Source Article 4(1), GDPR


Essentially, there are three elements in the definition: “any information”, “relating
to” and “identified or identifiable” natural person.30 The judgement of Peter Nowak
suggests that the “use of the expression ‘any information’ in the definition of the concept
of ‘personal data’ … reflects the aim of the EU legislature to assign a wide scope
to that concept, which is not restricted to information that is sensitive or private,
but potentially encompasses all kinds of information, not only objective but also
subjective, in the form of opinions and assessments, provided that it ‘relates’ to the
data subject.”31 Further, information can be said to be ‘relating to’ an individual
when “the information, by reason of its content, purpose or effect, is linked to [that]
particular person.”32 The judgement of Breyer suggests that for identifiability, “it is
not required that all the information enabling the identification of the data subject
must be in the hands of one person.”33 According to Recital 26 of the GDPR, “account
should be taken of all the means reasonably likely to be used, such as singling out,
either by the controller or by another person to identify the natural person directly or
indirectly.”34 These elements will be discussed further through different judgements
in this section.

29 Michèle Finck, Cobwebs of control: the two imaginations of the data controller in EU law,
International Data Privacy Law, Volume 11, Issue 4, November 2021, Pages 333–347, https://doi.org/10.1093/idpl/ipab017.
30 Article 4(1), GDPR.
31 Peter Nowak v Data Protection Commissioner. Case C-434/16. ECLI:EU:C:2017:994.

But before discussing the judgements, it is important to note that data can be
de-identified, encrypted, pseudonymised, or anonymised. To which of these kinds of
data does data protection law apply? The EU Commission has explained:35

“…[p]ersonal data that has been de-identified, encrypted or pseudonymised
but can be used to re-identify a person remains personal data and falls within
the scope of the GDPR. Personal data that has been rendered anonymous in
such a way that the individual is not or no longer identifiable is no longer
considered personal data. For data to be truly anonymised, the anonymisation
must be irreversible.”

Source EU Commission on What is Personal Data


It is worth noting that “in today’s complex data ecosystems, it can never be assumed
that the anonymisation of data is ‘as permanent as erasure’. Data circulates and is
traded, new data sets are created, and third parties may be in possession of information
allowing linkage, which the original data controller has no knowledge of. There are
accordingly considerable complications in drawing the boundaries between personal
and non-personal data”.36 There is the view that anonymisation cannot be inferred
merely by looking at the data; one must also look at the environment in which the data sit.37
There is also the view that not all data that have been pseudonymised should be
considered personal data.38 Data which have been pseudonymised can be
rendered anonymous, and data that is pseudonymised for one organisation could
be anonymised for a third party.39 More detailed discussions on pseudonymisation
can be found in the following chapters.
Importantly, “[w]hen the hyperconnected onlife world of data-driven agency
arrives, the intensive compliance regime of the General Data Protection Regulation
(GDPR) will become ‘the law of everything’, well-meant but impossible to maintain.
By then we should abandon the distinction between personal and non-personal data,
embrace the principle that all data processing should trigger protection, and understand
how this protection can be scalable.”40 In a connected environment, the
line between personal data and non-personal data often becomes blurry. It is also likely
that personal data becomes non-personal through the use of accepted technological
norms. If all forms of data trigger data protection, there could be questions
about its overall impact on innovation and the business models adopted in the digital
economy.
The following sub-sections discuss CJEU judgements to understand the concept
of personal data in different situations, such as in the case of examination scripts
and dynamic IP addresses. The test of identifiability is discussed alongside other
concepts.

4.2.1 Patrick Breyer v Bundesrepublik Deutschland Case C-582/1441

The judgement identified the dynamic internet protocol address as personal data. It
raises the all-important question of whether additional data, available from different
sources, may be accessed and combined with the data at hand to identify the
natural person.
Facts
Breyer had accessed the websites of several German Federal institutions. These
websites provided topical information to their users. Faced with emerging web attacks,
these websites recorded all access operations in logfiles to prevent possible intrusions
and to prosecute those responsible for such behaviour. The information
in these logfiles included the address of the website accessed, the file accessed
during such search, keywords entered while searching for information, the time when
websites were accessed, the volume of data transferred, an indication of a successful
transaction and, most importantly, the Internet Protocol address of the computer from
which this information was accessed.

32 Peter Nowak v Data Protection Commissioner. Case C-434/16. ECLI:EU:C:2017:994.
33 Patrick Breyer v Bundesrepublik Deutschland. Case C-582/14. ECLI:EU:C:2016:779.
34 Recital 26, GDPR.
35 EU Commission, ‘What is personal data?’. https://commission.europa.eu/law/law-topic/data-protection/reform/what-personal-data_en. Accessed 25 June 2024.
36 Michèle Finck, Frank Pallas, ‘They who must not be identified—distinguishing personal from
non-personal data under the GDPR’, (2020) 10(1) International Data Privacy Law 11–36, https://doi.org/10.1093/idpl/ipz026.
37 Mark Elliot, Kieron O’Hara, Charles Raab, Christine M. O’Keefe, Elaine Mackey, Chris Dibben,
Heather Gowans, Kingsley Purdam, Karen McCullagh, ‘Functional anonymisation: Personal data
and the data environment’ (2018) 34(2) Computer Law & Security Review 204–221. https://doi.org/10.1016/j.clsr.2018.02.001.
38 Miranda Mourby, Elaine Mackey, Mark Elliot, Heather Gowans, Susan E. Wallace, Jessica Bell,
Hannah Smith, Stergios Aidinlis, Jane Kaye, “Are ‘pseudonymised’ data always personal data?
Implications of the GDPR for administrative data research in the UK”, (2018) 34(2) Computer
Law & Security Review 222–233, https://doi.org/10.1016/j.clsr.2018.01.002.
39 Miranda Mourby, Elaine Mackey, Mark Elliot, Heather Gowans, Susan E. Wallace, Jessica Bell,
Hannah Smith, Stergios Aidinlis, Jane Kaye, “Are ‘pseudonymised’ data always personal data?
Implications of the GDPR for administrative data research in the UK” (2018) 34(2) Computer
Law & Security Review 222–233. https://doi.org/10.1016/j.clsr.2018.01.002.
40 Nadezhda Purtova, ‘The law of everything. Broad concept of personal data and future of EU data
protection law’ (2018) 10(1) Law, Innovation and Technology 40–81. https://doi.org/10.1080/17579961.2018.1452176.
41 Patrick Breyer v Bundesrepublik Deutschland C-582/14. ECLI:EU:C:2016:779.

An IP address represents a computer and is used to establish a connection with a website,
that is, to reach the server where the website is located. The Internet Service
Provider (ISP) facilitates the Internet connection and allocates either a static IP
address or a dynamic IP address to the subscribers’ computers; the subscribers are the
data subjects in this matter. Unlike a static IP address, a dynamic IP address changes
each time a user connects to the internet.
Mr Breyer brought an action requesting an order restraining these websites from
storing IP addresses when users access them. He claimed that storage should be
permitted only where it is needed to resolve technical errors, and not otherwise.
After the initial application was rejected, the Court of Appeal ruled in favour of
Mr Breyer. It said:

“a dynamic IP address, together with the date on which the website was
accessed to which that address relates constitutes, if the user of the website
concerned has revealed his identity during that consultation period, personal
data, because the operator of that website is able to identify the user by linking
his name to his computer’s IP address.”

Source Patrick Breyer Judgement


However, the Court of Appeal introduced certain caveats. Consider, for instance, a situation
in which Mr Breyer did not reveal his identity when he accessed the website. Here,
the ISP is well positioned to connect the user’s IP address to the user’s identity, but the IP
addresses are not personal data for the websites, because to them the users are not identifiable.
The referring Court believed that dynamic IP addresses stored by websites do not
directly identify Mr Breyer. The operators of the websites can identify him only if they
have the additional information held by the ISPs. Therefore, such data, i.e. IP addresses,
become personal data only when Mr Breyer is identifiable.
Germany’s Federal Court of Justice discussed an ‘objective’ and a ‘relative’ criterion
for deciding whether the individual is identifiable.

“The application of an ‘objective’ criterion would have the consequence that
data such as the IP addresses at issue in the main proceedings may be regarded,
at the end of the period of use of the websites at issue, as being personal data
even if only a third party is able to determine the identity of the data subject,
that third party being, in the present case, Mr Breyer’s internet service provider,
which stored the additional data enabling his identification by means of those
IP addresses. According to a ‘relative’ criterion, such data may be regarded
as personal data in relation to an entity such as Mr Breyer’s internet service
provider because they allow the user to be precisely identified, but not being
regarded as such with respect to another entity, since that operator does not
have, if Mr Breyer has not disclosed his identity during the consultation of those
websites, the information necessary to identify him without disproportionate
effort.
… [A]cademic opinion mostly supports the view, first, that the collection
and use of personal data relating to the user of a website is authorised only in
order to facilitate the specific use of that website and, second, that those data
must be deleted at the end of period of consultation concerned if they are not
data required for billing purposes.”

Source Patrick Breyer Judgement


The CJEU then decided whether dynamic IP addresses constitute personal data.
Questions

“… Must Article 2(a) of Directive 95/46 … be interpreted as meaning that
an internet protocol address (IP address) which an [online media] service
provider stores when his website is accessed already constitutes personal data
for the service provider if a third party (an access provider) has the additional
knowledge required in order to identify the data subject?”

Source Patrick Breyer Judgement


Recital 26 of Directive 95/46 sets out the test for identifiability. To determine whether
a person is identifiable, one should consider all the means that the data controller is
reasonably likely to use to identify that person.

“Whereas the principles of protection must apply to any information
concerning an identified or identifiable person; …whereas the principles of
protection shall not apply to data rendered anonymous in such a way that the
data subject is no longer identifiable; whereas codes of conduct within the
meaning of Article 27 may be a useful instrument for providing guidance as to
the ways in which data may be rendered anonymous and retained in a form in
which identification of the data subject is no longer possible.”

Source Recital 26, Directive 95/46/EC


According to a previous judgement (Scarlet Extended),42 IP addresses of internet
users are considered personal data because such data can precisely identify users.
However, that case concerned ISPs, which both collect IP addresses and can identify
the subscribers behind them. The present case concerns dynamic IP addresses, essentially
provisional addresses assigned to users and replaced on subsequent connections,
unlike static IP addresses, which stay the same and would allow identification of
the connected device at different times.
A dynamic IP address is not information that relates to an identified natural
person. The reason is that the address alone cannot reveal a person’s identity. It
merely represents the computer that the person uses.

42 Scarlet Extended SA v Société belge des auteurs, compositeurs et éditeurs SCRL (SABAM).
C-70/10. ECLI:EU:C:2011:771.

However, the definition of personal data covers an identifiable person identified
either directly or indirectly. The use of the word ‘indirectly’ means that it is not
necessary that the information in the hands of one entity alone identifies the data
subject. Recital 26 requires that all the means likely to be used, either by the controller
or by any other person, to identify the person be considered. The reference to ‘any
other person’ in Recital 26 suggests that all the information enabling the
identification of a natural person need not be held by a single entity.
Therefore, the CJEU found that the fact that “additional data necessary to identify the user
of a website are held not by the online media services provider, but by that user’s …
[ISP] does not appear to be such as to exclude that dynamic IP addresses registered
by the online media services provider constitute personal data within the meaning of
Article 2(a) of Directive 95/46.”43
Is the possibility of combining dynamic IP addresses with details available with the
ISP a reasonable means through which data subjects can be identified? In this context,
the Advocate General suggested, “that would not be the case if the identification of
the data subject was prohibited by law or practically impossible on account of the
fact that it requires a disproportionate effort in terms of time, cost and man-power,
so that the risk of identification appears in reality to be insignificant.”44
German law does not allow ISPs to transmit data directly to websites; however,
in cases such as cybercrime, there are legal channels through which ISPs must share
details with the competent authorities.
Therefore, the CJEU concluded:

“it appears that the online media services provider has the means which may
likely reasonably be used in order to identify the data subject, with the assistance
of other persons, namely the competent authority and the internet service
provider, on the basis of the IP addresses stored.
… a dynamic IP address registered by an online media services provider when
a person accesses a website that the provider makes accessible to the public
constitutes personal data within the meaning of that provision, concerning that
provider, where the latter has the legal means which enable it to identify the
data subject with additional data which the internet service provider has about
that person.”

Source Patrick Breyer Judgement

43 Patrick Breyer v Bundesrepublik Deutschland C-582/14. ECLI:EU:C:2016:779.
44 Patrick Breyer v Bundesrepublik Deutschland C-582/14. ECLI:EU:C:2016:779.


The judgement suggests that the scope of the definition of personal data is wide.
All the information required to identify an individual need not be in the hands of one
entity, and an individual is considered identifiable as long as the entity has reasonable
means, including the assistance of others, to identify the individual. Moreover, identification
is assessed by reference to the means that the controller is reasonably likely to use, unless
identification is prohibited by law or practically impossible because it would require
disproportionate effort.
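As an added illustration that is not part of the book or the judgments, the following Python script constructs a website access log with dynamic IP addresses and an ISP's lease table, then shows the linkage the Breyer judgement treats as a means reasonably likely to be used, and, returning to the Commission's distinction quoted earlier, why keyed pseudonymisation leaves the data personal for whoever holds the key while a plain hash of the IP address is not anonymisation at all. All log rows, lease records, subscriber names, address ranges and the key are constructed sample values.

```python
"""Added example (not from the book or the judgments): constructed data showing
(1) the Breyer linkage, where a website's access log of dynamic IP + timestamp
becomes identifying once joined with the ISP's lease records, and
(2) why keyed pseudonymisation keeps the log personal data for whoever holds
the key, while a plain hash is not anonymisation at all."""
import hashlib
import hmac
from datetime import datetime
from ipaddress import ip_network

# Constructed website access log (the online media service provider's view).
# Each row: (timestamp, client IP, requested path). The IP is dynamic.
ACCESS_LOG = [
    ("2016-10-19T08:15:02", "198.51.100.23", "/press/latest"),
    ("2016-10-19T08:17:45", "198.51.100.23", "/press/archive?q=retention"),
    ("2016-10-20T21:03:10", "198.51.100.23", "/about"),  # same IP, next day
]

# Constructed ISP lease table: who held which dynamic IP during which period.
# Each row: (ip, lease_start, lease_end, subscriber). Names are placeholders.
ISP_LEASES = [
    ("198.51.100.23", "2016-10-19T06:00:00", "2016-10-19T18:00:00", "subscriber-A"),
    ("198.51.100.23", "2016-10-20T19:30:00", "2016-10-21T07:30:00", "subscriber-B"),
]

# Constructed pseudonymisation key; in practice held by one party only.
KEY = b"constructed-demo-key"


def link_to_subscriber(ip, ts, leases):
    """Return the subscriber who held `ip` at time `ts`, or None.

    This is the join the CJEU treats as a means 'reasonably likely to be used'
    when the operator can lawfully obtain the ISP's additional data: the IP alone
    says nothing, the IP together with the time of the visit does.
    """
    t = datetime.fromisoformat(ts)
    for lease_ip, start, end, subscriber in leases:
        if lease_ip == ip and datetime.fromisoformat(start) <= t < datetime.fromisoformat(end):
            return subscriber
    return None


def identify_log(log, leases):
    """Annotate every log row with the subscriber the ISP data points to."""
    return [(ts, ip, path, link_to_subscriber(ip, ts, leases)) for ts, ip, path in log]


def pseudonymise_ip(ip, key):
    """Keyed pseudonym (HMAC-SHA256, truncated): same IP -> same token, but the
    token cannot be turned back into an IP without the key."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymised_log(log, key):
    """Replace raw IPs in the log with keyed pseudonyms; timestamps and paths stay."""
    return [(ts, pseudonymise_ip(ip, key), path) for ts, ip, path in log]


def reidentify_with_key(pseudo_log, leases, key):
    """The key holder re-creates the join by pseudonymising the lease IPs the same
    way. Hence, per the Commission guidance quoted above, pseudonymised data that
    'can be used to re-identify a person remains personal data' for that party."""
    pseudo_leases = [(pseudonymise_ip(ip, key), s, e, who) for ip, s, e, who in leases]
    return [(ts, token, path, link_to_subscriber(token, ts, pseudo_leases))
            for ts, token, path in pseudo_log]


def reidentify_without_key(pseudo_log, leases):
    """A party holding the raw lease table but no key cannot match tokens to IPs."""
    return [link_to_subscriber(token, ts, leases) for ts, token, path in pseudo_log]


def unkeyed_hash(ip):
    """Plain SHA-256 of the IP, as sometimes (wrongly) offered as 'anonymisation'."""
    return hashlib.sha256(ip.encode()).hexdigest()[:16]


def reverse_unkeyed_hash(token, candidate_network="198.51.100.0/24"):
    """Plain hashing is reversible by anyone because the input space is tiny: all
    of IPv4 is 2**32 hashes. A single /24 is enumerated here to keep the demo quick."""
    for host in ip_network(candidate_network).hosts():
        if unkeyed_hash(str(host)) == token:
            return str(host)
    return None


def anonymise(log):
    """Irreversible generalisation: keep only the /16 network and the day of the
    visit, so the lease join no longer resolves to any single subscriber. Whether
    this is 'truly anonymised' still depends on what other data the recipient holds."""
    return [(ts[:10], str(ip_network(ip + "/16", strict=False)), path)
            for ts, ip, path in log]


if __name__ == "__main__":
    print("raw log + ISP leases:", identify_log(ACCESS_LOG, ISP_LEASES))
    plog = pseudonymised_log(ACCESS_LOG, KEY)
    print("key holder re-identifies:", [r[3] for r in reidentify_with_key(plog, ISP_LEASES, KEY)])
    print("without the key:", reidentify_without_key(plog, ISP_LEASES))
    print("unkeyed hash reversed:", reverse_unkeyed_hash(unkeyed_hash("198.51.100.23")))
    print("anonymised rows:", anonymise(ACCESS_LOG))
```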

4.2.2 Peter Nowak v Data Protection Commissioner Case C-434/1645

In Peter Nowak, the answer scripts of students, alongside the comments shared by the
examiners, were construed as personal data. Unlike the previous judgement, which developed
the idea of identifiability, the CJEU developed another perspective surrounding the
definition of personal data: that the data must ‘relate’ to an identified or identifiable
individual. The CJEU laid down the content, purpose and effect test for the data to
‘relate’ to an individual.
Facts
The complainant, Mr Nowak, was a trainee accountant and cleared some of the levels
of examinations organised by the Institute of Chartered Accountants of Ireland (CAI).
Mr Nowak could not clear the Strategic Finance and Management Accounting course,
which was classified as an open-book examination.
Unfortunately, Mr Nowak could not clear the course in question on four occasions.
He reached out to CAI, asserting that it held his personal data. The CAI refused
to share the script with him, stating that the script in question could not be considered
personal data within the meaning of the data protection legislation. The Data Protection
Commissioner also rejected his application, stating that examination scripts do
not generally fall within the scope of personal data. Finally, after several rejections,
the Supreme Court allowed the appeal and ruled in favour of Mr Nowak.
Questions
However, the Supreme Court decided to refer this matter to the CJEU and forwarded
the following questions:

“(1) Is information recorded in/as answers given by a candidate during a professional
examination capable of being personal data, within the meaning of
Directive 95/46?
(2) If the answer to Question 1 is that all or some of such information may be
personal data within the meaning of the Directive, what factors are relevant in
determining whether in any given case such script is personal data, and what
weight should be given to such factors?”

Source Peter Nowak Judgement

45 Peter Nowak v Data Protection Commissioner C-434/16 ECLI:EU:C:2017:994.


With answer scripts as personal data, the data subjects would have the option to
exercise rights, including the right to access personal data. It would allow Mr Peter
Nowak to access his personal data, i.e. the exam answer script in question.
Recitals 25, 26 and 41 of Directive 95/46 are important to consider.

“(25) … the principles of protection must be reflected, on the one hand, in
the obligations imposed on persons … responsible for processing, in particular
regarding data quality, technical security, notification to the supervisory
authority, and the circumstances under which processing can be carried out,
and, on the other hand, in the right conferred on individuals, the data on whom
are the subject of processing, to be informed that processing is taking place,
to consult the data, to request corrections and even to object to processing in
certain circumstances;”

Source Recital 25, Directive 95/46/EC


Recital 25 addresses the obligations of the data controller and the rights of the data
subject. The data controller must process data within the data protection framework,
meeting data quality and security safeguard standards, and must inform the supervisory
authority about data breaches. The data subjects have the right to access the processed
data, to consult the shared data, to request rectification and further to object to the processing
of personal data under certain circumstances.

“(26) … the principles of protection must apply to any information concerning
an identified or identifiable person; whereas, to determine whether a person is
identifiable, account should be taken of all the means likely reasonably to be
used either by the controller or by any other person to identify the said person;
… the principles of protection shall not apply to data rendered anonymous in
such a way that the data subject is no longer identifiable;..”

Source Recital 26, Directive 95/46/EC


According to Recital 26, the data protection principles must apply to information
through which a natural person is identified either directly or indirectly. When it is to
be determined whether a person is identifiable, the factors that need to be considered
are the means available to identify the natural person, or likely to be used by the
data controller or any other person. The data protection principles would not apply to
anonymised data, because anonymisation makes it almost impossible to identify natural persons.

“(41) … any person must be able to exercise the right of access to data relating
to him which are being processed, in order to verify in particular the accuracy
of the data and the lawfulness of the processing;”

Source Recital 41, Directive 95/46/EC


According to Recital 41, the data subject must be able to verify the personal data. The data
subject should be able to verify its accuracy with the data controller and to verify the
lawfulness of the processing.
The right to access has also been recognised by the GDPR, which replaced the
old Directive.
Article 15 of GDPR, headed ‘Right of access by the data subject’, provides:

“1. The data subject shall have the right to obtain from the controller confir-
mation as to whether or not personal data concerning him or her are being
processed, and, where that is the case, access to the personal data …
3. The controller shall provide a copy of the personal data undergoing
processing …
4. The right to obtain a copy referred to in paragraph 3 shall not adversely
affect the rights and freedoms of others.”

Source Article 15, GDPR


Thus, a data subject is within their rights to know when processing of personal data
takes place and can also receive a copy of such information. Before allowing the
data subject to access exam answer scripts, the CJEU first determined whether exam
answer scripts constitute personal data.
The CJEU began by assessing the meaning of personal data. It is information
relating to a natural person who is either directly or indirectly identifiable. Clearly, the
complainant is a natural person and can be easily identified directly or indirectly
through various identifiers, including the name and identification number available
on the cover sheet of the answer script. Whether the examiner can identify the student
in question while marking the examination script is not important. Following the
Breyer judgement discussed above, it is not required that all the identifiers be in
the hands of one person. Rather, what matters is whether the person in question has
the legal or other capacity to access these identifiers from different sources.
Therefore, while the candidate’s details were unavailable to the examiner, the details
were available with CAI. These details can, therefore, easily identify Mr Nowak.

The Court referred to the words ‘any information’ in the definition of personal data
and concluded that they are quite broad in nature. They encompass all possible kinds of
information, objective as well as subjective, including opinions and assessments.
The only requirement is that the information in hand relates to the data subject.
There are reasons why the written answers submitted by a person ‘relate’ to the
person.

“First, the content of those answers reflects the extent of the candidate’s knowl-
edge and competence in a given field and, in some cases, his intellect, thought
processes, and judgment. In the case of a handwritten script, the answers
contain, in addition, information as to his handwriting. Second, collecting those
answers is to evaluate the candidate’s professional abilities and suitability to
practice the profession concerned. Last, the use of that information, one conse-
quence of that use being the candidate’s success or failure at the examination
concerned, is liable to affect his or her rights and interests, in that it may deter-
mine or influence, for example, the chance of entering the profession aspired
to or of obtaining the post sought.”

Source Peter Nowak Judgement


The comments shared by an examiner concerning the candidate’s answer relate
to the individual. The purpose of those comments is to assess the examinee’s perfor-
mance. This outcome concerns the knowledge and competencies in the given course.
If the examiners’ comments are not personal data, then the rights of the candidates
to access and possible rectification in case of any errors are not protected.
In the context of Recital 25 of the Directive, if neither the answers submitted in
an exam nor the comments submitted by the examiner are classified as personal data,
it would mean entirely excluding all the possible data protection principles.
It is also important to protect the answer scripts in an examination from third-
party access that may be unlawful. If the answer script is not considered personal
information, it may be published or sent to third parties without permission.
The rights of access and rectification and the rights of intervention in the context
of data protection exist in the answer scripts and the examiner’s comments. However,
the right of rectification does not give the candidate the subsequent right to correct
answers marked incorrect by the examiner.
Considering the answer scripts and the comments as personal data would enable
a student to handle inaccuracy and discrepancy concerning the evaluation of the
answer scripts. There could be many mistakes, such as mixed-up answer scripts,
wrong marks being ascribed and unevaluated portions, among other possible errors.
Considering the answer script as personal data would give the candidate the right
to erasure. The candidate can reach out to the data controller asking the controller
to destroy the answer script subject to any legal requirement of keeping the answer
script for a minimum amount of time.
Therefore, in conclusion, the Court suggested that

“[i]n so far as the written answers submitted by a candidate at a professional
examination and any comments made by an examiner with respect to those
answers are therefore liable to be checked for, in particular, their accuracy
and the need for their retention, within the meaning of Article 6(1)(d) and
(e) of Directive 95/46, and may be subject to rectification or erasure, under
Article 12(b) of the Directive, the Court must hold that to give a candidate a right
of access to those answers and to those comments, under Article 12(a) of that
Directive, serves the purpose of that Directive of guaranteeing the protection of
that candidate’s right to privacy with regard to the processing of data relating to
him … irrespective of whether that candidate does or does not also have such
a right of access under the national legislation applicable to the examination
procedure.”

Source Peter Nowak Judgement


The CJEU judgements involving Patrick Breyer and Peter Nowak indicate that the
definition of personal data is wide. It can encompass information about an already
identified or possibly identifiable individual to whom the information relates by
content, purpose and effect. The test of identifiability is broad as it includes all
possible means through which an individual can be reasonably identified.

4.3 Legal Basis of Processing

Once it is ascertained that a data controller is processing personal data, the legal basis
behind such processing must be established. Article 6(1) of the GDPR provides
different legal grounds that the data controller can rely upon prior to processing
personal data.

“1. Processing shall be lawful only if and to the extent that at least one of the
following applies: (a) the data subject has given consent to the processing of
his or her personal data for one or more specific purposes; (b) processing is
necessary for the performance of a contract to which the data subject is party
or in order to take steps at the request of the data subject prior to entering into a
contract; (c) processing is necessary for compliance with a legal obligation to
which the controller is subject; (d) processing is necessary in order to protect
the vital interests of the data subject or of another natural person; (e) processing
is necessary for the performance of a task carried out in the public interest or
in the exercise of official authority vested in the controller; (f) processing is
necessary for the purposes of the legitimate interests pursued by the controller
or by a third party, except where such interests are overridden by the interests or
fundamental rights and freedoms of the data subject which require protection
of personal data, in particular where the data subject is a child.”

Source Article 6(1), GDPR


Different legal grounds of processing are suitable in different situations.
While the data controller is free to rely on any of the legal grounds, some
are more suitable than others in a given situation. The EU Commission
provides examples of when each legal basis of processing would apply.46

“Consent Your company/organisation offers a music app and asks for citizens’
consent to process their musical preferences in order to suggest tailored songs
and possible concerts to them.
Contractual obligation Your company/organisation sells goods online. It can
process data that is necessary to take steps at the request of the individual prior
to entering into the contract and for the performance of the contract. So you can
process the name, delivery address, credit card number (if payment by card),
etc.
Legal obligation You own a company with employees. In order to obtain social
security cover, the law obliges you to provide personal data (for example weekly
income of your employees) to the relevant authority.
Public interest … [A] professional association such as a bar association or
a chamber of medical professionals vested with an official authority to do so
may carry out disciplinary procedures against some of their members.
Vital interests of a person: A hospital is treating a patient after a serious road
accident; the hospital doesn’t need his consent to search for his ID to check
whether that person exists in the hospital’s database to find previous medical
history or to contact his next of kin.
Your organisation’s legitimate interests: Your company/organisation ensures
its network security by monitoring the use of its employees’ IT devices. Your
company/organisation may legitimately process personal data for that purpose,
only if the least intrusive method is chosen as regards the privacy and data
protection rights of your employees, for example, by limiting the accessibility
of certain websites. (Note that this can’t be done in EU Member States where
national law sets out stricter rules for processing in the employment context).”

Source EU Commission, ‘When can personal data be processed?’

46 EU Commission, ‘When can personal data be processed?’. https://commission.europa.eu/law/law-topic/data-protection/reform/rules-business-and-organisations/legal-grounds-processing-data/grounds-processing/when-can-personal-data-be-processed_en. Accessed 25 June 2024.


This section discusses the judgements of the CJEU and explains some legal
grounds for processing. Subsequent chapters address the requirement of consent
as a ground for processing personal data. The judgements indicate that when relying
on a legal ground for processing, data controllers must fulfil the requirements of that
legal ground. Moreover, in a given situation, some legal grounds of processing may
be more appropriate than others. For instance, the legal ground of consent must not
be bypassed by relying on the legal ground of necessity for the performance of a
contract, for example by including non-necessary processing in mandatory terms of
service.

4.3.1 Legitimate Interest

Recital 47 of the GDPR explains legitimate interest. It states:

“The legitimate interests of a controller, including those of a controller to
which the personal data may be disclosed, or of a third party, may provide a
legal basis for processing, provided that the interests or the fundamental rights
and freedoms of the data subject are not overriding, taking into consideration
the reasonable expectations of data subjects based on their relationship with
the controller. Such legitimate interest could exist for example where there is a
relevant and appropriate relationship between the data subject and the controller
in situations such as where the data subject is a client or in the service of the
controller. At any rate the existence of a legitimate interest would need careful
assessment including whether a data subject can reasonably expect at the time
and in the context of the collection of the personal data that processing for that
purpose may take place. The interests and fundamental rights of the data subject
could in particular override the interest of the data controller where personal
data are processed in circumstances where data subjects do not reasonably
expect further processing.”

Source Recital 47, GDPR


It seems that what a data subject expects may define the scope and sanctity of legitimate
interest. Further, a data controller should be able to establish a stable relationship with
a data subject through which the ethos of reasonable expectations develops. While
the reasonable expectations of the data subject are a key factor in deciding whether an
interest is legitimate, there is a three-part test for legitimate interest, as explained by
the ICO, UK.47 This three-part test is closely related to the data protection principles:
the purpose behind personal data processing is the essential hinge that legitimises
processing. It also helps the data controller not to digress and to remain within the
confines of the objective of data collection. The necessity test requires that the
processing be proportionate to the exact need for data collection and to the subsequent
processing. The data controller has to run an assessment exercise, if not formally, to
gauge the exact need before data collection begins. The final prong reflects the
overarching aim of legislative intervention, which is to give personal autonomy back
to data subjects.

“Purpose test: are you pursuing a legitimate interest?
Necessity test: is the processing necessary for that purpose?
Balancing test: do the individual’s interests override the legitimate interest?”

Source ICO on Legitimate Interests


The following example from the EU Commission is useful for understanding legitimate
interests.48 It gives a snapshot of the expected norms, although additional requirements
may have to be fulfilled before data subjects can reasonably expect any of the listed
reasons for processing, for instance where the processing is for direct marketing purposes.

“Your company/organisation has a legitimate interest when the processing takes
place within a client relationship, when it processes personal data for direct
marketing purposes, to prevent fraud or to ensure the network and information
security of your IT systems.”

Source EU Commission, ‘What does ‘grounds of legitimate interest’ mean?’


TK v Asociaţia de Proprietari Bloc M5A Scara-A Case C-708/18⁴⁹
This judgement considers legitimate interest as a legal ground of processing and lays
down the conditions for its exercise. The issue involved the use of video surveillance
in a residential building society, and the Court weighed the rights and freedoms of the
data subject against the security requirements of the other residents.

47 ICO, ‘Legitimate interests’. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/lawful-basis/a-guide-to-lawful-basis/lawful-basis-for-processing/legitimate-interests/. Accessed 25 June 2024.
48 European Commission, ‘What does ‘grounds of legitimate interest’ mean?’. https://commission.europa.eu/law/law-topic/data-protection/reform/rules-business-and-organisations/legal-grounds-processing-data/grounds-processing/what-does-grounds-legitimate-interest-mean_en. Accessed 25 June 2024.
49 TK v Asociaţia de Proprietari bloc M5A Scara-A Case C-708/18 ECLI:EU:C:2019:1064.

Facts
The complainant lived in an apartment he owned in a building society named M5A.
At the residential community’s general assembly held in April 2016, the building
society decided to install a video surveillance system. The plan was to install three
cameras in the building’s common parts. The first camera pointed towards the
building’s front, while the other two cameras were in the lift and the ground-floor
hallway.
The complainant claimed that the video surveillance system infringed his privacy.
Even after numerous complaints, the video cameras continued to operate in the
building. In his complaint to the referring Court, the complainant requested the
removal of the cameras.
According to the association, “the decision to install a video surveillance system
had been taken in order to monitor as effectively as possible who enters and leaves
the building, since the lift had been vandalised on many occasions and there had
been burglaries and thefts in several apartments and the common parts.”50 Further,
the association suggested that they had previously taken alternative measures, such
as installing an intercom/magnetic card entry system before installing the video
cameras.
The referring Court suggested, “in a general manner, that processing of personal
data, such as the recording of images by means of a video surveillance system, may
be carried out only if the data subject has given his or her express and unequivocal
consent. …[However] a series of exceptions to that rule, which include the exception
whereby the processing of personal data is required in order to protect the data
subject’s life, physical integrity or health or those of a threatened third party.”51
Questions
The questions that were referred to the CJEU essentially asked whether legitimate
interests could justify the installation of CCTV cameras in the building society in
the absence of the complainant’s consent.

“(1) Are Articles 8 and 52 of the Charter and Article 7(f) of Directive 95/
46 to be interpreted as precluding provisions of national law such as those at
issue in the main proceedings, … in accordance with which video surveillance
may be used to ensure the safety and protection of individuals, property and
valuables and for the pursuit of legitimate interests, without the data subject’s
consent? (2) Are Articles 8 and 52 of the Charter to be interpreted as meaning
that the limitation of rights and freedoms which results from video surveillance
is in accordance with the principle of proportionality, satisfies the requirement
of being ‘necessary’ and ‘meets objectives of general interest or the need to
protect the rights and freedoms of others’, where the controller is able to take
other measures to protect the legitimate interest in question? (3) Is Article 7(f)
of Directive 95/46 to be interpreted as meaning that the ‘legitimate interests’
of the controller must be proven, present and effective at the time of the data
processing? (4) Is Article 6(1)(e) of Directive 95/46 to be interpreted as meaning
that data processing (video surveillance) is excessive or inappropriate where
the controller is able to take other measures to protect the legitimate interest in
question?”

Source M5A Scara Judgement

50 TK v Asociaţia de Proprietari bloc M5A Scara-A Case C-708/18 ECLI:EU:C:2019:1064.
51 TK v Asociaţia de Proprietari bloc M5A Scara-A Case C-708/18 ECLI:EU:C:2019:1064.


The CJEU reiterated the grounds of processing personal data and stated that while
the legal ground of consent is an important ground, the data controller can also rely
on other grounds of processing such as legitimate interest.
Some of the preliminary discussions about whether video surveillance systems
involve personal data processing can be found in a similar case, where the point of
contention was whether using a home security system that monitors a public area
while recording individuals for property protection counts as processing personal
data as defined by Article 3(1) of Directive 95/46. The Court examined the definition
of “personal data” and determined that a person’s image captured by a camera system
falls under the definition of personal data under Article 2(a) Directive 95/46, to the
extent that it can be used to identify an individual. The Court emphasised that every
action taken on personal data, including collection, storage and recording, is within
the scope of processing under Article 2(a) with regard to the automatic processing
of that data. The Court also cited Recitals 15 and 16 of Directive 95/46, which list
video surveillance as an example of automatic processing. According to Article 3(1)
Directive 95/46, this operation was deemed to be the automatic processing of personal
data because the video footage was kept on a continuous recording device.52
52 František Ryneš v Úřad pro ochranu osobních údajů. Case C-212/13 ECLI:EU:C:2014:2428.

Once it is determined that the data controller processes personal data, the data
controller must rely on a legal ground for processing, which can be consent or
legitimate interest, amongst others. It should be noted that legitimate interest under
Article 7(f) operates without the consent of the data subject; consent is the ground
under Article 7(a) only.
According to the CJEU, three cumulative conditions are attached to the functioning
of Article 7(f) of the Directive. The three cumulative conditions are “first, the
pursuit of a legitimate interest by the data controller or by the third party or parties to
whom the data are disclosed; secondly, the need to process personal data for the
legitimate interests pursued; and thirdly, that the fundamental rights and freedoms of
the person concerned by the data protection do not take precedence over the legitimate
interest pursued.”53
As to the first condition, i.e. the data controller’s legitimate interest claim, the Court
weighed the controller’s practice of setting up a video surveillance system. The
objective was to protect property and the health and life of the co-owners of the
building, including that of the complainant. This activity would amount to a legitimate
interest under Article 7(f).
In the context of Article 7(f), the referring Court questioned whether “the interests
pursued by the controller at issue must, first, be ‘proven’ and, secondly, be ‘present
and effective at the time of the data processing’.”54 The interest was present and
effective because there had been previous instances of theft and burglary, which
continued even after other measures, such as various security arrangements at the
gate of the building, had been put in place.
As for the second condition i.e. the need to process for legitimate interest, the
derogations in question should be no more than what is strictly necessary. Therefore,
it must be ascertained that legitimate data processing interests “cannot reasonably
be as effectively achieved by other means less restrictive of the fundamental rights
and freedoms of data subjects, in particular the rights to respect for private life and
to the protection of personal data guaranteed by Articles 7 and 8 of the Charter.”55
This approach relates to the data minimisation principle, as data processing should
correlate to the purpose, and processing must not be beyond the stipulated purpose.
The idea of proportionality must be respected in the workings of the video surveil-
lance device—the specific methods of installing and operating the three installed
cameras, the working hours of the three installed cameras and the opportunity to
block or obscure such images where surveillance is not essential.
As for the third condition, i.e. reconciling fundamental rights vis-à-vis legitimate
purpose, it is important to measure the seriousness of the derogation of fundamental
rights. Further, it is important to consider the nature of personal data—i.e. its sensi-
tivity and access rights of different individuals, including the methods followed while
accessing such data.
The reasonable expectations of data subjects must also be considered, because
processing should not continue beyond what is necessary. These reasonable expectations
must be balanced against the interests of the co-owners who live in the same building
society, whose expectations are equally important.
Therefore, finally, the Court suggested:

“In the light of the foregoing, the answer to the questions raised is that
Article 6(1)(c) and Article 7(f) of Directive 95/46, read in the light of Articles
7 and 8 of the Charter, must be interpreted as not precluding national
provisions which authorise the installation of a video surveillance system,
such as the system at issue in the main proceedings, installed in the common
parts of a residential building, for the purposes of pursuing legitimate interests
of ensuring the safety and protection of individuals and property, without the
consent of the data subjects, if the processing of personal data carried out by
means of the video surveillance system at issue fulfils the conditions laid down
in Article 7(f), which it is for the referring Court to determine.”

Source M5A Scara Judgement

53 TK v Asociaţia de Proprietari bloc M5A Scara-A Case C-708/18 ECLI:EU:C:2019:1064.
54 TK v Asociaţia de Proprietari bloc M5A Scara-A Case C-708/18 ECLI:EU:C:2019:1064.
55 TK v Asociaţia de Proprietari bloc M5A Scara-A Case C-708/18 ECLI:EU:C:2019:1064.


The judgement is important for understanding how the conditions of legitimate interest
apply. When relying on legitimate interest, the data controller must establish the reasons
for pursuing such interests, consider the available alternatives and reconcile fundamental
rights with the legitimate purpose.
Meta Platforms v Verbraucherzentrale Bundesverband eV Case C-252/21⁵⁶
This landmark judgement deals with the question of which legal ground of processing
is most appropriate for online behavioural advertising carried out by Facebook. The
Court delved into whether the necessity for the performance of a contract, legitimate
interest or consent is the most appropriate ground for processing.
It is important to note that “the cookie consent requirement of the e-Privacy
Directive does not provide a legal basis for the processing of personal data. As far as
behavioural targeting entails personal data processing, the data controller that uses
behavioural targeting, such as an advertising network, needs a legal basis for the
processing.”57
Facts
The facts reflect the business model of Facebook and the role that online advertising
plays in it.
Meta Platforms Ireland operated the Facebook social network within the EU free
of charge for private users. The business model was financed by online advertising,
which was tailored to individual users by evaluating their behaviour, interests,
personal situation and purchasing power. Detailed automated profiles of Facebook
users were generated considering “in addition to the data provided by the users
directly when they sign up for the online services concerned, other user- and
device-related data [were] also collected on and off that social network and the online
services provided by the Meta group, and linked to their various user accounts.”58
This step allowed for the generation of an aggregate view of the users’ preferences
and interests. Meta relied on user agreement to carry out this processing, which the
users agreed to when signing up for the services. The general terms provided the
company’s cookie and data policy. The terms also provided that “Meta Platforms
Ireland collect[ed] user- and device-related data about user activities on and off the
social network and link[ed] the data with the Facebook accounts of the users
concerned. The latter data, relating to activities outside the social network (‘the
off-Facebook data’), [were] data concerning visits to third-party webpages and apps,
which [were] linked to Facebook through programming interfaces—‘Facebook
Business Tools’—as well as data concerning the use of other online services
belonging to the Meta group, including Instagram, WhatsApp, Oculus and—until
13 March 2020—Masquerade.”59 Against this background, the CJEU decided on the
most appropriate legal basis for processing for online behavioural advertising. The
questions before the CJEU were as follows.
Questions

“Can an undertaking, such as [Meta Platforms Ireland], which operates a digital
social network funded by advertising and offers personalised content and
advertising, network security, product improvement and consistent, seamless use of
all of its group products in its terms of service, justify collecting data for these
purposes from other group services and third-party websites and apps via
integrated interfaces such as ‘Facebook Business Tools’, or via cookies or similar
storage technologies placed on the internet user’s computer or mobile device,
linking those data with the user’s Facebook.com account and using them, on the
ground of necessity for the performance of the contract under Article 6(1)(b)
of the GDPR or on the ground of the pursuit of legitimate interests under
Article 6(1)(f) of the GDPR?
In those circumstances, can – the fact of users being underage, vis-à-vis the
personalisation of content and advertising, product improvement, network
security and non-marketing communications intended for the user;
– the provision of measurements, analytics and other business services to
enable advertisers, developers and other partners to evaluate and improve their
services;
– the provision of marketing communications intended for the user to enable
the undertaking to improve its products and engage in direct marketing;
– research and innovation for social good, to further the state of the art or
the academic understanding of important social issues and to affect society and
the world in a positive way;
– the sharing of information with law-enforcement agencies and responding
to legal requests in order to prevent, detect and prosecute criminal offences,
unlawful use, breaches of the terms of service and policies and other harmful
behaviour;
also constitute legitimate interests within the meaning of Article 6(1)(f) of the
GDPR if, for those purposes, the undertaking [collects data from other group
services and from third-party websites and apps via integrated interfaces such
as ‘Facebook Business Tools’, or via cookies or similar storage technologies
placed on the internet user’s computer or mobile device, links those data with
the user’s Facebook.com account and uses them]?
In those circumstances, can collecting data from other group services and
from third-party websites and apps via integrated interfaces such as ‘Facebook
Business Tools’, or via cookies or similar storage technologies placed on the
internet user’s computer or mobile device, linking those data with the user’s
Facebook.com account and using them, or using data already collected and
linked by other lawful means, also be justified under Article 6(1)(c), (d) and
(e) of the GDPR in individual cases, for example to respond to a legitimate
request for certain data (point (c)), to combat harmful behaviour and promote
security (point (d)), to research for social good and to promote safety, integrity
and security (point (e))?
Can consent within the meaning of Article 6(1)(a) and Article 9(2)(a) of
the GDPR be given effectively and, in accordance with Article 4(11) of the
GDPR in particular, freely, to a dominant undertaking such as [Meta Platforms
Ireland]?”

Source Meta Judgement

56 Meta Platforms v Verbraucherzentrale Bundesverband eV Case C-252/21 ECLI:EU:C:2023:537.
57 Frederik J. Zuiderveen Borgesius, ‘Personal data processing for behavioural targeting: which legal basis?’, (2015) 5(3) International Data Privacy Law 163–176, https://doi.org/10.1093/idpl/ipv011.
58 Meta Platforms v Verbraucherzentrale Bundesverband eV Case C-252/21 ECLI:EU:C:2023:537.
59 Meta Platforms v Verbraucherzentrale Bundesverband eV Case C-252/21 ECLI:EU:C:2023:537.


As for the scope of the ground of necessity for the performance of a contract, the
CJEU held that it requires the processing to be “objectively indispensable for
a purpose” integral to a contractual obligation. This essentially means that there is no
alternative to processing the data: without it, the data controller would not be able
to fulfil the tasks assigned under the contractual obligation, and no available
alternative is less intrusive than the chosen form of data processing. The CJEU
discussed whether personalisation is necessary to offer social network services and
questioned the utility of personalised service in the overall context of the data
controller providing services under contractual obligations. The answer was in the
negative: personalised service could not be linked, as a necessary activity, to the
overall obligation of the data controller under the contract.

“…[I]n order for the processing of personal data to be regarded as necessary
for the performance of a contract, within the meaning of that provision, it must
be objectively indispensable for a purpose that is integral to the contractual
obligation intended for the data subject. The controller must therefore be able
to demonstrate how the main subject matter of the contract cannot be achieved
if the processing in question does not occur…
…The fact that such processing may be referred to in the contract or may be
merely useful for the performance of the contract is, in itself, irrelevant in
that regard. The decisive factor for the purposes of applying the justification
set out in point (b) of the first subparagraph of Article 6(1) of the GDPR is
rather that the processing of personal data by the controller must be essential
for the proper performance of the contract concluded between the controller
and the data subject and, therefore, that there are no workable, less intrusive
alternatives…
…As regards, first, the justification based on personalised content, it is important
to note that, although such a personalisation is useful to the user, in so far as
it enables the user, inter alia, to view content corresponding to a large extent
to his or her interests, the fact remains that, subject to verification by the
referring Court, personalised content does not appear to be necessary in order
to offer that user the services of the online social network. Those services
may, where appropriate, be provided to the user in the form of an equivalent
alternative which does not involve such a personalisation, such that the latter is
not objectively indispensable for a purpose that is integral to those services.”

Source Meta Judgement


The CJEU, while discussing legitimate interest and its scope, referred to the
GDPR. Under the GDPR, the reasons behind relying on legitimate interest, the
‘need’ to process personal data, and the balancing of the individual’s rights against
the legitimate interests are the three pillars that the data controller must follow. To
meet the transparency requirement, the data controller should inform the data subject
of the legitimate interest behind processing personal data. It has to be further
investigated whether there are other means of processing, less intrusive for the
fundamental rights of the data subject, than the adopted way of processing. The
overarching idea is to restrict overprocessing of personal data in strict adherence to
the data minimisation principle. Data subjects’ reasonable expectations in the context
of the processed data are an essential yardstick to legitimise the processing in
question. Their interests and fundamental rights hold an upper hand against the
interest of the data controller.

“First, with regard to the condition relating to the pursuit of a legitimate interest,
it must be stated that, according to Article 13(1)(d) of the GDPR, it is the
responsibility of the controller, at the time when personal data relating to a data subject
are collected from that person, to inform him or her of the legitimate interests
pursued where that processing is based on point (f) of the first subparagraph
of Article 6(1) of that regulation…
…Second, with regard to the condition that the processing of personal data be
necessary for the purposes of the legitimate interests pursued, that condition
requires the referring Court to ascertain that the legitimate data processing
interests pursued cannot reasonably be achieved just as effectively by other
means less restrictive of the fundamental rights and freedoms of data subjects,
in particular the rights to respect for private life and to the protection of personal
data guaranteed by Articles 7 and 8 of the Charter.
…In this context, it should also be recalled that the condition relating to the need
for processing must be examined in conjunction with the ‘data minimisation’
principle enshrined in Article 5(1)(c) of the GDPR, in accordance with which
personal data must be ‘adequate, relevant and limited to what is necessary in
relation to the purposes for which they are processed’…
…Third, with regard to the condition that the interests or fundamental rights and
freedoms of the person concerned by the data protection do not take precedence
over the legitimate interests of the controller or of a third party, the Court has
already held that that condition entails a balancing of the opposing rights and
interests at issue which depends in principle on the specific circumstances of
the particular case and that, consequently, it is for the referring Court to carry
out that balancing exercise, taking account of those specific circumstances…
Furthermore, as can be seen from Recital 47 of the GDPR, the interests and
fundamental rights of the data subject may in particular override the interest of
the data controller where personal data are processed in circumstances where
data subjects do not reasonably expect such processing.”

Source Meta Judgement


Applying the requirements of legitimate interest under the GDPR to the case on
online behavioural advertising on Facebook, the CJEU stated that online behavioural
advertising went against the reasonable expectations of the data subject. While
Recital 47 allows direct marketing as a legitimate interest of a data controller, it has
to be balanced against the reasonable expectations of the data subject. A data subject
cannot reasonably be expected to know that a free service would result in processing
for personalised advertising.

The Court held that, “First, with regard to personalised advertising, it must be
borne in mind that, according to Recital 47 of the GDPR, the processing of
personal data for direct marketing purposes may be regarded as carried out for
a legitimate interest of the controller…
…However, such processing must also be necessary in order to achieve that
interest and the interests or fundamental freedoms and rights of the data subject
must not override that interest. In the context of that balancing of the opposing
rights at issue, namely, those of the controller, on the one hand, and those
of the data subject, on the other, account must be taken, [..] in particular of the
reasonable expectations of the data subject as well as the scale of the processing
at issue and its impact on that person…
…In this regard, it is important to note that, despite the fact that the services of
an online social network such as Facebook are free of charge, the user of that
network cannot reasonably expect that the operator of the social network will
process that user’s personal data, without his or her consent, for the purposes
of personalised advertising. In those circumstances, it must be held that the
interests and fundamental rights of such a user override the interest of that
operator in such personalised advertising by which it finances its activity, with
the result that the processing by that operator for such purposes cannot fall
within the scope of point (f) of the first subparagraph of Article 6(1) of the
GDPR…
…Furthermore, the processing at issue in the main proceedings is particularly
extensive since it relates to potentially unlimited data and has a significant
impact on the user, a large part – if not almost all – of whose online activities
are monitored by Meta Platforms Ireland, which may give rise to the feeling
that his or her private life is being continuously monitored.”

Source Meta Judgement


As for the scope of the ground of legitimate interest for specific processing
purposes, even for purposes such as ensuring network security, product
improvement and information sharing with law enforcement agencies, the CJEU
found that legitimate interest would not be the appropriate legal basis for
processing. Recital 49 does allow processing for network security as a legitimate
interest of a data controller. However, the principle of proportionality is used to
measure the actual need, the rights of data subjects and the opportunity to minimise
data processing against the extent of actual processing. The Court held that,

“[a]s regards the objective of ensuring network security, that objective, as stated
in Recital 49 of the GDPR, constitutes a legitimate interest of Meta Platforms
Ireland, capable of justifying the processing operation at issue in the main
proceedings…
…However, as regards the need for that processing for the purposes of that
legitimate interest, the referring Court will have to ascertain whether and to
what extent the processing of personal data collected from sources outside
the social network Facebook is actually necessary to ensure that the internal
security of that network is not compromised…
…In that context, [..] it will also have to ascertain whether the legitimate data
processing interest pursued cannot reasonably be achieved just as effectively by
other means less restrictive of the fundamental freedoms and rights of the data
subjects, in particular the rights to respect for private life and to the protection
of personal data guaranteed by Articles 7 and 8 of the Charter and whether
the ‘data minimisation’ principle enshrined in Article 5(1)(c) of the GDPR has
been observed…
…as regards the ‘product improvement’ objective, it cannot be ruled out from
the outset that the controller’s interest in improving the product or service with
a view to making it more efficient and thus more attractive can constitute a
legitimate interest capable of justifying the processing of personal data and
that such processing may be necessary in order to pursue that interest…
…However, subject to final assessment by the referring Court in that respect,
it appears doubtful whether, as regards the data processing at issue in the
main proceedings, the ‘product improvement’ objective, given the scale of that
processing and its significant impact on the user, as well as the fact that the user
cannot reasonably expect those data to be processed by Meta Platforms Ireland,
may override the interests and fundamental rights of such a user, particularly
in the case where that user is a child…
…as regards the objective referred to by the referring Court, relating to the
sharing of information with law-enforcement agencies in order to prevent,
detect and prosecute criminal offences, it must be held that that objective
is not capable, in principle, of constituting a legitimate interest pursued by
the controller, within the meaning of point (f) of the first subparagraph of
Article 6(1) of the GDPR. A private operator such as Meta Platforms Ireland
cannot rely on such a legitimate interest, which is unrelated to its economic
and commercial activity. Conversely, that objective may justify processing by
such an operator where it is objectively necessary for compliance with a legal
obligation to which that operator is subject.”

Source Meta Judgement


As for the scope of the ground of consent, the CJEU considered whether consent
was an appropriate basis for online behavioural advertising. The Court first explained
the requirements of freely given consent under the GDPR: the presence of a genuine
choice, a separate choice for each separate processing operation, and the performance
of a contract not being made conditional on consent to processing that is not necessary
for that performance.

“Article 4(11) of the GDPR [...] defines ‘consent’ as meaning ‘any freely given,
specific, informed and unambiguous indication of the data subject’s wishes by
which he or she, by a statement or by a clear affirmative action, signifies
agreement to the processing of personal data relating to him or her’…
…according to Recital 42 of the GDPR, consent cannot be regarded as freely
given if the data subject has no genuine or free choice or is unable to refuse or
withdraw consent without detriment….
…In the second place, Recital 43 of that regulation states that, in order to ensure
that consent is freely given, consent should not provide a valid legal ground
for the processing of personal data where there is a clear imbalance between
the data subject and the controller. That Recital also clarifies that consent is
presumed not to be freely given if it does not allow separate consent to be given
to different personal data processing operations despite it being appropriate in
the individual case….
…In the third place, Article 7(4) of the GDPR provides that when assessing
whether consent is freely given, utmost account must be taken of whether,
inter alia, the performance of a contract, including the provision of a service, is
conditional on consent to the processing of personal data that is not necessary
for the performance of that contract….
…In that regard, it should be noted that, admittedly, the fact that the operator of
an online social network, as controller, holds a dominant position on the social
network market does not, as such, prevent the users of that social network from
validly giving their consent, within the meaning of Article 4(11) of the GDPR,
to the processing of their personal data by that operator.”

Source Meta Judgement


The Court assessed freely given consent in the context of online behavioural adver-
tising on Facebook and indicated that although social network operators can hold a
dominant position on the market, this does not preclude users from being able to give
valid consent to processing by the operator. However, the dominant position is important
in determining whether free consent was validly given. Further, data processing that is
not necessary for the performance of the terms incorporated in a contract must be
supported by the free and fair consent of the data subject. This shows that consent
acts as a catalyst even when other legal grounds of processing have been relied upon.
The intricacies of using consent as a legal basis are discussed further in the
next chapter. The Court held that,

“[..]such a circumstance must be taken into consideration in assessing whether
the user of that network has validly and, in particular, freely given consent,
since that circumstance is liable to affect the freedom of choice of that user,
who might be unable to refuse or withdraw consent without detriment, as stated
in Recital 42 of the GDPR....
…Furthermore, the existence of such a dominant position may create a clear
imbalance, within the meaning of Recital 43 of the GDPR, between the data
subject and the controller, that imbalance favouring, inter alia, the imposition of
conditions that are not strictly necessary for the performance of the contract,
which must be taken into account under Article 7(4) of that regulation. In
that context, it must be borne in mind that, [..] it does not appear, subject to
verification by the referring Court, that the processing at issue in the main
proceedings is strictly necessary for the performance of the contract between
Meta Platforms Ireland and the users of the social network Facebook…
..Thus, those users must be free to refuse individually, in the context of the
contractual process, to give their consent to particular data processing opera-
tions not necessary for the performance of the contract, without being obliged
to refrain entirely from using the service offered by the online social network
operator, which means that those users are to be offered, if necessary for
an appropriate fee, an equivalent alternative not accompanied by such data
processing operations….
…Moreover, given the scale of the processing of the data in question and the
significant impact of that processing on the users of that network as well as the
fact that those users cannot reasonably expect data other than those relating
to their conduct within the social network to be processed by the operator of
that network, it is appropriate, within the meaning of Recital 43, to have the
possibility of giving separate consent for the processing of the latter data, on
the one hand, and the off-Facebook data, on the other. It is for the referring
Court to ascertain whether such a possibility exists, in the absence of which
the consent of those users to the processing of the off-Facebook data must be
presumed not to be freely given….
…Finally, it must be borne in mind that, pursuant to Article 7(1) of the GDPR,
where processing is based on consent, it is the controller who bears the burden
of demonstrating that the data subject has consented to the processing of his
or her personal data.”

Source Meta Judgement


The Meta case signifies that the data controller must use the most appropriate
legal basis of processing in any given situation. Online behavioural advertising is not
necessary to provide a social network service. Besides, it affects individuals’ funda-
mental rights and reasonable expectations, given the large scale of data processing.
Thus, consent is the appropriate legal basis, but it must be ensured that the freely given
consent of the user is sought. Both the Meta case and the M5A Scara case suggest
that it is not just important to choose the appropriate legal basis of processing but
also to fulfil the requirements of that legal basis. The legitimacy of any legal basis
of processing personal data has to be proportional to data subjects’ rights. For a
data controller, the choice of a legal basis should be commensurate with the purpose
of data processing and with the data minimisation principle.

5 ePrivacy Directive

Other than the 1995 Data Protection Directive and the GDPR, there are other
data protection endeavours in the EU. One of the major Directives is the ePrivacy
Directive, which, in its own words:

“…harmonises the provisions of the Member States required to ensure an
equivalent level of protection of fundamental rights and freedoms, and in partic-
ular the right to privacy, with respect to the processing of personal data in the
electronic communication sector and to ensure the free movement of such data
and of electronic communication equipment and services in the Community.”

Source Directive 2002/58/EC


The following sections discuss judgements that have interpreted provisions of the
ePrivacy Directive. They explain different facets of the ePrivacy Directive and issues
such as privacy vis-à-vis surveillance and law enforcement vis-à-vis privacy.

5.1 Scope of Article 15(1) of the ePrivacy Directive

This section discusses the judgements involving La Quadrature du Net and Privacy
International to explain how Article 15(1) of the ePrivacy Directive must be inter-
preted where information is processed for surveillance. Article 15(1) allows Member
States to adopt restrictions on individual rights by necessary, appropriate and
proportionate measures. The Court held that EU law precluded national legislation
mandating providers of electronic communications services to transmit traffic data
and location data to security and intelligence agencies on a broad and indiscriminate
basis to protect national security.

5.1.1 La Quadrature du Net and Others v Premier ministre and Others


Joined Cases C-511/18, C-512/18 and C-520/18⁶⁰

Facts
La Quadrature du Net and French Data Network brought actions before the Council
of State, France, seeking annulment of the contested provisions on the grounds that they
infringed the French Constitution, the ECHR and Directives 2000/31 and 2002/58, read
in the light of Articles 7, 8 and 47 of the Charter. The relevant Articles of the Internal
Security Code in question were the following.

Article L. 851-2 of the Code de la sécurité intérieure (Internal Security Code)
(hereinafter CSI) provides:
“for the sole purpose of preventing terrorism, the collection in real time, on
the networks of the operators and persons referred to in Article L. 851-1,
of the information or documents referred to in that article relating to a person
previously identified as potentially having links to a threat, may be individually
authorised.”
Article L. 851-3 of the CSI provides:
“for the sole purpose of preventing terrorism, the operators and persons referred
to in Article L. 851-1 may be required to implement on their networks auto-
mated data processing practices designed, within the parameters laid down
in the authorisation, to detect links that might constitute a terrorist threat….
The data shall be used within 60 days of collection and shall be destroyed
upon expiry of that period, unless there are substantial grounds confirming
the existence of a terrorist threat associated with one or more of the persons
concerned.”
Article L. 851-4 of the CSI reads as follows:
“technical data relating to the location of the terminal equipment used, as
mentioned in Article L. 851-1, may be collected upon request from the network
and transmitted in real time by the operators”

Source La Quadrature du Net Judgement


Therefore, the issues concerned the tracking of individuals and their location data, the
role of electronic communication services, the indiscriminate and arbitrary storage of
data, the extent of interference with the private life of natural persons, the application
of intelligence techniques and whether they fell within the framework of the Internal
Security Code, the available remedial measures and the structure of judicial review,
amongst other things.

60 La Quadrature du Net and Others v Premier ministre and Others. Joined Cases C-511/18, C-512/18 and C-520/18. ECLI:EU:C:2020:791.

Questions
The essential question before the CJEU was whether the legislative measures of
Member States restricting the right to privacy are justified as per Article 15(1)
of the ePrivacy Directive, which requires necessary, appropriate and proportionate
measures.

“(1) Is the general and indiscriminate retention obligation imposed on providers
on the basis of the implementing provisions of Article 15(1) of [Directive 2002/58]
58] to be regarded, against a background of serious and persistent threats to
national security, and in particular the terrorist threat, as interference justified by
the right to security guaranteed in Article 6 of the [Charter] and the requirements
of national security, responsibility for which falls to the Member States alone
pursuant to Article 4 [TEU]?
(2) Is [Directive 2002/58], read in the light of the [Charter], to be interpreted as
authorising legislative measures, such as the measures for the real-time collec-
tion of the traffic and location data of specified individuals, which, whilst
affecting the rights and obligations of the providers of an electronic commu-
nications service, do not however require them to comply with a specific
obligation to retain their data?”

Source La Quadrature du Net Judgement


The main provision in question was Article 15(1) of the ePrivacy Directive, which
allows restrictions on rights subject to safeguards.

“Member States may adopt legislative measures to restrict the scope of the
rights and obligations …of this Directive when such restriction constitutes a
necessary, appropriate and proportionate measure within a democratic society
to safeguard national security (i.e. State security), defence, public security, and
the prevention, investigation, detection and prosecution of criminal offences
or of unauthorised use of the electronic communication system…To this end,
Member States may, …adopt legislative measures providing for the retention
of data for a limited period justified on the grounds laid down in this paragraph.
All the measures referred to in this paragraph shall be in accordance with the
general principles of [Union]
law…”

Source Article 15, ePrivacy Directive


Electronic communications services can retain a significant amount of traffic and
location data over time, leading to a general and indiscriminate way of handling data.
As some of the data could be sensitive in nature, the process entails a risk of abuse
and of unlawful access. Therefore, electronic communications services are
expected to keep the communications and data of subscribers anonymous. They must
not record such communications unless there is an agreement to the contrary.
However, Article 15(1) of Directive 2002/58 allows Member States to introduce
a certain legislative framework that derogates from the scope of Articles 7, 8 and 11 of
the Charter of Fundamental Rights, which recognise, inter alia, the right to privacy and
personal data protection. The rights enshrined under these Articles are not absolute
and must be measured against the rights that are essential for the functioning of a
democratic society. But the steps taken to preserve those rights within a democratic
society should be necessary, appropriate and proportionate to the freedoms and rights
of the natural persons whose traffic and location data are tracked. Recital 11 of the
Directive reads that the intended purpose should decide the course of measures
undertaken. In the context of necessary, appropriate and proportionate measures, the
CJEU suggested:

“…[i]n order to satisfy the requirement of proportionality, the legislation must
lay down clear and precise rules governing the scope and application of the
measure in question and imposing minimum safeguards, so that the persons
whose personal data is affected have sufficient guarantees that data will be
effectively protected against the risk of abuse. That legislation must be legally
binding under domestic law and, in particular, must indicate in what circum-
stances and under which conditions a measure providing for the processing of
such data may be adopted, thereby ensuring that the interference is limited to
what is strictly necessary…”

Source La Quadrature du Net Judgement


The meaning of proportionality was reflected in a judgement on Article 7(e) of
the Data Protection Directive (95/46/EC), where the ECJ issued a preliminary ruling
to the Supreme Court of the Slovak Republic concerning the meaning of “a task
carried out in the public interest”61 as a legal justification for processing personal
data. The ECJ ruled that, as long as certain requirements are satisfied, tax authorities
may process personal data for the purposes of tax collection and tax fraud prevention,
since such processing is not precluded by the “tasks carried out in the public interest”
specified in Article 7(e) of the Directive. The ECJ emphasised the proportionality
principle, stating that “derogations from the protection of personal data and its
limitations must be carried out within the limits of what is strictly necessary.”62
Consequently, the Supreme Court had to decide whether the processing was necessary
for that goal and whether there was no other, less restrictive way to accomplish it.63

61 Peter Puškár v Finančné riaditeľstvo Slovenskej republiky, Kriminálny úrad finančnej správy C-73/16.
62 Peter Puškár v Finančné riaditeľstvo Slovenskej republiky, Kriminálny úrad finančnej správy C-73/16.
63 Peter Puškár v Finančné riaditeľstvo Slovenskej republiky, Kriminálny úrad finančnej správy C-73/16.

The Court applied the tests of necessity, proportionality and safeguards to
legislative measures that permit intrusive actions into the private lives of natural
persons, even where the aim of national legislation framed under Article 15(1) is to
combat serious crime and threats to public security. Article 15(1), read with Arti-
cles 7, 8, 11 and 52 of the Charter of Fundamental Rights, will not preclude legislative
measures protecting national security and preventing threats in a democratic society.
However, such pre-conditions should be genuine, present and foreseeable. Where the
processing seriously jeopardises the rights under Articles 7 and 8 of the Charter, it
may only take place where there is a serious threat to national security. Furthermore, an
effective review must be carried out by a Court or an independent administra-
tive body. The review system should reflect upon the safeguarding measures in place
to reduce the instances of possible abuse. For instance, data retention cannot be the
general rule, since that takes us away from the data minimisation principle. Besides,
data must not be retained systematically and continuously, especially given the
sensitivity attached to the traffic and location data that electronic communication
service providers may collect. Such retention could seriously threaten the private life
of individuals who have subscribed to services offered by the service providers.
The above assertion is also relevant when combating serious crime or preventing
threats to public security. Following the principle of proportionality, the duration
of retention should be limited to what the circumstances and objectives strictly
require.
The Court listed the above principles when considering automated analysis and
real-time collection, inter alia, of traffic and location data. They emphasised:

“It …must be interpreted as not precluding national rules which requires
providers of electronic communications services to have recourse, first, to the
automated analysis and real-time collection, inter alia, of traffic and location
data and, second, to the real-time collection of technical data concerning the
location of the terminal equipment used, where:
– recourse to automated analysis is limited to situations in which a Member State
is facing a serious threat to national security which is shown to be genuine and
present or foreseeable, and where recourse to such analysis may be the subject
of an effective review, either by a Court or by an independent administrative
body whose decision is binding, the aim of that review being to verify that a
situation justifying that measure exists and that the conditions and safeguards
that must be laid down are observed; and where
– recourse to the real-time collection of traffic and location data is limited to
persons in respect of whom there is a valid reason to suspect that they are
involved in one way or another in terrorist activities and is subject to a prior
review carried out either by a Court or by an independent administrative body
whose decision is binding in order to ensure that such real-time collection is
authorised only within the limits of what is strictly necessary. In cases of duly
justified urgency, the review must take place within a short time.”

Source La Quadrature du Net Judgement


The Court mentioned that the data retention period must be strictly related to the
threat. The processes for data retention should be non-discriminatory. For instance,
if retention is based on categories of persons or geographical locations, the retention
period should be limited to the time that is strictly necessary. This extends to the
indiscriminate retention of IP addresses assigned to the source of a connection. The
retention period should not extend beyond the purpose for which the data was stored
in the first place.
A similar evaluation was carried out by the CJEU in the Privacy International
case, whose facts and findings are discussed below.

5.1.2 Privacy International C-623/17⁶⁴

The Privacy International judgement concerns the application of Article 15(1) of the
ePrivacy Directive to the processing of bulk communications data by security and
intelligence agencies. Privacy International, a UK-based advocacy group, filed a case
with the Investigatory Powers Tribunal (UK) challenging the validity of legislation
authorising the collection and use of bulk communications data by security and
intelligence agencies (namely GCHQ, MI5 and MI6). The defendants admitted to using
bulk personal data (such as biographical, travel, financial, commercial and
communications data) for cross-checking, automated processing and disclosure to
other persons, authorities and overseas partners. The intelligence agencies had been
using data obtained from public electronic communications networks.
Facts
Since 2015, there have existed practices whereby bulk communications data was
acquired by various security and intelligence agencies of the United Kingdom (GCHQ,
MI5 and MI6). The data involved biographical data, travel data, financial or
commercial information and communications data, and was liable to include sensitive
data covered by professional secrecy or journalistic material. The data was collected
by various secret means. Automated means were used when collecting such data, and
the data was cross-checked against multiple databases. Further, the authorities shared
the data with other authorities and foreign partners.
Following the RIPA [Regulation of Investigatory Powers Act 2000], the collected
data included traffic data and service use information. With the help of such data
and information, it would be possible to know the ‘who, where, when and how’
of a communication. This kind of data was transferred to the security and intelli-
gence agencies, which retained it for use in their activities. The referring Court

64 Privacy International v Secretary of State for Foreign and Commonwealth Affairs and Others. Case C-623/17. ECLI:EU:C:2020:790.

further added “that the databases compiled by the security and intelligence agencies
[were] subject to bulk, unspecific, automated processing, with the aim of discovering
unknown threats. To that end, the referring Court state[d] that the sets of metadata
thus compiled should be as comprehensive as possible, so as to have a ‘haystack’ in
order to find the ‘needle’ hidden therein.”65
The Court considered Recital 11 of Directive 2002/58, which indicates that
Member States can carry out lawful interceptions, which should be strictly propor-
tionate to the intended purpose that is considered necessary for the functioning of
a democratic society. All actions are to be measured against available adequate
safeguards.
The case examined whether general and indiscriminate transmission of traffic and
location data was allowed under Article 15(1) in the given circumstances.

“…it should be noted that the transmission of traffic data and location data to
persons other than users, such as security and intelligence agencies, derogates
from the principle of confidentiality. Where that operation is carried out, as in
the present case, in a general and indiscriminate way, it has the effect of making
the exception to the obligation of principle to ensure the confidentiality of data
the rule, whereas the system established by Directive 2002/58 requires that that
exception remain an exception.
Lastly, given the significant amount of traffic data and location data that can be
retained continuously by a general retention measure and the sensitive nature
of the information that data may provide, the mere retention of that data by
the providers of electronic communications services entails a risk of abuse and
unlawful access.
It follows that national legislation requiring providers of electronic communi-
cations services to disclose traffic data and location data to the security and
intelligence agencies by means of general and indiscriminate transmission
exceeds the limits of what is strictly necessary and cannot be considered to be
justified, within a democratic society, as required by Article 15(1) of Directive
2002/58, read in the light of Article 4(2) TEU and Articles 7, 8 and 11 and
Article 52(1) of the Charter.
In the light of all the foregoing considerations, …precluding national legislation
enabling a State authority to require providers of electronic communications
services to carry out the general and indiscriminate transmission of traffic data
and location data to the security and intelligence agencies for the purpose of
safeguarding national security.”

Source Privacy International Judgement

65 Privacy International v Secretary of State for Foreign and Commonwealth Affairs and Others. Case C-623/17. ECLI:EU:C:2020:790.

In sum, the judgements involving La Quadrature and Privacy International
explain the requirements of necessity, proportionality and safeguards when legislative
measures restrict the right to privacy and personal data protection. Besides, the judge-
ments indicate that the seriousness of the intrusion by the legislative measures must
be considered alongside the seriousness of the objective sought to be achieved.

5.1.3 Ministerio Fiscal. Case C-207/16⁶⁶

Another judgement that deals with the interpretation of Article 15(1) of the ePrivacy
Directive read with fundamental rights under the Charter of Fundamental Rights
is Ministerio Fiscal. The judgement was about a situation when public authorities
wanted to access data concerning SIM cards so that they could identify individuals
using stolen mobile phones.
Facts

“Mr Hernandez Sierra lodged a complaint with the police for a robbery, which
took place on 16 February 2015, during which he was injured and his wallet
and mobile telephone were stolen.
On 27 February 2015, the police requested the investigating magistrate to order
various providers of electronic communications services to provide (i) the tele-
phone numbers that had been activated between 16 February and 27 February
2015 with the International Mobile Equipment Identity code (‘the IMEI code’)
of the stolen mobile telephone and (ii) the personal data relating to the identity
of the owners or users of the telephone numbers corresponding to the SIM
cards activated with the code, such as their surnames, forenames and, if need
be, addresses.
By order of 5 May 2015, the investigating magistrate refused that request.
The latter held that the measure requested would not serve to identify the
perpetrators of the offence. Moreover, it refused to grant the request on the
ground that Law 25/2007 limited the communication of the data retained by
the providers of electronic communications services to serious offences. Under
the Criminal Code, serious offences are punishable by a term of imprisonment
of more than five years, whereas the facts at issue in the main proceedings did
not appear to constitute such an offence.”

Source Ministerio Fiscal Judgement


Questions
In the words of the CJEU, “the referring Court ask[ed], in essence, whether
Article 15(1) of Directive 2002/58, read in the light of Articles 7 and 8 of the Charter,
must be interpreted as meaning that public authorities’ access to data for the purpose
of identifying the owners of SIM cards activated with a stolen mobile telephone,
such as the surnames, forenames and, if need be, addresses of the owners of the SIM
cards, entails interference with their fundamental rights, enshrined in those articles
of the Charter, which is sufficiently serious to entail that access being limited, in the
area of prevention, investigation, detection and prosecution of criminal offences, to
the objective of fighting serious crime and, if so, by reference to which criteria the
seriousness of the offence at issue must be assessed.”67

66 Proceedings brought by Ministerio Fiscal. C-207/16. ECLI:EU:C:2018:788.

“.. the access of public authorities to such data constitutes an interference with
the fundamental right to respect for private life, enshrined in Article 7 of the
Charter, even in the absence of circumstances which would allow that interfer-
ence to be defined as ‘serious’, without it being relevant that the information in
question relating to private life is sensitive or whether the persons concerned
have been inconvenienced in any way. Such access also constitutes interfer-
ence with the fundamental right to the protection of personal data guaranteed
in Article 8 of the Charter, as it constitutes processing of personal data..
As regards the objectives that are capable of justifying national legislation, such
as that at issue in the main proceedings, governing the access of public author-
ities to data retained by providers of electronic communications services and
thereby derogating from the principle of confidentiality of electronic commu-
nications, it must be borne in mind that the list of objectives set out in the
first sentence of Article 15(1) of Directive 2002/58 is exhaustive, as a result
of which that access must correspond, genuinely and strictly, to one of those
objectives
As regards the objective of preventing, investigating, detecting and prosecuting
criminal offences, it should be noted that the wording of the first sentence of
Article 15(1) of Directive 2002/58 does not limit that objective to the fight
against serious crime alone, but refers to ‘criminal offences’ generally.
In that regard, the Court has admittedly held that, in areas of prevention, inves-
tigation, detection and prosecution of criminal offences, only the objective
of fighting serious crime is capable of justifying public authorities’ access
to personal data retained by providers of electronic communications services
which, taken as a whole, allow precise conclusions to be drawn concerning the
private lives of the persons whose data is concerned.
.. the objective pursued by legislation governing that access must be propor-
tionate to the seriousness of the interference with the fundamental rights in
question that that access entails..

67 Proceedings brought by Ministerio Fiscal. C-207/16. ECLI:EU:C:2018:788.

In accordance with the principle of proportionality, serious interference can
be justified, in areas of prevention, investigation, detection and prosecution of
criminal offences, only by the objective of fighting crime which must also be
defined as ‘serious’.
By contrast, when the interference that such access entails is not serious, that
access is capable of being justified by the objective of preventing, investigating,
detecting and prosecuting ‘criminal offences’ generally.”

Source Ministerio Fiscal Judgement


As the previous cases have indicated, the seriousness of the intrusion must be
considered alongside the seriousness of the objectives sought to be achieved.
The CJEU applied this principle to the present facts. The extent of the interference
should be in proportion to the seriousness of the activity vis-à-vis the rights and
freedoms of the data subject. In the process, the CJEU explained the scope of
Article 15(1), which covers both serious crimes and fighting crime generally.

“…the sole purpose of the request at issue in the main proceedings, by which the
police seeks, for the purposes of a criminal investigation, a Court authorisation
to access personal data retained by providers of electronic communications
services, is to identify the owners of SIM cards activated over a period of 12
days with the IMEI code of the stolen mobile telephone...that request seeks
access to only the telephone numbers corresponding to those SIM cards and
to the data relating to the identity of the owners of those cards, such as their
surnames, forenames and, if need be, addresses. By contrast, those data do
not concern, as confirmed by both the Spanish Government and the Public
Prosecutor’s Office during the hearing, the communications carried out with
the stolen mobile telephone or its location.
It is therefore apparent that the data concerned by the request for access at issue
in the main proceedings only enables the SIM card or cards activated with the
stolen mobile telephone to be linked, during a specific period, with the identity
of the owners of those SIM cards. Without those data being cross-referenced
with the data pertaining to the communications with those SIM cards and the
location data, those data do not make it possible to ascertain the date, time,
duration and recipients of the communications made with the SIM card or cards
in question, nor the locations where those communications took place or the
frequency of those communications with specific people during a given period.
Those data do not therefore allow precise conclusions to be drawn concerning
the private lives of the persons whose data is concerned.
In those circumstances, access to only the data referred to in the request at
issue in the main proceedings cannot be defined as ‘serious’ interference with
the fundamental rights of the persons whose data is concerned.
…the interference that access to such data entails is therefore capable of being
justified by the objective, to which the first sentence of Article 15(1) of Directive
2002/58 refers, of preventing, investigating, detecting and prosecuting
‘criminal offences’ generally, without it being necessary that those offences be
defined as ‘serious’.”

Source Ministerio Fiscal Judgement


In conclusion, the CJEU held that the access at issue did not amount to a serious
interference with the rights of the persons whose data was concerned. The interference
therefore falls within the scope of Article 15(1) as access for the prevention,
investigation, detection and prosecution of criminal offences generally, without
those offences having to be classified as serious.

5.2 ePrivacy vis-à-vis Intellectual Property Infringement

The Promusicae judgement interpreted the relationship between Directive 2000/31/EC
and the ePrivacy Directive. The question arose in proceedings between Promusicae,
a non-profit organisation, and Telefónica de España SAU (‘Telefónica’). Telefónica
had refused to disclose to Promusicae, which was acting on behalf of its members as
holders of intellectual property rights, personal data relating to Internet use via
Telefónica connections.

5.2.1 Productores de Música de España (Promusicae) v Telefónica de España SAU Case C-275/06⁶⁸

Facts
Promusicae, a non-profit organisation of producers and publishers, applied for
preliminary measures against Telefónica, a commercial company providing Internet
access services. Promusicae asked Telefónica to disclose the identities and physical
addresses of the subscribers to its Internet access services for whom it held an IP
address together with the date and time of connection. Promusicae claimed that those
users had used the KaZaA peer-to-peer (P2P) file-exchange program to share phonograms
whose exploitation rights were held by members of Promusicae.

68 Productores de Música de España (Promusicae) v Telefónica de España SAU Case C-275/06. ECLI:EU:C:2008:54.


Promusicae claimed that the KaZaA users had infringed intellectual property rights.
Telefónica argued that, under the applicable national law, such disclosure was
authorised only in the context of a criminal investigation or to safeguard public
security and national defence, not in civil proceedings. Promusicae contended that the
national law should be read in accordance with Directives 2000/31, 2001/29 and 2004/48,
as well as Articles 17 and 47 of the Charter of Fundamental Rights of the European
Union, which in its view authorised similar requests for other purposes.
Questions

“…the duty of operators of electronic communications networks and services,
providers of access to telecommunications networks and providers of data
storage services to retain and make available connection and traffic data generated
by the communications established during the supply of an information
society service?…
…[whether] Member States to lay down, in order to ensure effective protection
of copyright, an obligation to communicate personal data in the context of civil
proceedings.”

Source Promusicae Judgement


Under Article 5 of the ePrivacy Directive, Member States must ensure the confidentiality
of communications and of the related traffic data when public communications
networks and publicly available electronic communications services are used. In
particular, they must prohibit “listening, tapping, storage or other kinds of
interception or surveillance of communications and the related traffic data by
persons other than users, without the consent of the users concerned.”69 Exceptions
are possible only under Article 15(1), which allows a Member State to restrict this
obligation by legislation where necessary for national security, defence, public
security, or the prevention, investigation, detection and prosecution of criminal
offences.
Article 6 of Directive 2002/58 governs the retention of traffic data by the provider
of a public communications network or publicly available electronic communications
service. Traffic data relating to subscribers and users that are processed and stored
must be erased or made anonymous when they are no longer needed for the purpose of
transmitting a communication. For marketing and the provision of value-added services,
traffic data may be processed for as long as necessary with the consent of the
subscriber or user, who may withdraw that consent at any time.
The essential question before the CJEU was the following.

“…whether Directive 2002/58 precludes the Member States from laying down,
with a view to ensuring effective protection of copyright, an obligation to
communicate personal data which will enable the copyright holder to bring
civil proceedings based on the existence of that right…

69 Article 5, ePrivacy Directive.

If that is not the case, it will then have to be ascertained whether it follows
directly from the three Directives expressly mentioned by the national Court
that the Member States are required to lay down such an obligation…”

Source Promusicae Judgement


The question was whether the ePrivacy Directive precludes the Member States
from laying down legislative intervention to help transmit information about possible
infringers so that copyright holders can initiate civil proceedings.

“Article 5(1) of Directive 2002/58 provides that Member States must ensure
the confidentiality of communications by means of a public communications
network and publicly available electronic communications services, and of the
related traffic data, and must inter alia prohibit, in principle, the storage of that
data by persons other than users, without the consent of the users concerned…
Article 15(1) of Directive 2002/58 thus gives Member States the possibility
of providing for exceptions to the obligation of principle, imposed on them
by Article 5 of that Directive, to ensure the confidentiality of personal
data.”

Source Promusicae Judgement


Under Article 5(1) of the ePrivacy Directive, the Member States must ensure the
confidentiality of communications and of the related traffic data, and must in
principle prohibit their storage by persons other than users without the users’
consent. The only exceptions are those that Article 15(1) permits Member States to
legislate for, such as measures necessary for national security. The question was
whether such exceptions could extend to disclosure for the purposes of civil
proceedings.
The Court therefore stated:

“…the Member States [may] adopt legislative measures to restrict the obliga-
tion of confidentiality of personal data where that restriction is necessary inter
alia for the protection of the rights and freedoms of others. As they do not
specify the rights and freedoms concerned, those provisions of Article 15(1)
of Directive 2002/58 must be interpreted as expressing the Community legis-
lature’s intention not to exclude from their scope the protection of the right to
property or situations in which authors seek to obtain that protection in civil
proceedings.”

Source Promusicae Judgement


While the Directive does not preclude Member States from imposing such a disclosure
obligation, it does not compel them to impose one in order to enable civil proceedings.
It must therefore be ascertained whether such an obligation follows from any of the
three other Directives, which are intended to ensure effective protection of copyright.
“Further, when implementing the measures transposing those Directives, the
authorities and Courts of the Member States must not only interpret their
national law in a manner consistent with those Directives but also make sure
that they do not rely on an interpretation of them which would be in conflict with
those fundamental rights or with the other general principles of Community
law, such as the principle of proportionality.”

Source Promusicae Judgement


In conclusion, the ECJ held:

“In the light of all the foregoing, the answer to the national Court’s question
must be that Directives 2000/31, 2001/29, 2004/48 and 2002/58 do not require
the Member States to lay down, in a situation such as that in the main proceed-
ings, an obligation to communicate personal data in order to ensure effective
protection of copyright in the context of civil proceedings.”

Source Promusicae Judgement


The ECJ thus struck a balance between the ability of the content industry to
safeguard its intellectual property and the privacy of ISPs’ subscribers under
Community law, while noting that nothing in the EU Directives prevents Member
States from adopting such a disclosure obligation on their own.
Questions
1. What is the role of trust in data protection?
2. How have the concepts of data controller and personal data been interpreted in
case law? Is a broad or narrow interpretation of these concepts desirable?
3. What are the conditions of consent and legitimate interest? Is a particular legal
basis of processing more appropriate than others in a given situation?
4. How should an individual’s privacy rights be balanced with law enforcement
considerations?

Suggested Readings

1. OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, 1980.
2. The OECD Privacy Framework, 2013.
3. Michael Kirby, The history, achievement and future of the 1980 OECD guidelines on privacy,
International Data Privacy Law, Volume 1, Issue 1, February 2011, Pages 6–14, https://doi.org/10.1093/idpl/ipq002
4. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on
the protection of individuals with regard to the processing of personal data and on the free
movement of such data OJ L 281, 23.11.1995, p. 31–50.
5. Commission of the European Communities, First report on the implementation of the Data
Protection Directive (95/46/EC) Brussels, 15.5.2003 COM(2003) 265 final.
6. European Parliament, REPORT on the First Report on the implementation of the Data Protection
Directive (95/46/EC) (COM(2003) 265 – C5-0375/2003 – 2003/2153(INI)) 24 February 2004
https://www.europarl.europa.eu/doceo/document/A-5-2004-0104_EN.html
7. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
on the protection of natural persons with regard to the processing of personal data and on
the free movement of such data, and repealing Directive 95/46/EC (General Data Protection
Regulation) OJ L 119, 4.5.2016, p. 1–88.
8. COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT
AND THE COUNCIL Data protection as a pillar of citizens’ empowerment and the EU’s
approach to the digital transition - two years of application of the General Data Protection
Regulation COM/2020/264 final.
9. Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning
the processing of personal data and the protection of privacy in the electronic communications
sector (Directive on privacy and electronic communications) OJ L 201, 31.7.2002, p. 37–47.
10. Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE
COUNCIL concerning the respect for private life and the protection of personal data in
electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and
Electronic Communications) COM/2017/010 final - 2017/03 (COD).
11. Charter of Fundamental Rights of the European Union OJ C 326, 26.10.2012, p. 391–407.
12. The Digital Personal Data Protection Act, 2023.
13. EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR Version
2.1 Adopted on 07 July 2021.
14. Nadezhda Purtova, ‘The law of everything. Broad concept of personal data and future of EU
data protection law’ (2018) 10(1) Law, Innovation and Technology 40–81.
15. Frederik J. Zuiderveen Borgesius, ‘Personal data processing for behavioural targeting: which
legal basis?’, (2015) 5(3) International Data Privacy Law 163–176, https://doi.org/10.1093/idpl/ipv011
16. Michael Veale and Frederik Zuiderveen Borgesius, ‘Adtech and real-time bidding under
European data protection law’ (2022) 23(2) German Law Journal 226–256.
17. Rechnungshof (C-465/00) v Österreichischer Rundfunk and Others and Christa Neukomm (C-138/01)
and Joseph Lauermann (C-139/01) v Österreichischer Rundfunk. Joined cases C-465/00, C-138/01
and C-139/01. ECLI:EU:C:2003:294.
18. Heinz Huber v Bundesrepublik Deutschland. Case C-524/06. ECLI:EU:C:2008:724.
19. VS v Inspektor v Inspektorata kam Visshia sadeben savet. Case C-180/21.
ECLI:EU:C:2022:967.
20. Advocate General Opinion in La Quadrature du Net v Premier ministre, Ministère de la Culture
Case C-470/21.
21. VQ v Land Hessen, Request for a preliminary ruling from the Verwaltungsgericht Wiesbaden,
C-272/19 Land Hessen ECLI:EU:C:2020:535.
22. Michèle Finck, ‘Cobwebs of control: the two imaginations of the data controller in EU law’
(2021) 11(4) International Data Privacy Law 333–347, https://doi.org/10.1093/idpl/ipab017
23. Google Spain SL v. Agencia Española de Protección de Datos Case C-131/12
ECLI:EU:C:2014:317.
24. Proceedings brought by Tietosuojavaltuutettu. Judgment of the Court (Grand Chamber) of 10
July 2018. Case C-25/17. ECLI:EU:C:2018:551.
25. Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie
Schleswig-Holstein GmbH. Case C-210/16. ECLI:EU:C:2018:388
26. Peter Nowak v Data Protection Commissioner. Case C-434/16. ECLI:EU:C:2017:994.
27. Patrick Breyer v Bundesrepublik Deutschland. Case C-582/14. ECLI:EU:C:2016:779.
28. Michèle Finck, Frank Pallas, ‘They who must not be identified—distinguishing personal from
non-personal data under the GDPR’, (2020) 10(1) International Data Privacy Law 11–36,
https://doi.org/10.1093/idpl/ipz026

29. Scarlet Extended SA v Société belge des auteurs, compositeurs et éditeurs SCRL (SABAM).
C-70/10. ECLI:EU:C:2011:771.
30. TK v Asociaţia de Proprietari bloc M5A Scara-A Case C-708/18 ECLI:EU:C:2019:1064.
31. František Ryneš v Úřad pro ochranu osobních údajů. Case C-212/13. ECLI:EU:C:2014:2428.
32. Meta Platforms v Verbraucherzentrale Bundesverband eV Case C-252/21
ECLI:EU:C:2023:537.
33. La Quadrature du Net and Others v Premier ministre and Others. Joined Cases C-511/18,
C-512/18 and C-520/18. ECLI:EU:C:2020:791
34. Peter Puškár v Finančné riaditeľstvo Slovenskej republiky, Kriminálny úrad finančnej správy
C-73/16.
35. Privacy International v Secretary of State for Foreign and Commonwealth Affairs and Others.
Case C-623/17. ECLI:EU:C:2020:790.
36. Proceedings brought by Ministerio Fiscal. C-207/16. ECLI:EU:C:2018:788
37. Productores de Música de España (Promusicae) v Telefónica de España SAU Case C-275/06.
ECLI:EU:C:2008:54.
38. Raphael Gellert, ‘We Have Always Managed Risks in Data Protection Law: Understanding
the Similarities and Differences between the Rights-Based and the Risk-Based Approaches to
Data Protection’ (2016) 2 Eur Data Prot L Rev 481.
39. V. Cimina, “The data protection concepts of ‘controller’, ‘processor’ and ‘joint controllership’
under Regulation (EU) 2018/1725” (2021) 21 ERA Forum 639–654 https://doi.org/10.1007/s12027-020-00632-8
40. Chris Jay Hoofnagle, Bart van der Sloot & Frederik Zuiderveen Borgesius, ‘The European
Union general data protection regulation: what it is and what it means’ (2019) 28(1)
Information & Communications Technology Law, https://doi.org/10.1080/13600834.2019.1573501
41. Marianna Rantou, ‘The growing tension between copyright and personal data protection on
an online environment: The position of Internet Service Providers according to the European
Court of Justice’, (2012) 3(2) European Journal for Law and Technology.
42. Fanny Coudert, Evi Werkers, ‘In The Aftermath of the Promusicae Case: How to Strike the
Balance?’, (2010) 18(1) International Journal of Law and Information Technology 50–71.
https://doi.org/10.1093/ijlit/ean015
43. Michèle Finck, Frank Pallas, ‘They who must not be identified—distinguishing personal from
non-personal data under the GDPR’, (2020) 10(1) International Data Privacy Law 11–36.
https://doi.org/10.1093/idpl/ipz026
44. Irene Kamara, ‘Exam Scripts Are Personal Data According to AG Kokott’ (2017) 3(3) European
Data Protection Law Review 402–405
45. Frederik Zuiderveen Borgesius, ‘The Breyer Case of the Court of Justice of the European
Union: IP Addresses and the Personal Data Definition’ (2017) 3(1) European Data Protection
Law Review 130–137
46. Karolina Podstawa, ‘Peter Nowak v Data Protection Commissioner: You Can Access Your
Exam Script, Because It Is Personal Data’ (2018) 4(2) European Data Protection Law Review
252–259
Chapter 2
EU Data Protection Law Framework

1 Introduction

In the previous chapter, we discussed several basic concepts of data protection:
personal data, the data controller and the legal basis of processing (including
consent, legitimate interests and necessity for the performance of a contract). A
data controller who processes personal data must have a legal basis for doing so.
This chapter delves into the requirement of consent as a legal basis for processing.
It also discusses the principles of processing that a data controller must observe
when processing personal data. Finally, it discusses exemptions under the data
protection framework, including the personal or household exemption and the
journalistic purpose exemption.

2 Principles of Processing

With the help of different judgements delivered by the ECJ and the CJEU, this
section introduces the data protection principles concerning Purpose specification
and Collection Limitation, Accuracy, Accountability and Storage Limitation.

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2024
I. Gupta et al., Introduction to Data Protection Law,
https://doi.org/10.1007/978-981-97-6355-9_2


2.1 Purpose Specification and Collection Limitation

Article 5(1)(b) of the GDPR reads:

“1. Personal data shall be:
(b) collected for specified, explicit and legitimate purposes and not further
processed in a manner that is incompatible with those purposes;”

Source Article 5(1)(b), GDPR


It is important for a data controller to have a specific purpose before processing
any personal data. First, it helps the data controller map the objective behind the data
collection process. Second, it helps the data controller revisit and refine the purpose
of data collection. Third, a definite or specific purpose helps the data controller
decide on the categories of data to be collected. Not only does it help the controller
to limit the collection to a minimum, but it also helps the data controller meet the
data principles related to the purpose and collection of personal data. Besides, it
helps a data protection authority ascertain the legitimate basis for collecting data.
It also helps a data controller seek specific consent for processing personal data. A
data controller must avoid bundling purposes together, citing compatibility amongst
them. The bundling of purposes represents a sign of overprocessing of personal data.
Further, it affects the crucial requirement of transparency that is critical at all stages of
data processing. A controller must consider why processing is necessary and having
a clear purpose at the outset can help discover steps and categories of data collection.
For instance, a data controller decides to collect personal data to deliver electronic
merchandise available on its website. A customer decides to buy the latest gadget
that would help improve the quality of sound on her laptop. A clause in the form that
refers to the collection of personal data reads that personal data is collected for the
delivery of the product. Occasionally, personal data will be further processed to send
promotional offers to customers. This second processing may not be related to the
delivery of merchandise. In fact, in different situations, the second processing may
be an additional activity, completely unrelated to the primary purpose stated during
the initial data collection. It would lead to overprocessing and be an antithesis to
the limited collection of personal data. In this example, the data controller may still
engage with the second processing for sharing promotional offers. However, the data
controller must keep the two purposes separate without resorting to bundling. The
data subject or the customer must choose to say either ‘yes’ or ‘no’ to such an offer.
The key elements of the purpose limitation principle from a design and default
perspective include the following:¹

1 EDPB Guidelines 4/2019 on Article 25 Data Protection by Design and by Default Version 2.0
Adopted on 20 October 2020.

• “Predetermination – The legitimate purposes shall be determined before the
design of the processing.
• Specificity – The purposes shall be specified and explicit as to why personal
data is being processed.
• Purpose orientation – The purpose of processing should guide the design of
the processing and set processing boundaries.
• Necessity – The purpose determines what personal data is necessary for the
processing.
• Compatibility – Any new purpose must be compatible with the original
purpose for which the data was collected and guide relevant changes in
design.
• Limit further processing – The controller should not connect datasets or
perform any further processing for new incompatible purposes.
• Limitations of reuse – The controller should use technical measures,
including hashing and encryption, to limit the possibility of repurposing
personal data. The controller should also have organisational measures,
such as policies and contractual obligations, which limit reuse of personal
data.
• Review – The controller should regularly review whether the processing
is necessary for the purposes for which the data was collected and test the
design against purpose limitation.”

Source EDPB Guidelines 4/2019 on Article 25 Data Protection by Design and by Default

2.2 Accuracy and the Option to Update Personal Information

Article 5(1)(d) of GDPR reflects the importance of accuracy. It reads:

“Personal data shall be:
(d) accurate and, where necessary, kept up to date; every reasonable step
must be taken to ensure that personal data that are inaccurate, having regard
to the purposes for which they are processed, are erased or rectified without
delay (‘accuracy’);”

Source Article 5(1)(d), GDPR


The data controller is responsible for keeping personal data accurate and up to date.
This responsibility has multiple dimensions. At the time of data collection, it is
extremely difficult for a controller to verify the veracity of the personal data shared
by a data subject; the controller has to accept the data on trust and in good faith.
Errors in the collected data are therefore possible. However, a controller can always
give a data subject the option to review the submitted data and to correct any
inaccuracies. Offering that opportunity counts towards the reasonable steps a data
controller takes to process data accurately. Inaccurately processed data can cause
real harm. For example, a credit rating agency calculating a credit score for a data
subject will produce erroneous results if the underlying data were not processed
accurately by the data controllers that supplied it, and a financial organisation may
then refuse a loan application on the strength of the incorrect score. Lastly, the
process for updating records should not be complicated, unnecessarily lengthy or
cumbersome.
The scope, content and precision of the accuracy principle must be understood.
The scope of the accuracy principle is that it applies to all personal data processed
under the scope of the GDPR.2 The content of the accuracy principle can be under-
stood as follows: “Article 5(1)(d) GDPR encompasses two separate concepts of
accuracy: factual accuracy and temporal accuracy. Both concepts are related, and
both can be subsumed by a broad understanding of factual accuracy.”3 Accuracy
generally means accuracy as to a matter of fact.4 The precision of the accuracy prin-
ciple is that accuracy must be ascertained in the “light of the purpose for which that
data was collected.”5 The accuracy principle arguably protects people from making
decisions based on wrong information, and also applies to opinions.6

2.3 Accountability

Article 5(2) provides the principle of accountability: “The controller shall be respon-
sible for, and be able to demonstrate compliance with, paragraph 1.”7 It suggests that
accountability requires the data controller to demonstrate compliance with all other
data protection principles mentioned in paragraph 1.

2 Dara Hallinan, Frederik Zuiderveen Borgesius, ‘Opinions can be incorrect (in our opinion)! On
data protection law’s accuracy principle’ (2020) 10(1) International Data Privacy Law 1–10.
https://doi.org/10.1093/idpl/ipz025.
3 Dara Hallinan, Frederik Zuiderveen Borgesius, ‘Opinions can be incorrect (in our opinion)! On
data protection law’s accuracy principle’ (2020) 10(1) International Data Privacy Law 1–10.
https://doi.org/10.1093/idpl/ipz025.
4 Article 29 Working Party, Guidelines on the Implementation of the Court of Justice of the European
Union Judgment on ‘Google Spain and inc v. Agencia Española de Protección De Datos (AEPD)
and Mario Costeja González’ C-131/12 (14/EN WP 225, 2014), 15.
5 Peter Nowak v Data Protection Commissioner C-434/16 ECLI:EU:C:2017:994, para 53.
6 Dara Hallinan, Frederik Zuiderveen Borgesius, ‘Opinions can be incorrect (in our opinion)! On
data protection law’s accuracy principle’ (2020) 10(1) International Data Privacy Law 1–10.
https://doi.org/10.1093/idpl/ipz025.
7 Article 5(2), GDPR.

The idea of accountability can be found in Recital 85 of the GDPR. It reads:

“A personal data breach may, if not addressed in an appropriate and timely
manner, result in physical, material or non-material damage to natural persons
such as loss of control over their personal data or limitation of their rights,
discrimination, identity theft or fraud, financial loss, unauthorised reversal of
pseudonymisation, damage to reputation, loss of confidentiality of personal
data protected by professional secrecy or any other significant economic or
social disadvantage to the natural person concerned. Therefore, as soon as
the controller becomes aware that a personal data breach has occurred, the
controller should notify the personal data breach to the supervisory authority
without undue delay and, where feasible, not later than 72 hours after having
become aware of it, unless the controller is able to demonstrate, in accordance
with the accountability principle, that the personal data breach is unlikely to
result in a risk to the rights and freedoms of natural persons. Where such
notification cannot be achieved within 72 hours, the reasons for the delay
should accompany the notification and information may be provided in phases
without undue further delay.”

Source Recital 85, GDPR


Here, the accountability of a data controller relates to notifying the supervisory
authority of a personal data breach within the specified time, that is, without undue
delay and, where feasible, within 72 hours of becoming aware of it. If the data
controller assesses that the breach is unlikely to result in a risk to the rights and
freedoms of natural persons, it may choose not to notify the authority. However, the
onus is then on the data controller to demonstrate, in accordance with the
accountability principle, why it did not do so.
Data controllers are responsible for keeping the data secure at all times. For
example, in 2020, the Information Commissioner’s Office (ICO), UK fined British
Airways 20 million pounds sterling. British Airways (BA) was fined for failure to
protect the personal and financial details of more than 400,000 customers because
they did not have adequate security. The airline company also suffered a cyber-attack
that they could not detect for two months. The ICO believed that BA ought to have
identified their system’s weaknesses and resolved them by incorporating adequate
security measures of the time.
The breach caused access to personal details, including names, addresses, payment
card numbers and CVV numbers. The ICO found that BA did not detect the attack
themselves, but a third party instead informed them. Even after that information came
to them, they waited before informing the ICO about the data breach incident.
The following can be inferred from this decision.
• The data controller is obligated to create its own safeguard mechanism so that no
data breach goes unnoticed.
• The onus is on the data controller to showcase the due diligence measures adopted
at various stages.
• The data controller is responsible for informing the supervisory authority about
the data breach.

2.4 Limited Storage and Processing

Storage limitation is one of the principles recognised by Article 5(1)(e), according
to which personal data shall be:

“(e) kept in a form which permits identification of data subjects for no longer
than is necessary for the purposes for which the personal data are processed;
personal data may be stored for longer periods insofar as the personal data
will be processed solely for archiving purposes in the public interest, scien-
tific or historical research purposes or statistical purposes in accordance with
Article 89(1) subject to implementation of the appropriate technical and organ-
isational measures required by this Regulation in order to safeguard the rights
and freedoms of the data subject (‘storage limitation’);”

Source Article 5(1)(e), GDPR


The storage of personal data is directly related to the purpose of processing. Any additional storage time involves overprocessing personal data, which requires a legal basis. To ensure that data processing is transparent and fair, the data controller must share the storage period with the data subject. Where that is not possible, the data controller should inform the data subject of the criteria used to decide the duration of storage. Further, the data controller must have a clear data retention policy.
For example, an airline company provided additional support services during the first stage of the COVID-19 pandemic. As part of these services, it tied up with insurance providers and local cab agencies. A data subject requiring any of these services would expect the storage of their personal details to be limited to the journey. Insurance for a particular trip is valid for a certain period, and data processing cannot continue indefinitely. Therefore, personal data must be deleted once the purpose of processing has been served. Since the insurance provider knows the duration for which the insurance is valid, there is no legitimate basis to store and further process the data beyond that time. Similar expectations apply to the local cab agencies. Storage limitation and a specific retention policy help mitigate the possible risk of abuse through overprocessing personal data.
2 Principles of Processing 65

2.4.1 Digi Távközlési és Szolgáltató Kft. v Nemzeti Adatvédelmi és Információszabadság Hatóság Case C-77/21⁸

The judgement concerns the interpretation of the purpose limitation and storage
limitation principle when another database is created by the data controller for storing
information. The purpose limitation principle is a cornerstone of data protection law
and its strong enforcement can help safeguard data subjects’ rights.9
Facts
The facts involved Digi, a leading internet service and television provider in Hungary. Digi had created a test database copying the data of one-third of its private customers and stored them in a database called the ‘digihu’ database. Digi became aware that an ethical hacker had gained access to the personal data of 322,000 persons from the test database. Digi then concluded a confidentiality agreement with the hacker, offering them a reward. Digi also corrected the fault that had enabled access to the test database. Digi then notified the Authority of the data breach and an investigation was opened. The Authority found an infringement of Article 5(1)(b) and (e) of Regulation 2016/679, as Digi had not immediately deleted the test database after correcting the fault. This had resulted in a large amount of personal data being stored in the test database for 18 months without any purpose. Digi was asked to review its databases and was fined around EUR 248 000.
The essential question was whether the purpose limitation and storage limitation principles allow the data controller to store data, which was collected for a limited legitimate purpose, in a parallel database.
Questions
The Fővárosi Törvényszék (Budapest High Court, Hungary) referred the following
questions to the Court for a preliminary ruling:

“(1) Must the concept of ’purpose limitation’ as defined in Article 5(1)(b) of [Regulation 2016/679] … be interpreted as meaning that the fact that the controller stores in parallel in another database personal data which were otherwise collected and stored for a limited legitimate purpose is consistent with that concept or, conversely, is the limited legitimate purpose of collecting those data no longer valid so far as the parallel database is concerned?
(2) Should the answer to the first question referred be that the parallel storage of data is in principle incompatible with the principle of “purpose limitation”, is the fact that the controller stores in parallel in another database personal data which were otherwise collected and stored for a limited legitimate purpose compatible with the principle of ’storage limitation’ established in Article 5(1)(e) of [Regulation 2016/679]?.”

Source Digi Judgement

8 Digi Távközlési és Szolgáltató Kft. v Nemzeti Adatvédelmi és Információszabadság Hatóság Case C-77/21.
9 Isabel Hahn, ‘Purpose Limitation in the Time of Data Power: Is There a Way Forward?’ (2021) 7 Eur Data Prot L Rev 31.


The Court explained the legal provisions before answering the two questions.

“[I]t is thus apparent from the wording of that provision that it comprises
two requirements, one relating to the purposes of the initial collection of the
personal data and the other concerning the further processing of those data.
Regarding, first, the requirement that personal data are to be collected for
specified, explicit and legitimate purposes, it follows from the case-law of
the Court that that requirement implies, first of all, that the purposes of the
processing are to be identified at the latest at the time of the collection of the
personal data, next, that the purposes of that processing are to be clearly stated
and, finally, that the purposes of that processing are to guarantee, inter alia, the
lawfulness of the processing of those data, within the meaning of Article 6(1)
of Regulation 2016/679.
With regard, secondly, to the requirement that the personal data are not to
be the subject of further processing which is incompatible with those purposes,
it should be pointed out, on the one hand, that the recording and storage, by
the controller, in a newly created database, of personal data stored in another
database constitutes ‘further processing’ of those data.
The concept of ‘processing’ is defined broadly in Article 4(2) of Regulation
2016/679 as covering any operation or set of operations which is performed on
personal data or on sets of personal data, whether or not by automated means,
such as, inter alia, the collection, recording and storage of those data.
Moreover, in accordance with the usual meaning of the term ‘further’ in
everyday language, any processing of personal data which is subsequent to the
initial processing constituted by the initial collection of those data constitutes
‘further’ processing of those data, regardless of the purpose of that further
processing.
It is apparent from a combined reading of Article 5(1)(b), Article 6(1)(a) and
Article 6(4) of Regulation 2016/679 that the question of the compatibility of
the further processing of personal data with the purposes for which those data
were initially collected arises only if the purposes of that further processing
are not identical to the purposes of the initial collection.
Moreover, it follows from that Article 6(4), read in the light of Recital 50
of that Regulation, that, where the processing for a purpose other than that for
which the data have been collected is not based on the data subject’s consent
or on an EU or Member State law, it is necessary, in order to ascertain whether
processing for another purpose is compatible with the purpose for which the
personal data are initially collected, to take into account, inter alia, first, any
link between the purposes for which the personal data have been collected and
the purposes of the intended further processing; secondly, the context in which
the personal data have been collected, in particular regarding the relationship
between data subjects and the controller; thirdly, the nature of the personal
data; fourthly, the possible consequences of the intended further processing
for data subjects; and finally, fifthly, the existence of appropriate safeguards in
both the original and intended further processing operations.
[T]hose criteria reflect the need for a specific, logical and sufficiently close
link between the purposes for which the personal data were initially collected
and the further processing of those data, and ensure that such further processing
does not deviate from the legitimate expectations of the subscribers as to the
subsequent use of their data.
Furthermore, in the third place, [..] those criteria limit the reuse of personal
data previously collected by ensuring a balance between, on the one hand,
the need for predictability and legal certainty regarding the purposes of the
processing of personal data previously collected and, on the other hand, the
recognition of a degree of flexibility for the controller in the management of
those data, and thereby contribute to the attainment of the objective of ensuring
a consistent and high level of protection of natural persons, which is set out in
Recital 10 of Regulation 2016/679."

Source Digi Judgement


Thus, the purpose limitation principle requires (1) clearly identifying and communicating the purpose of processing and (2) that further processing purposes be compatible with the initial purpose of processing. Several factors are considered in determining the compatibility of purposes, including the link between the purposes, the nature of the data, the context of data collection, the possible consequences of further processing and the safeguards in place for the processing. If further processing is incompatible with the existing processing, the data controller needs a legal basis for that further processing, such as consent.
The Court stated that the purpose limitation principle “does not preclude the recording and storage by the controller, in a database created for the purposes of carrying out tests and correcting errors, of personal data previously collected and stored in another database, where such further processing is compatible with the specific purposes for which the personal data were initially collected.”10 This means that where data is collected only once and processed at different times, each later processing is measured against the purposes stated at the time of collection. The data controller should, however, avoid reusing data for different purposes, which leads to overprocessing of personal data. Therefore, at the time of data collection, the data controller should avoid bundling purposes. Where a related purpose is intended, that intention should be put forth to the data subject in a timely and transparent manner, preferably during data collection. Data subjects’ expectations about the second round of processing of personal data are a further test to ensure fair processing. The Court stated that,

10 Digi Távközlési és Szolgáltató Kft. v Nemzeti Adatvédelmi és Információszabadság Hatóság Case C-77/21.

“it is apparent from the order for reference that the personal data were initially collected by Digi, the controller, for the purposes of the conclusion and performance of subscription contracts with its private customers.
Second, the parties to the main proceedings are not in agreement on the specific purpose of the recording and storage by Digi, in the test database, of the personal data at issue. While Digi argues that the specific purpose of the creation of the test database was to guarantee access to the subscribers’ data until the errors were corrected, with the result that that purpose was identical to the purposes pursued by the initial collection of those data, the Authority maintains that the specific purpose of the further processing was distinct from those purposes since it was the conducting of tests and the correction of errors.
It is apparent from the order for reference that the test database was created by Digi in order to be able to carry out tests and correct errors, so that it is in the light of those purposes that it falls to the referring Court to assess the compatibility of the further processing with the purposes of the initial collection, being the conclusion and performance of subscription contracts… Third, regarding that assessment, it should be pointed out that there is a specific link between the conducting of tests and the correction of errors affecting the subscriber database and the performance of the subscription contracts of private customers, in that such errors may be prejudicial to the provision of the contractually agreed service, for which the data were initially collected…
…[S]uch processing does not deviate from the legitimate expectations of those customers as to the subsequent use of their personal data. It is not, furthermore, apparent from the order for reference that those data were sensitive in whole or in part or that the further processing at issue of those data, as such, had detrimental consequences for the subscribers or was not accompanied by appropriate safeguards, which it is, in any event, for the referring Court to verify.”

Source Digi Judgement


The Court then addressed the storage limitation principle, which requires personal data to be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.”11 It stated that the storage limitation principle “precludes the storage by the controller, in a database created for the purposes of carrying out tests and correcting errors, of personal data previously collected for other purposes, for longer than is necessary for the conducting of those tests and the correction of those errors.”12 This means that the legal basis of data processing may be called into question when the data controller exceeds the storage time, which in turn must be synchronised with the purpose limitation principle. Otherwise legitimate processing may become invalid because the data controller has exceeded the storage time. The Court explained:

11 Article 5(1)(e) GDPR.

“In the first place, it should be pointed out that, under Article 5(1)(e) of Regulation 2016/679, personal data are to be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
It is thus unequivocally clear from the wording of that article that the principle of ‘storage limitation’ requires the controller to be able to demonstrate, in accordance with the principle of accountability referred to in paragraph 24 of the present judgment, that personal data are kept only for as long as is necessary for the purposes for which they were collected or for which they have been further processed.
It follows that even initially lawful processing of data may over time become incompatible with Regulation 2016/679 where those data are no longer necessary for such purposes and that the data must be erased when those purposes have been served.
That interpretation is consistent, in the second place, with the context of Article 5(1)(e) of Regulation 2016/679.
In this case, Digi argued that it was due to an oversight that the personal data of a portion of its private customers stored in the test database were not deleted after the tests had been conducted and the errors had been corrected.
In that regard, it is sufficient to point out that that argument is not relevant for the purposes of assessing whether data were kept for longer than was necessary for the purposes for which they were further processed, in breach of the principle of ‘storage limitation’, laid down in Article 5(1)(e) of Regulation 2016/679."

Source Digi Judgement


The judgement in Digi suggests that the purpose limitation principle allows a data controller to create a database to test and correct errors to the extent that testing and correcting errors is compatible with the initial purpose of processing. In addition, the storage limitation principle requires that the data must not be stored in that database once the purpose of testing and correcting errors has been fulfilled.
This section suggests that the data controller must carefully assess compliance with each of the data protection principles, as it is accountable for complying with them. The data controller must map its processing activities and processing purposes. This helps ensure that data is collected for specified processing purposes, that a legal basis is found for further processing which is incompatible with the initial processing, and that data is stored in identifiable form only for as long as is necessary for the processing purposes.

12 Digi Távközlési és Szolgáltató Kft. v Nemzeti Adatvédelmi és Információszabadság Hatóság Case C-77/21.
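The storage limitation principle discussed in this section (retention tied to the stated purpose, erasure once that purpose is served, and no storage at all without a purpose, as with the Digi test database) can be enforced mechanically in a retention policy. The Python below is an added illustration, not code from this book or from any regulator; the purposes, retention periods, record identifiers and dates are all constructed.

```python
"""Purpose-bound retention check (added example, not from the book).

Each record carries the purpose it was collected for and, once known, the date
on which that purpose was served. Each purpose has a retention rule. A record
is flagged for erasure when its purpose has been served (plus any grace period),
when a hard cap after collection has passed, or when its purpose is not in the
policy at all (storage with no stated purpose). All values are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Record:
    record_id: str
    purpose: str                              # purpose stated at collection
    collected_on: date
    purpose_ended_on: Optional[date] = None   # when the purpose was served, if known


@dataclass
class RetentionRule:
    purpose: str
    max_days: Optional[int] = None   # hard cap counted from collection, if any
    grace_days: int = 0              # time allowed after the purpose has been served


class RetentionPolicy:
    """Maps each processing purpose to a retention rule."""

    def __init__(self, rules: List[RetentionRule]):
        self.rules: Dict[str, RetentionRule] = {r.purpose: r for r in rules}

    def must_erase(self, rec: Record, today: date) -> bool:
        rule = self.rules.get(rec.purpose)
        if rule is None:
            # Unknown purpose: the record is being kept without a stated purpose.
            return True
        if rec.purpose_ended_on is not None and \
                today > rec.purpose_ended_on + timedelta(days=rule.grace_days):
            # Purpose served (trip over, test run finished) and grace period passed.
            return True
        if rule.max_days is not None and \
                today > rec.collected_on + timedelta(days=rule.max_days):
            # Hard cap reached even though no end-of-purpose event was recorded.
            return True
        return False

    def erasure_candidates(self, records: List[Record], today: date) -> List[str]:
        """Ids of records that may no longer be kept in identifiable form."""
        return [r.record_id for r in records if self.must_erase(r, today)]


# Constructed policy: trip insurance data may be kept for the trip plus a short
# grace period and never beyond 90 days; a test-database copy must go as soon
# as the test run that justified it has ended.
POLICY = RetentionPolicy([
    RetentionRule("trip_insurance", max_days=90, grace_days=7),
    RetentionRule("error_testing", max_days=None, grace_days=0),
])

# Constructed sample records (hypothetical ids and dates).
SAMPLE_RECORDS = [
    Record("ins-1", "trip_insurance", date(2024, 5, 1), purpose_ended_on=date(2024, 5, 10)),
    Record("ins-2", "trip_insurance", date(2024, 6, 1)),
    Record("test-1", "error_testing", date(2024, 3, 1), purpose_ended_on=date(2024, 3, 15)),
    Record("test-2", "error_testing", date(2024, 6, 1)),
    Record("orphan-1", "unstated_copy", date(2023, 1, 1)),
]


def run_check(today: date = date(2024, 6, 10)) -> List[str]:
    """Run the policy over the sample records as of a given day."""
    return POLICY.erasure_candidates(SAMPLE_RECORDS, today)


if __name__ == "__main__":
    for rid in run_check():
        print("erase:", rid)
```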

3 Consent

The GDPR provides six legal grounds of processing. A data controller processing
personal data must rely on one of these legal bases to justify the processing. Consent
is one of the most important lawful bases for processing personal data, as suggested
by the Meta case discussed in Chapter 1. According to the GDPR, consent must
be sought through a clear affirmative act by the data subject agreeing to the data
processing. There are four attributes of valid consent: freely given, specific, informed
and unambiguous.13 This section discusses judgements to ascertain the meaning
associated with all these terms.

3.1 Orange Romania SA v Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP) Case C-61/19¹⁴

The judgement involving Orange discusses the concept of consent and how it is implemented under the old Directive and the GDPR. Orange Romania, the data controller, provided mobile communication services in Romania. In 2018, the Romanian Data Protection Authority imposed a fine on the data controller for storing copies of customer identity documents. Orange Romania could not show demonstrable evidence that customers had consented to such processing. Orange Romania was asked to destroy the copies of such documents.
Facts
Orange Romania had concluded contracts with their subscribers and had attached
copies of personal identity documents to the concluded contracts. The relevant clauses
of the pre-printed form were:

“The customer states that:
(i), he or she has been informed, prior to concluding the contract, of the chosen tariff plan, the applicable tariffs, the minimum duration of the contract, the conditions for its termination, the conditions for accessing and using the services, including service coverage areas, …;
(ii), Orange România has provided the customer with all the necessary information to enable him or her to give his or her unvitiated, express, free and specific consent to the conclusion and express acceptance of the contract, including all the contractual documentation, the General Terms and Conditions for using Orange’s services and the Brochure of Tariffs and Services;
(iii) he or she has been informed of, and has consented to, the following:
- the processing of personal data for the purposes referred to in Article 1.15 of the General Terms and Conditions for using Orange’s services;
- the storage of copies of documents containing personal data for identification purposes;
- the agreement for the processing of personal data (contact number and email address) for direct marketing purposes;
- the agreement for the processing of personal data (contact number and email address) for market research purposes;”

Source Orange Romania Judgement

13 Article 7, GDPR.
14 Orange Romania SA v Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP) Case C-61/19.


Orange Romania did not refuse to sign an agreement with any subscriber who did not consent to the storage of personal identification documents. Orange Romania’s sales procedure required customers to sign a specific form if they refused the storage of personal identity documents. The essential question was whether Orange Romania had obtained valid consent to store identity documents.
Questions

“(1) For the purposes of Article [2](h) of Directive 95/46, what conditions must
be fulfilled in order for an indication of wishes to be regarded as specific and
informed?
(2) For the purposes of Article 2(h) of Directive 95/46, what conditions
must be fulfilled in order for an indication of wishes to be regarded as freely
given?…
…whether Article 2(h) and Article 7(a) of Directive 95/46 and Article 4(11)
and Article 6(1)(a) of Regulation 2016/679 must be interpreted as meaning that
a contract for the provision of telecommunications services which contains a
clause stating that the data subject has been informed of, and has consented
to, the collection and storage of a copy of his or her identity document for
identification purposes is capable of demonstrating that that person’s consent
has been validly given, as provided for in those provisions, to that collection
and storage.”

Source Orange Romania Judgement


The essential question was whether Orange Romania’s practices met the requirements of freely given, specific and informed consent of users. Orange Romania had included a provision in the user agreement stating that the data subject was well informed and that the data subjects had consented to the processing of their identity documents. The answer to the above questions is related to the idea of fairness under data protection law. Recital 38 of Directive 95/46 provides:

“if the processing of data is to be fair, the data subject must be in a position to
learn of the existence of a processing operation and, where data are collected
from him, must be given accurate and full information, bearing in mind the
circumstances of the collection.”

Source Recital 38

The ethos of fairness is inextricably connected with the information the data
controllers share with the data subjects. Sharing accurate information helps provide
the requisite knowledge about data processing to the data subject. Also important is
the method of providing the information. It also relates to informed consent, which
requires relevant information to be provided to the data subject before seeking their
consent. The idea of consent was provided by Article 2(h) of the old Directive, which
states:

“the data subject’s consent shall mean any freely given specific and informed
indication of his wishes by which the data subject signifies his agreement to
personal data relating to him being processed.”

Source Article 2(h), Directive 95/46


The idea of consent has also been explained by the GDPR Recitals and Articles.

GDPR 2016/679: Recitals 32 and 42 state:


“(32) Consent should be given by a clear affirmative act establishing a freely
given, specific, informed and unambiguous indication of the data subject’s
agreement to the processing of personal data relating to him or her, such as by
a written statement, including by electronic means, or an oral statement. This
could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
(42) Where processing is based on the data subject’s consent, the controller
should be able to demonstrate that the data subject has given consent to the
processing operation. In particular in the context of a written declaration on
another matter, safeguards should ensure that the data subject is aware of the
fact that and the extent to which consent is given. In accordance with Council
Directive 93/13/EEC [of 5 April 1993 on unfair terms in consumer contracts,
(OJ 1993 L 95, p. 29)], a declaration of consent pre-formulated by the controller
should be provided in an intelligible and easily accessible form, using clear
and plain language and it should not contain unfair terms. For consent to
be informed, the data subject should be aware at least of the identity of the
controller and the purposes of the processing for which the personal data are
intended. Consent should not be regarded as freely given if the data subject has
no genuine or free choice or is unable to refuse or withdraw consent without
detriment."
Article 7(1), (2) and (4) of Regulation 2016/679.
“1. Where processing is based on consent, the controller shall be able to
demonstrate that the data subject has consented to processing of his or her
personal data.
2. If the data subject’s consent is given in the context of a written declaration
which also concerns other matters, the request for consent shall be presented
in a manner which is clearly distinguishable from the other matters, in an
intelligible and easily accessible form, using clear and plain language. Any
part of such a declaration which constitutes an infringement of this Regulation
shall not be binding.
4. When assessing whether consent is freely given, utmost account shall
be taken of whether, inter alia, the performance of a contract, including the
provision of a service, is conditional on consent to the processing of personal
data that is not necessary for the performance of that contract."

Source Recitals 32, 42; Article 7, GDPR


Consent provides the controller with the legal basis for processing personal data.
Valid consent has certain attributes: freely given, specific and informed. Freely given
consent is when the data subject voluntarily decides to share consent with the data
controller. Data subjects must be given choices when accepting the terms relating
to the processing of personal information. Specific consent requires consent and
the purpose behind collecting information to go hand in hand. The data controller
should be able to showcase that a processing purpose is connected to a particular
consent. This condition prevents bundling of purposes by the controller asking for a
single consent for multiple purposes. Informed consent requires the data subject to
be pre-informed about the identity of the controller and the purpose of processing,
amongst other things. Consent must also be given unambiguously. The onus is on the controller to show that the data subject was given an appropriate opportunity to give consent. If sufficient and clear consent options are provided, it is less likely that the consent was ambiguous.
The GDPR requires that the controller follows a framework that allows data
subjects to share consent through an easily accessible and intelligible format. The
data subject should not need to look for information; rather, the data controller
should provide reasonable means to easily access information. Consent as a lawful
basis should be clearly identified with the purpose of processing. Further, the data
controller should use clear and plain language while providing information to the
data subject.
Consent is also closely related to the idea of fair processing. Fair and transparent processing would include sharing pre-processing information, fair disclosure of data, transparent means adopted by data controllers when transferring data, providing adequate and simple opportunities for giving and withdrawing consent, and expressing terms relating to privacy at all times in clear, plain and simple language.
Article 5 of the GDPR reflects upon processing fairly and lawfully.

Article 5 of that Regulation provides:


“1. Personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to the
data subject (“lawfulness, fairness and transparency”).
2. The controller shall be responsible for, and be able to demonstrate
compliance with, paragraph 1 (“accountability”).”
In accordance with Article 6(1)(a) of Regulation 2016/679:
“1. Processing shall be lawful only if and to the extent that at least one of
the following applies:
(a) the data subject has given consent to the processing of his or her personal
data for one or more specific purposes;"

Source Article 5, GDPR


According to Article 5 of the GDPR, lawfulness, fairness and transparency are the key elements that make personal data processing legitimate. Lawfulness requires a data controller to ensure that consent is obtained effectively. The GDPR also expects the transaction, i.e., data processing, to be carried out fairly and transparently by a data controller. With technological advancements, there could be additional challenges to transposing concepts and principles that may have worked in a two-dimensional world, i.e., a single communication channel between a data subject and a data controller. Where multiple data controllers are involved in data processing, the threshold of fairness and transparency must be carefully assessed. The conditions under which personal data should be processed need to be understood. Further, the data controller needs to share the required information with data subjects.
Article 13(1) and (2) GDPR.


“1. Where personal data relating to a data subject are collected from the
data subject, the controller shall, at the time when personal data are obtained,
provide the data subject with all of the following information:
(a), the identity and the contact details of the controller and, where
applicable, of the controller’s representative;
(c), the purposes of the processing for which the personal data are intended
as well as the legal basis for the processing;
2. In addition to the information referred to in paragraph 1, the controller
shall, at the time when personal data are obtained, provide the data subject
with the following further information necessary to ensure fair and transparent
processing:
(a), the period for which the personal data will be stored, or if that is not
possible, the criteria used to determine that period;
(b), the existence of the right to request from the controller access to and
rectification or erasure of personal data or restriction of processing concerning
the data subject or to object to processing as well as the right to data portability;
(c), where the processing is based on point (a) of Article 6(1) or point (a) of
Article 9(2), the existence of the right to withdraw consent at any time, without
affecting the lawfulness of processing based on consent before its withdrawal."

Source Article 13, GDPR.


The GDPR proposes that the data subject should know the details of the controller
or its representatives. As purpose provides the foundation for any data processing, the
data subject should be aware of the reasons behind data processing. Further, the data
controller should provide information about its data retention and storage policy. The
data controller should proactively remove or delete personal data when the purpose
has ceased. The data cannot be stored for an indefinite period. The data subjects must
further have the right to rectify personal data shared with the data controller. They
have a right of erasure alongside the right of portability of personal data between
different data controllers. If a data subject decides to withdraw previously given consent, the data subject should be provided with an efficient process for withdrawal. The absence of a withdrawal option, or a cumbersome withdrawal process, would fall short of fair and transparent processing.
In the case of Orange Romania, the question of consent and fair and transparent
processing arose. The following argument was made by Orange Romania –

“…during the procedure for concluding the contracts at issue in the main proceedings, its sales agents informed the customers concerned, before concluding the contracts, inter alia, of the purposes of collecting and storing copies of the identity documents and of their choice as to that collection and storage, before obtaining their oral consent to that collection and storage. According to Orange România, the box relating to the storage of copies of identity documents was therefore ticked solely on the basis of the individuals’ freely expressed agreement to that effect when the contract was concluded.”

Source Orange Romania Judgement


Orange Romania therefore argued that the customer walked into the store and
completed the form after being told, by the sales agent, that Orange Romania would
store copies of personal identification documents and for what purpose. On this
account, the subscriber (the data subject) had been put in a position to give informed
consent. The customers gave oral consent to the collection and storage of identification
documents and agreed to the terms and conditions of the service. The box relating to
such storage was therefore pre-ticked on the presumption that the customers
understood and agreed to the processing and storage of their identification documents.
On the other hand, the advocate general observed in his opinion15:

“[I]t appears to me to be legitimate for a firm to ask customers to provide some
personal data and in particular to prove their identity for the purposes of the
conclusion of a contract. To require a customer to consent to the copying and
storing of identity documents, however, appears to go beyond what is necessary
for the performance of the contract.
On the basis of the information available, it appears to me that the customers
of Orange România do not give their free, specific and informed consent under
the circumstances described by the referring Court.
There is no freely given consent. [..] I should like to recall in this respect
that the Court has laid an emphasis on active behaviour on the part of the data
subject with a view to giving his or her consent. A positive action of the data
subject is therefore required for giving consent. Yet, in the case at issue, the
reverse situation appears to occur: a positive action is needed in order to refuse
consent.
[t]here is no informed consent. It is not made crystal-clear to the customer
that a refusal to the copying and storing of his or her ID card does not make
the conclusion of a contract impossible. A customer does not choose in an
informed manner if he or she is not aware of the consequences.”

Source Advocate General Opinion in Orange Romania Case

15 Opinion of Advocate General Szpunar delivered on 4 March 2020. Orange Romania SA v Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP). Case C-61/19. ECLI:EU:C:2020:158.

The situation suggests that the data controller did not seek active participation
from the data subject, whereas data subjects must give consent through a clear
affirmative action. Informed consent is also questionable, because Orange did not
make it absolutely clear whether refusing consent to the storage of identification
documents would have any bearing on the service at hand.
The Court suggested:

“[I]t is for the data controller to demonstrate that the data subject has, by active
behaviour, given his or her consent to the processing of his or her personal
data and that he or she has obtained, beforehand, information relating to all
the circumstances surrounding that processing, in an intelligible and easily
accessible form, using clear and plain language, allowing that person easily
to understand the consequences of that consent, so that it is given with full
knowledge of the facts. A contract for the provision of telecommunications
services which contains a clause stating that the data subject has been informed
of, and has consented to, the collection and storage of a copy of his or her
identity document for identification purposes is not such as to demonstrate
that that person has validly given his or her consent, as provided for in those
provisions, to that collection and storage, where
– the box referring to that clause has been ticked by the data controller before
the contract was signed, or where
– the terms of that contract are capable of misleading the data subject as to the
possibility of concluding the contract in question even if he or she refuses to
consent to the processing of his or her data, or where
– the freedom to choose to object to that collection and storage is unduly
affected by that controller in requiring that the data subject, in order to refuse
consent, must complete an additional form setting out that refusal.”

Source Orange Romania Judgement


Essentially, the data controller failed to establish a connection with the data subject
when it decided to pre-tick the check-box. It is questionable why a data controller
should pre-tick a few boxes while leaving the remaining check-boxes unticked. It
failed to provide a justifiable rationale for why customers should not have the option
to freely select all the check-boxes themselves. This raises the question of a data
controller misleading data subjects about the processing of personal data. In fact, the
GDPR states that pre-ticking a box would not amount to free and fair consent from
the data subject. Pre-ticking a check-box greatly affects the freedom of the data subject
to decide and give consent.
Further, the data controller must share the information with data subjects in
an “intelligible and easily accessible form using clear and plain language.”16
Data subjects must not be misguided when looking for information pertaining to
processing personal data. Data controllers must provide information in the simplest
possible manner with no inconsistency. The controller should avoid sharing unnecessary,
lengthy documents where important information cannot be found easily. In fact,
the controller should use effective tools to highlight important excerpts of privacy
policies for data subjects.

16 Article 7, GDPR.
Orange Romania highlights the importance of the steps data controllers take at the
stage before the processing of personal data begins. It explains what is meant by
active, freely given and informed consent. Data controllers must ensure that data
subjects have complete information and are not confused by misleading information.

3.2 Bundesverband der Verbraucherzentralen und Verbraucherverbände — Verbraucherzentrale Bundesverband eV v Planet49 GmbH Case C-673/17¹⁷

Another judgement that discusses the concept of consent is the CJEU’s decision in
Planet49, which considered consent in the context of cookies. Before discussing the
Planet49 judgement, it is useful to introduce cookies and their regulation under the
ePrivacy Directive.
Cookies and similar technologies are used to track customers’ online activities.
Essentially, cookies can help the data controller understand user choices, interests
and online behaviour. Therefore, advertisers can target customers based on their
behavioural patterns and time spent on the Internet.
In this context, consent plays a crucial role in allowing customers to decide whether
they want to allow cookies. The controller should clearly state the purposes for using
cookies and allow the data subjects to select one or all purposes. However, some
cookies are deemed strictly necessary for the operation of the website. If those
cookies are rejected, some website features will not work properly, because those
technical cookies are what allow the user’s browser and the data controller’s website
to work together. Usually, websites state that they use cookies for various purposes
and provide users with a link to the cookie policy. Websites also categorise cookies by
purpose, including strictly necessary, performance, functional and marketing cookies.
Users are free to accept or reject cookies, or to choose which cookies they wish to allow.
It is important to facilitate the individual’s understanding of the implications
of consenting. The purposes for which cookies are used must be clearly delineated,
and customers should be free to decide which cookies to allow. Purposes must not be
bundled by presenting only the choice to accept all cookies and not the choice to
accept cookies by purpose. Besides, the data subject should have the opportunity to
opt out of cookies later. Further, the check-boxes must not be pre-selected. When
sliders are used, the slider should not be enabled by default in the expectation that
the data subject will disable it.

17 Bundesverband der Verbraucherzentralen und Verbraucherverbände — Verbraucherzentrale Bundesverband eV v Planet49 GmbH Case C-673/17. ECLI:EU:C:2019:801.

In Planet49, the CJEU had the opportunity to decide the implications of pre-selecting a
check-box for consent to cookies.
Facts
Planet49 GmbH (Planet49) organised an online lottery and asked users to share
their names and addresses before they could participate. The users needed to tick
two check-boxes to participate. One check-box, which was not pre-ticked, requested
users’ consent to receive marketing information from sponsors. The second
check-box, which was pre-ticked, was accompanied by text which read:

“I agree to the web analytics service Remintrex being used for me. This has the
consequence that [Planet49] sets cookies, which enables Planet49 to evaluate
my surfing and use behaviour on websites of advertising partners and thus
enables advertising by Remintrex that is based on my interests. (…)”

Source Planet49 Judgement


As per the data controller, the data subject could only participate in the lottery
after clicking the first check-box.
The Federation of German Consumer Organisations claimed that the consent requests
did not comply with Germany’s transposition of the ePrivacy Directive. Several questions
were referred by the Bundesgerichtshof (Federal Court of Justice) to the CJEU, the
most important being whether valid consent for cookies can be obtained using
pre-ticked boxes. The Court’s decision considered the requirements for consent under
Directive 95/46/EC and the GDPR.
Questions

“(1)(a) Does it constitute a valid consent within the meaning of Article 5(3)
and Article 2(f) of Directive [2002/58], read in conjunction with Article 2(h) of
Directive [95/46], if the storage of information, or access to information already
stored in the user’s terminal equipment, is permitted by way of a pre-checked
check-box which the user must deselect to refuse his or her consent?
(b) For the purposes of the application of Article 5(3) and of Article 2(f) of
Directive [2002/58] read in conjunction with Article 2(h) of Directive [95/46],
does it make a difference whether the information stored or accessed constitutes
personal data?
(c) In the circumstances referred to in Question 1(a), does a valid consent
within the meaning of Article 6(1)(a) of Regulation [2016/679] exist?
(2) What information does the service provider have to give within the scope
of the provision of clear and comprehensive information to the user that has to
be undertaken in accordance with Article 5(3) of Directive [2002/58]? Does
this include the duration of the operation of the cookies and the question of
whether third parties are given access to the cookies?’.”

Source Planet49 Judgement


According to the GDPR, consent must reflect a clear affirmative action on the part
of a data subject. That action must satisfy four parameters: it must be freely given,
specific, informed and an unambiguous indication of the data subject’s wishes.18
Clear affirmative action requires users to tick the boxes themselves when giving
consent. Otherwise, it is difficult to establish whether the user actually gave consent.
Pre-ticked boxes are the antithesis of the overall objective of capturing informed
choice.
This understanding is presented in the CJEU decision, which suggests:

“… it would appear impossible in practice to ascertain objectively whether a
website user had actually given his or her consent to the processing of his or
her personal data by not deselecting a pre-ticked check-box nor, in any event,
whether that consent had been informed. It is not inconceivable that a user
would not have read the information accompanying the pre-selected check-
box, or even would not have noticed that check-box, before continuing with
his or her activity on the website visited.”

Source Planet49 Judgement


Therefore, the CJEU suggested that “the fact that a user selects the button to
participate in the promotional lottery organized by that company cannot, therefore,
be sufficient for it to be concluded that the user validly gave his or her consent to the
storage of cookies.”19
In the opinion of the Advocate General, the idea that consent follows an opt-in
model is universal, regardless of the differences in wording among the old Data
Protection Directive, the ePrivacy Directive and the GDPR. The overall objective is to
remove any presumption about the user’s consent. Consent obtained through opt-out
instead of opt-in is not the way forward.

18 GDPR, Article 4(11).
19 Bundesverband der Verbraucherzentralen und Verbraucherverbände — Verbraucherzentrale Bundesverband eV v Planet49 GmbH Case C-673/17. ECLI:EU:C:2019:801.

The Court discussed other questions, such as the scope of the ePrivacy Directive.
In ascertaining the scope of the ePrivacy Directive, the Court suggested,

“Article 5(3) of Directive 2002/58 refers to ‘the storing of information’ and ‘the
gaining of access to information already stored’, without characterizing that
information or specifying that it must be personal data.”

Source Planet49 Judgement


Article 5(3) is the provision of the ePrivacy Directive that requires prior informed
consent for the use of cookies. It reads:

“3. Member States shall ensure that the storing of information, or the gaining of
access to information already stored, in the terminal equipment of a subscriber
or user is only allowed on condition that the subscriber or user concerned
has given his or her consent, having been provided with clear and comprehensive
information, in accordance with Directive 95/46/EC, inter alia, about
the purposes of the processing. This shall not prevent any technical storage or
access for the sole purpose of carrying out the transmission of a communication
over an electronic communications network, or as strictly necessary in order
for the provider of an information society service explicitly requested by the
subscriber or user to provide the service.”

Source Article 5(3), ePrivacy Directive


The Court also reflected on Recital 24 of Directive 2002/58, “according to which
any information stored in the terminal equipment of users of electronic communications
networks are part of the private sphere of the users requiring protection under
the European Convention for the Protection of Human Rights and Fundamental Freedoms.
That protection applies to any information stored in such terminal equipment,
regardless of whether or not it is personal data, and is intended, in particular, as is
clear from that Recital, to protect users from the risk that hidden identifiers and other
similar devices enter those users’ terminal equipment without their knowledge.”20
The Recital thus reflects the overarching objective of protecting users from the
possible risk of abuse.
By reference to the fairness principle, the CJEU held that where cookies are used to
collect information for advertising purposes, the period for which the cookies will
remain operational and whether third parties may have access to them must be clearly
and comprehensively disclosed to the data subject. This requirement also follows from
the GDPR, whose information requirements must be complied with when storing or
accessing cookies in the user’s terminal equipment.
The key takeaway of the Planet49 judgement is that consent forms the crucial
basis before processing starts and consent should be taken in an opt-in manner.
Data subjects should not be expected to opt out of check-boxes pre-ticked by data
controllers. There are other features of consent that will be discussed in this section,
which are the language and the standard of explicit consent.

20 Recital 24, ePrivacy Directive.
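The cookie-consent requirements discussed in this section (purposes that are not bundled, no pre-ticked boxes or default-on sliders, an opt-out that is as easy as the opt-in, and, following Planet49, disclosure of how long cookies remain operational and which third parties can access them) can be expressed as a small consent model. The following JavaScript is an added illustration written for this chapter; it is not code from the book, from Planet49 or from any website the book discusses, and the purpose names, vendor domains, retention periods and notice version in it are constructed placeholders.

```javascript
// Added example: a per-purpose cookie-consent model. Optional purposes start
// unchecked, a grant is accepted only from a user action, every decision is
// logged so the controller can show active consent, and withdrawal is one call.
// Purpose names, vendor domains, retention periods and the notice version are
// constructed placeholders, not taken from any real site or case.

const NOTICE_VERSION = "cookie-notice-v1-example"; // constructed identifier

const PURPOSES = {
  necessary: {
    essential: true,
    description: "Session, load-balancing and anti-CSRF cookies",
    retention: "until the browser session ends",
    thirdParties: [],
  },
  performance: {
    essential: false,
    description: "Aggregate usage statistics",
    retention: "13 months",
    thirdParties: ["analytics.example"],
  },
  marketing: {
    essential: false,
    description: "Interest-based advertising on partner sites",
    retention: "6 months",
    thirdParties: ["adpartner.example"],
  },
};

// What the banner must present per purpose: description, how long the cookies
// stay operational, who else gets access, and whether the box is optional.
// Optional boxes are never pre-checked; the necessary purpose is shown for
// information only and is not offered as a choice.
function buildNotice(purposes = PURPOSES) {
  return Object.entries(purposes).map(([id, p]) => ({
    id,
    description: p.description,
    retention: p.retention,
    thirdParties: p.thirdParties.slice(),
    optional: !p.essential,
    preChecked: false,
  }));
}

// A fresh visitor: every optional purpose is undecided (null), not silently "yes".
function newConsentState() {
  const decisions = {};
  for (const id of Object.keys(PURPOSES)) decisions[id] = null;
  return { noticeVersion: NOTICE_VERSION, decisions, log: [] };
}

// Apply one banner interaction {purpose, action, source}. Only events that
// originate from the user are accepted, so a script-set default can never turn
// into a grant. Each accepted event is appended to an audit log that the
// controller can later produce as evidence of active consent.
function applyEvent(state, event, now) {
  const { purpose, action, source } = event;
  if (!(purpose in PURPOSES)) throw new Error(`unknown purpose: ${purpose}`);
  if (PURPOSES[purpose].essential) {
    throw new Error("strictly necessary cookies are not subject to consent");
  }
  if (source !== "user") {
    throw new Error("consent must come from a user action, not a default");
  }
  if (!["grant", "deny", "withdraw"].includes(action)) {
    throw new Error(`unknown action: ${action}`);
  }
  state.decisions[purpose] = action === "grant";
  state.log.push({ purpose, action, at: now, noticeVersion: state.noticeVersion });
  return state;
}

// The gate every cookie-setting code path must pass: allowed only for the
// necessary purpose or where an explicit, current grant exists. Undecided
// (null) and denied both block, so "the user did not untick" never counts.
function cookieAllowed(state, purpose) {
  if (!(purpose in PURPOSES)) return false;
  if (PURPOSES[purpose].essential) return true;
  return state.decisions[purpose] === true;
}

// Withdrawal is as easy as granting: one call, logged like any other decision.
// Earlier entries stay in the log, since processing before withdrawal was lawful.
function withdraw(state, purpose, now) {
  return applyEvent(state, { purpose, action: "withdraw", source: "user" }, now);
}

// Evidence the controller can produce for a purpose that is currently granted:
// the most recent user grant, or null if nothing justifies the cookie.
function evidenceFor(state, purpose) {
  if (state.decisions[purpose] !== true) return null;
  for (let i = state.log.length - 1; i >= 0; i--) {
    const e = state.log[i];
    if (e.purpose === purpose && e.action === "grant") return e;
  }
  return null;
}

// Walk-through with constructed events (timestamps are arbitrary numbers).
const demo = newConsentState();
applyEvent(demo, { purpose: "marketing", action: "grant", source: "user" }, 1000);
console.log(cookieAllowed(demo, "marketing"), evidenceFor(demo, "marketing"));
withdraw(demo, "marketing", 2000);
console.log(cookieAllowed(demo, "marketing"), demo.log.length);
```

The decisive design choice sits in applyEvent and cookieAllowed: an optional purpose stays undecided until the user acts, a grant is refused unless it originates from a user gesture, and the cookie gate treats undecided and denied identically, so a pre-ticked default can never be mistaken for consent. The log is what lets the controller demonstrate, as the Court required in Orange Romania, that consent was given by active behaviour and when.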

3.3 Dutch Data Protection Authority Decision Against TikTok21

The Dutch Data Protection Authority (DDPA) fined TikTok €750,000. TikTok, in the
process of offering its services, had violated children’s privacy. TikTok did not provide
its terms of service and privacy information in the appropriate language: the chosen
language was English instead of Dutch, so the data subjects could not understand their
rights and the risks associated with the TikTok service. An additional problem was that
many of TikTok’s subscribers were children, which heightened the concern about
transparency. While transparency is a key measure to protect privacy, what breadth and
scope of activities make a transaction transparent is not easily understood.
Defending its position, TikTok suggested that many of its subscribers would
understand English and that residents would be proficient in the language. Therefore,
providing the terms of service and privacy policy in English would not be a problem
for the subscribers. The DDPA responded that transparency is a core requirement for
all data controllers, and that the test of transparency begins with proper information
sharing. The DDPA held that a higher degree of responsibility attaches to data
controllers where the data subjects are children. Children need to be informed in
a clear, plain and simple manner. By providing information in English, in the opinion
of the DDPA, TikTok failed to fulfil the requirement of clear, plain and simple language.
Further questions could be asked about the meaning and implementation of the
steps that promote a clear, plain and simple way of informing data subjects. At the
outset, it is assumed that data subjects would read the terms of service and privacy
conditions if the information were provided in a clear, simple and plain manner.
However, there is no way to guarantee that this will happen. After reading, the data
subject must also understand the information the data controller has shared, and
understanding is impossible if reading does not happen in the first place. Although
presenting the terms of service and privacy policy in clear, plain and simple language
would help the data controller tick the compliance box, an unaddressed concern is
achieving the overall purpose: the data subject reading and understanding the policy
documents in order to make informed privacy decisions.
The Dutch DPA decision indicates the importance of language for data subjects
reading and understanding information. This approach would help data subjects
make informed and educated decisions about whether they want to use a service.
The following section discusses another mechanism which can help data subjects
make informed decisions – the requirement of explicit consent.

21 Dutch Data Protection Authority decision against TikTok 2021.

3.4 Explicit Consent and Ordinary Consent

It is difficult to differentiate between ordinary consent and consent that is explicit in
nature. According to the GDPR, consent represents a clear affirmative action by the
data subject. It means that the data subject can click on a check-box offered by a data
controller to show positive assent. In an online environment, clicking a check-box
is one of the standard arrangements of sharing consent with a data controller. This
activity is recognised as a valid form of consent under GDPR as clicking a check-box
represents multiple facets of a valid consent. It allows the data subject to exercise
free choice and shows positive assent. Further, it allows the data subject to read the
contents corresponding to the consent template signifying informed consent. It also
symbolises specific consent.
Clicking a check-box is a mere representation of what the GDPR needs. Consent
should go hand-in-hand with purpose. A single purpose behind the processing of
personal data by the data controller would need a single consent. Therefore, multiple
purposes would need multiple consents, and consent must not be bundled.
The GDPR mentions explicit consent as a requirement for processing sensitive
personal data. However, the GDPR does not expressly define explicit consent. The
general framework of consent acceptable under the GDPR is already an explicit
representation of active participation on the part of data subjects. Since the GDPR
nevertheless sets out a separate explicit consent requirement, it must be assumed that
this standard is higher than ordinary consent. One way of understanding explicit
consent is as a requirement that data subjects fully understand the implications of data
processing. Data controllers could be required to doubly verify data subjects’
understanding. There is no single definitive way to do so; a data controller can verify
understanding in different ways.
This section on consent as a legal basis of processing primarily discussed the
requirements of valid consent. Consent must be given through a clear affirmative
action which is freely given, specific, informed and unambiguous. The Orange
Romania judgement suggested that transparency and fairness are important when
seeking consent.22 The Dutch DPA decision indicates the importance of language
and understanding in facilitating transparency and informed consent. In connection
to this idea, the Planet49 judgement is an example of how pre-ticked check-boxes
are against the idea of valid consent, as it cannot be assumed that people would have
read and understood the information when they do not uncheck a ticked check-box.23
The judgements and decisions discussed in this section suggest the importance of
ensuring that the data subject is provided information in clear and understandable
language to enable them to read and understand the information and make educated
and informed consent decisions. Finally, the threshold of explicit consent is a tool

22 Orange Romania SA v Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP) Case C-61/19.
23 Bundesverband der Verbraucherzentralen und Verbraucherverbände — Verbraucherzentrale Bundesverband eV v Planet49 GmbH Case C-673/17. ECLI:EU:C:2019:801.

under the GDPR that may be used to verify that the user has understood the infor-
mation. This standard is applicable when processing sensitive personal data, which
carries a high privacy risk to individuals.

4 Exemptions Under Data Protection Framework

The GDPR provides certain exemptions in relation to the processing of personal data.
They apply in the context of personal or household use or where processing has taken
place for journalistic purposes.

4.1 Personal or Household Purposes

Recital 18 of the GDPR explains the personal or household exemption.24

“[t]his Regulation does not apply to the processing of personal data by a natural
person in the course of a purely personal or household activity and thus with
no connection to a professional or commercial activity. Personal or household
activities could include correspondence and the holding of addresses, or social
networking and online activity undertaken within the context of such activities.
However, this Regulation applies to controllers or processors which provide the
means for processing personal data for such personal or household activities.”

Source Recital 18, GDPR


Another example that helps in understanding this exemption is video surveillance:
if it “covers, even partially, a public space and is accordingly directed outwards from
the private setting of the person processing the data in that manner, it cannot be
regarded as an activity which is a purely ‘personal or household’ activity.”25
The Regulation should not apply to purely personal or household activities; otherwise
it would be too onerous for prospective data controllers operating from their
respective homes, imposing heavy obligations on an individual engaging in data
processing that carries minimal risk in a domestic environment.26 The exemption was
discussed in the Lindqvist case, which is examined next in this section.

24 Recital 18, GDPR.
25 František Ryneš v Úřad pro ochranu osobních údajů. Case C-212/13. ECLI:EU:C:2014:2428.
26 Jiahong Chen, Lilian Edwards, Lachlan Urquhart, Derek McAuley, ‘Who is responsible for data processing in smart homes? Reconsidering joint controllership and the household exemption’, (2020) 10(4) International Data Privacy Law 279–293. https://doi.org/10.1093/idpl/ipaa011.

4.1.1 Bodil Lindqvist Case C-101/01²⁷

The Lindqvist judgement is one of the earliest decisions that was useful for understanding
the scope of the exemptions prescribed under the old Data Protection Directive.
The complaint was filed at a time when commercial use of the Internet was only
beginning.
Facts
Mrs Lindqvist worked as a catechist in a parish in Sweden. In 1998, she created
certain web pages on her personal computer. These pages contained information about
Mrs Lindqvist and her 18 colleagues in the parish, including their personal details, jobs
and hobbies, their family circumstances, telephone numbers and other matters. Mrs
Lindqvist also shared information about a particular colleague who had injured
herself. Mrs Lindqvist did not inform her colleagues about the web pages or the fact
that she had uploaded this information. She had to remove the pages when others
objected.
The public prosecutor brought charges against Mrs Lindqvist for breaching the EU
Data Protection Directive 95/46 by (1) processing personal data by automatic means
without notifying the Swedish DPA in writing, (2) processing sensitive personal data
without authorisation and (3) transferring personal data to a third country without
authorisation.
Questions
There were several questions in this case.
• What is the meaning associated with personal data processed either wholly or
partly by automated means falling under Article 3(1) of Directive 95/46?
• Whether uploading information about individuals would be considered an
exemption under Article 3(2).
• Whether the nature of the information pertaining to the injured colleague, which
was available on the Internet, would be considered personal data relating to health
and would therefore fall within the special categories of data under Article 8(1).
Several arguments were made by Mrs Lindqvist and the Government of Sweden. On
the first question, Mrs Lindqvist disputed that mentioning names on a web page
amounted to automatic processing of personal data: since the names were not meta
tags, such pages could not be found with the help of a search engine. In the opinion of
the Government, all forms of processing using a computer would amount to the
processing of personal data.
According to the Court, processing under Article 2(b) of Directive 95/46 includes
“any operation or set of operations which are performed upon personal data, whether
or not by automatic means.”28 Therefore, the activity of loading personal data on a
webpage will be considered processing.

27 Criminal proceedings against Bodil Lindqvist Case C-101/01.
On the second question, Mrs Lindqvist claimed that her act of uploading information
on the webpage would fall under the rights of a private individual exercising
freedom of expression. It was not an economic activity that she undertook. In the
view of the government, “…processing of personal data by a natural person which
consisted in publishing those data to an indeterminate number of people, for example
through the internet, could not be described as a purely personal or household activity
within the meaning of the second indent of Article 3(2) of Directive 95/46.”29
The Court relied on the statutory exemptions provided under the old Directive
to answer the question. The first exemption relates to processing concerning public
security, defence and state security, while the second exemption deals with the State’s
activities in criminal law. The Court suggested that Article 3(2) “applies only to the
activities which are expressly listed there or which can be classified in the same
category (ejusdem generis).”30 Therefore, the activities of Mrs Lindqvist wouldn’t
be considered to fall under the scope of Article 3(2).
A second aspect of the exemption mentioned under Article 3(2) is when processing
happens in the context of activities meant for personal or domestic use, including
correspondence and holding of records of addresses. Here, the Court agreed with
the Government’s view and suggested that, “exception must therefore be interpreted
as relating only to activities which are carried out in the course of private or family
life of individuals, which is clearly not the case with the processing of personal data
consisting in publication on the internet so that those data are made accessible to an
indefinite number of people.”31
On the third question, the Court suggested, “the expression ‘data concerning
health’ used in Article 8(1) … must be given a wide interpretation so as to include
information concerning all aspects, both physical and mental, of the health of an
individual.”32 It means that the category of data uploaded by Mrs Lindqvist would
be classified as sensitive personal data.
The Lindqvist judgement essentially examined the exemption for personal or household
purposes and paved the way for future cases. It established that the publication of
information on the Internet, where it can be accessed by an indefinite number of people,
does not fall under personal or household use.

28 Criminal proceedings against Bodil Lindqvist Case C-101/01.
29 Criminal proceedings against Bodil Lindqvist Case C-101/01.
30 Criminal proceedings against Bodil Lindqvist Case C-101/01.
31 Criminal proceedings against Bodil Lindqvist Case C-101/01.
32 Criminal proceedings against Bodil Lindqvist Case C-101/01.

4.2 Journalistic Purposes

Other than the personal or household exemption, there is also the exemption of
journalistic purpose which will be discussed by reference to two CJEU judgements.

4.2.1 Tietosuojavaltuutettu v Satakunnan Markkinapörssi Oy Case C-73/07³³

This judgement involved the publication of tax-related data by a newspaper in
Finland. The issue was the scope of the exemption for processing carried out solely
for journalistic purposes under the Directive.
Facts
In Finland, certain tax-related data was available in the public domain. Satakunnan
collected such data for several years in order to publish it in regional newspaper
editions. The information collected was voluminous and consisted of the surnames and
given names of roughly 1.2 million natural persons, selected on the basis of an income
threshold and of the wealth tax levied on them. The information was arranged
alphabetically and further organised by municipality and income bracket. The
newspaper allowed removal of personal data upon request of the data subject, free of
charge.
Satakunnan also transferred the tax-related information published by the newspaper
to Satamedia, with the objective of disseminating it through a text-messaging system.
Furthermore, Satakunnan and Satamedia entered into an agreement with a mobile
telephony company, which activated a text-messaging service allowing all mobile
telephone users to receive the tax-related information published in the newspaper
editions. Here too, personal data was removed upon request.
Questions

“(1) Can an activity in which data relating to the earned and unearned income
and assets of natural persons are:
(a) collected from documents in the public domain held by the tax authorities
and processed for publication,
(b) published alphabetically in printed form by income bracket and
municipality in the form of comprehensive lists,
(c) transferred onward on CD-ROM to be used for commercial purposes,
and
(d) processed for the purposes of a text-messaging service whereby mobile
telephone users can, by sending a text message containing details of an
individual’s name and municipality of residence to a given number, receive in
reply information concerning the earned and unearned income and assets of
that person, be regarded as the processing of personal data within the meaning
of Article 3(1) of [the Directive]?
(2) Is [the Directive] to be interpreted as meaning that the various activities
listed in Question 1(a) to (d) can be regarded as the processing of personal data
carried out solely for journalistic purposes within the meaning of Article 9 of
the Directive, having regard to the fact that data on over one million taxpayers
have been collected from information which is in the public domain under
national legislation on the right of public access to the information? Does the
fact that publication of those data is the principal aim of the operation have any
bearing on the assessment in this case?
(4) Is [the Directive] to be interpreted as meaning that personal data
files containing, solely and in unaltered form, material that has already been
published in the media fall altogether outside its scope?”

Source Satakunnan Judgement

33 Tietosuojavaltuutettu v Satakunnan Markkinapörssi Oy. Case C-73/07. ECLI:EU:C:2008:727.


Essentially, the questions were whether the data controllers were processing
personal data, whether their processing activities fell within the scope of the law,
and whether they could rely on the journalistic purpose exemption.
Recital 37 of the Directive provided exemptions from certain provisions of the
law for journalistic purposes:

“Whereas the processing of personal data for purposes of journalism or for
purposes of literary or artistic expression, in particular in the audiovisual field,
should qualify for exemption from the requirements of certain provisions of
this Directive in so far as this is necessary to reconcile the fundamental rights
of individuals with freedom of [expression] and notably the right to receive and
impart information, as guaranteed in particular in Article 10 of the European
Convention for the Protection of Human Rights and Fundamental Freedoms…”

Source Recital 37
The Recital allows data processing to happen in derogation of the rights envisaged
under the Directive solely for journalistic purposes. However, the Member States
must ensure that proper safeguards and measures are in place to mitigate the possible
risk of abuse concerning the use of personal data.
The Court answered the first question in the affirmative. Reiterating the scope of
Article 3(1) of the Directive in the context of the case at hand, it held that the
activities in question, including collecting documents from the public domain,
publishing the data alphabetically, transferring the data on CD-ROM and processing
the data for a text-messaging service, involve the processing of personal data under
Article 3(1).

The data are personal data since they relate, directly or indirectly, to natural persons
with the help of different identifiers. That data is processed since the steps involve
collection, retrieval and storage.
One of the questions dealt with personal data already available in the public domain
and whether processing such data would fall outside the scope of the Directive. A
related situation had already been considered in the Lindqvist case,34 in the context
of purely personal or household activity and the outcome of holding records of
addresses and other correspondence. Following the Lindqvist judgement, the data
controller cannot rely on this basis if the processing and its outcome extend to an
indefinite number of people. While the reference point in the Lindqvist case was
uploading the data on the Internet for anyone to access, the reference point in the
Satakunnan case was making the data available to an unrestricted number of people
over the mobile telephone.35
Further, the Court argued that “a general derogation from the application of the
Directive in respect of published information would largely deprive the Directive of
its effect. It would be sufficient for the Member States to publish data in order for
those data to cease to enjoy the protection afforded by the Directive.”36 Therefore, the
Court concluded that personal data, and “files which contain solely, and in unaltered
form, material that has already been published in the media, fall within the scope of
application of the Directive.”37
Finally, the Court determined whether the processing activities would fall within
the scope of journalistic purposes. The overarching objective of the Directive is not
to stem the flow of data but equally to protect natural persons’ fundamental right to
privacy and personal data protection. At times, these rights need to be reconciled
with freedom of expression in a democratic society, and Member States must take
steps towards such reconciliation. The derogations and limitations must be confined
to the scope of solely journalistic purposes or the purpose of artistic or literary
expression.38
The Court stated a few principles that help in understanding the journalistic purpose
exemption. First, following the Advocate General, the Court stated that, as is
“apparent from the legislative history of the Directive, the exemptions and derogations
provided for in Article 9 of the Directive apply not only to media undertakings but
also to every person engaged in journalism.”39
Secondly, the fact that the data has been published in the public domain with the
intention of making a profit does not, prima facie, put such activity outside the scope
of an activity undertaken ‘solely for journalistic purposes’. In fact, a degree of
commercial activity and success is attached even to professional journalistic
activities.

34 Criminal proceedings against Bodil Lindqvist Case C-101/01.
35 Tietosuojavaltuutettu v Satakunnan Markkinapörssi Oy. Case C-73/07. ECLI:EU:C:2008:727.
36 Tietosuojavaltuutettu v Satakunnan Markkinapörssi Oy. Case C-73/07. ECLI:EU:C:2008:727.
37 Tietosuojavaltuutettu v Satakunnan Markkinapörssi Oy. Case C-73/07. ECLI:EU:C:2008:727.
38 Tietosuojavaltuutettu v Satakunnan Markkinapörssi Oy. Case C-73/07. ECLI:EU:C:2008:727.
39 Tietosuojavaltuutettu v Satakunnan Markkinapörssi Oy. Case C-73/07. ECLI:EU:C:2008:727.

Lastly, the medium and the methods adopted to disseminate the outcome of such
activity are immaterial; the activity could therefore equally be carried out on the
Internet.
The Court concluded:

“It follows from all of the above that activities such as those involved in the
main proceedings, relating to data from documents which are in the public
domain under national legislation, may be classified as ‘journalistic activities’
if their object is the disclosure to the public of the information, opinions or
ideas, irrespective of the medium which is used to transmit them. They are
not limited to media undertakings and may be undertaken for profit-making
purposes.”

Source Satakunnan Judgement


The Satakunnan judgement provides an interesting observation about the Court
being inclined to give freedom of expression a greater scope in comparison to the
privacy rights of data subjects. It possibly reflects the stance that it is in the greater
interest of the democratic society to know about the distribution of wealth, which
can increase credibility and transparency in a democratic society.

4.2.2 Sergejs Buivids Case C-345/1740

This judgement sets out the data protection norms to follow while conducting
journalistic activities. It explains who could be a journalist and what the journalist’s
role is, and considers whether formal training is required to become a journalist. It
further considers the possibility of disseminating journalistic material on different
media and the objective of carrying out a journalistic activity.
Facts
Buivids concerns the scope of journalism and its intersection with the data
protection principles and the data protection framework in the EU.

“Mr Buivids made a video recording in a station of the Latvian national police
while he was making a statement in the context of administrative proceedings
which had been brought against him.
Mr Buivids published the recorded video (‘the video in question’), which
showed police officers going about their duties in the police station, on the
internet site www.youtube.com, which is an internet site that allows users to
publish, share and watch videos.
After that video had been published, the National Data Protection Agency
found, by decision of 30 August 2013, that Mr Buivids had infringed
Article 8(1) of the Personal Data Protection Law because he had not informed
the police officers, as persons concerned, in the manner laid down by that
provision, of the intended purpose of the processing of personal data concerning
them. It is submitted that Mr Buivids also failed to provide any information
to the National Data Protection Agency as to the purpose of the recording
and publication of the recorded video on an internet site such as to prove
that the objective pursued was compliant with the provisions of the Personal
Data Protection Law. The National Data Protection Agency therefore requested
Mr Buivids to remove that video from the internet site www.youtube.com and
from other websites.
Mr Buivids stated in his application that he had wished, by the publication
of the video in question, to bring to the attention of society something which
he considered to constitute unlawful conduct on the part of the police. That
Court dismissed the action.”

Source Buivids Judgement

40 Proceedings brought by Sergejs Buivids Case C-345/17.


Following the above facts, the essential question was whether Mr Buivids’
activities constituted processing for journalistic purposes.
Questions

“(1) Do activities such as those at issue in the case (the recording, in a police
station, of police officers carrying out procedural measures and publication of
the video on the internet site www.youtube.com) fall within the scope of the
Data Protection Directive 1995?
(2) Are the activities in question processing of personal data for journalistic
purposes within the meaning of Article 9 of the Data Protection Directive
1995?”

Source Buivids Judgement


Before answering the question on the journalistic purpose exemption, the Court asked
some basic questions, including whether personal data was processed in the present
case. Personal data is information that helps to identify, directly or indirectly, a
natural person. The identification can happen by “reference to an identifier such as a
name, an identification number, location data, an online identifier or to one or more
factors specific to the physical, physiological, genetic, mental, economic, cultural or
social identity.”41 Therefore, personal data has a broad scope, and any information,
on its own or in combination with other information, has a considerable chance of
becoming personal data.

41 Article 4, GDPR.

Processing of personal data means “…any operation or set of operations which is
performed on personal data or on sets of personal data, whether or not by automated
means, such as collection, recording, organisation, structuring, storage, adaptation
or alteration, retrieval, consultation, use, disclosure by transmission, dissemination
or otherwise making available, alignment or combination, restriction, erasure or
destruction.”42 The scope of processing is broad, and even collection and recording
amount to processing. This shows that data processing begins the moment the data
controller comes into possession of personal data by collecting it.
The image or video of a person captured by a camera would be construed as
personal data because that image or video, directly or indirectly, would be able to
identify the data subject in question. Therefore, the video recorded by Mr Buivids
would be personal data simply because one can identify the police officers in the
station. Mr Buivids’ activity would thus be construed as processing personal data.
In this regard, the Court relied on a previous judgement.

“In the context of a video-surveillance system, the Court has held that a video
recording of persons which is stored on a continuous recording device — the
hard disk drive of that system — constitutes, pursuant to Article 2(b) and Article
3(1) of Directive 95/46, the automatic processing of personal data” (Ryneš,
C-212/13).

Source Buivids Judgement


In the context of this judgement, the digital camera used by Mr Buivids made it
possible to continuously record on the memory of the device, thereby constituting
the processing of personal data. The fact that Mr Buivids recorded just once does not
have a bearing on the outcome.
The next question was whether Mr Buivids’ activity would fall within one of the
exemptions under the Directive. Here, the Court suggested:

“First, the recording and publication of the video in question cannot be regarded
as a processing of personal data in the exercise of an activity which falls outside
the scope of EU law, nor can it be understood as a processing operation which
concerns public security, defence, State security and the activities of the State
in areas of criminal law, within the meaning of the first indent of Article 3(2)
of Directive 95/46. …
Secondly, since Mr Buivids published the video in question on a video
website on which users can send, watch and share videos without restricting
access to that video, thereby permitting access to personal data to an indefinite
number of people, the processing of personal data at issue in the main
proceedings does not come within the context of purely personal or household
activities.
Moreover, the act of recording a video of police officers in the performance
of their duties is not capable of excluding such a type of processing of personal
data from coming within the scope of Directive 95/46.”

Source Buivids Judgement

42 Article 4, GDPR.


The ECJ agreed with the Advocate General that there is no provision in the
Directive which expressly excludes the processing of personal data relating to
public officials. Therefore, the Directive extends to the video recording of police
officers in the station.
Turning to the question of the exemption for journalistic purposes, the Court observed
that Mr Buivids was not a professional journalist. However, that would not prevent
the recording of a video and its publication for an indefinite number of users to see
and share from falling within the scope of journalistic purposes.
Further, it does not matter whether dissemination of information happens through
one of the classical means of disseminating news or information for journalistic
purposes or over the Internet; dissemination over the Internet does not remove the
possibility of an activity falling within the scope of processing solely for journalistic
purposes.
It is important to consider that the exemptions and derogations mentioned under
Article 9 should be applied by balancing two fundamental rights, privacy and
freedom of expression in a democratic society. As to the criteria for striking such a
balance between

“…the right to privacy and the right to freedom of expression, the European
Court of Human Rights has laid down a number of relevant criteria which must
be taken into account, inter alia, contribution to a debate of public interest, the
degree of the notoriety of the person affected, the subject of the news report,
the prior conduct of the person concerned, the content, form and consequences
of the publication, and the manner and circumstances in which the information
was obtained and its veracity.”

Source Buivids Judgement


In the present judgement, there was no doubt that there was interference with the
right to privacy. Therefore, it was essential to establish that the sole object of the
recording and the subsequent publication was the disclosure of the information to
the public.
The Buivids judgement expands the scope of processing solely for journalistic
purposes. Both the Satakunnan and the Buivids judgements indicate that the
journalistic exemption is broadly construed and not limited to the traditional notions
of journalism. While it is important to protect privacy, the broad scope of the
journalistic exemption allows processing for such purposes without the need to
comply with some data protection provisions. The Court appears to tilt the balance
in favour of freedom of expression over the personal data protection and privacy
rights of the individual.

Questions
1. Explain the principles of processing under the GDPR with implementation
examples.
2. As a data controller, what are the various considerations for seeking valid consent
of data subjects?
3. Explain the exemptions for personal or household purposes and journalistic
purposes. Is a broad or narrow interpretation of these exemptions desirable?
4. Explain the scope of the journalistic purpose exemption with case law.

Suggested Readings

1. EDPB Guidelines 05/2020 on consent under Regulation 2016/679.
2. Article 29 Working Party Guidelines on Transparency under Regulation 2016/679
(wp260rev.01).
3. Article 29 Working Party Opinion 06/2014 on the notion of legitimate interests of the data
controller under Article 7 of Directive 95/46/EC.
4. Article 29 Working Party Working Document 02/2013 providing guidance on obtaining consent
for cookies.
5. Article 29 Working Party Opinion 03/2013 on purpose limitation.
6. Article 29 Working Party Opinion 3/2010 on the principle of accountability.
7. Dara Hallinan, Frederik Zuiderveen Borgesius, ‘Opinions can be incorrect (in our opinion)!
On data protection law’s accuracy principle’ (2020) 10(1) International Data Privacy Law 1–10.
https://doi.org/10.1093/idpl/ipz025
8. Peter Nowak v Data Protection Commissioner Case C-434/16 ECLI:EU:C:2017:994, para 53.
9. Digi Távközlési és Szolgáltató Kft. v Nemzeti Adatvédelmi és Információszabadság Hatóság
Case C-77/21.
10. Orange Romania SA v Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter
Personal (ANSPDCP) Case C-61/19.
11. Bundesverband der Verbraucherzentralen und Verbraucherverbände — Verbraucherzentrale
Bundesverband eV v Planet49 GmbH Case C-673/17. ECLI:EU:C:2019:801.
12. Dutch Data Protection Authority decision against TikTok.
13. František Ryneš v Úřad pro ochranu osobních údajů. Case C-212/13. ECLI:EU:C:2014:2428.
14. Criminal proceedings against Bodil Lindqvist Case C-101/01.
15. Tietosuojavaltuutettu v Satakunnan Markkinapörssi Oy. Case C-73/07. ECLI:EU:C:2008:727.
16. Proceedings brought by Sergejs Buivids Case C-345/17.
17. Max von Grafenstein, ‘The Principle of Purpose Limitation in Data Protection Laws: The
Risk-based Approach, Principles, and Private Standards as Elements for Regulating Innovation’
(2018). https://doi.org/10.5771/9783845290843
18. Tuulia Karjalainen, ‘All Talk, No Action? The Effect of the GDPR Accountability Principle
on the EU Data Protection Paradigm’ (2022) 8 Eur Data Prot L Rev 19.
19. Stephen Breen, Karim Ouazzane and Preeti Patel, ‘GDPR: Is your consent valid?’ (2020) 37(1)
Business Information Review 19–24. https://doi.org/10.1177/0266382120903254
20. Eleni Kosta, ‘Peeking into the cookie jar: the European approach towards the regulation of
cookies’ (2013) 21(4) International Journal of Law and Information Technology 380–406.
https://doi.org/10.1093/ijlit/eat011
21. Elena Kaiser, ‘The Concept of ‘Freely Given, Specific and Informed’ Consent under the
Scrutiny of the European Court of Justice’ (2020) 6(4) European Data Protection Law Review
607–610.
22. Agnieszka Jabłonowska, Adrianna Michałowicz, ‘Planet49: Pre-Ticked Checkboxes Are Not
Sufficient to Convey User’s Consent to the Storage of Cookies (C-673/17 Planet49)’ (2020)
6(1) European Data Protection Law Review 137–142.
Chapter 3
Transparency and Rights of the Data Subject

1 Introduction

The idea and framework of transparency provide the necessary foundation for
protecting the privacy of individuals. However, there is no universal standardised
scale available to measure the transparency level that a data controller should follow.
This chapter will discuss the meaning associated with the transparency principle.
Amongst other things, the section will discuss the general rules of the transparency
requirement (Article 12) and the requirement of information to be provided (Articles
13–14). Further, the chapter will discuss how the transparency principle is connected
to other rights and principles under the GDPR.
This chapter will broadly cover the rights of the data subject under the GDPR1
including the right to access (Article 15), right to erasure (right to be forgotten)
(Article 17), the right to data portability (Article 20) and right to object to data
processing (Article 21). Various CJEU judgements including Google Spain,2 Google
CNIL,3 GC CNIL,4 the case of Dutch Data Protection Authority and IAB Europe,5
Virgin Media6 and We Buy Any Car Limited (WBAC)7 will be discussed.

1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on
the protection of natural persons with regard to the processing of personal data and on the free
movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation),
OJ 2016 L 119/1 (hereinafter ‘GDPR’).
2 Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario
Costeja González, Case C-131/12, ECLI identifier: ECLI:EU:C:2014:317.

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2024
I. Gupta et al., Introduction to Data Protection Law,
https://doi.org/10.1007/978-981-97-6355-9_3

2 The Principle of Transparency

The essential function of transparency is engendering trust and allowing processes
to be challenged, as put forth by the Article 29 Working Party Guidelines.

Guidelines on Transparency under Regulation 2016/679 (wp260rev.01) 22/08/2018.
“Transparency is a long established feature of the law of the EU. It is about
engendering trust in the processes which affect the citizen by enabling them
to understand, and if necessary, challenge those processes. It is also an expres-
sion of the principle of fairness in relation to the processing of personal data
expressed in Article 8 of the Charter of Fundamental Rights of the European
Union.”

Source Article 29 Data Protection Working Party Guidelines on Transparency under
Regulation 2016/679
The GDPR discusses how the processing of personal data must happen in a trans-
parent manner. Transparency essentially requires providing the required information
at the outset in an easily accessible manner. Further, the data controllers must use
clear and plain language for data subjects to understand the information.

Regulation (EU) 2016/679 of the European Parliament and of the Council
Recital 39 states:
“Any processing of personal data should be lawful and fair. It should be transparent to
natural persons that personal data concerning them are collected, used, consulted or
otherwise processed and to what extent the personal data are or will be processed. The
principle of transparency requires that any information and communication relating
to the processing of those personal data be easily accessible and easy to understand,
and that clear and plain language be used.”

Source Recital 39, GDPR

3 Google LLC, successor in law to Google Inc. v Commission nationale de l’informatique et des
libertés (CNIL), Case C-507/17, ECLI identifier: ECLI:EU:C:2019:772.
4 GC and Others v Commission nationale de l’informatique et des libertés (CNIL), Case C-136/17,
ECLI identifier: ECLI:EU:C:2019:773.
5 Decision on the merits 21/2022 of 2 February 2022, Case number: DOS-2019-01377, Concerning:
Complaint relating to Transparency & Consent Framework.
https://edpb.europa.eu/system/files/2022-03/be_2022-02_decisionpublic_0.pdf. Accessed January 16, 2023.
6 ICO, ‘Virgin Media Limited’. https://ico.org.uk/action-weve-taken/enforcement/virgin-media-limited/.
Accessed January 16, 2023.
7 ICO, ‘We Buy Any Car Limited’. https://ico.org.uk/action-weve-taken/enforcement/we-buy-any-car-limited/.
Accessed January 14, 2023.


The requirement of clear and plain language is one of the crucial expectations. To
make communications clear and plain, the communication has to be simple. However,
it is difficult to provide an objective standard of simple communication. Unless there
is a standard template that has been approved by the concerned authority for clear
and plain communication, the requirement is difficult to ascertain.
An important consideration for clear and plain language is that the information
should be provided in the simplest manner possible, avoiding complicated sentences
and language patterns.8 The information should be specific and unambiguous; it
should not be expressed in abstract words or allow for several interpretations.9
In particular, the objectives and legal justifications for collecting personal data must
be explicitly stated.10
An important challenge is that even the simplest communications could be difficult
for a data subject to understand. The data subject may not understand the impact
of consenting. Going forward, a solution could be to adopt alternative communication
systems representing the meanings associated with the terms of service.
For instance, different pictorial tools could represent the key terms of service and
privacy policy. Before implementing these tools, their utility must be ascertained
and they must be formally included as an expectation for data controllers. The use
of alternative tools has been suggested under Recital 58.

Recital 58 GDPR states:

“The principle of transparency requires that any information addressed to
the public or to the data subject be concise, easily accessible and easy to
understand, and that clear and plain language and, additionally, where appro-
priate, visualisation be used. Such information could be provided in electronic
form, for example, when addressed to the public through a website. This is
of particular relevance in situations where the proliferation of actors and the
technological complexity make it difficult for the data subject to know and
understand whether, by whom and for what purpose personal data relating to
him or her are being collected, such as in the case of online advertising. Given
that children merit specific protection, any information and communication,
where processing is addressed to a child, should be in such a clear and plain
language that the child can easily understand.”

Source Recital 58, GDPR

8 Article 29 Working Party Guidelines on Transparency under Regulation 2016/679.
9 Article 29 Working Party Guidelines on Transparency under Regulation 2016/679.
10 Article 29 Working Party Guidelines on Transparency under Regulation 2016/679.


There are further requirements for transparency. One of them is that concise and
easily accessible information should be shared with the data subjects. This
requirement is particularly important, as Recital 58 points out, where multiple
stakeholders are present and in circumstances where it becomes difficult for data
subjects to understand the data collection process, the purposes behind data
collection and the identity of the data controllers. Recital 58 also points out that
children merit a greater level of protection, and information must be communicated
to children in clear and plain language they can understand. The situation with
children deserves more attention, an example of which is the Children’s Code
developed by the Information Commissioner’s Office (ICO), UK.11 The Code
addresses how information should be provided to children. It categorises children
according to age and provides different transparency requirements for each category,
and suggests using a mix of video, audio and text files so that children can easily
understand the information.
Easily accessible information requires easy access, for which no standard template
exists. There are multiple ways in which a data controller can provide access to
information. However, certain practices should be avoided, such as sending data
subjects to multiple places on a website, or placing information at obscure locations
which the data subjects are unlikely to visit. The data controller is responsible for
leading the data subject to the relevant information without requiring the data
subject to look for it. When the data subject is presented with a consent request, the
relevant information about purpose should be immediately forthcoming without any
additional effort on the part of the data subject.
Recital 39 provides a summary of the transparency expectations. In essence,
natural persons should know how the personal data are processed. Providing the
information mentioned in Recital 39 would make the processing more transparent
for the data controllers, data subjects and supervisory authorities.

Regulation (EU) 2016/679 of the European Parliament and of the Council
Recital 39 states:
“That principle concerns, in particular, information to the data subjects on
the identity of the controller and the purposes of the processing and further
information to ensure fair and transparent processing in respect of the natural
persons concerned and their right to obtain confirmation and communication
of personal data concerning them which are being processed. Natural persons
should be made aware of risks, rules, safeguards and rights in relation to the
processing of personal data and how to exercise their rights in relation to
such processing. In particular, the specific purposes for which personal data
are processed should be explicit and legitimate and determined at the time of
collecting the personal data. The personal data should be adequate, relevant
and limited to what is necessary for the purposes for which they are processed.
This requires, in particular, ensuring that the period for which the personal data
are stored is limited to a strict minimum.”

Source Recital 39, GDPR

11 ICO, ‘Introduction to the Age-Appropriate Design Code’.
https://ico.org.uk/for-organisations/guide-to-data-protection/ico-codes-of-practice/age-appropriate-design-code/.
Accessed January 14, 2023.


Lastly, to avoid information overload, data controllers must provide information
in a “concise and transparent” way.12 This information must be distinguished from
other non-privacy related information such as contractual clauses.13 A layered privacy
statement or notice can help the data subject easily find specific information instead
of having to navigate through a large volume of information in search of specific
information.14
The key elements of the transparency principle from a design and default
perspective include the following15:

. “Clarity – Information shall be in clear and plain language, concise and
intelligible.
. Semantics – Communication should have a clear meaning to the audience
in question.
. Accessibility – Information shall be easily accessible for the data subject.
. Contextual – Information should be provided at the relevant time and in the
appropriate form.
. Relevance – Information should be relevant and applicable to the specific
data subject.
. Universal design – Information shall be accessible to all data subjects,
include use of machine readable languages to facilitate and automate
readability and clarity.
. Comprehensible – Data subjects should have a fair understanding of what
they can expect with regards to the processing of their personal data,
particularly when the data subjects are children or other vulnerable groups.
. Multi-channel – Information should be provided in different channels and
media, not only the textual, to increase the probability for the information
to effectively reach the data subject.
. Layered – The information should be layered in a manner that resolves the
tension between completeness and understanding, while accounting for data
subjects’ reasonable expectations.”

Source EDPB Guidelines 4/2019 on Article 25 Data Protection by Design and by Default

12 Article 29 Working Party Guidelines on Transparency under Regulation 2016/679.
13 Article 29 Working Party Guidelines on Transparency under Regulation 2016/679.
14 Article 29 Working Party Guidelines on Transparency under Regulation 2016/679.
15 EDPB Guidelines 4/2019 on Article 25 Data Protection by Design and by Default Version 2.0
Adopted on 20 October 2020.

2.1 Connecting Transparency with Purpose Limitation Principle

As per Recital 39, the information to be provided includes the risks, the rules, the
safeguards and the rights, and what happens to what kind of data: whether data
controllers handle any sensitive personal information, how they store it, and whether
they transfer the data. Further, the specific purpose of processing has to be specified
on the data controller’s interface at the time of collection of the personal information.
The specific purposes should match the forthcoming granular consent, and consent
should connect to the purpose of processing.
The processing of personal data should be relevant and limited to the purpose
behind data collection. Purpose limitation is the principle that keeps every processing
operation tied to the stated purpose. Essentially, the principle ensures
that there is no overprocessing. Further, the storage period for personal data must
be limited to a strict minimum time within the confines of the purpose shared with
the natural person. Once the purpose has been fulfilled, the data controller must not
store the information unless there are definite reasons for storing it.
The review of the data storage timeline should become part of the data controller’s
internal governance structure. The data protection officer would help the internal
governance evolve within the data controller’s establishment. There must be
discussions about data storage and possible data erasure. All persons working in an
establishment and handling data should know the data storage and deletion protocol.
Recital 50 helps us understand the concept of compatible purpose in the purpose
limitation principle. It lists the circumstances under which purposes could be deemed
compatible.

Regulation (EU) 2016/679 of the European Parliament and of the Council


Recital 50 reads:

“The processing of personal data for purposes other than those for which
the personal data were initially collected should be allowed only where the
processing is compatible with the purposes for which the personal data were
initially collected. In such a case, no legal basis separate from that which
allowed the collection of the personal data is required. … In order to ascer-
tain whether a purpose of further processing is compatible with the purpose
for which the personal data are initially collected, the controller, after having
met all the requirements for the lawfulness of the original processing, should
take into account, inter alia:
any link between those purposes and the purposes of the intended further
processing;
the context in which the personal data have been collected, in particular the
reasonable expectations of data subjects based on their relationship with the
controller as to their further use;
the nature of the personal data;
the consequences of the intended further processing for data subjects;
and the existence of appropriate safeguards in both the original and intended
further processing operations.”

Source Recital 50, GDPR


A further round of processing is legitimate where there exists a certain
compatibility with the initial purpose shared at the stage of data collection. There should
be a connection between the data processing purpose in question and the purpose
at the initial phase. Importantly, there is no further need for the data controller to
have another legal basis for processing, such as fresh consent, when the further
processing purpose is related to the original purpose. Equally, the data controller
must clearly specify the consequences of data processing at the initial stage, and the
consequences of further processing for a claimed compatible purpose should not be
unexpected. Otherwise, the data controller cannot tie the further processing to
the initial consent.

3 The Requirement of Transparent Information

Another important Recital is Recital 60, which talks about transparency in the context
of profiling.

Regulation (EU) 2016/679 of the European Parliament and of the Council


Recital 60 reads:
“The principles of fair and transparent processing require that the data
subject be informed of the existence of the processing operation and its
purposes. The controller should provide the data subject with any further
information necessary to ensure fair and transparent processing taking into
account the specific circumstances and context in which the personal data are
processed. Furthermore, the data subject should be informed of the existence
of profiling and the consequences of such profiling. Where the personal data
are collected from the data subject, the data subject should also be informed
whether he or she is obliged to provide the personal data and the conse-
quences, where he or she does not provide such data. That information may be
provided in combination with standardised icons in order to give in an easily
visible, intelligible and clearly legible manner, a meaningful overview of the
intended processing. Where the icons are presented electronically, they should
be machine-readable.”

Source Recital 60, GDPR


Profiling has been defined under Article 4(4) of GDPR.

Regulation (EU) 2016/679 of the European Parliament and of the Council


Article 4(4):
“‘profiling’ means any form of automated processing of personal data
consisting of the use of personal data to evaluate certain personal aspects relating to
a natural person, in particular to analyse or predict aspects concerning that
natural person’s performance at work, economic situation, health, personal
preferences, interests, reliability, behaviour, location or movements.”

Source Article 4, GDPR


Profiling is the process of identifying certain personal aspects of individuals.
Recital 60 requires data controllers to inform data subjects about profiling in general
and its consequences. The data subjects should be aware of any obligation to share
personal data and the possible negative consequences in case they refuse to share
such data. Besides, there are serious repercussions for the issue of free consent when
data subjects are not allowed to reject processing for marketing or otherwise. Data
subjects can exercise their choice freely only when the data controller has shared the
reasons for processing personal data.
With the recitals as the foundation, Article 12 lays down the general rule of the
transparency requirement. All information provided to the data subject must have
five attributes: it must be concise, transparent, intelligible and easily accessible, and
it must use clear and plain language.16 As required by Article 13, the following
information must be provided to the data subject.

16 Article 12, GDPR.



Article 13:
“1. Where personal data relating to a data subject are collected from the
data subject, the controller shall, at the time when personal data are obtained,
provide the data subject with all of the following information:
(a) the identity and the contact details of the controller and, where applicable,
of the controller’s representative;
(b) the contact details of the data protection officer, where applicable;
(c) the purposes of the processing for which the personal data are intended
as well as the legal basis for the processing;
(d) where the processing is based on point (f) of Article 6(1), the legitimate
interests pursued by the controller or by a third party;
(e) the recipients or categories of recipients of the personal data, if any;
(f) where applicable, the fact that the controller intends to transfer personal
data to a third country or international organisation and the existence or absence
of an adequacy decision by the Commission, or in the case of transfers referred
to in Article 46 or 47, or the second subparagraph of Article 49(1), reference
to the appropriate or suitable safeguards and the means by which to obtain a
copy of them or where they have been made available.”

Source Article 13, GDPR


There can be situations where the data controller may not have received
information directly from the data subject. In this context, Recital 61 is important.

Recital 61:
“The information in relation to the processing of personal data relating to
the data subject should be given to him or her at the time of collection from
the data subject, or, where the personal data are obtained from another source,
within a reasonable period, depending on the circumstances of the case. Where
personal data can be legitimately disclosed to another recipient, the data subject
should be informed when the personal data are first disclosed to the recipient.
Where the controller intends to process the personal data for a purpose other
than that for which they were collected, the controller should provide the data
subject prior to that further processing with information on that other purpose
and other necessary information. Where the origin of the personal data cannot
be provided to the data subject because various sources have been used, general
information should be provided.”

Source Recital 61, GDPR


If a data controller obtains personal data from a different source, the data controller
must share information with the data subject within a reasonable time. As per Recital
62, sharing information is not obligatory “where the data subject already possesses
the information, […] or where the provision of information to the data subject proves
to be impossible or would involve a disproportionate effort.”17
Article 14 applies in cases where data controllers collect personal data of data
subjects indirectly. It carries the same requirements as Article 13, with additional
conditions on when the data subjects must be informed.

Article 14:
“The controller shall provide the information […]:
within a reasonable period after obtaining the personal data, but at the latest
within one month, having regard to the specific circumstances in which the
personal data are processed;
if the personal data are to be used for communication with the data subject,
at the latest at the time of the first communication to that data subject; or
if a disclosure to another recipient is envisaged, at the latest when the
personal data are first disclosed.”

Source Article 14, GDPR


The ability of the data subject to know the extent and effects of data processing
in advance is key to giving effect to transparency. The WP29 position is that, for complex,
technical, or unexpected data processing, controllers should not only provide the
required information under Articles 13 and 14 but also explicitly state in clear terms
the most significant consequences of data processing.18 In other words, what will be
the impact of the processing on the data subject? A description of the impact of data
processing would give an overview of the processes that pose the greatest risk to the
rights of data subjects in the context of protecting their personal information.19

4 Compliance Example

The following compliance example suggests how the principle of transparency and
other provisions of data protection law, including consent, apply in a practical
scenario. It is important to understand not only the provisions of the GDPR but
also their application in practice.

17 Recital 62, GDPR.


18 Article 29 Working Party Guidelines on Transparency under Regulation 2016/679.
19 Article 29 Working Party Guidelines on Transparency under Regulation 2016/679.

4.1 Transparency and Consent Framework: The Case of Dutch Data Protection Authority and IAB Europe20

Facts
Around 2019, a series of complaints were filed against the Interactive Advertising Bureau
(IAB) Europe. The basis of these complaints was the GDPR and how the IAB infringed
several principles, including but not limited to legality, appropriateness, transparency,
purpose limitation, storage restriction, security safeguards and accountability.
The case dealt with the conformity of the Transparency and Consent Framework
(TCF) with the GDPR. The case also pertains to the impact of the TCF on the practice of
Real-Time Bidding (RTB).
The TCF process included multiple players. These were21:
1. Publishers: These were websites that made advertising space available. They
were in direct contact with online users and collected and processed the personal
data of online users. These publishers provided a consent management platform
(CMP) on their website or in their application. The CMP helped them manage
consent shared by users or visitors and facilitate the TCF process. Publishers
could also decide on the Adtech vendors who would collect users’ personal data
from their websites and the respective purposes for such collection.
2. Adtech vendors: These were companies that received the personal data of online
users from publishers so that they could fill up advertising spaces on the
publishers’ websites and their applications.
3. Consent Management Platforms: These were specific platforms that facilitated
the TCF process. A pop-up appeared during the first connection
to a website. Through that pop-up, consent was sought for placing cookies and
other identifying information related to the online user. Here, there are certain
additional technical details that need to be understood.
The practice of Real-Time Bidding (RTB) can be explained as follows:
“[O]nline advertising is usually done primarily automatically and behind the
scenes, through ‘Programmatic advertising’ methods of which real-time bidding
(RTB) is the leading system. Real-time bidding refers to the use of an instantaneous
automated online auction for the sale and purchase of online advertising space.
Specifically, it means that when an individual accesses a website or application that
contains an advertising space, behind the scenes through an automated online auction
system and algorithms, technology companies representing thousands of advertisers
can instantly (in real time) bid for that advertising space to display targeted advertising
specifically tailored to that individual’s profile.”22

20 AEPD Decision on the merits 21/2022 of 2 February 2022 Case number: DOS-2019-01377.
https://edpb.europa.eu/system/files/2022-03/be_2022-02_decisionpublic_0.pdf. Accessed January
16, 2023.
21 AEPD Decision on the merits 21/2022 of 2 February 2022 Case number: DOS-2019-01377.
https://edpb.europa.eu/system/files/2022-03/be_2022-02_decisionpublic_0.pdf. Accessed January
16, 2023.

The online advertising space required a lot of tracking of those visiting multiple
websites. It required a coordinated real-time effort of multiple parties. This process
works behind the scenes on commercial websites and different mobile applications.
It involved thousands of companies who would receive real-time information about
online users and the sites they are visiting. In this manner, billions of advertising spaces
were auctioned every day. The following categories of information were shared with
possible buyers of those advertising spaces as a part of the bid request.
. The description of the website that the user is visiting.
. The operating system that is in use and installed on the device which is accessing
the website.
. The details of the browser and its settings.
. The manufacturer and model of the device.
. The operator providing the service to the online user.
. The dimensions of the screen used by the online user.
. Unique identifiers of users collected through different sources.
. Personal data such as the year of birth, gender, personal interests, location of
the user, metadata on consent given and postcode.
In the above process, the consent management platforms intervene through the
generation of a string of characters called the Transparency and Consent String or TC String.
Consent management platforms and the TC String work as follows:

Case Number: DOS-2019-01377

Complaint Relating to Transparency and Consent Framework
“An essential part of the intervention of a CMP [Consent Management
Platforms] is the generation of a character string consisting of a combination
of letters, numbers and other characters. This string is called the ’TC String’ by
IAB Europe, which stands for the ’Transparency and Consent String’. The TC
String is meant to capture in a structured and automated way the preferences
of a user when he visits a website or app of a publisher that has integrated
the CMP. This concerns in particular the capturing of consent (or not) to the
processing of personal data for marketing and other purposes, whether or not
to share personal data with third parties (adtech vendors) and the exercise or
not of the right to object. Vendors decipher the TC String to determine whether
they have the necessary legal basis to process a user’s personal data for the
specified purposes. Thanks to its concise data format, the CMP can store and
retrieve a user’s preferred data at any time and pass this information on to
adtech vendors who need it…
An Internet user browses the website of a publisher, for example a news
website.
i. The publisher ensures that a CMP is activated on its website or in its app
when the user arrives.
ii. The CMP checks whether a TC String already exists for this user or not. If
a ‘globally stored’ TC String is chosen, the CMP will contact the IAB Europe-
managed consensu.org internet domain to verify from there whether there is
already a so-called ’consensu’ cookie on the user’s device. In particular, this
relates to the euconsent-v2 cookie.
iii. If the third step shows that the TC String does not yet exist or is not up
to date, in a fourth step the CMP will show the user a user interface where he
can consent to the collection and sharing of his personal data.
iv. The Internet user makes a choice in the user interface.
v. The CMP generates the TC String and places a euconsent-v2 cookie on
the user’s device or updates the existing cookie.”

Source Complaint relating to Transparency & Consent Framework, Case DOS-2019-01377, 2 February 2022

22 AEPD Decision on the merits 21/2022 of 2 February 2022 Case number: DOS-2019-01377.
https://edpb.europa.eu/system/files/2022-03/be_2022-02_decisionpublic_0.pdf. Accessed January
16, 2023.

There are multiple risks associated with the above processes. The risks identified
by the DPA include:
. Profiling and automated decision-making.
. Large-scale processing (including special categories of personal data).
. Matching or merging of datasets, thereby running the risk of de-anonymising
already anonymised data.
. Prediction of online behaviour of users, their movement and location.
. Unlimited processing of personal data without giving online users a fair chance
to intervene or decide about the course of processing.
The following excerpts of the decision explain how the GDPR was infringed:
Lawfulness and Fair Processing: The decision rested on two processing operations:
(a) the capture of users’ consent signals, objections and preferences in the TC String
by the CMPs, and (b) the collection and dissemination of the users’ personal data by
the participating organisations. It was decided that:

1. “In the absence of a valid legal basis, … the data processing in the context
of the TCF in its current format, whereby CMPs capture the preferences of
online users in a TC String, does not comply with Article 6 of the GDPR.
2. It is therefore undeniable … that IAB Europe, as Managing Organisation for
the TCF, has failed to provide a legal basis for the processing of user preferences
in the form of a TC String and has therefore breached article 6 GDPR.”

Source Complaint relating to Transparency & Consent Framework, Case DOS-2019-01377, 2 February 2022
Users were not informed about installing the euconsent-v2 cookie on the device
they used to access the website. Therefore, it does not matter if they have agreed
with the purposes offered by the Adtech vendors. Further, they were not informed
about their rights to object to such processing. It meant insufficient information was
shared with the user, and there was no lawful basis. The decision concluded,

“that the processing of personal data under the OpenRTB on the basis of prefer-
ences captured in accordance with the current version of the TCF is incompat-
ible with the GDPR, due to an inherent breach of the principles of lawfulness
and fairness.”

Source Complaint relating to Transparency & Consent Framework, Case DOS-2019-01377, 2 February 2022
Further, the complainants suggested that since the entire ecosystem was so vast, it
was nearly impossible for the data subjects to give informed consent to the processing of
personal data. Nor did they have a chance to object to certain parts of the processing.
In the opinion of the DPA,

“the examples of CMPs specified in the Technical Report of the Inspection
Service, and notes that the interface offered to users does not allow, among
other things, the processing purposes associated with the authorisation of a
particular vendor or which adtech vendors will process their data for a specific
purpose to be identified in a simple and clear manner.”

Source Complaint relating to Transparency & Consent Framework, Case DOS-2019-01377, 2 February 2022.
The CMP did not adequately support the users. Therefore, the TCF setup did not
comply with the transparency requirement.
The DPA noted additional breaches and directed IAB Europe to address them
by:

1. “providing a valid legal basis for the processing and dissemination of users’
preferences within the context of the TCF, in the form of a TC String and a
euconsent-v2 cookie, as well as prohibiting, via the terms of use of the TCF, the
reliance on legitimate interests as a legal ground for the processing of personal
data by organisations participating in the TCF in its current form…;
2. ensuring effective technical and organisational monitoring measures in
order to guarantee the integrity and confidentiality of the TC String, …;
3. maintaining a strict audit of organisations that join the TCF in order to
ensure that participating organisations meet the requirements of the GDPR,
…;
4. taking technical and organisational measures to prevent consent from
being ticked by default in the CMP interfaces as well as to prevent automatic
authorisation of participating vendors relying on legitimate interest for their
processing activities…;
5. forcing CMPs to adopt a uniform and GDPR-compliant approach to the
information they submit to users, …;
6. updating the current records of processing activities, by including the
processing of personal data in the TCF by IAB Europe,..;
7. carrying out a data protection impact assessment (DPIA) with regard to
the processing activities under the TCF and their impact on the processing
activities carried out under the Open RTB system, as well as adapting this
DPIA to future versions or amendments to the current version of the TCF…;
8. Appointing a Data Protection Officer (DPO).”

Source Complaint relating to Transparency & Consent Framework, Case DOS-2019-01377, 2 February 2022
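The CMP flow (steps i to v) and the vendor-side TC String check quoted above, together with the DPA's measures 1 and 4, modelled as an added example that is not code from IAB Europe or from the decision. The real TC String is an IAB-specified compact encoding the page does not reproduce, so the base64-wrapped JSON record, the policy version number and the vendor and purpose identifiers are constructed assumptions; only the euconsent-v2 cookie name comes from the decision.

```python
"""Constructed model of the CMP / TC String flow and the vendor-side legal-basis check.
The real TC String encoding is not reproduced on the page, so a base64-wrapped
JSON record stands in for it (an assumption)."""
import base64
import json
from dataclasses import dataclass, field, asdict

COOKIE_NAME = "euconsent-v2"  # cookie name cited in the decision
CURRENT_VERSION = 2           # constructed: policy version the CMP expects


@dataclass
class TCRecord:
    """Stand-in for the TC String: the user's choices in a structured form."""
    version: int
    purpose_consents: set = field(default_factory=set)  # purposes the user opted in to
    vendor_consents: set = field(default_factory=set)   # vendors the user opted in to
    vendor_li: set = field(default_factory=set)         # vendors claiming legitimate interest
    objections: set = field(default_factory=set)        # purposes the user objected to


def encode_tc(record):
    """CMP side: serialise the record into one compact character string for the cookie."""
    payload = {k: sorted(v) if isinstance(v, set) else v
               for k, v in asdict(record).items()}
    raw = json.dumps(payload, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode()


def decode_tc(tc_string):
    """Vendor or CMP side: decipher the string back into a record."""
    payload = json.loads(base64.urlsafe_b64decode(tc_string.encode()).decode())
    return TCRecord(version=payload["version"],
                    purpose_consents=set(payload["purpose_consents"]),
                    vendor_consents=set(payload["vendor_consents"]),
                    vendor_li=set(payload["vendor_li"]),
                    objections=set(payload["objections"]))


def audit_cmp_defaults(ui_defaults):
    """Inspect the interface state before the user acts (DPA measure 4): nothing may be
    pre-ticked and no vendor may be auto-authorised on legitimate interest."""
    findings = []
    if ui_defaults.get("purposes_preticked"):
        findings.append("consent pre-ticked for purposes "
                        + str(sorted(ui_defaults["purposes_preticked"])))
    if ui_defaults.get("vendors_li_auto"):
        findings.append("vendors auto-authorised on legitimate interest "
                        + str(sorted(ui_defaults["vendors_li_auto"])))
    return findings


def record_from_choices(choices):
    """Step iv: build the record solely from what the user actively selected."""
    return TCRecord(version=CURRENT_VERSION,
                    purpose_consents=set(choices.get("purposes", ())),
                    vendor_consents=set(choices.get("vendors", ())),
                    vendor_li=set(choices.get("vendors_li", ())),
                    objections=set(choices.get("objections", ())))


def cmp_flow(cookies, choices):
    """Steps i to v of the decision; `cookies` is a dict modelling the user's cookie jar.
    Returns (record, ui_shown): an up-to-date TC String is reused without showing the
    interface, otherwise the UI choices become a new string and the cookie is set."""
    existing = cookies.get(COOKIE_NAME)
    if existing is not None:                   # step ii: does a TC String already exist?
        record = decode_tc(existing)
        if record.version == CURRENT_VERSION:  # still up to date: no interface shown
            return record, False
    record = record_from_choices(choices)      # steps iii and iv: show UI, capture choice
    cookies[COOKIE_NAME] = encode_tc(record)   # step v: place or update the cookie
    return record, True


def vendor_may_process(tc_string, vendor_id, purpose_id):
    """Vendor side: a legal basis exists only with the user's consent for both the
    vendor and the purpose and no objection to that purpose. A vendor listed only
    under legitimate interest gets no basis, in line with DPA measure 1."""
    rec = decode_tc(tc_string)
    if purpose_id in rec.objections:
        return False
    if vendor_id not in rec.vendor_consents:   # also rejects vendors present only in vendor_li
        return False
    return purpose_id in rec.purpose_consents


if __name__ == "__main__":
    # Constructed walkthrough: first visit, one opted-in vendor, one LI-only vendor.
    jar = {}
    _, shown = cmp_flow(jar, {"purposes": {1, 3}, "vendors": {"vendorA"},
                              "vendors_li": {"vendorB"}, "objections": {3}})
    print("UI shown:", shown,
          "| vendorA/purpose 1:", vendor_may_process(jar[COOKIE_NAME], "vendorA", 1),
          "| vendorB/purpose 1:", vendor_may_process(jar[COOKIE_NAME], "vendorB", 1))
```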
The above compliance example reflects the importance of implementing GDPR
provisions in practice. It is important to assess the processing operations and analyse
how the provisions could apply to such operations.

5 Right of Access Under the GDPR

The right of access to personal data relates to the principle of transparency. It enables
the data subject to comprehend how their personal data are handled and the effects of
that processing. The purpose of this right is also to give the person enough information
about how their data are processed so that they can verify and challenge various
parts of the processing activity in accordance with the GDPR (e.g. the principle
of lawfulness, accuracy).23 Recital 63 of the GDPR elaborates on the right of access to
personal data.

23 EDPB Guidelines 01/2022 on Data Subject Rights - Right of Access


Regulation (EU) 2016/679 of the European Parliament and of the Council


Recital 63 reads:
“A data subject should have the right of access to personal data which have
been collected concerning him or her, and to exercise that right easily and
at reasonable intervals, in order to be aware of, and verify, the lawfulness
of the processing. This includes the right for data subjects to have access to
data concerning their health, for example, the data in their medical records
containing information such as diagnoses, examination results, assessments
by treating physicians and any treatment or interventions provided. Every data
subject should therefore have the right to know and obtain communication in
particular with regard to the purposes for which the personal data are processed,
where possible, the period for which the personal data are processed, the recip-
ients of the personal data, the logic involved in any automatic personal data
processing and, at least when based on profiling, the consequences of such
processing. Where possible, the controller should be able to provide remote
access to a secure system which would provide the data subject with direct
access to his or her personal data. That right should not adversely affect the
rights or freedoms of others, including trade secrets or intellectual property
and in particular the copyright protecting the software. However, the result
of those considerations should not be a refusal to provide all information to
the data subject. Where the controller processes a large quantity of informa-
tion concerning the data subject, the controller should be able to request that,
before the information is delivered, the data subject specify the information or
processing activities to which the request relates.”

Source Recital 63, GDPR


The access right given to the data subjects under Recital 63 ensures that the data
subjects are aware of the data about them that the data controller holds. They can
verify the legal basis of data processing. The information that data subjects access
includes the purpose of processing, the time duration of such processing, recipients
of personal data, etc. The ideal system would allow the data subjects to remotely
access these details.
By virtue of Article 15 of the GDPR, the data subject has the right to access
information as and when a controller processes personal data. Besides, the data
subject may request the following information:

“(a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipient to whom the personal data
have been or will be disclosed, in particular recipients in third countries or
international organisations;
(d) where possible, the envisaged period for which the personal data will
be stored, or, if not possible, the criteria used to determine that period;
(e) the existence of the right to request from the controller rectification or
erasure of personal data or restriction of processing of personal data concerning
the data subject or to object to such processing;
(f) the right to lodge a complaint with a supervisory authority;
(g) where the personal data are not collected from the data subject, any
available information as to their source;
(h) the existence of automated decision-making, including profiling,
referred to in Article 22(1) and (4) and, at least in those cases, meaningful infor-
mation about the logic involved, as well as the significance and the envisaged
consequences of such processing for the data subject.”

Source Article 15, GDPR

5.1 RW v Österreichische Post AG Case C-154/2124

This judgement dealt with the question of whether the right to access under Article
15 of the GDPR includes the right to access information about the categories of
recipients or even specific recipients of the data.
Facts

“On 15 January 2019, RW asked Österreichische Post for access under
Article 15 of the GDPR to the personal data concerning him which were being
stored or had previously been stored by Österreichische Post and, if the data
had been disclosed to third parties, for information as to the identity of the
recipients.
In response to that request, Österreichische Post merely stated that it uses
data, to the extent permissible by law, in the course of its activities as a publisher
of telephone directories and that it offers those personal data to trading partners
for marketing purposes. It also referred to a website that set out more informa-
tion and further data processing purposes. It did not disclose to RW the identity
of the specific recipients of the data.”

Source Österreichische Post Judgement

24 RW v Österreichische Post AG. Case C-154/21. ECLI:EU:C:2023:3.


Questions
The Oberster Gerichtshof (Supreme Court) referred the following question to the
CJEU:

“Is Article 15(1)(c) of [the GDPR] to be interpreted as meaning that the right
of access is limited to information concerning categories of recipient where
specific recipients have not yet been determined in the case of planned disclo-
sures, but that right must necessarily also cover recipients of those disclosures
in cases where data [have] already been disclosed?”

Source Österreichische Post Judgement


The relevant provision is Article 15 of GDPR which states:

“1. The data subject shall have the right to obtain from the controller confir-
mation as to whether or not personal data concerning him or her are being
processed, and, where that is the case, access to the personal data and the
following information:
(c) the recipients or categories of recipient to whom the personal data
have been or will be disclosed, in particular recipients in third countries or
international organisations;”

Source Article 15, GDPR


A data subject has a right to know how the collected data are further processed,
together with a right of access to that information. It is imperative for a data
controller to share the list of specific recipients who are in possession of personal
data shared by data subjects. This underpins the transparent process that a
data controller must follow. As an exception, the CJEU was of the opinion that in
some circumstances it may not be possible to share details of specific recipients.
However, in these cases the categories of recipients must be identified.25 The CJEU
reasoned that information about recipients of data must be provided in accordance
with the principle of transparency and also to ensure the effectiveness of the exercise
of other rights, such as the right to rectification and erasure. In conclusion, the CJEU
held:

“[..] in order to respect the right of access, all processing of personal data
of natural persons must comply with the principles set out in Article 5 of
the GDPR…Those principles include the principle of transparency set out
in Article 5(1)(a) of the GDPR, which, as is clear from Recital 39 of that
Regulation, requires that the data subject have information about how his or
her personal data are processed and that that information be easily accessible
and easy to understand…
…the exercise of that right of access must enable the data subject to verify
not only that the data concerning him or her are correct, but also that they are
processed in a lawful manner…
In particular, that right of access is necessary to enable the data subject
to exercise, depending on the circumstances, his or her right to rectification,
right to erasure (‘right to be forgotten’) or right to restriction of processing,
conferred, respectively, by Articles 16, 17 and 18 of the GDPR [..] and the data
subject’s right to object to his or her personal data being processed, laid down
in Article 21 of the GDPR, and right of action where he or she suffers damage,
laid down in Articles 79 and 82 of the GDPR… Thus, in order to ensure the
effectiveness of all of the rights [..] the data subject must have, in particular,
the right to be informed of the identity of the specific recipients where his or
her personal data have already been disclosed…
…as is apparent from Recital 4 of the GDPR, the right to the protection of
personal data is not an absolute right. That right must be considered in relation
to its function in society and be balanced against other fundamental rights, in
accordance with the principle of proportionality…
Accordingly, it may be accepted that, in specific circumstances, it is not
possible to provide information about specific recipients. Therefore, the right
of access may be restricted to information about categories of recipient if it is
impossible to disclose the identity of specific recipients, in particular where
they are not yet known. In addition, it should be borne in mind that, under
Article 12(5)(b) of the GDPR, the controller may, pursuant to the principle
of responsibility referred to in Article 5(2) and Recital 74 of that Regulation,
refuse to act on requests from a data subject where those requests are
manifestly unfounded or excessive, it being specified that it is for the controller to
demonstrate that those requests are unfounded or excessive.”

Source Österreichische Post Judgement

25 RW v Österreichische Post AG. Case C-154/21. ECLI:EU:C:2023:3.

6 The Right to Erasure (Right to Be Forgotten)

6.1 The Idea of the Right to Be Forgotten

The right to be forgotten (RTBF) is a right that is available with a data subject when
the retention of personal data by a data controller is no longer necessary for the
purpose of processing. It is available even when the data subject has withdrawn
the consent shared initially with the data controller or where the processing is in
contravention of any of the provisions of GDPR. The right can be exercised in the
particular instance of a child’s consent. A child may not have been fully aware of the
risks involved with processing personal data and realise the potential risks of such
processing on the Internet after a few years. The data subject who is no longer a
child can also exercise this right.
While a data subject can exercise the right to be forgotten to remove or erase
personal data, there are situations where further data retention would be lawful,
including fulfilling a legal obligation. Recital 65 of the GDPR mentions these
situations as well as the grounds for the exercise of the right.

Recital 65 states:
“A data subject should have the right to have personal data concerning him
or her rectified and a ‘right to be forgotten’ where the retention of such
data infringes this Regulation or Union or Member State law to which the
controller is subject. In particular, a data subject should have the right
to have his or her personal data erased and no longer processed where
the personal data are no longer necessary in relation to the purposes for
which they are collected or otherwise processed, where a data subject has
withdrawn his or her consent or objects to the processing of personal data
concerning him or her, or where the processing of his or her personal data
does not otherwise comply with this Regulation. That right is relevant in
particular where the data subject has given his or her consent as a child and
is not fully aware of the risks involved by the processing, and later wants to
remove such personal data, especially on the internet. The data subject should
be able to exercise that right notwithstanding the fact that he or she is no longer
a child. However, the further retention of the personal data should be lawful
where it is necessary, for exercising the right of freedom of expression and
information, for compliance with a legal obligation, for the performance of a
task carried out in the public interest or in the exercise of official authority
vested in the controller, on the grounds of public interest in the area of public
health, for archiving purposes in the public interest, scientific or historical
research purposes or statistical purposes, or for the establishment, exercise or
defence of legal claims.”

Source Recital 65, GDPR


In the case of search engines, the grounds on which the right to delisting can be
exercised are the following as mentioned under Article 17(1):

“(a) the personal data are no longer necessary in relation to the purposes for
which they were collected or otherwise processed;
(b) the data subject withdraws consent on which the processing is based
according to point (a) of Article 6(1), or point (a) of Article 9(2), and where
there is no other legal ground for the processing;
(c) the data subject objects to the processing pursuant to Article 21(1) and
there are no overriding legitimate grounds for the processing, or the data subject
objects to the processing pursuant to Article 21(2);
(d) the personal data have been unlawfully processed;
(e) the personal data have to be erased for compliance with a legal obligation
in Union or Member State law to which the controller is subject;
(f) the personal data have been collected in relation to the offer of
information society services referred to in Article 8(1).”

Source Article 17, GDPR


In the case of search engines, the exceptions to the right to delisting are the
following as mentioned under Article 17(3):

“(a) for exercising the right of freedom of expression and information;
(b) for compliance with a legal obligation which requires processing by
Union or Member State law to which the controller is subject or for the perfor-
mance of a task carried out in the public interest or in the exercise of official
authority vested in the controller;
(c) for reasons of public interest in the area of public health in accordance
with points (h) and (i) of Article 9(2) as well as Article 9(3);
(d) for archiving purposes in the public interest, scientific or historical
research purposes or statistical purposes in accordance with Article 89(1) in
so far as the right referred to in paragraph 1 is likely to render impossible or
seriously impair the achievement of the objectives of that processing; or
(e) for the establishment, exercise or defence of legal claims.”

Source Article 17, GDPR


For a request of a right to be forgotten to be effectively implemented in an online
environment, the data controller is obliged to inform other controllers who have
received and processed such data to erase the data so that the personal data in question
are no longer processed. Recital 66 explains this requirement.

Recital 66 reads:
“To strengthen the right to be forgotten in the online environment, the right to
erasure should also be extended in such a way that a controller who has made
the personal data public should be obliged to inform the controllers which are
processing such personal data to erase any links to, or copies or replications
of those personal data. In doing so, that controller should take reasonable
steps, taking into account available technology and the means available to the
controller, including technical measures, to inform the controllers which are
processing the personal data of the data subject’s request.”

Source Recital 66, GDPR


Article 17 of the GDPR, titled ‘Right to erasure (“right to be forgotten”)’,
emphasises the erasure of the data rather than forgetting. The fulfilment of the
objective of forgetting depends on how effectively the right of erasure can be carried
out. In a digital environment, it is difficult for a data controller or a group of data
controllers to implement forgetting as it would encompass erasing all digital foot-
prints of personal data. Once the data are in the public domain, it is even more difficult
to erase all digital footprints.
In a digital environment, the network (i.e. network of networks or the Internet)
must forget the information, with the idea that if the information is erased from the
network, the network will eventually forget. If any part of the network remembers
the information, the right to be forgotten cannot be implemented absolutely.
For instance, there are limitations of the right to be forgotten in the case of delisting
requests made to search engines.²⁶

“If a data subject obtains the delisting of a particular content, this will result in
the deletion of that specific content from the list of search results concerning
the data subject when the search is, as a main rule, based on his or her name.
This content will however still be available using other search criteria.
Delisting requests do not result in the personal data being completely erased.
Indeed, the personal data will neither be erased from the source website nor
from the index and cache of the search engine provider. For example, a data
subject may seek the delisting of personal data from a search engine’s index
which have originated from a media outlet, such as a newspaper article. In this
instance, the link to the personal data may be delisted from the search engine’s
index; however, the article in question will still remain within the control of
the media outlet and may remain publicly available and accessible, even if no
longer visible in search results based on queries that include in principle the
data subject’s name.”

Source EDPB Guidelines 5/2019 on the criteria of the Right to be Forgotten in the
search engines cases under the GDPR (Part 1)

The right to be forgotten in the case of search engines has been considered by
several CJEU judgements, including Google Spain, Google CNIL, GC CNIL, and TU
and RE v Google LLC.

26 EDPB Guidelines 5/2019 on the criteria of the Right to be Forgotten in the search engines cases
under the GDPR (part 1) Version 2.0 Adopted on 7 July 2020.

6.1.1 Google Spain SL v. Agencia Española de Protección de Datos Case C-131/12²⁷

This matter concerns a Spanish national, Mr Costeja González, who filed a complaint
before the Spanish Data Protection Agency ‘the AEPD’ against Google Spain SL
(‘Google Spain’) and Google Inc. It concerns the appropriate measures to be adopted
so that Mr Costeja González’s personal data are removed from the search engine’s
index and future access to the data is prevented. The judgement suggests the concep-
tual dimensions attached to the right to be forgotten. The AEPD considered that
“obligation [to erase] may be owed directly by operators of search engines, without
it being necessary to erase the data or information from the website where they appear,
including when retention of the information on that site is justified by a statutory
provision.”²⁸

Questions
The essential question was whether the GDPR allows Mr Costeja to exercise the
right to be forgotten so that search results about him would not appear in the search
results list when his name was searched on Google.

Google Spain SL v. Agencia Española de Protección de Datos Case C-131/12

“[Whether] the rights to erasure and blocking of data, provided for in
Article 12(b), and the right to object, provided for by [subparagraph (a) of
the first paragraph of Article 14] of Directive 95/46, extend to enabling the
data subject to address himself to search engines in order to prevent indexing
of the information relating to him personally, published on third parties’ web
pages, invoking his wish that such information should not be known to internet
users when he considers that it might be prejudicial to him or he wishes it to
be consigned to oblivion, even though the information in question has been
lawfully published by third parties?”

Source Google Spain Judgement


The provisions of both GDPR and Data Protection Directive (1995) were consid-
ered. The Directive provided for the right to object and the right to erasure, which
were the framework for the complainant to raise the claim.

27 Google Spain SL v. Agencia Española de Protección de Datos Case C-131/12
ECLI:EU:C:2014:317
28 Google Spain SL v. Agencia Española de Protección de Datos Case C-131/12
ECLI:EU:C:2014:317

Article 12 of Directive 95/46, entitled ‘Rights of access’, provides data subjects
with an opportunity to obtain:
“(b) as appropriate the rectification, erasure or blocking of data the
processing of which does not comply with the provisions of this Directive,
in particular because of the incomplete or inaccurate nature of the data;”
Article 14 of Directive 95/46, entitled ‘The data subject’s right to object’,
provides:
“Member States shall grant the data subject the right:
(a) at least in the cases referred to in Article 7(e) and (f), to object at any
time on compelling legitimate grounds relating to his particular situation to the
processing of data relating to him, save where otherwise provided by national
legislation.”

Source Articles 12, 14 Directive 95/46


Google raised the argument of proximity vis-à-vis the entire operation to state
that it could not effectively implement the right to be forgotten. In Google’s opinion,
the website that has published this information is much better placed to remove the
personal data in question. Google cited that removing information from its indexes
may affect the fundamental rights of different stakeholders in question.
On the other hand, Mr Costeja argued that Google should implement the right
to be forgotten as it is a data controller processing personal data. The search results
shown by Google can significantly affect the rights of data subjects. Search engines
play an important role in modern society, and search results provide information in
a structured way about an individual on the Internet.

Google Spain SL v. Agencia Española de Protección de Datos Case C-131/12

“Mr Costeja González, … submit[s] that the national authority may
directly order the operator of a search engine to withdraw from its indexes
and intermediate memory information containing personal data that has
been published by third parties, without having to approach beforehand
or simultaneously the publisher of the web page on which that information
appears.
Article 12(b) of Directive 95/46 provides that Member States are to guar-
antee every data subject the right to obtain from the controller, as appropriate,
the rectification, erasure or blocking of data the processing of which does not
comply with the provisions of Directive 95/46, in particular because of the
incomplete or inaccurate nature of the data.
…processing of personal data, such as that at issue in the main proceedings,
carried out by the operator of a search engine is liable to affect significantly
the fundamental rights to privacy and to the protection of personal data when
the search by means of that engine is carried out on the basis of an individual’s
name, since that processing enables any internet user to obtain through
the list of results a structured overview of the information relating to
that individual that can be found on the internet — information which
potentially concerns a vast number of aspects of his private life and which,
…without the search engine, could not have been interconnected or
could have been only with great difficulty — and thereby to establish a
more or less detailed profile of him.
…Furthermore, the effect of the interference with those rights of the
data subject is heightened on account of the important role played by the
internet and search engines in modern society.”

Source Google Spain Judgement


The judgement considered the capacity and capability of search engines compared
to individual websites, as information accessed through search engines covers a
range of websites. Search engines make it possible to dig out information from an
obscure website, which otherwise would have remained unknown to users.
Therefore, using search engines and their capability heightens the risk to privacy.
Moreover, the utility of removing personal data from a website was questioned
because information published on websites can be replicated easily.
It is difficult to track all those who have replicated the information on other
websites. Moreover, those replicating the information may not be subject to EU
legislation. Therefore, search engines must mitigate the risks by removing personal
data from their search indexes.
Another important consideration is balancing conflicting interests while
implementing the right to be forgotten. In certain instances, the right to request erasure
has to be balanced with the importance of the information requested to be erased.
It will depend on the data subject’s role in public life when he requests the erasure of
information. If the data subject’s role in public life requires the information to be in
the public domain, the erasure request would be overridden.

Google Spain SL v. Agencia Española de Protección de Datos Case C-131/12

“[T]he operator of a search engine is obliged to remove from the list of
results displayed following a search made on the basis of a person’s name
links to web pages, published by third parties and containing information
relating to that person, also in a case where that name or information is not
erased beforehand or simultaneously from those web pages, and even, as the
case may be, when its publication in itself on those pages is lawful.
The operator of a search engine to remove from the list of results displayed
following a search made on the basis of his name links to web pages published
lawfully by third parties and containing true information relating to him, on
the ground that that information may be prejudicial to him or that he wishes it
to be ‘forgotten’ after a certain time.
As the data subject may, in the light of his fundamental rights under Arti-
cles 7 and 8 of the Charter, request that the information in question no longer
be made available to the general public by its inclusion in such a list of results,
it should be held, …that those rights override, as a rule, not only the economic
interest of the operator of the search engine but also, the interest of the
general public in finding that information upon a search relating to the
data subject’s name.
However, that would not be the case if it appeared, for particular
reasons, such as the role played by the data subject in public life, that
the interference with his fundamental rights is justified by the prepon-
derant interest of the general public in having, on account of inclusion in
the list of results, access to the information in question.”

Source Google Spain Judgement


After the Google Spain judgement, the Article 29 Working Party provided the
following criteria for data controllers to consider when assessing a delisting
request²⁹:

“Does the search result relate to a natural person – i.e. an individual? And does
the search result come up against a search on the data subject’s name?
Does the data subject play a role in public life? Is the data subject a public
figure?
Is the data subject a minor?
Is the data accurate?
Is the data relevant and not excessive?
a. Does the data relate to the working life of the data subject?
b. Does the search result link to information which allegedly constitutes
hate speech/slander/libel or similar offences in the area of expression against
the complainant?
c. Is it clear that the data reflect an individual’s personal opinion or does it
appear to be verified fact?
Is the information sensitive within the meaning of Article 8 of the Directive
95/46/EC?
Is the data up to date? Is the data being made available for longer than is
necessary for the purpose of the processing?
Is the data processing causing prejudice to the data subject? Does the data
have a disproportionately negative privacy impact on the data subject?

Does the search result link to information that puts the data subject at risk?
In what context was the information published?
a. Was the content voluntarily made public by the data subject?
b. Was the content intended to be made public? Could the data subject have
reasonably known that the content would be made public?
Was the original content published in the context of journalistic purposes?
Does the publisher of the data have a legal power – or a legal obligation – to
make the personal data publicly available?
Does the data relate to a criminal offence?”

Source Guidelines on the Implementation of the Court of Justice of the European
Union Judgment on “Google Spain and Inc V. Agencia Española De Protección De
Datos (Aepd) and Mario Costeja González” C-131/12

29 Guidelines On The Implementation Of The Court Of Justice Of The European Union Judgment
On “Google Spain And Inc V. Agencia Española De Protección De Datos (Aepd) And Mario Costeja
González” C-131/12 Adopted on 26 November 2014 14/EN WP 225.

While the Court laid down the right to be forgotten in the case of search engines,
there is a difference between a search engine as a data controller and a data controller
that is not a search engine. Non-search engine data controllers are also likely to have
a search option, but the difference is, for instance, between a web-based search in
Google vis-à-vis searching the contents of the particular website.
It is very difficult to implement erasure at all nodal points of the network of
networks (Internet), i.e. all computers or servers storing personal data. Once data are
in the public domain, the task is extremely difficult. Even if the data controllers in
question managed to erase all data, there could be an additional nodal point where
the information is available.
Therefore, Google, with the reach of a search engine, is seen as an alternative
to erasure at the end of the website that published the data. Google is the bridge that
provides an opportunity to reach the information sought. Without the bridge, an
online user would not be able to reach the information and may not even know that
the information exists in the first place.
Thus, erasure has a completely different conceptual dimension when data
controllers are search engines. Instead of carrying out the activity of erasure to
implement the right to be forgotten, they act as ‘disconnectors’ by breaking the
chain between an online user and the information.
Thus, there are multiple ways to fulfil the objective of the right to be forgotten. The
expectations about the right to be forgotten from a non-search engine data controller
could be very different from the expectations of a search engine. That would depend
on how close a data controller is to the information. It would help decide the extent
of erasure.

6.1.2 Google v CNIL Case C-507/17³⁰

This judgement, which was delivered subsequent to the Google Spain case, discusses
an interesting issue about de-referencing across all possible search engine domains.
The matter relates to a dispute between Google LLC, the legal successor to Google
Inc., and the Commission nationale de l’informatique et des libertés (‘the CNIL’).
The dispute was over a EUR 100,000 penalty imposed on Google by the CNIL.
Google had refused to de-reference links from all of its Google Search domain name
extensions.

Facts

“CNIL served formal notice on Google that, when granting a request from a
natural person for links to web pages to be removed from the list of results
displayed following a search conducted on the basis of that person’s name, it
must apply that removal to all its search engine’s domain name extensions.
Google refused to comply …confining itself to removing the links in ques-
tion from only the results displayed following searches conducted from the
domain names corresponding to the versions of its search engine in the
Member States.”

Source Google CNIL Judgement


Questions
The essential question was whether the right to de-referencing against a search
engine extends to all of its domain names or only to those corresponding to EU
Member States. A further question was whether geo-blocking would be required to
implement the right to de-referencing.

Google v CNIL C-507/17

QUESTION REFERRED:
“(1) Must the “right to de-referencing”, as established by the [Court] in its judg-
ment of 13 May 2014, [Google Spain and Google (C-131/12, EU:C:2014:317),]
on the basis of the provisions of [Article 12(b) and subparagraph (a) of the first
paragraph of Article 14] of Directive [95/46], be interpreted as meaning that a
search engine operator is required, when granting a request for de-referencing,
to deploy the de-referencing to all of the domain names used by its search
engine so that the links at issue no longer appear, irrespective of the place from
where the search initiated on the basis of the requester’s name is conducted,
and even if it is conducted from a place outside the territorial scope of Directive
[95/46]?

(2) In the event that Question 1 is answered in the negative, must the “right to
de-referencing”, as established by the [Court] in the judgment cited above, be
interpreted as meaning that a search engine operator is required, when granting
a request for de-referencing, only to remove the links at issue from the results
displayed following a search conducted on the basis of the requester’s name
on the domain name corresponding to the State in which the request is deemed
to have been made or, more generally, on the domain names distinguished
by the national extensions used by that search engine for all of the Member
States …?”

Source Google CNIL Judgement

30 Google LLC, Successor in Law to Google Inc., v Commission Nationale De l’Informatique Et
Des Libertés (CNIL) and others, C-507/17, ECLI:EU:C:2019:772


The CJEU stated,

Google v CNIL C-507/17

“both …directive and …regulation permit data subjects to assert their
right to de-referencing against a search engine operator who has one or
more establishments in the territory of the Union in the context of activities
involving the processing of personal data concerning those data subjects,
regardless of whether that processing takes place in the Union or not…
…internet users’ access — including those outside the Union — to the
referencing of a link referring to information regarding a person whose
centre of interests is situated in the Union is thus likely to have immediate
and substantial effects on that person within the Union itself.
Such considerations are such as to justify the existence of competence on
the part of the EU legislature to lay down the obligation for a search engine
operator, to carry out, when granting a request for de-referencing made by such
a person, a de-referencing on all the versions of its search engine.”

Source Google CNIL Judgement


Inaccurate or incomplete information can therefore be accessed from anywhere in
the world, and this will greatly affect those living in the Union. While the Court
suggested that the EU legislature may lay down certain obligations on the search
engines to remove information from search results using all its domains, it said, “it
should be emphasised that numerous third States do not recognise the right to
de-referencing or have a different approach to that right….”³¹

31 Case C-507/17 Google LLC vs. Commission nationale de l’informatique et des libertés (CNIL)
EU:C:2019:772.

Therefore,

“It follows that, currently, there is no obligation under EU law, for a search
engine operator who grants a request for de-referencing made by a data
subject, as the case may be, following an injunction from a supervisory or
judicial authority of a Member State, to carry out such a de-referencing on
all the versions of its search engine.
…a search engine operator cannot be required, …to carry out a de-
referencing on all the versions of its search engine… .”

Source Google CNIL Judgement


The Court was also faced with de-referencing information from search results
carried out using domains in all EU Member States. Alternatively, is de-referencing
required for the version operationalised at a place where the data subject resides?

“the rules concerning data protection by way of a Regulation, which is directly
applicable in all the Member States, …in order to ensure a consistent and high
level of protection throughout the European Union and to remove the obstacles
to flows of personal data within the Union, that the de-referencing in question
is, in principle, supposed to be carried out in respect of all the Member
States.”

Source Google CNIL Judgement


In the same context, the Court raised an important issue of privacy rights and the
public’s interest in accessing such information. This parameter is likely to vary from
one Member State to another. There could be issues like data processing for
journalistic purposes; therefore, Member States must balance the two rights. The
Court therefore said that

“the national supervisory authorities with the instruments and mechanisms
necessary to reconcile a data subject’s rights to privacy and the protection
of personal data with the interest of the whole public throughout the
Member States in accessing the information in question and, accordingly, to
be able to adopt, where appropriate, a de-referencing decision which covers
all searches conducted from the territory of the Union on the basis of that data
subject’s name.”

Source Google CNIL Judgement


In conclusion, the Court stated that as per the right to de-referencing “operator is
not required to carry out that de-referencing on all versions of its search engine, but
on the versions of that search engine corresponding to all the Member States, using,
where necessary, measures which, while meeting the legal requirements, effectively
prevent or, at the very least, seriously discourage an internet user conducting a search
from one of the Member States on the basis of a data subject’s name from gaining
access, via the list of results displayed following that search, to the links which are
the subject of that request.”32 Thus, while the Google Spain case laid down the right
to be forgotten in the case of search engines, the Google CNIL case laid down the
extent of the right vis-à-vis the domain names of the search engine corresponding to
EU Member States. Further, there are conditions under which a request for
erasure will not be upheld, and the right, where upheld, operates only within the EU.
Another judgement that deals with the right to be forgotten for search engines is the
GC CNIL case, which discusses the right in the case of sensitive personal data.

6.1.3 GC CNIL Case C-136/1733

The request was made as part of a dispute between GC, AF, BH and ED and the
Commission nationale de l’informatique et des libertés (‘the CNIL’). The question
arose over four decisions and whether Google Inc., now Google LLC, has to de-
reference various links appearing in the search results displaying their names and
leading to third-party web pages.
Facts

“GC, AF, BH and ED each requested Google to de-reference, in the list of
results displayed by the search engine operated by Google in response to
searches against their names, various links leading to web pages published
by third parties; Google, however, refused to do this….
…GC requested the de-referencing of a link leading to a satirical photomon-
tage placed online pseudonymously on 18 February 2011 on YouTube,
depicting her alongside the mayor of a municipality whom she served as head
of cabinet and explicitly referring to an intimate relationship between them and
to the impact of that relationship on her own political career. The photomon-
tage was placed online during the campaign for the cantonal elections in which
GC was then a candidate. On the date on which her request for de-referencing
was refused she was neither a local councillor nor a candidate for local elec-
tive office and no longer served as the head of cabinet of the mayor of the
municipality.”

Source GC CNIL Judgement

32 Case C-507/17 Google LLC vs. Commission nationale de l’informatique et des libertés (CNIL). EU:C:2019:772.
33 GC, AF, BH, ED v Commission nationale de l’informatique et des libertés (CNIL) Case C-136/17 ECLI:EU:C:2019:773.
128 3 Transparency and Rights of the Data Subject

“AF requested de-referencing of links leading to an article in the daily
newspaper Libération of 9 September 2008, reproduced on the site of the
Centre contre les manipulations mentales (Centre against mental manipula-
tion) (CCMM) (France), concerning the suicide of a member of the Church of
Scientology in December 2006. AF is mentioned in that article in his capacity
as public relations officer of the Church of Scientology, an occupation which
he has since ceased to exercise. Furthermore, the author of the article states
that he contacted AF in order to obtain his version of the facts and describes
the comments received on that occasion…
…BH requested the de-referencing of links leading to articles, mainly in
the press, concerning the judicial investigation opened in June 1995 into the
funding of the Parti républicain (PR), in which he was questioned with a number
of businessmen and political personalities. The proceedings against him were
closed by an order discharging him on 26 February 2010. Most of the links are to
articles contemporaneous with the opening of the investigation and therefore do
not mention the outcome of the proceedings.” “ED requested the de-referencing
of links leading to two articles published in Nice Matin and Le Figaro reporting
the criminal hearing during which he was sentenced to 7 years’ imprisonment
and an additional penalty of 10 years’ social and judicial supervision for sexual
assaults on children under the age of 15. One of the accounts of the Court
proceedings also mentions several intimate details relating to ED that were
revealed at the hearing.”

Source GC CNIL Judgement


The facts of the case illustrate four different situations in which right to be
forgotten requests are exercised. The data subjects in all four cases have different
social positions. It needs to be assessed whether the published information has any
bearing, importance, or relevance in a democratic society and, further, whether any
of this published information affects the role these individuals play in their public lives.
Questions

“whether the provisions of Article 8(1) and (5) of Directive 95/46 must be inter-
preted as meaning that the prohibition or restrictions relating to the processing
of special categories of personal data, mentioned in those provisions, apply
also, subject to the exceptions provided for by the Directive, to the operator of
a search engine in the context of his responsibilities, powers and capabilities
as the controller of the processing carried out for the needs of the functioning
of the search engine….
…whether the provisions of Article 8(1) and (5) of Directive 95/46 must be
interpreted as meaning that the operator of a search engine is required by those
provisions, …to accede to requests for de-referencing in relation to links
to web pages containing personal data falling within the special categories
referred to by those provisions;
– whether Article 8(2)(a) and (e) of Directive 95/46 must be interpreted as
meaning that, …, such an operator may refuse to accede … if he establishes
that the links at issue lead to content comprising personal data falling within the
special categories referred to in Article 8(1) but whose processing is covered
by one of the exceptions laid down in Article 8(2)(a) and (e) of the Directive;
and
– whether …operator of a search engine may also refuse to accede … on
the ground that the links whose de-referencing is requested lead to web pages
…published solely for journalistic purposes.”

Source GC CNIL Judgement

“whether or not publication of the personal data on the web page at the end of
the link at issue is lawful, must the provisions of Directive 95/46 be interpreted
as:
– requiring the operator of a search engine, when the person making the
request establishes that the data in question have become incomplete or inac-
curate, or are no longer up to date, to grant the corresponding request for
de-referencing;
– more specifically, requiring the operator of a search engine, when the
person making the request shows that, having regard to the conduct of the legal
proceedings, the information relating to an earlier stage of those proceedings
is no longer consistent with the current reality of his situation, to de-reference
the links to web pages comprising such information?
Must Article 8(5) of Directive 95/46 be interpreted as meaning that infor-
mation relating to the investigation of an individual or reporting a trial and
the resulting conviction and sentencing constitutes data relating to offences
and to criminal convictions? More generally, does a web page comprising data
referring to the convictions of or legal proceedings involving a natural person
fall within the ambit of those provisions?”

Source GC CNIL Judgement


Article 8 of the Directive sets out the rules for processing data of a sensitive
nature. One of the conditions that must be met before a data controller can process
such data is explicit consent. Article 8(5) concerns the processing of data relating to
offences and explains how such processing can be carried out with appropriate safeguards.
Another point to note is that the right to the protection of personal data is not absolute.
Following the principle of proportionality, it must be balanced with other
rights encountered in a democratic society. The reference points in such cases are
Article 11 and Article 52(1) of the Charter of Fundamental Rights. Article 52(1)
acknowledges that the rights under Articles 7 and 8 of the Charter may be limited,
provided the limitations are laid down by law and comply with European law and the
proportionality principle.

The Court stated that search engines become liable to remove information from
the list of search results, given the nature of the data that is shared when displaying
search results. Search engines may be asked to remove information from their search
results if the information is inaccurate or incomplete and can potentially have a
negative impact on the data subject.
While consent provides a lawful basis for processing personal data, in the context
of search engines the data controller cannot ask for consent from data subjects in the
traditional manner. But if a search engine receives a right to be forgotten request,
it represents an expression of withdrawal of consent. Search engines should treat
RTBF requests as an indication that further processing of personal data should stop.
After receiving a de-referencing request, the search engine must ascertain

“having regard to the reasons of substantial public interest referred to in
Article 8(4) of Directive 95/46 or Article 9(2)(g) of Regulation 2016/679 and
in compliance with the conditions laid down in those provisions, whether the
inclusion of the link to the web page in question in the list displayed following
a search on the basis of the data subject’s name is necessary for exercising
the right of freedom of information of internet users potentially interested
in accessing that web page by means of such a search, a right protected by
Article 11 of the Charter. While the data subject’s rights protected by Articles 7
and 8 of the Charter override, as a general rule, the freedom of information
of internet users, that balance may, however, depend, in specific cases, on the
nature of the information in question and its sensitivity for the data subject’s
private life and on the interest of the public in having that information, an
interest which may vary, in particular, according to the role played by the data
subject in public life”

Source GC CNIL Judgement


Further, the Court said:

“It is thus for the operator of a search engine to assess, in the context of a
request for de-referencing relating to links to web pages on which information
is published relating to criminal proceedings brought against the data subject,
concerning an earlier stage of the proceedings and no longer corresponding to
the current situation, whether, in the light of all the circumstances of the case,
such as, in particular, the nature and seriousness of the offence in question, the
progress and the outcome of the proceedings, the time elapsed, the part played
by the data subject in public life and his past conduct, the public’s interest
at the time of the request, the content and form of the publication and the
consequences of publication for the data subject, he or she has a right to the
information in question no longer, in the present state of things, being linked
with his or her name by a list of results displayed following a search carried
out based on that name.
It must, however, be added that, even if the operator of a search engine were
to find that that is not the case because the inclusion of the link in question
is strictly necessary for reconciling the data subject’s rights to privacy and
protection of personal data with the freedom of information of potentially
interested internet users, the operator is in any event required, at the latest on
the occasion of the request for de-referencing, to adjust the list of results in
such a way that the overall picture it gives the internet user reflects the current
legal position, which means in particular that links to web pages containing
information on that point must appear in first place on the list.”

Source GC CNIL Judgement


Thus, several factors need to be considered while determining an RTBF request
by balancing the privacy rights of the data subject with other fundamental rights,
including information and expression. In conclusion, the Court stated the following:

“Having regard to the above considerations, …
– first, information relating to legal proceedings brought against an individual
and, as the case may be, information relating to an ensuing conviction
are data relating to ‘offences’ and ‘criminal convictions’ within the meaning
of Article 8(5) of Directive 95/46, and
– second, the operator of a search engine is required to accede to a request
for de-referencing relating to links to web pages displaying such informa-
tion, where the information relates to an earlier stage of the legal proceedings
in question and, having regard to the progress of the proceedings, no longer
corresponds to the current situation, in so far as it is established in the verifi-
cation of the reasons of substantial public interest referred to in Article 8(4) of
Directive 95/46 that, in the light of all the circumstances of the case, the data
subject’s fundamental rights guaranteed by Articles 7 and 8 of the Charter over-
ride the rights of potentially interested internet users protected by Article 11
of the Charter.”

Source GC CNIL Judgement


Another judgement that deals with the question of RTBF in the case of search
engines is the TU, RE Google case. The matter deals with the interpretation of the
right to be forgotten (right to erasure) by search engines when the removal of a link to
content claimed to be inaccurate is requested. The judgement also deals with the
application of the right to be forgotten (right to erasure) in the case of image search
results on a search engine.

6.1.4 TU, RE v Google LLC Case C-460/2034

Facts
TU was engaged in business and was the cohabiting partner of RE. In 2015, three
articles were published on the g-net website criticising the investment model of the
fifth company. An article also included photos of TU in a luxury car, near a helicopter
and an aeroplane. There was also a photo of RE in a convertible car. G-LLC operates
the g-net website and has its registered office in New York, USA. The stated purpose of
G-LLC is “to contribute consistently towards fraud prevention in the economy and
society by means of active investigation and constant transparency.”35 There are
publications criticising G-LLC’s model which, according to them, involves blackmailing
companies by publishing negative reports and later offering to delete the reports for money.
Google displayed the articles about TU and RE when their names were searched
on their own and together with the names of the companies. An article was also
displayed when the company names alone were entered. In addition, a Google image
search displayed photos of the applicants as thumbnails. TU and RE requested Google
“to de-reference the links to the articles at issue in the main proceedings from the list
of search results, on the ground that they contained inaccurate claims and defamatory
opinions, and, second, to remove the thumbnails from the list of search results.”36
Google refused on the ground that it was unaware of the alleged inaccuracy.
Questions

“(1) Is it compatible with the data subject’s right to respect for private life
(Article 7 of the [Charter]) and to protection of personal data (Article 8 of
the Charter) if, within the context of the weighing-up of conflicting rights and
interests arising from Articles 7, 8, 11 and 16 of the Charter, within the scope
of the examination of his [or her] request for de-referencing brought against
the data controller of an internet search engine, pursuant to Article 17(3)(a)
of [the GDPR], when the link, the de-referencing of which [that person] is
requesting, leads to content that includes factual claims and value judgments
based on factual claims the truth of which is denied by the data subject, and the
lawfulness of which depends on the question of the extent to which the factual
claims contained in that content are true, the national Court also concentrates
conclusively on the issue of whether the data subject could reasonably seek
legal protection against the content provider, for instance by means of interim
relief, and thus at least provisional clarification on the question of the truth of
the content displayed by the search engine data controller could be provided?

34 TU and RE v Google LLC. Case C-460/20. ECLI:EU:C:2022:962.
35 TU and RE v Google LLC. Case C-460/20. ECLI:EU:C:2022:962.
36 TU and RE v Google LLC. Case C-460/20. ECLI:EU:C:2022:962.

(2) In the case of a request for de-referencing made against the data controller of
an internet search engine, which in a name search searches for photos of natural
persons which third parties have introduced into the internet in connection with
the person’s name, and which displays the photos which it has found in its search
results as preview images (thumbnails), within the context of the weighing-up
of the conflicting rights and interests arising from Articles 7, 8, 11 and 16
of the Charter pursuant to Article 12(b) and [point (a) of the first paragraph
of Article 14] of Directive [95/46 or] Article 17(3)(a) of [the GDPR], should
the context of the original third-party publication be conclusively taken into
account, even if the third-party website is linked by the search engine when
the preview image is displayed but is not specifically named, and the resulting
context is not shown with it by the internet search engine?”

Source TU and RE v Google LLC Case


The CJEU stated that when assessing the conditions in Article 17(3)(a) GDPR, the
accuracy of the referenced content must be considered in order to assess whether the
right to information and freedom of expression override the right to de-referencing.
If a data subject happens to play a role in public life, privacy rights will be overridden
by other rights existing in a democratic society, but this relationship is reversed
when the information is inaccurate: the right to information cannot prevail, because
it does not include a right to disseminate inaccurate information.
The question of the accuracy of information must distinguish between factual claims
and value judgements, since value judgements are not susceptible of proof. The person
making the de-referencing request need not be overburdened with a requirement to
produce hard evidence of the inaccuracy to be rectified. Similarly, not all
responsibilities can be placed on the operators; it would be unreasonable to expect
them to set up an adversarial process to investigate the facts underlying the claim of
inaccuracy in the de-referencing request. There must be a balance between the person
making such a de-referencing request submitting ‘relevant and sufficient’ evidence of
inaccuracy and the prima facie assessment of that evidence by the operator.37 The
Court answered these issues in the following way:

“As regards, in the first place, the obligations of the person requesting de-
referencing on account of the referenced content being inaccurate, it is for
that person to establish the manifest inaccuracy of the information found in
that content or, at the very least, of a part – which is not minor in relation
to the content as a whole – of that information. However, in order to avoid
imposing on that person an excessive burden which is liable to undermine
the practical effect of the right to de-referencing, that person has to provide
only evidence that, in the light of the circumstances of the particular case, can

37 TU and RE v Google LLC. Case C-460/20. ECLI:EU:C:2022:962.

reasonably be required of him or her to try to find in order to establish that
manifest inaccuracy. In that regard, that person cannot be required, in principle,
to produce, as from the pre-litigation stage, in support of his or her request for
de-referencing made to the operator of the search engine, a judicial decision
made against the publisher of the website in question, even in the form of a
decision given in interim proceedings. To impose such an obligation on that
person would have the effect of imposing an unreasonable burden on him or
her.
As regards, in the second place, the obligations and responsibilities incum-
bent on the operator of the search engine, it is true that the operator of the
search engine must, in order to determine whether content may continue to
be included in the list of search results carried out using its search engine
following a request for de-referencing, take into account all the rights and
interests involved and all the circumstances of the case.
However, when assessing the conditions for application laid down in
Article 17(3)(a) of the GDPR, that operator cannot be required to play an
active role in trying to find facts which are not substantiated by the request for
de-referencing, for the purposes of determining whether that request is well
founded.
Accordingly, when such a request is processed, the operator of the search
engine concerned cannot be required to investigate the facts and, to that end,
to organise an adversarial debate with the content provider seeking to obtain
missing information concerning the accuracy of the referenced content. In so far
as it would require the operator of the search engine to contribute to establishing
itself whether or not the referenced content is accurate, such an obligation
would impose on that operator a burden in excess of what can reasonably be
expected of it in the light of its responsibilities, powers and capabilities [..].That
obligation would thereby entail a serious risk that content meeting the public’s
legitimate and compelling need for information would be de-referenced and
would thereby become difficult to find on the internet. In that regard, there
would be a real risk of a deterrent effect on the exercise of freedom of expression
and of information if the operator of the search engine undertook such a de-
referencing exercise quasi-systematically, in order to avoid having to bear the
burden of investigating the relevant facts for the purpose of establishing whether
or not the referenced content was accurate.
Accordingly, where the person who has made a request for de-referencing
submits relevant and sufficient evidence capable of substantiating his or her
request and of establishing the manifest inaccuracy of the information found
in the referenced content or, at the very least, of a part – which is not minor
in relation to the content as a whole – of that information, the operator of
the search engine is required to accede to that request for de-referencing. The
same applies where the data subject submits a judicial decision made against
the publisher of the website, which is based on the finding that information
found in the referenced content – which is not minor in relation to that content
as a whole – is, at least prima facie, inaccurate.
By contrast, where the inaccuracy of such information found in the refer-
enced content is not obvious, in the light of the evidence provided by the data
subject, the operator of the search engine is not required, where there is no
such judicial decision, to accede to such a request for de-referencing. Where
the information in question is likely to contribute to a debate of public interest, it
is appropriate, in the light of all the circumstances of the case, to place particular
importance on the right to freedom of expression and of information.”

Source TU and RE v Google LLC Case


Regarding the thumbnails displayed in Google image search, the Court stated that
such display involves the processing of personal data, with Google being the controller
who must ensure compliance with the GDPR provisions. The Court stated that including
an internet page and information relating to a person in the list of results on searching
that person’s name makes the information easier to access and disseminate, and can
constitute a significant interference with the data subject’s privacy. It analysed the
informative value of a photograph on its own and its value when assessed together with
the accompanying text. Further, in the passage below, the Court considered the outcome
of upholding a de-referencing request for the text alone and its impact on the thumbnails
generated by the operator.38 An image can convey “personal or even intimate information
about an individual or his or her family.”39 The Court stated:

“As regards, in the first place, the purpose of the processing at issue, it should
be noted that the publication of photographs as a non-verbal means of commu-
nication is likely to have a stronger impact on internet users than text publica-
tions. Photographs are, as such, an important means of attracting internet users’
attention and may encourage an interest in accessing the articles they illustrate.
Since, in particular, photographs are often open to a number of interpretations,
displaying them in the list of search results as thumbnails may, in accordance
with what has been stated in paragraph 95 of the present judgment, result in a
particularly serious interference with the data subject’s right to protection of his
or her image, which must be taken into account when weighing-up competing
rights and interests.
As regards, in the second place, the nature of the processing carried out
by the operator of the search engine, it must be observed, as did the Advocate
General in point 55 of his Opinion, that, by retrieving the photographs of natural
persons published on the internet and displaying them separately, in the results
of an image search, in the form of thumbnails, the operator of a search engine

38 TU and RE v Google LLC. Case C-460/20. ECLI:EU:C:2022:962.
39 TU and RE v Google LLC. Case C-460/20. ECLI:EU:C:2022:962.

offers a service in which it carries out autonomous processing of personal data
which is distinct both from that of the publisher of the internet page from
which the photographs are taken and from that, for which the operator is also
responsible, of referencing that page.
Therefore, an autonomous assessment of the activity of the operator of the
search engine, which consists of displaying results of an image search, in the
form of thumbnails, is necessary, given that the additional interference with
fundamental rights resulting from such activity may be particularly intense
owing to the aggregation, in a search by name, of all information concerning
the data subject which is found on the internet. In the context of that autonomous
assessment, account must be taken of the fact that the display of the photographs
in the form of thumbnails on the internet constitutes, in itself, the result sought
by the internet user, regardless of his or her subsequent decision to access the
original internet page or not.
It should be added that such a specific weighing-up exercise, which takes
account of the autonomous nature of the data processing performed by the
operator of the search engine, is without prejudice to the possible relevance
of text elements which may directly accompany the display of a photograph
in the list of search results, since such elements are capable of casting light
on the informative value of that photograph for the public and, consequently,
of influencing the weighing-up of the rights and interests involved... In the
present case, it is apparent [..] that, while the photographs of the applicants
in the main proceedings contribute, in the context of the 4 June 2015 article
of which they form part, to conveying the information and opinions expressed
therein, those photographs, outside that context, when they appear solely in the
form of thumbnails in the list of results displayed following a search carried
out by the search engine, have little informative value. It follows that, if the
request for de-referencing of that article were to be rejected, on the ground
that freedom of expression and of information must prevail over the rights of
the applicants in the main proceedings to respect for their private life and to
protection of their personal data, that fact would be without prejudice to the
appropriate outcome of the request for removal of those photographs displayed
in the form of thumbnails in the list of results.
By contrast, if the request for de-referencing of the 4 June 2015 article
at issue were to be granted, the display, in the form of thumbnails, of the
photographs contained in that article would have to be removed. If that display
were retained, the practical effect of de-referencing the article would be
compromised since internet users would continue to have access to the entire
article, by virtue of the link contained in the thumbnails which leads to the
internet page on which the article from which the thumbnails are taken is
published.”

Source TU and RE v Google LLC Case


7 The Right to Data Portability and Right to Object to Processing 137

The Court held that Article 17(3)(a) GDPR implies that a de-referencing request
is not dependent on the issue of accuracy being resolved in an action that the person
has brought against the content provider.40 It suggested that a de-referencing request
for the removal of an image search result must take into account the informative value
of the picture as well as the informative value of any text accompanying it, irrespective
of the context of the original publication.41
Thus, the CJEU has interpreted the right to be forgotten in the various judgements
discussed above. While the Google Spain judgement (Case C-131/12) laid down the
right to be forgotten in the case of search engines by allowing the removal from the
list of search results of links containing personal data, the Google CNIL judgement
(Case C-507/17) laid down that the de-referencing of links extends to all EU domain
names and not to domain names worldwide. Other judgements dealt with specific
circumstances of the right to be forgotten. The GC CNIL judgement (Case C-136/17)
discussed the right to be forgotten when sensitive personal data are processed, and
the TU, RE Google judgement (Case C-460/20) discussed the right to be forgotten
when the accuracy of personal information is in question.

7 The Right to Data Portability and Right to Object to Processing

7.1 The Data Portability Right

The GDPR provides for the right to data portability. The essential components of
the right to data portability are the right to receive personal data, the right to transmit
personal data from one data controller to another, and controllership of
personal data.42
Recital 68 of GDPR refers to the right of data portability and the conditions under
which a data controller must transfer the data to another data controller.

Recital 68
“To further strengthen the control over his or her own data, where the processing
of personal data is carried out by automated means, the data subject should
also be allowed to receive personal data concerning him or her which he or
she has provided to a controller in a structured, commonly used, machine-
readable and interoperable format, and to transmit it to another controller.

40 TU and RE v Google LLC. Case C-460/20. ECLI:EU:C:2022:962.
41 TU and RE v Google LLC. Case C-460/20. ECLI:EU:C:2022:962.
42 Article 29 WP, Guidelines on the right to data portability, WP 242 rev.01, adopted on 13 December 2016, as last revised and adopted on 5 April 2017.

Data controllers should be encouraged to develop interoperable formats that
enable data portability. That right should apply where the data subject provided
the personal data based on his or her consent or the processing is necessary
for the performance of a contract. It should not apply where processing is
based on a legal ground other than consent or contract. By its very nature,
that right should not be exercised against controllers processing personal data
in the exercise of their public duties. Therefore, it should not apply where
the processing of the personal data is necessary for compliance with a legal
obligation to which the controller is subject or for the performance of a task
carried out in the public interest or the exercise of an official authority vested
in the controller. The data subject’s right to transmit or receive personal data
concerning him or her should not create an obligation for the controllers to
adopt or maintain processing systems which are technically compatible. In
a certain set of personal data, more than one data subject is concerned, the
right to receive the personal data should be without prejudice to the rights and
freedoms of other data subjects following this Regulation. Furthermore, that
right should not prejudice the right of the data subject to obtain the erasure
of personal data and the limitations of that right as set out in this Regulation
and should, in particular, not imply the erasure of personal data concerning the
data subject which have been provided by him or her for the performance of a
contract to the extent that and for as long as the personal data are necessary for
the performance of that contract. Where technically feasible, the data subject
should have the right to have the personal data transmitted directly from one
controller to another.”

Source Recital 68, GDPR


The right of data portability and its utility have been discussed in the first evaluation
report of the GDPR.43 The report stated that this right could put data subjects in control
of their data and help them choose between data controllers. They can switch between
controllers to obtain the services they prefer or those that are more data protection-friendly.
The opportunity to exercise this right indirectly supports innovation and fosters competition
amongst data controllers.
An important aspect of the right to data portability is that it applies to data “provided”
by the data subject to the data controller. The Article 29 Working Party identified the
categories of data that qualify as coming from the data subject: data the data subject
supplies directly, such as name and age, and data the data subject generates by using a
device or a service, for instance traffic data or data generated through mobile devices.44
There is also ‘inferred data and derived data’ that data controllers generate by virtue of
the data shared by data subjects, for instance where health-related data shared for a risk
assessment exercise are used by the controller to infer further information.45
As scholars have pointed out, the right to data portability not only encourages competition
amongst service providers but also limits the ability of large companies to monopolise the
digital economy. The right encourages interoperability through the development of multilevel
platforms, thereby placing the data subject at the helm of affairs amongst different stakeholders.46

43 European Parliament, ‘REPORT on the First Report on the implementation of the Data Protection Directive (95/46/EC) (COM(2003) 265 – C5-0375/2003 – 2003/2153(INI))’ (24 February 2004). https://www.europarl.europa.eu/doceo/document/A-5-2004-0104_EN.html. Accessed 25 June 2025.
44 Article 29 Working Party Guidelines on the right to data portability 16/EN WP 242 rev.01 Adopted on 13 December 2016 As last Revised and adopted on 5 April 2017.
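To make the three data categories concrete, here is an added example that is not part of the book or of the Article 29 Working Party guidelines: a small export routine that produces a structured, machine-readable (JSON) portability file, includes only data the subject supplied directly or generated through use of the service, leaves out inferred and derived data (which WP242 treats as not "provided"), and applies Recital 68's limitation to processing based on consent or contract. The record layout, field names and sample values are constructed for illustration.

```python
"""Added example, not from the book or the Article 29 WP guidelines: a
data-portability export that applies the three data categories discussed above.
Record layout, field names and sample values are constructed for illustration."""
import json
from dataclasses import dataclass
from typing import List

# Provenance labels following the Article 29 WP categories.
PROVIDED = "provided"   # actively supplied by the data subject, e.g. name, age
OBSERVED = "observed"   # generated by the subject's use of a device or service
INFERRED = "inferred"   # created by the controller from the above (outside the right)


@dataclass
class Record:
    subject_id: str
    field: str
    value: object
    provenance: str
    lawful_basis: str  # "consent", "contract", "legal_obligation", "public_task", ...


def portability_export(records: List[Record], subject_id: str) -> dict:
    """Build the export for one data subject.

    Recital 68 limits the right to data the subject provided and that is processed
    on the basis of consent or contract; WP242 treats inferred/derived data as not
    'provided'. Everything left out is listed under 'excluded' with a reason so the
    decision can be audited, and records of other data subjects are never touched."""
    included: dict = {}
    excluded: list = []
    for rec in records:
        if rec.subject_id != subject_id:
            continue  # another data subject's data: never part of this export
        if rec.provenance == INFERRED:
            excluded.append({"field": rec.field, "reason": "inferred/derived data"})
        elif rec.lawful_basis not in ("consent", "contract"):
            excluded.append({"field": rec.field, "reason": f"basis: {rec.lawful_basis}"})
        else:
            included.setdefault(rec.provenance, {})[rec.field] = rec.value
    return {"subject_id": subject_id, "data": included, "excluded": excluded}


def export_json(records: List[Record], subject_id: str) -> str:
    """Serialise as JSON, a structured, commonly used, machine-readable format."""
    return json.dumps(portability_export(records, subject_id), indent=2, sort_keys=True)


# Constructed sample records for two data subjects.
SAMPLE_RECORDS = [
    Record("ds-1", "name", "Alice Example", PROVIDED, "consent"),
    Record("ds-1", "age", 34, PROVIDED, "contract"),
    Record("ds-1", "traffic_gb_last_month", 12.5, OBSERVED, "contract"),
    Record("ds-1", "health_risk_score", "high", INFERRED, "contract"),
    Record("ds-1", "tax_id", "TAX-PLACEHOLDER", PROVIDED, "legal_obligation"),
    Record("ds-2", "name", "Bob Example", PROVIDED, "consent"),
]

if __name__ == "__main__":
    print(export_json(SAMPLE_RECORDS, "ds-1"))
```

The `excluded` list is deliberate: a portability response that silently drops fields is hard to defend to a supervisory authority, whereas one that records why each field was left out (inferred data, or a legal basis outside consent and contract) documents the controller's reasoning.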

7.2 Right to Object to Processing

Articles 21 and 22 and Recitals 70, 71 and 72 of the GDPR deal with the data subject’s
right to object to the processing of personal data. The data subject has the right to object
when the processing is for direct marketing purposes. Further, a data subject can also
object to the processing of personal data for scientific or historical research or statistical
purposes on grounds relating to the data subject’s particular situation, unless such processing
is necessary for the performance of a task carried out in the public interest.
Article 22 of the GDPR provides certain safeguards against solely automated processing
and against processing aimed at profiling a natural person. Article 22, titled ‘Automated
individual decision-making, including profiling’, reads:

“1. The data subject shall have the right not to be subject to a decision based
solely on automated processing, including profiling, which produces legal
effects concerning him or her or similarly significantly affects him or her.
2. Paragraph 1 shall not apply if the decision:
(a) is necessary for entering into, or performance of, a contract between the
data subject and a data controller;
(b) is authorised by Union or Member State law to which the controller
is subject and which also lays down suitable measures to safeguard the data
subject’s rights and freedoms and legitimate interests; or
(c) is based on the data subject’s explicit consent.
…the data controller shall implement suitable measures to safeguard the
data subject’s rights and freedoms and legitimate interests, at least the right to
obtain human intervention on the part of the controller, to express his or her
point of view and to contest the decision.”

Source Article 22, GDPR

45 Article 29 Working Party Guidelines on the right to data portability 16/EN WP 242 rev.01 Adopted on 13 December 2016 As last Revised and adopted on 5 April 2017.
46 Paul De Hert, Vagelis Papakonstantinou, Gianclaudio Malgieri, Laurent Beslay, Ignacio Sanchez, ‘The right to data portability in the GDPR: Towards user-centric interoperability of digital services’ (2018) 34(2) Computer Law & Security Review 193–203, https://doi.org/10.1016/j.clsr.2017.10.003.


Article 22 does not create a general ban on the use of automated processing for
making decisions that affect individuals.47 Instead, Article 22 confers upon data
subjects rights that they may exercise against automated decision-making.48
The EDPB in its Guidelines on Automated individual decision-making and
Profiling for the purposes of Regulation 2016/679 has explained the above provision.

“Article 22 provides that: (i) as a rule, there is a general prohibition on fully
automated individual decision-making, including profiling that has a legal or
similarly significant effect; (ii) there are exceptions to the rule; (iii) where one
of these exceptions applies, there must be measures in place to safeguard the
data subject’s rights and freedoms and legitimate interests.
The term ‘right’ in the provision does not mean that Article 22(1) applies
only when actively invoked by the data subject. Article 22(1) establishes a
general prohibition for decision-making based solely on automated processing.
This prohibition applies whether or not the data subject takes an action
regarding the processing of their personal data.”

Source EDPB Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679

The EDPB has also explained the terms used in the provision, namely “decision
based solely on automated processing”, “legal or similarly significant effects” and
“similarly significantly affects him or her.”49

The EDPB explained ‘Decision based solely on automated processing’ with an
example that “An automated process produces what is in effect a recommendation
concerning a data subject. If a human being reviews and takes account
of other factors in making the final decision, that decision would not be ‘based
solely’ on automated processing [..] The controller cannot avoid the Article
22 provisions by fabricating human involvement. For example, if someone
routinely applies automatically generated profiles to individuals without any
actual influence on the result, this would still be a decision based solely on
automated processing. To qualify as human involvement, the controller must
ensure that any oversight of the decision is meaningful, rather than just a token
gesture. It should be carried out by someone who has the authority and competence
to change the decision. As part of the analysis, they should consider all
the relevant data.”
The EDPB explained ‘Legal’ or ‘similarly significant’ effects as “A legal
effect requires that the decision, which is based on solely automated processing,
affects someone’s legal rights, such as the freedom to associate with others,
vote in an election, or take legal action. A legal effect may also be something
that affects a person’s legal status or their rights under a contract.”
The EDPB explained ‘Similarly significantly affects him or her’ as “For
data processing to significantly affect someone the effects of the processing
must be sufficiently great or important to be worthy of attention. In other words,
the decision must have the potential to: significantly affect the circumstances,
behaviour or choices of the individuals concerned; have a prolonged or permanent
impact on the data subject; or at its most extreme, lead to the exclusion or
discrimination of individuals.”

Source EDPB Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679

47 Luca Tosoni, ‘The right to object to automated individual decisions: resolving the ambiguity of Article 22(1) of the General Data Protection Regulation’ (2021) 11(2) International Data Privacy Law 145–162, https://doi.org/10.1093/idpl/ipaa024.
48 Luca Tosoni, ‘The right to object to automated individual decisions: resolving the ambiguity of Article 22(1) of the General Data Protection Regulation’ (2021) 11(2) International Data Privacy Law 145–162, https://doi.org/10.1093/idpl/ipaa024.
49 EDPB Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679.
The EDPB has explained the exceptions to the provision as follows:

The EDPB explained the exception of ‘Performance of a contract’ as “Controllers
may wish to use solely automated decision-making processes for
contractual purposes because they believe it is the most appropriate way to
achieve the objective. Routine human involvement can sometimes be impractical
or impossible due to the sheer quantity of data being processed.” The
EDPB explains the exception of “Authorised by Union or Member State law”
as “Automated decision-making including profiling could potentially take place
under 22(2)(b) if Union or Member State law authorised its use. The relevant
law must also lay down suitable measures to safeguard the data subject’s rights
and freedoms and legitimate interests.”

Source EDPB Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679
Further, the data controller must implement measures safeguarding data subjects’
rights. There are specific safeguard measures that data controllers can adopt,
such as pseudonymisation or anonymisation. The law gives the data subject the
option to contest decisions by obtaining human intervention, so the data controller
should put in place measures that fulfil this requirement. There is also a need to
provide meaningful information about the logic of the automated processing, which
should have practical value for data subjects.50

8 Compliance Examples

This section discusses two decisions of data protection authorities that help in
understanding the nuances of data subjects objecting to automated processing and
to processing for direct marketing purposes.

8.1 Virgin Media51

The ICO fined Virgin Media in 2021 for sending its customers large volumes of direct
marketing emails. The customers received marketing preference reminders from
Virgin Media. The ICO held that these were direct marketing messages and imposed
a fine of GBP 50,000.
Facts
More than 400,000 marketing emails were sent to subscribers who had opted out of
receiving marketing communications from Virgin Media. The text of the mail was
the following:

“We want to let you know that we won’t be raising your price this year. This
means the price you pay for your current package right now will stay the same
in 2020.
We’d like to stay in touch about all the great Virgin Media stuff we have on
offer for you. You have currently said no to receiving marketing messages from
us, which means that we are not able to keep you up to date with our latest TV,
broadband, phone and mobile news, competitions, product and bundle offers
via online, email, post, SMS, phone. You can change your preferences by
simply registering or signing in to virginmedia.com/optin. Click ‘My Profile’,
then ‘My Preferences’.”

Source Information Commissioner’s Office on Virgin Media Limited Monetary Penalty Notice (2021)

50 Bart Custers, Anne-Sophie Heijne, ‘The right of access in automated decision-making: The scope of article 15(1)(h) GDPR in theory and practice’ (2022) 46 Computer Law & Security Review, https://doi.org/10.1016/j.clsr.2022.105727.
51 ICO, ‘Virgin Media Limited’. https://cy.ico.org.uk/action-weve-taken/enforcement/virgin-media-limited/. Accessed January 16, 2023.

The complainant believed that the message had been disguised as a service message
to lure customers into opting in to future marketing communications. A series of
events helps to understand the nature of the communication between Virgin Media
and its subscribers.
A total of 1,964,562 emails were sent by Virgin Media on 4 August. These emails
were about the price freeze. Out of these, Virgin Media sent 1,303,671 emails to
subscribers who had opted in to receive price freeze messages; these customers wanted
to receive this information. A further 209,376 emails went to subscribers who had
opted out of receiving marketing communications, meaning that these customers did
not want to receive such emails; these emails did not contain the marketing preference
reminder text. Finally, 451,515 emails were sent to customers who had opted out of
receiving marketing emails and did contain the marketing preference reminder text.
The ICO received a complaint regarding this last category of emails.
Virgin Media suggested that they had received the data for the Price Freeze emails
directly from the subscribers. They claimed to have relied on certain feedback before
sending those emails, although they did not disclose the actual number. They claimed
that the feedback data suggested that some customers preferred to be informed about
marketing information, ranging from discounts on different products to other packages
that customers may not have opted for earlier.
Virgin Media assumed that customers who had opted out a year earlier might have
changed their minds about their marketing preferences.
Decision
The ICO found that Virgin Media had violated data protection norms by sending
451,217 emails to subscribers who had specifically opted out of receiving marketing
emails. These were direct marketing messages because they contained the marketing
preference reminder text.
The ICO further stated:

“The Marketing Preference Reminder sought to entice or encourage customers
to update their marketing preferences. It also marketed Virgin Media’s commercial
offerings, i.e. “the great Virgin Media stuff we have on offer for you…our
latest TV, broadband, phone and mobile news, competitions, product and
bundle offers.”

Source Information Commissioner’s Office on Virgin Media Limited Monetary Penalty Notice (2021)

The processing of the personal data of all the customers who received these emails
was not based on consent. Consent provides a legal basis that must exist before
processing commences. The ICO’s direct marketing guidance states:

“Organisations must not contact people on a suppression list at a later date to
ask them if they want to opt back in to receiving marketing.
This contact would involve using their personal data for direct marketing
purposes and is likely to breach the DPA and will also breach PECR if the
contact is by phone, text or email.”

Source Information Commissioner’s Office on Virgin Media Limited Monetary Penalty Notice (2021)

8.2 We Buy Any Car Limited (WBAC)52

We Buy Any Car Limited, or WBAC, is a vehicle purchasing company. Individuals
can use its website to obtain a price valuation for their vehicles. To stop receiving spam
or unsolicited messages, individuals can use the GSMA spam reporting service.
Facts
In April 2020, the ICO began investigating marketing messages sent by WBAC
between 7 April 2019 and 7 April 2020. The ICO sought information about the source
of the data and the consent obtained before the personal data were processed. WBAC
stated that they only correspond with individuals who request a vehicle valuation. WBAC
guaranteed the price valuation for a fixed period, within which the individual could sell
the vehicle. If the fixed period expired before the individual had sold the vehicle, WBAC
would contact the individual to offer the opportunity to update the valuation. WBAC
maintained that the emails and texts it sent were either requested by the customers or
sent under the soft opt-in rule. The ICO therefore assessed the soft opt-in approach.
The law in the UK defines the soft opt-in approach as:

“(3) A person may send or instigate the sending of electronic mail for the
purposes of direct marketing where –
(a) That person has obtained the contact details of the recipient of that
electronic mail in the course of the sale or negotiations for the sale of a product
or device to that recipient;
(b) The direct marketing is in respect of that person’s similar products and
services only; and
(c) The recipient has been given a simple means of refusing (free of charge
except for the costs of transmission of the refusal) the use of his contact details
for the purposes of such direct marketing at the time that the details were
initially collected, and, where he did not initially refuse the use of the details,
at the time of each subsequent communication.”

Source Information Commissioner’s Office on We Buy Any Car Limited (2021)

52 ICO, ‘We Buy Any Car Limited’. https://ico.org.uk/action-weve-taken/enforcement/we-buy-any-car-limited/. Accessed January 16, 2023.


The soft opt-in approach requires an existing relationship between the data controller
and the data subject before any communication is sent: the data controller cannot send
marketing messages where no such relationship exists. Data subjects may be contacted
only about similar products and services, and they must always have an opportunity to
say no and refuse processing for direct marketing purposes.
There were three categories of emails sent by WBAC during that period: journey emails,
batch emails and good news emails. There were 92.3 million journey emails based on the
customers’ requests. The batch emails were occasional emails sent to customers after a
certain period with WBAC. The good news emails informed customers about an increase
in the offer price.
Other than the journey emails sent during the valuation process, the ICO found that
customers had not solicited the remaining journey emails. Hence, these remaining emails
would not fall under the category of personal data processed on a lawful basis. The same
is true of the batch emails and good news emails, which the customers did not solicit.
With regard to the soft opt-in option, the ICO suggested:

“It is apparent from the above that whilst customers are informed of future
ways to opt-out at the point of collection of their details, the opportunity to
actually object to marketing messages is presented only after provision of the
vehicle valuation. Individuals have no opportunity to refuse marketing when
initially inputting their details. WBAC accept that the opt-out provision does
not occur until receipt of the first valuation email however believe that as there
is a ’minor temporal gap’ between the two events it is ’simultaneous’.”

Source Information Commissioner’s Office on We Buy Any Car Limited (2021)


The ICO did not accept this contention and reaffirmed that the customers had been given
no opportunity to refuse marketing emails when their details were collected.
Examples of some of the customer complaints are as follows:

“I’ve tried to unsubscribe twice and I’m still getting emails…
..Having repeatedly asked them to not send me any more messages. I
continue to receive direct marketing..
..I got a quote from we buy any car last summer and since then I have been
bombarded with emails from them about the car, I received the quote for. I
have requested to unsubscribe from their service in full at least 3 to 4 times
possibly more. I have lost count. But still, I get emails from them. I tend to
delete them now but today I decided to try again to remove myself from their
service. You never get any confirmation that you’ve succeeded either.”

Source Information Commissioner’s Office on We Buy Any Car Limited (2021)

These examples suggest that WBAC did not allow its customers to withdraw from
receiving marketing emails. These are instances of over-processing: direct marketing
without seeking consent from the customers. Although the initial purpose for processing
the personal information had long ended, the data controller continued processing it.
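Both decisions turn on checks a sending system can enforce before a message leaves: the Virgin Media notice treats a "preference reminder" inviting people to opt back in as direct marketing that must never go to a suppression list, and the WBAC notice treats the soft opt-in as unavailable when the chance to refuse was offered only after collection rather than at it. The following is an added example, not code from the book or from either ICO notice, of a pre-send gate encoding those rules; the recipient records, message texts, marker phrases and helper names are all constructed for illustration.

```python
"""Added example, not from the ICO notices or the book: a pre-send gate for
direct marketing emails that encodes the rules the Virgin Media and WBAC
decisions turn on. Recipient records, message texts and helper names are all
constructed for illustration."""
from dataclasses import dataclass
from typing import Tuple

# Phrases that mark a message as marketing rather than a pure service
# notification. Constructed list; a real deployment would maintain its own.
MARKETING_MARKERS = ("on offer", "offers", "competitions", "change your preferences")


@dataclass
class Recipient:
    email: str
    opted_out: bool                      # on the suppression list
    consented: bool                      # explicit opt-in to marketing
    collected_during_sale: bool          # PECR reg. 22(3)(a): details obtained in a sale/negotiation
    refusal_offered_at_collection: bool  # reg. 22(3)(c): chance to refuse when details were collected


@dataclass
class Message:
    body: str
    similar_products: bool   # reg. 22(3)(b): marketing for similar products/services only
    has_unsubscribe: bool    # reg. 22(3)(c): simple means of refusal in each message


def is_marketing(body: str) -> bool:
    """A 'preference reminder' inviting people to opt back in is marketing
    (the Virgin Media finding), so it is caught here like any other promotion."""
    lowered = body.lower()
    return any(marker in lowered for marker in MARKETING_MARKERS)


def may_send(recipient: Recipient, message: Message) -> Tuple[bool, str]:
    """Decide whether one message may go to one recipient, with the reason."""
    if not is_marketing(message.body):
        return True, "service message with no marketing content"
    if recipient.opted_out:
        # Suppression list wins: a later 'do you want to opt back in?' is itself marketing.
        return False, "recipient is on the suppression list"
    if recipient.consented:
        return True, "explicit consent"
    soft_opt_in = (
        recipient.collected_during_sale
        and message.similar_products
        and recipient.refusal_offered_at_collection  # the WBAC failure: offered only later
        and message.has_unsubscribe
    )
    if soft_opt_in:
        return True, "soft opt-in conditions met"
    return False, "no consent and soft opt-in conditions not met"


def gate_batch(recipients, message: Message) -> dict:
    """Apply may_send to a batch and count outcomes by reason for the audit log."""
    summary = {"sent": 0, "blocked": 0, "reasons": {}}
    for recipient in recipients:
        allowed, reason = may_send(recipient, message)
        summary["sent" if allowed else "blocked"] += 1
        summary["reasons"][reason] = summary["reasons"].get(reason, 0) + 1
    return summary


# Constructed sample inputs modelled on the two decisions.
PRICE_FREEZE = Message(
    body="We won't be raising your price this year; your current package price stays the same.",
    similar_products=True, has_unsubscribe=True)
PRICE_FREEZE_WITH_REMINDER = Message(
    body=PRICE_FREEZE.body + " We'd like to stay in touch about all the great stuff we have on "
         "offer for you. You can change your preferences at any time.",
    similar_products=True, has_unsubscribe=True)
OPTED_OUT = Recipient("a@example.test", opted_out=True, consented=False,
                      collected_during_sale=True, refusal_offered_at_collection=True)
VALUATION_ONLY = Recipient("b@example.test", opted_out=False, consented=False,
                           collected_during_sale=True, refusal_offered_at_collection=False)

if __name__ == "__main__":
    print(gate_batch([OPTED_OUT, VALUATION_ONLY], PRICE_FREEZE_WITH_REMINDER))
```

The order of the checks is the point: content classification comes first, so a genuine service notice still reaches opted-out customers, but as soon as the text carries marketing the suppression list is consulted before any consent or soft opt-in reasoning. The per-reason counts give the compliance team the same breakdown the ICO reconstructed after the fact in the Virgin Media notice.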
Questions
1. As a data controller, how can you achieve transparency for the data subject?
2. Explain the various facets of the right to be forgotten with case law. What are the
limitations of the right to be forgotten in enabling forgetting in the digital age?
3. Explain the conditions of Article 22 GDPR, which provides for the right against
automated decision-making.
4. Explain the right to object to direct marketing with examples.

Suggested Readings

1. EDPB Guidelines 01/2022 on data subject rights - Right of access.
2. EDPB Guidelines 5/2019 on the criteria of the Right to be Forgotten in the search engines cases
under the GDPR (part 1)
3. EDPB Guidelines on the right to data portability under Regulation 2016/679, WP242 rev.01.
4. Article 29 Working Party Guidelines on Transparency under Regulation 2016/679
(wp260rev.01).
5. Article 29 Working Party Opinion 1/2008 on data protection issues related to search engines.
6. YS v Minister voor Immigratie, Integratie en Asiel and Minister voor Immigratie, Integratie
en Asiel v M and S. Joined Cases C-141/12 and C-372/12. ECLI:EU:C:2014:2081.
7. Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and
Mario Costeja González, Case C-131/12, ECLI identifier: ECLI:EU:C:2014:317.
8. Google LLC, successor in law to Google Inc. v Commission nationale de l’informatique et des
libertés (CNIL), Case C-507/17, ECLI identifier: ECLI:EU:C:2019:772.
9. GC and Others v Commission nationale de l’informatique et des libertés (CNIL), Case C-136/
17, ECLI identifier: ECLI:EU:C:2019:773.
10. TU and RE v Google LLC. Case C-460/20. ECLI:EU:C:2022:962.
11. Guidelines On The Implementation Of The Court Of Justice Of The European Union Judgment
On “Google Spain And Inc V. Agencia Española De Protección De Datos (Aepd) And Mario
Costeja González” C-131/12 Adopted on 26 November 2014 14/EN WP 225.
12. Decision on the merits 21/2022 of 2 February 2022, Case number: DOS-2019–01377,
Concerning: Complaint relating to Transparency & Consent Framework. https://edpb.europa.
eu/system/files/2022-03/be_2022-02_decisionpublic_0.pdf. Accessed January 16, 2023.
13. “Introduction to the Age-Appropriate Design Code” (ICO). https://ico.org.uk/for-organisations/guide-to-data-protection/ico-codes-of-practice/age-appropriate-design-code/. Accessed
January 14, 2023.
14. RW v Österreichische Post AG. Case C-154/21. ECLI:EU:C:2023:3.
15. Janis Wong, Tristan Henderson, ‘The right to data portability in practice: exploring the impli-
cations of the technologically neutral GDPR’ (2019) 9(3) International Data Privacy Law
173–191, https://doi.org/10.1093/idpl/ipz008
16. Luca Tosoni, ‘The right to object to automated individual decisions: resolving the ambiguity
of Article 22(1) of the General Data Protection Regulation’ (2021) 11(2) International Data
Privacy Law 145–162, https://doi.org/10.1093/idpl/ipaa024
17. Kieron O’Hara, Nigel Shadbolt, and Wendy Hall. “A pragmatic approach to the right to
be forgotten.” (2016). https://www.cigionline.org/publications/pragmatic-approach-right-be-
forgotten/
18. P.T.J. (Pieter) Wolters, ‘The territorial effect of the right to be forgotten after Google v CNIL’
(2021) 29(1) International Journal of Law and Information Technology 57–75. https://doi.org/
10.1093/ijlit/eaaa022
19. Yann Padova, ‘Is the right to be forgotten a universal, regional, or ‘glocal’ right?’ (2019) 9(1)
International Data Privacy Law 15–29. https://doi.org/10.1093/idpl/ipy025
20. Florent Thouvenin, Alfred Früh, Simon Henseler, ‘Article 22 GDPR on Automated Individual
Decision-Making: Prohibition or Data Subject Right?’ 8(2) European Data Protection Law
Review 183–198, https://doi.org/10.21552/edpl/2022/2/6
21. Stefan Kulk, Frederik Zuiderveen Borgesius, ‘Freedom of Expression and ‘Right to Be
Forgotten’ Cases in the Netherlands After Google Spain’ (2015) 1(2) European Data Protection
Law Review 113–124
22. Kieron O’Hara, Nigel Shadbolt, ‘The Right to be Forgotten: Its Potential Role in a Coherent
Privacy Regime’ (2015) 1(3) European Data Protection Law Review 178–189
23. Mistale Taylor, ‘Google Spain Revisited: The Misunderstood Implementation of a Landmark
Decision and How Public International Law Could Offer Guidance’ (2017) 3(2) European Data
Protection Law Review 195–208
24. Daniela Copetti Cravo, ‘How to Make Data Portability Right More Meaningful for Data
Subjects?’ (2022) 8(1) European Data Protection Law Review 52–60
Chapter 4
Duties and Responsibilities of Controller and Processor

1 Introduction

The chapter focuses on the obligations and tasks assigned to data controllers and
data processors. According to the WP29, the main purpose of defining the concept of
a data controller is to determine who is responsible for complying with data protection
rules and how data subjects can exercise their rights effectively. Essentially, it
is about assigning responsibility.1 To comprehend these expectations, we will examine
rulings from the CJEU and determinations made by the data protection authorities.
Additionally, guidance from the EDPB and the ICO is consulted to grasp the standard
expectations. The GDPR establishes that the primary responsibility consistently lies
with the data controller.

2 Fashion ID C-40/172

In broad terms, a controller is an entity that establishes the purpose and methods of
processing personal data, functioning as the primary decision-maker. Controllers are
entrusted with the duty of maintaining continuous compliance with data protection
laws, achieved through the implementation of suitable technical and organisational
measures outlined in the privacy policy.3 The CJEU emphasised that the scope of
the word ‘controller’ includes “effective and complete protection” of data subjects.4
The CJEU has explicitly supported the WP29 stance that the reasonable expectations of
data subjects must be considered an important factor in determining and interpreting
the concept of controller.5 To gain a better understanding of this concept, we will
analyse the judgement in the Fashion ID case.

1 WP29 Opinion 1/2010 on the concepts of “controller” and “processor” Adopted on 16 February 2010, https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf (WP29 2010).
2 Case C–40/17 Fashion ID [2019] ECLI:EU:C:2019:629 (Fashion ID).
3 WP29 2010.

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2024 149
I. Gupta et al., Introduction to Data Protection Law,
https://doi.org/10.1007/978-981-97-6355-9_4
Facts
Fashion ID embedded on its own website a plugin developed by Facebook (the ‘Like’ button).
The process was triggered whenever a visitor consulted the Fashion ID website. Through
Fashion ID’s website, the visitor’s personal data were transmitted to Facebook Ireland.
This did not require the visitor to be a member of the social network Facebook, nor did
it require the visitor to click on the Like button embedded on Fashion ID’s website. The
data transmission could therefore happen without the visitor’s knowledge.
A complaint was filed against Fashion ID, citing the transmission of visitors’ personal
data to Facebook Ireland without their knowledge. The data transmission thus happened
without their consent and infringed the data protection norms.
The definition of consent is interpreted differently under the GDPR and the old Directive.
Owing to the nature of the dispute and its timeframe, the old Directive was applied in
this judgement.

Article 2(h) defines consent as
(h) “…any freely given specific and informed indication of his wishes by which
the data subject signifies his agreement to personal data relating to him being
processed.”
Article 7 “Member States shall provide that personal data may be processed
only if:
(a) the data subject has unambiguously given his consent.”
Article 10 entitled ‘Information in cases of collection of data from the data
subject’ provides:
“Member States shall provide that the controller or his representative must
provide a data subject from whom data relating to himself are collected with
at least the following information, except where he already has it:
(a) the identity of the controller and of his representative, if any;
(b) the purposes of the processing for which the data are intended;
(c) any further information such as
– the recipients or categories of recipients of the data,
– whether replies to the questions are obligatory or voluntary, as well as the
possible consequences of failure to reply,
– the existence of the right of access to and the right to rectify the data
concerning him in so far as such further information is necessary, having regard
to the specific circumstances in which the data are collected, to guarantee fair
processing in respect of the data subject.”

Source Article 2(h), 7, 10, Directive 95/46/EC of the European Parliament

4 Case C-131/12 Google Spain SL and Google Inc v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González [2014] ECLI:EU:C:2014:317, para 34; Case C-210/16, Wirtschaftsakademie Schleswig–Holstein (2018), ECLI:EU:C:2018:388, para. 28.
5 WP29 2010, 12.
Article 5 of the ePrivacy Directive suggests that personal data storage or access to
personal data of subscribers from their devices is based on the consent that subscribers
share. However, such consent becomes meaningful when the subscribers receive
comprehensive information about data processing from the data controller.
Questions

“[If] someone has embedded a programming code in his website which causes
the user’s browser to request content from a third party and, to this end, trans-
mits personal data to the third party, is the person embedding the content the
‘controller’ …if that person is himself unable to influence this data-processing
operation?
Does the duty to inform under Article 10 of Directive [95/46] also apply
in a situation such as that in the present case to the operator of the website who
has embedded the content of a third party and thus creates the cause for the
processing of personal data by the third party?”

Source Fashion ID Judgement


There is no norm to suggest that the data controller must be a single entity. Several
stakeholders may be bestowed with similar responsibilities as data controllers.
Similar or joint responsibility does not mean that all of them bear equal
responsibility: they may be involved in the processing at different stages and to
different degrees. Their liability must therefore be determined with reference to the
particular case in question. Going by the definition of a joint controller:
“where several operators determine jointly the purposes and means of the processing of
personal data, they participate in that processing as controllers.”6

Fashion ID embedded Facebook's Like button on its webpage. That allowed Facebook
to collect the personal data of those visiting Fashion ID's webpage, regardless of
whether the visitor was a member of Facebook's social network, clicked the Like
button, or was even aware of the activity.

6 Fashion ID.
152 4 Duties and Responsibilities of Controller and Processor

Fashion ID exerted influence over the transmission of data to Facebook by placing
the plugin on its webpage.
Overall, Facebook and Fashion ID jointly carried out the operations through which
the personal data of visitors were collected and disclosed. Embedding the plugin on
Fashion ID's website can be construed as a strategic plan to make its goods more
visible to those already part of Facebook's social network. There is undoubtedly an
implicit commercial objective of increasing the publicity of its goods, and the plan
served the economic interests of both Fashion ID and Facebook.
This activity makes Fashion ID a controller, but one whose responsibility is limited
to the operations up to the point at which the data are transmitted to Facebook.
Therefore, the Court observed:

“…it appears that Fashion ID’s embedding of the Facebook ‘Like’ button on
its website allows it to optimise the publicity of its goods by making them more
visible on the social network Facebook when a visitor to its website clicks on
that button.
The reason why Fashion ID seems to have consented, at least implicitly,
to the collection and disclosure by the transmission of the personal data of
visitors to its website by embedding such a plugin on that website is in order
to benefit from the commercial advantage consisting in increased publicity for
its goods; those processing operations are performed in the economic interests
of both Fashion ID and Facebook Ireland, for whom the fact that it can use
those data for its own commercial purposes is the consideration for the benefit
to Fashion ID…
…Fashion ID, that embeds on that website a social plugin causing the
browser of a visitor to that website to request content from the provider of that
plugin and, to that end, to transmit to that provider the personal data of the
visitor can be considered to be a controller, …limited to the operation or set
of operations involving the processing of personal data in respect of which it
actually determines the purposes and means, that is to say, the collection and
disclosure by transmission of the data at issue.”

Source Fashion ID Judgement


Under Article 10, the controller is obliged to inform data subjects about the
processing of their personal data. The controller's responsibility is limited to the
operation or set of operations it controls, that is, those for which it determines the
purposes and means of processing. Similarly, consent must be obtained only with
regard to those operations or set of operations.

Therefore, on this point, the Court concluded:

“the consent referred to in those provisions must be obtained by that operator
only with regard to the operation or set of operations involving the processing
of personal data in respect of which that operator determines the purposes and
means.
In addition, Article 10 of that Directive must be interpreted as meaning that,
in such a situation, the duty to inform laid down in that provision is incumbent
also on that operator, but the information that the latter must provide to the
data subject need relate only to the operation or set of operations involving
the processing of personal data in respect of which that operator actually
determines the purposes and means.”

Source Fashion ID Case


The term ‘purpose’ refers to the ‘why’ of the processing, while ‘means’ broadly
covers the ‘how’ of the processing. Article 4(7) indicates that both the ‘how’ and
the ‘why’ are relevant factors in determining controllership.
In the Rīgas satiksme judgement,7 the primary question before the CJEU was
whether Article 7(f) of the Data Protection Directive required a data controller to
provide all the personal data needed to initiate legal action against an individual.
The national Supreme Court further asked whether the answer would change if the
individual in question was a minor. The Court explained the three-part test for
legitimate interests under the old Data Protection Directive (95/46/EC), i.e.:
– Purpose test.
– Necessity test.
– Balancing test.
The judgement stated8 in paragraphs 29 and 30 that it is a legitimate interest where
the injured party's wish to sue the person who caused the damage is the basis for
that party's interest in acquiring the personal data of that person. It was further
noted that the claimant would not be able to bring the action without the address
and/or identity number of that individual; the processing therefore appeared strictly
necessary. Having found that the first two requirements appeared to be met, the
CJEU turned to the last requirement, “balancing the opposing rights and interests
at issue.”9 According to the CJEU, however, a legitimate interest of this kind does
not by itself provide the legal basis for the processing in question; national
legislation must first provide such a basis.10

7 C-13/16 Rīgas satiksme, ECLI:EU:C:2017:336 (C-13/16 Rīgas satiksme).
8 C-13/16 Rīgas satiksme.
9 C-13/16 Rīgas satiksme.
10 C-13/16 Rīgas satiksme.

Similarly, in the Worten judgement,11 the ECJ held that data contained in a
working time register constitute personal data and concluded that the controller
is responsible for ensuring that the necessary security measures are in line with
the associated risks and its legal obligations.12
In many instances, the CJEU and the EDPB define a controller as a party that has
‘decisive influence’ over the purposes and means of processing.13 This broad criterion
effectively protects the interests of data subjects.14
In the Wirtschaftsakademie Schleswig-Holstein judgement,15 the CJEU ruled that
the entity managing a Facebook fan page was a joint controller, since the entity gave
Facebook the opportunity to place cookies on visitors' devices, collect personal
data and produce marketing and advertising analytics. Although the entity did not
itself handle the personal data, it facilitated Facebook's processing by creating a fan
page for its own marketing.16 The judgement demonstrated how a broad interpretation
of control leads to better protection for data subjects. The Grand Chamber concluded
that both Facebook and the administrators of Facebook fan pages are data
controllers.17 Facebook is a controller because it determines the purposes and means
of processing the data of users and visitors to fan pages. Fan page administrators are
also controllers because they agree to Facebook's terms of service and set parameters
for data collection, including the target audience. Even though they receive only
anonymised analytics, fan page administrators influence the way Facebook processes
the data, which makes them controllers.18
In the Jehovan todistajat judgement,19 the Grand Chamber confirmed that being a
data controller does not require access to the data. In this case, the Jehovah's
Witnesses Community was designated a controller for the data gathering carried out
by its members during their visits to people's homes, which the community “organised,
coordinated and encouraged.”20

11 C-342/12 Worten, ECLI:EU:C:2013:355 (C-342/12 Worten).
12 C-342/12 Worten.
13 Wong, Benjamin; ‘Problems with Controller-based Responsibility in EU Data Protection Law’
(2021) 11 International Data Privacy Law 375, 377.
14 Case C-131/12 Google Spain SL and Google Inc v Agencia Española de Protección de Datos
(AEPD) and Mario Costeja González [2014] ECLI:EU:C:2014:317, para 34 (Case C-131/12 Google
Spain).
15 Case C-210/16, Wirtschaftsakademie Schleswig-Holstein (2018), ECLI:EU:C:2018:388, paras
26–37.
16 Chen, Jiahong and others; ‘Who Is Responsible for Data Processing in Smart Homes? Reconsidering
Joint Controllership and the Household Exemption’ (2020) 10 International Data Privacy Law 279, 283;
Becker, Regina; Thorogood, Adrian; Bovenberg, Jasper and Mitchell, Colin, ‘Applying GDPR
Roles and Responsibilities to Scientific Data Sharing’ (2022) International Data Privacy Law.
17 Finck, Michèle; ‘Cobwebs of Control: The Two Imaginations of the Data Controller in EU Law’
(2021) 11(4) International Data Privacy Law 333–347 (Finck, ‘Cobwebs of Control’).
18 Finck, ‘Cobwebs of Control’.
19 Case C-25/17 Jehovan todistajat v Tietosuojavaltuutettu [2018] ECLI:EU:C:2018:551.
20 Case C-25/17 Jehovan todistajat [2018] ECLI:EU:C:2018:551.

3 Design and Default Approach to Protecting the Privacy

At times, processing that relies on complex technology makes it difficult for a data
controller to comply with the data protection principles that protect the privacy of
data subjects.21 The complexity of the technology compounds the difficulty at the
stage where a product or service is offered to the data subject. To tackle this
situation, the GDPR introduces the concept of privacy by design and by default.22
In its preliminary opinion23 on privacy by design, the European Data Protection
Supervisor (EDPS) emphasised the need to examine a wide range of options, including
a visionary and ethical dimension consistent with the principles and values enshrined
in the EU Charter of Fundamental Rights.

Regulation (EU) 2016/679 of the European Parliament and of the Council


Recital 78:
“The protection of the rights and freedoms of natural persons with regard to
the processing of personal data require that appropriate technical and organisa-
tional measures be taken to ensure that the requirements of this Regulation are
met. In order to be able to demonstrate compliance with this Regulation, the
controller should adopt internal policies and implement measures which meet
in particular the principles of data protection by design and data protection by
default. Such measures could consist, inter alia, of minimising the processing of
personal data, pseudonymising personal data as soon as possible, transparency
with regard to the functions and processing of personal data, enabling the data
subject to monitor the data processing, enabling the controller to create and
improve security features. When developing, designing, selecting and using
applications, services and products that are based on the processing of personal
data or process personal data to fulfil their task, producers of the products,
services and applications should be encouraged to take into account the right
to data protection when developing and designing such products, services and
applications and, with due regard to the state of the art, to make sure that
controllers and processors are able to fulfil their data protection obligations.
The principles of data protection by design and by default should also be taken
into consideration in the context of public tenders.”

Source Recital 78, GDPR


The Recital starts from the premise that, to protect data subjects' rights, data
controllers must adopt measures, technical or otherwise, within their internal
governance structure. The Recital proposes building in data protection

21 Richard Preece, ‘Implementing a By Design and By Default Approach’ (2019) 2 JDPP 1.
22 Michael Veale, Reuben Binns, and Jef Ausloos, ‘When Data Protection by Design and Data
Subject Rights Clash’ (2018) 8 IDPL 105.
23 EDPS, Opinion 5/2018, Preliminary Opinion on privacy by design (May 2018),
<https://www.edps.europa.eu/sites/default/files/publication/18-05-31_preliminary_opinion_on_privacy_by_design_en_0.pdf> accessed 6 July 2024.

configurations during the initial design phase of a product or service. These entail
minimising data processing, pseudonymising personal data, increasing the overall
transparency of the processes undertaken, enabling data subjects to monitor the
processing and, finally, enabling data controllers to create and enhance security
features. The second half of the Recital turns to the producers of these technologies,
and of the products and services built on them, on the assumption that controllers
and processors are end-users of those products and services. Controllers and
processors do not involve themselves in the production stage; rather, they rely on
marketed technological products and services. Nevertheless, the onus and
accountability rest with them. For controllers and processors to be able to comply
with the data protection principles, it is only logical that the change happens at the
producer's or manufacturer's end. Adopting privacy by design and by default would
help controllers and processors demonstrate compliance and accountability.
In addition to Recital 78, Article 25 sets out further features of data protection
by design and by default.

Regulation (EU) 2016/679 of the European Parliament and of the Council


Article 25:
“1. Taking into account the state of the art, the cost of implementation and
the nature, scope, context and purposes of the processing, as well as the risks of
varying likelihood and severity for rights and freedoms of natural persons posed
by the processing, the controller shall, both at the time of the determination
of the means for processing and at the time of the processing itself, imple-
ment appropriate technical and organisational measures, such as pseudonymi-
sation, which are designed to implement data-protection principles, such as
data minimisation, effectively and to integrate the necessary safeguards into
the processing to meet the requirements of this Regulation and protect the
rights of data subjects.
2. The controller shall implement appropriate technical and organisational
measures to ensure that, by default, only personal data necessary for each
processing purpose are processed. That obligation applies to the amount of
personal data collected, the extent of their processing, the period of their storage
and their accessibility. In particular, such measures shall ensure that personal
data are not made accessible by default without the individual’s intervention
to an indefinite number of natural persons.
3. An approved certification mechanism under Article 42 may be used as an
element to demonstrate compliance with the requirements set out in paragraphs
1 and 2 of this article.”

Source Article 25, GDPR


Article 25 of the GDPR requires that, when systems for processing personal data are
designed and developed, data protection principles are adequately considered and
integrated into those systems. This means giving serious attention to safeguarding
privacy interests throughout the entire lifecycle of information systems development,
rather than only at the end. Article 25 also elaborates the Regulation's heightened
focus on holding controllers accountable and responsible for their data processing
activities.24
Part I of Article 25 states that the controller must consider multiple parameters
before processing starts. In the first instance, the risks associated with the
processing, and its negative impact on the rights and freedoms of natural persons,
are to be matched against the technology used, the scale of its implementation and
the objective of collecting personal data. This matching exercise should determine
the methodology of processing and the technical means that would help minimise the
risk. Those means include pseudonymisation, and the technological framework would
assist in limiting the over-processing of data and in implementing the data protection
principles.
Part II of Article 25 addresses the implementation of privacy by default. As a default
setting, it should be ensured that only the specific data necessary for, and matching,
the purpose are collected, which in turn determines the extent to which such data
may be processed. With the default setting in place, the retention period and
accessibility of the data can be controlled, which means that the sharing of data will
be limited.
Part III of Article 25 refers to a certification process to help data controllers reach
the expected level of compliance.
All three parts of Article 25 rely heavily on technology and on the controller's and
processor's understanding of these technologies or of the products using them. A
controller or processor may not have first-hand knowledge of such technology or of
the products that use it. Just as data subjects, as end-users, rely on data controllers,
data controllers rely on the manufacturer or producer. Therefore, to implement the
plan under Article 25, producers and manufacturers must know the goals of
implementing privacy so that they can customise their technology and the products
that run on it.25 That flexibility is essential because not all data controllers will have
the same default setting to follow or implement; their settings depend on the
objective and purpose of processing and, therefore, on the extent of data
collection.26 It seems we must first resolve these technical expectations and
understandings before the broader interventions under this Article can be
successfully implemented.
One of the major European decisions informing the interpretation of Article 25 is
I v. Finland,27 decided by the European Court of Human Rights (ECHR), in which the
Court turned the principle of privacy by design into a specific obligation to protect
privacy.28 In this case, an HIV-positive woman

24 Kuner, Christopher; Bygrave, Lee A., The EU General Data Protection Regulation (GDPR): A
Commentary (2020) (Kuner).
25 Dag Wiese Schartum, ‘Making Privacy by Design Operative’ (2016) 24 IJLIT 151.
26 Joseph Srouji and Thibault Mechler, ‘How Privacy-Enhancing Technologies Are Transforming
Privacy by Design and Default: Perspectives for Today and Tomorrow’ (2020) 3 JDPP 1.
27 I v. Finland, App. No. 20511/03 (2008) (I v. Finland).
28 Ari Ezra Waldman, ‘Data Protection by Design? A Critique of Article 25 of the GDPR’ (2021)
53 Cornell International Law Journal, Northeastern University School of Law Research Paper No.
411–2021.

claimed that the institution handling her medical information employed a records
system that lacked proper privacy safeguards, particularly access logs. This design
issue made it hard to determine whether unauthorised access had occurred. Although
Finnish legislation provided for damages in circumstances of unauthorised access,
the ECHR deemed this insufficient.29
Relying on Article 8 of the European Convention on Human Rights, which ensures the
right to privacy, the ECHR held that Finland was required to secure privacy by
design.30 The Court emphasised the need to take practical and effective measures
to prevent unauthorised access in the first place, and that the State must ensure that
systems are designed to prevent, or at least to record, unauthorised access to
personal information.31 The Court found that, had the hospital limited access to
the healthcare professionals directly involved in the applicant's treatment, the
applicant would have been better protected. This underlines the importance of
privacy by design in protecting personal information.32
The EDPB, an independent EU body established to ensure the effective and consistent
application of data protection rules, has published Guidelines on the issue of privacy
by design and by default.

3.1 Guidelines 4/2019 on Article 25 Data Protection by Design and by Default (DPDD)33

3.1.1 Data Protection by Design

The Guidelines 4/2019 on Article 25 data protection by design and by default (DPDD)
aim to ensure the implementation of the DPDD principles among data controllers,
processors and producers, promoting GDPR-compliant products and services. The
Guidelines interpret Article 25, outlining general obligations, implementation plans,
certification schemes and the role of the supervisory authority. They emphasise
creating measures to safeguard data subjects' rights and ensuring that processing
activities adhere to the data protection principles.34
Article 25(1) emphasises the need for controllers to use suitable technical and
organisational measures to protect data subjects' rights in order to improve the

29 I v. Finland.
30 Article 8, Convention for the Protection of Human Rights and Fundamental Freedoms
(European Convention on Human Rights, ECHR), 1950.
31 I v. Finland.
32 I v. Finland.
33 Guidelines 4/2019 on Article 25 data protection by design and by default,
<https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201904_dataprotection_by_design_and_by_default_v2.0_en.pdf> accessed 4 December 2023 (Guidelines 4/2019).
34 Ira S Rubinstein and Nathaniel Good, ‘The Trouble with Article 25 (and How to Fix It): The
Future of Data Protection by Design and Default’ (2020) 10 IDPL 37.



internal governance structure within the data controller's organisation. This entails
implementing modern technologies such as pseudonymisation, structured data storage
and virus detection systems, as well as training personnel in cyber hygiene.
Controllers must foresee risks, keep records to assess the efficacy of their measures
and ensure that those measures are consistent with data protection standards.35
The state of the art, the cost of implementation, the nature, scope, context and
purpose of processing, and the risks to data subjects are all important considerations.
Together, these components ensure that data protection measures are effective,
scalable and robust, in line with the GDPR's overall goals. The “state of the art”36
refers to the most recent technological advances and organisational frameworks that
data controllers must draw on to protect data subjects' interests. Controllers are
expected to stay up to date with technical advancements and incorporate them into
their data protection policies, which includes implementing advanced internal
governance structures that combine technology management with organisational
measures. The “cost of implementation”37 refers to the resources and time required
to put data protection procedures in place.38 The Guidelines emphasise that cost
should not impede the effective implementation of data protection standards.
Furthermore, the phrase “nature, scope, context, and purpose of processing”39
emphasises the importance of taking into account the extent and conditions of the
processing operations.40 Controllers must foresee and handle risks to data subjects'
rights and freedoms, using the risk-based approach described in numerous GDPR
provisions.41 Finally, the “time aspect”42 emphasises the significance of incorporating
data protection considerations at all stages of the processing lifecycle, from initial
design to final implementation, to ensure the continual protection of personal data.43

3.1.2 Data Protection by Default

The Guidelines on Article 25(2) focus on guaranteeing data protection by default.
This notion mandates that, by default, only the personal data required for each
specific processing purpose are processed. To comply with the data protection
standards, the configuration settings of software, devices and services must be set
before processing begins,44 which enables the controller to comply with the GDPR.
When employing third-party software, a risk assessment is required to ensure that
the default settings

35 Guidelines 4/2019.
36 Guidelines 4/2019.
37 Guidelines 4/2019.
38 Guidelines 4/2019.
39 Guidelines 4/2019.
40 Guidelines 4/2019.
41 Guidelines 4/2019.
42 Guidelines 4/2019.
43 Guidelines 4/2019.
44 Guidelines 4/2019.

can be changed to satisfy GDPR requirements. The Guidelines describe four
dimensions of the data minimisation duty. First, the amount of personal data
collected should be proportionate to the objective and purpose, considering both
volume and data categories.45 Second, the extent of the processing should be limited
to the operations necessary for that purpose. Third, the storage of personal data
should be dictated by the purpose of processing: once the purpose has been met,
there is no need for further storage.46 Finally, accessibility should be based on
necessity. Systems should be in place to limit access to personal data at every
processing stage, ensuring that data are not made available to an indefinite number
of people without the individual's intervention.47 This holistic approach to data
protection by default assures GDPR compliance while protecting data subjects'
rights.
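The four dimensions just described, together with Recital 78's "pseudonymising as soon as possible" and the access log that the records system in I v. Finland lacked, are design requirements, so here is an added Python example (not code from the Guidelines, the GDPR or the EDPB) showing how they become defaults: purpose-bound field allowlists (amount and extent), a per-purpose retention table (storage period), access grants that are empty until a controller adds them (accessibility), keyed HMAC pseudonymisation of direct identifiers on intake, and a log of every read attempt. The purposes, field names, key and records are constructed for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Amount and extent: per purpose, only these fields may be collected and processed.
# Anything else is dropped before storage. Purposes and fields are constructed.
PURPOSE_FIELDS: dict[str, set[str]] = {
    "order_fulfilment": {"order_id", "postal_address", "email"},
    "web_analytics": {"page", "visited_at"},
}
# Storage period: records are deleted once the purpose's retention has elapsed.
RETENTION: dict[str, timedelta] = {
    "order_fulfilment": timedelta(days=90),
    "web_analytics": timedelta(days=14),
}
# Direct identifiers are replaced by a keyed pseudonym the moment they arrive.
DIRECT_IDENTIFIERS = {"email"}


@dataclass
class Record:
    purpose: str
    data: dict[str, str]
    collected_at: datetime


class DefaultProtectedStore:
    def __init__(self, pseudonym_key: bytes) -> None:
        self._key = pseudonym_key
        self._records: list[Record] = []
        # Accessibility: no grants exist by default, so nothing is readable until
        # the controller explicitly grants a user access for a purpose.
        self._grants: dict[str, set[str]] = {}
        # Every read attempt is recorded as (user, purpose, allowed), the kind of
        # access log the records system in I v. Finland lacked.
        self.access_log: list[tuple[str, str, bool]] = []

    def pseudonymise(self, value: str) -> str:
        # HMAC-SHA256 under a key held apart from the data set: stable, so records
        # of the same person still link, but not reversible without the key.
        return hmac.new(self._key, value.encode("utf-8"), hashlib.sha256).hexdigest()

    def collect(self, purpose: str, raw: dict[str, str], now: datetime) -> Record:
        if purpose not in PURPOSE_FIELDS:
            raise ValueError(f"unknown purpose: {purpose}")
        # Minimisation by default: keep only the fields the purpose needs.
        minimised = {k: v for k, v in raw.items() if k in PURPOSE_FIELDS[purpose]}
        for k in DIRECT_IDENTIFIERS & set(minimised):
            minimised[k] = self.pseudonymise(minimised[k])
        record = Record(purpose, minimised, now)
        self._records.append(record)
        return record

    def grant(self, user: str, purpose: str) -> None:
        self._grants.setdefault(user, set()).add(purpose)

    def purge_expired(self, now: datetime) -> int:
        """Storage limitation: delete expired records; returns how many went."""
        before = len(self._records)
        self._records = [r for r in self._records
                         if now - r.collected_at < RETENTION[r.purpose]]
        return before - len(self._records)

    def read(self, user: str, purpose: str, now: datetime) -> list[dict[str, str]]:
        self.purge_expired(now)
        allowed = purpose in self._grants.get(user, set())
        self.access_log.append((user, purpose, allowed))
        if not allowed:
            raise PermissionError(f"{user} has no grant for purpose {purpose!r}")
        return [r.data for r in self._records if r.purpose == purpose]


def demo() -> dict[str, object]:
    """Walk one constructed order through the store and return what is observable."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    store = DefaultProtectedStore(pseudonym_key=b"constructed-demo-key")
    raw = {"order_id": "A-1001", "email": "alice@example.com",
           "postal_address": "1 Example Street", "browser_fingerprint": "fp-77"}
    rec = store.collect("order_fulfilment", raw, t0)
    denied = False
    try:
        store.read("clerk", "order_fulfilment", t0)   # no grant yet
    except PermissionError:
        denied = True
    store.grant("clerk", "order_fulfilment")
    visible = store.read("clerk", "order_fulfilment", t0)
    expired = store.read("clerk", "order_fulfilment", t0 + timedelta(days=91))
    return {
        "fields_kept": sorted(rec.data),               # fingerprint dropped
        "email_pseudonymised": rec.data["email"] != raw["email"],
        "denied_by_default": denied,
        "rows_with_grant": len(visible),
        "rows_after_retention": len(expired),
        "access_log": store.access_log,
    }
```

The denied first read is still logged, which is the point of the audit trail: a controller can later show whether, and by whom, access was attempted, not only whether it succeeded.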

3.2 Implementing Data Protection Principles in the Processing of Personal Data Using Data Protection by Design and by Default48

To implement DPDD and to ensure that data controllers follow the data protection
principles, the Guidelines prescribe certain stages and methods. The data protection
principles include transparency, lawfulness, fairness, purpose limitation, data
minimisation, accuracy, storage limitation, integrity and confidentiality, and
accountability.49 The DPDD Guidelines go into greater detail about how to apply each
principle in practice. Under the GDPR, Articles 15–22 address various facets of
transparency.50 Transparency, for example, requires that data subjects be provided
with comprehensive information regarding data processing before, during and after
the processing.51 Lawfulness focuses on the legal basis for processing, with consent
being a central legal basis,52 and requires that consent be free, informed, explicit
and unambiguous, with a simple withdrawal procedure.53 Fairness ensures that data
processing is unbiased, non-discriminatory and not deceptive, even in automated
procedures that require human participation.54 As a

45 Guidelines 4/2019.
46 Guidelines 4/2019.
47 Guidelines 4/2019.
48 Guidelines 4/2019, 14.
49 Article 5, Recital 39, GDPR.
50 Articles 15–22, GDPR.
51 Guidelines 4/2019, 15.
52 Guidelines 05/2020 on consent under Regulation 2016/679,
<https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf> accessed 24 June 2024.
53 Recital 32, GDPR.
54 Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679,
<https://ec.europa.eu/newsroom/article29/document.cfm?action=display&doc_id=49826> accessed 24 June 2024.

recourse, there must be some human intervention to provide checks and balances,
including addressing grievances.55 Purpose limitation ensures that data processing
does not go beyond the original, specified, explicit and legitimate purpose for which
the data were collected.56 The data controller therefore ought to be careful in this
regard; otherwise, the processing would lose its legal basis. It would be useful to
have a review system in place.57
Additional principles include data minimisation, which requires settings that allow
only necessary data processing and advocates the pseudonymisation or deletion of
irrelevant data.58 Data that are no longer necessary can be deleted or anonymised.59
Accuracy requires that personal data be kept up to date, with data subjects able to
seek rectification or erasure.60 Storage limitation ensures that data are retained
only for the duration required for the initial processing, with automated deletion
techniques for data no longer needed.61 Integrity and confidentiality entail protecting
data from loss, unauthorised access and damage through security measures and
policies, as well as pushing for security by design in system development.62
Accountability requires the controller to demonstrate risk mitigation and breach
management measures, such as the timely reporting of breaches to supervisory
authorities and affected data subjects, in order to minimise the damage.63
Although Article 25 of the GDPR is a complex rule, its legal language reveals
a fundamental structure.64 The provision explicitly requires: (a) effective protection
against the risks that data processing poses to the data subject's fundamental rights;
(b) the incorporation of legal principles and rules; and (c) the incorporation of these
principles into the design of the processing, including its technological and
organisational aspects.65 It is made clear how these risks are to be assessed, which
considerably aids in directing protection efforts, assuring effective protection and
reducing unnecessary regulatory burdens.66
Furthermore, controllers have access to a comprehensive set of legal principles
and norms that act as legislative tools providing more structure during the
implementation of risk protection (while also taking into account the regulatory cost

55 Guidelines 4/2019, 17.
56 Article 5(1)(b), GDPR.
57 Guidelines 4/2019, 19.
58 Article 5(1)(c), Recital 39, GDPR.
59 Guidelines 4/2019, 21.
60 Article 5(1)(d), Recital 65, GDPR; Guidelines 4/2019, 23.
61 Guidelines 4/2019, 25.
62 Guidelines 4/2019, 26.
63 Guidelines 4/2019, 28.
64 Bygrave, L.A.; ‘The Oxford Handbook of Law, Regulation and Technology’ (OUP 2017) 5.
65 Von Grafenstein, M.; Jakobi, Timo; Stevens, Gunnar, ‘Effective data protection by design through
interdisciplinary research methods: The example of effective purpose specification by applying
user-centred UX-design methods’, Computer Law & Security Review (2022) (von Grafenstein, M.).
66 Von Grafenstein, M.

that repetitive protection systems can impose).67 This is the core normative frame-
work established by Article 25(1) of the GDPR for implementing data protection by
design.

4 Role of Controllers and Processors

Safeguarding personal data depends on accountability and effective enforcement. The
data protection law explicitly designates the entities accountable for adhering to the
law, outlining their responsibilities to guarantee compliance and the protection of
individual rights. Data controllers and processors bear the responsibility of
implementing all essential measures to ensure adherence to the law.68 Mere compliance
is insufficient; they must also transparently demonstrate their compliance, showing
that their data processing aligns with legal requirements.

4.1 Controllers Outside the EU

The Territorial Scope of Article 3(2) of GDPR extends to those data controllers or
data processors who may not be based out of the EU but are involved in processing
personal data of data subjects residing in the EU.69 It can happen in two ways:
1. When a data controller or a data processor is offering goods or services to those
in the EU. These transactions would not necessarily need payment at the end.
2. Second, when they engage themselves in monitoring the behaviour of EU
residents.
For a data controller or data processor outside the EU, there is a requirement to
have a representative or representatives in the EU. Article 27 of the GDPR requires:

Regulation (EU) 2016/679 of the European Parliament and of the Council
Article 27:
“The representative shall be established in one of the Member States where the data subjects, whose personal data are processed concerning the offering of goods or services to them, or whose behaviour is monitored, are. The representative shall be mandated by the controller or processor to be addressed in addition to or instead of the controller or the processor by, in particular, supervisory authorities and data subjects, on all issues related to processing, for the purposes of ensuring compliance with this Regulation.”

Source Article 27, GDPR

67 Von Grafenstein, M., Refining the Concept of the Right to Data Protection in Article 8 ECFR – Part III, European Data Protection Law Review, Volume 7, Issue 3 (2021), 373–387.
68 Dan Jerker B. Svantesson, ‘Article 4(1)(a) “Establishment of the Controller” in EU Data Privacy Law—Time to Rein in This Expanding Concept?’ (2016) 6 IDPL 210.
69 Article 3, GDPR.

There are certain situations where these conditions are not applicable. They are:
• Where the processing is occasional.
• Where the processing does not include, on a large scale, personal data falling within the special categories of data.
• Where the processing is unlikely to risk the rights and freedoms of data subjects. Further, in all these instances, the scope, nature, context and purpose of the processing should be considered.

4.2 Mandates Under GDPR for Data Controllers/Processors

There are certain general obligations of the data controller.

Regulation (EU) 2016/679 of the European Parliament and of the Council
Article 24:
“Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.”

Source Article 24, GDPR

The data controllers must internalise proportionate measures concerning the processing activities. Controllers may adopt approved codes of conduct and follow certification processes to demonstrate compliance.
At times, data controllers would have to consider alternative scenarios concerning data processing. There may be times when data controllers must have a broader understanding of the consequences of data processing. They must have a comprehensive understanding of data processing risks. These risks may directly affect the data subjects and their enshrined rights. Therefore, the controller must consider internalising measures that help in reducing the risks. In this regard, pseudonymisation could be a helpful tool to comply with several data protection principles, such as data minimisation, and to incorporate security standards. As a general norm, a data controller must ensure that the processing remains confined to the purpose, thereby reducing the risks of over-processing, of storing personal data beyond the purpose, and of access by third parties.

There could be more than one controller deciding the purpose of processing and how data would be processed. In such a case, they would be teamed up as joint controllers. These controllers must individually determine their responsibilities concerning the purpose of processing and maintaining the sanctity of the data protection principles. When the GDPR applies to controllers based outside the European Union, they need to ensure that their representatives are present to act on their behalf.

4.3 Processing Under the Authority of a Data Controller

A controller can take help from a processor acting on behalf of such controller. The data controller would accept help from a processor who would follow similar values, adopt effective measures protecting the rights of data subjects and maintain the sanctity of the data protection principles. The processor can only engage another processor subsequent to the controller’s approval.
The agreement between the controller and processor should incorporate issues that are relevant to the controller, for instance, the subject matter, nature and purpose of processing, the duration of data processing, the classification of personal data and the data subjects, and finally the controller’s obligations and rights.70
Amongst other responsibilities, the processor is expected to abide by the following:

Regulation (EU) 2016/679 of the European Parliament and of the Council
Article 28:
“(a) processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;

(e) taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights …

(g) at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data;

(h) makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
…”

Source Article 28, GDPR

70 Article 30, GDPR.


When a processor engages another processor to carry out the tasks of the controller, the second processor would have similar obligations to the controller within the requirements of the data protection framework. As a compliance requirement, the processor should follow the approved code of conduct and the approved certification mechanism.
There is an obligation on the controller or its representative, wherever applicable, to record processing activities. Such records would have the following:
• The controller’s details and those of its representatives, joint controllers and the data protection officer.
• The purpose behind any processing alongside the classification of data processed and the data subjects involved.
• Recipients having access to personal details, including recipients in third countries.
• The schedule of data erasure activities.
• Details of organisational safeguards and security measures internalised by data controllers.
• With respect to processors and their representatives (if any):
  – Processing that happens on behalf of the data controller.
  – Their details and those of their representatives.
The obligations of recording would not extend to establishments employing “fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data … or personal data relating to criminal convictions and offences.”71
The controller and the processor should comprehend data processing risks. Risk-mitigating state-of-the-art technology should be introduced, proportionate to the levels of data processing and to the capacity of the controller and the processor.

71 Article 30, GDPR.

5 Security Standards in Data Protection

Data security is a prime concern for all organisations. With the application of new technologies, organisations are collecting and processing data at all times, thereby increasing instances of breaches. While most breaches happen due to external malicious activities, a significant number of breaches can be attributed to casual errors within the organisation itself. Data security is not limited to securing sensitive personal information; it also means remaining compliant in protecting personal information on a continuous basis. Data security is a fundamental aspect of many obligations imposed on data controllers and processors by the GDPR. The Commission’s impact assessment, which accompanies the GDPR and the Law Enforcement Directive (LED) proposals, acknowledges that the reform gives actors space and flexibility to improve a data controller’s and processor’s accountability and responsibility in assessing and mitigating data protection risks.72

Regulation (EU) 2016/679 of the European Parliament and of the Council
Recital 83:
“In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected. In assessing data security risk, consideration should be given to the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed which may in particular lead to physical, material or non-material damage.”

Source Recital 83, GDPR


To have an appropriate security standard is key to the data protection measures that a data controller can adopt. Regardless of whether the data controller has adequately fulfilled the other relevant principles, security seems to have the highest priority in the order of reference. For instance, the data controllers cannot afford to have a data leak even after following a specific purpose, processing for legitimate and lawful purposes, following the data minimisation principle, following the accuracy requirement and the storage limitation principle. The data controller must not only look to integrate security safeguards but should adopt risk-mitigating techniques.

72 EC Staff Working Paper 2012. https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52012SC0072.

5.1 Security of Processing

In the context of risks associated with various levels of processing, Article 32 sets out specific risk-mitigating steps for the data controllers. They are:

Regulation (EU) 2016/679 of the European Parliament and of the Council
Article 32:
“(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”

Source Article 32, GDPR

The preferred ways to demonstrate compliance are to follow and adopt the code of conduct and the certification mechanism.

In the Digital Rights Ireland case in 2014, the Court of Justice of the European Union appeared to consider data security as integral to the core essence of the right to data protection.
In 2006, the EU passed the Data Retention Directive, which required Telecommunications Service Providers (TSPs) to keep traffic and location data for crime prevention and investigation. In Ireland, Digital Rights Ireland challenged this Directive and Part 7 of the Criminal Justice (Terrorist Offences) Act 2005 (Irish law), which required data retention, before the High Court. The High Court referred the matter to the European Court of Justice (ECJ) for a preliminary ruling. Similarly, in Austria, challenges to the Telekommunikationsgesetz 2003 (“Austrian law”) implementing the Directive were brought before the Verfassungsgerichtshof (“Constitutional Court of Austria”). Both cases were joined by the President of the Court; the applicants maintained that both the Directive and the national legislation violated privacy and data protection rights.
The Court held that:
“Nor is that retention of data such as to adversely affect the essence of the fundamental right to the protection of personal data enshrined in Article 8 of the Charter, because Article 7 of Directive 2006/24 provides, in relation to data protection and data security, that, without prejudice to the provisions adopted pursuant to Directives 95/46 and 2002/58, certain principles of data protection and data security must be respected by providers of publicly available electronic communications services or of public communications networks. According to those principles, Member States are to ensure that appropriate technical and organisational measures are adopted against accidental or unlawful destruction, accidental loss or alteration of the data.”

Source In Joined Cases C-293/12 and C-594/12.73

5.2 Breach of Security Standards in Personal Data: The ICO Decision in Marriott Hotels74

Facts
In 2014, the IT systems of Starwood Hotels were compromised. Marriott acquired Starwood in 2016. For two years, Marriott did not detect the attack. This was the time when the GDPR was in force. As the attack continued, the attacker got hold of the cardholder data environment in the Starwood network. It allowed the attacker access to the customers’ personal data. The attacker got hold of both encrypted and unencrypted files. The unencrypted files contained names, gender, date of birth and details under the Starwood loyalty programme [mailing address, passport country code, phone number, email address and credit card expiration date]. In total, there were 5.25 million unencrypted guest passport numbers, country, flight details and email addresses. There were also data about child guests and the number of cribs in the room.
Under the encrypted information, there were 18.5 million passport numbers with 9.1 million payment card details. Marriott estimated that in total 339 million guest records were affected. Of these, 30.1 million were EEA records, and 7 million were associated with the UK.
Finally, when the attack was discovered, the personal data of a large number of individuals had been compromised. Following the discovery, Marriott promptly informed the data subjects and took immediate steps to mitigate the effects of the attack.

73 Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources and Others and Kärntner Landesregierung and Others, Joined Cases C-293/12 and C-594/12.
74 Information Commissioner’s Office (ICO). https://ico.org.uk/media/action-weve-taken/mpns/2618524/marriott-international-inc-mpn-20201030.pdf. Accessed 5 December 2023. {Information Commissioner’s Office (ICO)}

Steps taken by Marriott after they came to know about the incident:

“On 30 November 2018, Marriott provided a follow-up report to the Commissioner regarding further personal data breaches. On the same day, Marriott issued a press release about the Attack and established a dedicated Starwood incident website. Marriott also began sending email notifications to affected data subjects on 30 November 2018. In the initial email notification to data subjects, Marriott informed them that a dedicated call centre had been set up in order to receive complaints. The email notification did not provide the telephone number for the call centre, however it did contain a link to the dedicated website, which included the telephone number of the call centre. Following telephone contact between the Commissioner’s office and Marriott, the email was updated to include the telephone number for the call centre, and Marriott sent the revised version on 9 December 2018.”

Source Information Commissioner’s Office (ICO)-Marriott International Case

In the opinion of the Commissioner, Marriott failed to fulfil its obligations under Article 5(1)(f) and Article 32 of the GDPR. The steps taken by Marriott were unable to meet the threshold of appropriate security against accidental loss, destruction or damage of data and against unlawful or unauthorised access.
In their approach, the Commissioner suggested,
“The focus should be on the adequacy and appropriateness of the measures implemented by the data controller, the risks that were known or could reasonably have been identified or foreseen, and appropriate measures falling within Article 5 and/or Article 32 GDPR that were not, but could and should have been, in place.”75
The Commissioner identified multiple failures while giving its decision, which are as follows:
• Insufficient Monitoring of Privileged Accounts
The concern was that Marriott failed to put monitoring activity in place, mostly in relation to the privileged accounts. The Commissioner suggested that Marriott should have incorporated multiple layers of security to adequately protect the data they store. Marriott should have had better monitoring of user activity. This additional layer of protection would have helped them detect an attack on their computer systems.
It also would have helped Marriott to take measures to identify vulnerabilities. A third-party assessment report did find fault with the effectiveness of the monitoring systems. These systems include keeping an appropriate log of the activities of users, especially privileged users.
In their defence, Marriott argued that “no amount of logging would necessarily have identified an attacker unless the attacker operated from an identified suspicious IP address, which is not the case in this matter.”76 In their response, the Commissioner said that “[i]t is right to say that no security measure ‘would necessarily’ work, there being no guarantee that any security measure is wholly effective. It is also true that it is harder to detect an attacker who is not operating from a suspicious IP address. However, this is precisely why the monitoring of legitimate user accounts (including through logging) within the network for unusual activity is vital.”77
• Insufficient Monitoring of Databases
The Commissioner raised concern about the monitoring of the existing databases that Marriott maintained. There were no security alerts on databases, no process to aggregate the logs, and there was concern with the restrictions imposed on these databases.
• Control of Critical Systems
There was concern with how Marriott maintained their servers’ security, since the attacker could access the administrator accounts. They failed to ensure that their critical systems were safeguarded from unauthorised access.
• Encryption
The concern was that Marriott did not follow a consistent approach regarding encryption. They were not able to produce any risk assessment exercise catering to the encryption process. Not all passport numbers were encrypted. While it may be true that some personal data might be at higher risk than others, it does not mean that the threat to other categories of data is, as a result, vitiated.
Due to the incident, Marriott encountered substantial costs for recovery, legal consequences and reputational damage. This security breach, arising from pre-existing vulnerabilities, is now recognised as one of the most significant cyber incidents globally. It emphasises the need to raise security standards, especially in the context of mergers and acquisitions (M&A).
Marriott International was scrutinised not only for the breach, but also for the security procedures put in place to protect its guests’ personal information. Pseudonymisation could have potentially reduced the impact of the leak if Marriott had pseudonymised its guests’ personal information. Even if attackers acquired unauthorised access to the data, they would be unable to directly identify and exploit individual records because sensitive information such as names and payment details had been pseudonymised. The GDPR emphasises the need for pseudonymisation as a security strategy for protecting personal data and reducing the risks connected with data breaches.

75 Information Commissioner’s Office (ICO), 27.

76 Information Commissioner’s Office (ICO), 32.
77 Information Commissioner’s Office (ICO), 32.
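The Commissioner's findings on privileged-account monitoring, database alerting and log aggregation can be made concrete in code. The following Python script is an added illustration, not material from Marriott or the ICO: it merges two constructed log sources into one timeline per account and alerts when a privileged account logs in from a host outside its baseline or bulk-reads a sensitive table. Account names, hosts, table names, thresholds and log lines are all assumptions made for the example.

```python
"""Privileged-account monitoring over aggregated logs (added illustration).

The ICO faulted the absence of log aggregation, database alerts and monitoring
of privileged users. This example pulls two log sources together and raises an
alert when a privileged account acts outside its recorded baseline. Every
account name, host, table and log line below is constructed for the example.
"""
import re
from collections import defaultdict

# Constructed baseline: privileged accounts and the hosts they normally log in from.
PRIVILEGED_ACCOUNTS = {"dba_admin", "svc_backup"}
KNOWN_HOSTS = {
    "dba_admin": {"10.0.5.21", "10.0.5.22"},
    "svc_backup": {"10.0.5.20"},
}
# Tables assumed to hold cardholder or passport data; reads above this size are alerted on.
SENSITIVE_TABLES = {"guest_reservations", "loyalty_members"}
BULK_ROW_THRESHOLD = 10_000

# Constructed authentication log (one login event per line).
AUTH_LOG = """\
2018-09-01T02:14:07Z host=10.0.9.77 user=dba_admin action=login result=success
2018-09-01T02:14:09Z host=10.0.5.21 user=analyst3 action=login result=success
2018-09-01T09:00:01Z host=10.0.5.20 user=svc_backup action=login result=success
"""

# Constructed database audit log (one statement per line, with rows returned).
DB_AUDIT_LOG = """\
2018-09-01T02:16:40Z user=dba_admin table=guest_reservations stmt=SELECT rows=412000
2018-09-01T09:05:12Z user=svc_backup table=guest_reservations stmt=SELECT rows=900
2018-09-01T10:12:00Z user=analyst3 table=reporting stmt=SELECT rows=250
"""

KEY_VALUE = re.compile(r"(\w+)=(\S+)")


def parse_log(text):
    """Turn 'timestamp key=value ...' lines into dicts with a 'ts' field."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        event = dict(KEY_VALUE.findall(rest))
        event["ts"] = ts
        events.append(event)
    return events


def aggregate_by_user(*sources):
    """Merge events from all sources into one time-ordered timeline per account."""
    timeline = defaultdict(list)
    for events in sources:
        for event in events:
            timeline[event["user"]].append(event)
    for events in timeline.values():
        events.sort(key=lambda e: e["ts"])
    return timeline


def detect_privileged_anomalies(timeline):
    """Alert on privileged accounts that log in from an unknown host or bulk-read
    a sensitive table. Returns (user, alert_type, detail) tuples."""
    alerts = []
    for user in sorted(PRIVILEGED_ACCOUNTS & set(timeline)):
        for event in timeline[user]:
            if event.get("action") == "login" and event["host"] not in KNOWN_HOSTS.get(user, set()):
                alerts.append((user, "login_from_unknown_host", event["host"]))
            if event.get("table") in SENSITIVE_TABLES and int(event.get("rows", 0)) > BULK_ROW_THRESHOLD:
                alerts.append((user, "bulk_read_of_sensitive_table", event["table"]))
    return alerts


def run():
    """Aggregate the constructed logs and return the alerts they produce."""
    timeline = aggregate_by_user(parse_log(AUTH_LOG), parse_log(DB_AUDIT_LOG))
    return detect_privileged_anomalies(timeline)


if __name__ == "__main__":
    for user, kind, detail in run():
        print(f"ALERT {kind}: account={user} detail={detail}")
```

Neither alert depends on the source address being on a blocklist; both come from comparing a legitimate account's activity with its own baseline, which is the point the Commissioner makes in reply to Marriott's argument.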

5.3 What Is Pseudonymisation?

Pseudonymisation is a technique where the original set of data is replaced with an alias or pseudonym. This process for data management is widely advocated by the GDPR to ensure data protection.78
For pseudonymisation to be applied under the GDPR, personal data must satisfy two conditions. First, the data must go through a process that renders it untraceable to a specific individual without the use of additional information. Ideally, this entails replacing one attribute (such as a name, social security number, or date of birth) in a dataset with another (such as a randomly generated code). Even after this step, the data subject might be indirectly identified, indicating that the data are still personal. Second, the additional information necessary to reidentify the original data subject (like an encryption key) must be stored separately from the data it pertains to, using technical or organisational measures. This separation can occur even within the same entity, for instance, by sharing the reidentification information only with specific individuals within the organisation (as outlined in Recital 29 of the GDPR). However, the measures in place must effectively prevent any accidental or unauthorised reidentification.79

Regulation (EU) 2016/679 of the European Parliament and of the Council
Article 4(5):
“ ‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person”

Source Article 4(5), GDPR

Recital 26 suggests that, to evaluate if one can identify a natural person, all reasonably probable means, such as singling out by the controller or another party, should be considered for direct or indirect identification. This includes evaluating objective criteria such as the cost of identification, the time required, and the technology available and technical developments at the time of processing.80
Recital 28 highlights the benefits of pseudonymisation. It can reduce the risks associated with the processing of personal data and support the fulfilment of data protection obligations. The Regulation’s explicit mention of pseudonymisation does not imply that other measures of data protection are excluded.81

78 Article 4(5), GDPR.
79 Working Party 29, 2014. https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp216_en.pdf.
80 Recital 23, GDPR.
81 Recital 28, GDPR.

Pseudonymisation provides an adequate safeguard for implementing lawful processing of personal data. It also supports privacy by design and by default because it helps to internalise governance mechanisms. Further, it supports the Article 32 requirement concerning security and also the effective implementation of codes of conduct.82
There is a difference between anonymous data and pseudonymised data.83 Anonymised data cannot identify any natural person. Once personal data are truly anonymised, they cannot relate to any identifiable person. Therefore, anonymous data
do not fall under the scope of GDPR.84
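The two conditions of Article 4(5) described above, and the contrast with anonymous data, can be shown in code. The following Python example is added here and is not the book's or the GDPR's own material: it replaces the direct identifiers of constructed guest records with random tokens, keeps the re-identification mapping in a separate store, and shows that once that mapping is destroyed and the remaining quasi-identifiers coarsened, the records can no longer be re-attached to anyone. Field names, record values and the choice of which fields count as direct identifiers are assumptions made for the example.

```python
"""Pseudonymisation with separately held re-identification data (added illustration).

Direct identifiers are replaced by a random token; the token-to-identity mapping
is the 'additional information' of Article 4(5) and lives in a separate store, a
stand-in for the organisational separation described in Recital 29. All guest
records are constructed, and the field names are assumptions for the example.
"""
import secrets
from dataclasses import dataclass, field

# Fields that on their own attribute a record to a person (assumed for the example).
DIRECT_IDENTIFIERS = ("name", "passport_number")

# Constructed sample records, not real guest data.
SAMPLE_RECORDS = [
    {"name": "Ada Example", "passport_number": "X0000001", "date_of_birth": "1980-03-14",
     "country": "IE", "stay_nights": 3},
    {"name": "Ben Sample", "passport_number": "X0000002", "date_of_birth": "1975-11-02",
     "country": "AT", "stay_nights": 1},
]


@dataclass
class KeyStore:
    """Holds the additional information needed to re-identify a record.

    It is a separate object that the pseudonymised dataset never embeds; in
    production this would be a separate system with its own access controls.
    """
    _mapping: dict = field(default_factory=dict)

    def issue_token(self, identity):
        token = secrets.token_hex(8)          # random, so it reveals nothing about the person
        self._mapping[token] = dict(identity)
        return token

    def resolve(self, token):
        return dict(self._mapping[token])     # KeyError if the token is unknown

    def destroy(self):
        self._mapping.clear()


def pseudonymise(records, store):
    """Replace direct identifiers with a token; every other field stays as it is."""
    result = []
    for record in records:
        identity = {k: record[k] for k in DIRECT_IDENTIFIERS}
        remainder = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        result.append({"pseudonym": store.issue_token(identity), **remainder})
    return result


def reidentify(pseudo_record, store):
    """Re-attach the identity: only possible with access to the key store."""
    identity = store.resolve(pseudo_record["pseudonym"])
    remainder = {k: v for k, v in pseudo_record.items() if k != "pseudonym"}
    return {**identity, **remainder}


def contains_direct_identifier(records):
    """True if any record still carries a field from DIRECT_IDENTIFIERS."""
    return any(k in r for r in records for k in DIRECT_IDENTIFIERS)


def anonymise(pseudo_records, store):
    """Cross from pseudonymised to anonymous data: destroy the mapping and coarsen
    the quasi-identifiers that could still single someone out (here the full date
    of birth becomes a birth year). Whether this is enough depends on the Recital 26
    'reasonably likely means' test for the dataset at hand."""
    store.destroy()
    anonymous = []
    for r in pseudo_records:
        rest = {k: v for k, v in r.items() if k not in ("pseudonym", "date_of_birth")}
        rest["birth_year"] = int(r["date_of_birth"][:4])
        anonymous.append(rest)
    return anonymous
```

The pseudonymised records are still personal data in the sense of the text above: anyone with access to the key store can restore the identity, so the store, not the dataset, is what the technical and organisational measures must protect.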

6 Data Protection Impact Assessment (DPIA)

Impact assessments have been utilised across various regulatory domains to evaluate the risks associated with technologies or contexts. For example, technology assessments emerged in the 1960s to examine the ramifications of technological innovations, while environmental impact assessments are widely practised.85 Privacy Impact Assessments (PIAs), later evolving into Data Protection Impact Assessments (DPIAs), were initially conducted in the 1990s in Canada, New Zealand and Australia. Initially, these assessments were primarily conducted by public sector entities but were later adopted by industry as a means to protect privacy interests and showcase accountability.86
Controllers and processors must follow specific protocols when processing personal data in a high-risk environment. The Data Protection Impact Assessment exercise is meant to safeguard data subjects’ rights from high-risk processing.87 There are quite a few Recitals we have to consider, as well as Article 35, to understand the legal framework under the GDPR.

Regulation (EU) 2016/679 of the European Parliament and of the Council
Recital 84:
“In order to enhance compliance with this Regulation where processing operations are likely to result in a high risk to the rights and freedoms of natural persons, the controller should be responsible for the carrying-out of a data protection impact assessment to evaluate, in particular, the origin, nature, particularity and severity of that risk. The outcome of the assessment should be taken into account when determining the appropriate measures to be taken in order to demonstrate that the processing of personal data complies with this Regulation. Where a data-protection impact assessment indicates that processing operations involve a high risk which the controller cannot mitigate by appropriate measures in terms of available technology and costs of implementation, a consultation of the supervisory authority should take place prior to the processing.”

Source Recital 84, GDPR

82 Article 32(1)(a), Article 40(2)(d), GDPR.
83 Mike Hintze and Khaled El Emam, ‘Comparing the Benefits of Pseudonymisation and Anonymisation under the GDPR’ (2018) 2 JDPP 1.
84 10 Misunderstandings Related to Anonymisation, Agencia Española de Protección de Datos (AEPD). https://www.edps.europa.eu/system/files/2021-04/21-04-27_aepd-edps_anonymisation_en_5.pdf. Accessed on 24th June 2024.
85 Environmental Impact Assessments, Directive 2015/52/EU.
86 Kloza, D.; Van Dijk, Niels; Gellert, Raphaël; Böröcz, István; Tanas, Alessia; Mantovani, Eugenio; Quinn, Paul, Data protection impact assessments in the European Union: complementing the new legal framework towards a more robust protection of individuals (2017).
87 David Wright and Kush Wadhwa, ‘Introducing a Privacy Impact Assessment Policy in the EU Member States’ (2013) 3 IDPL 13.

As a starting point, Recital 84 points to such processing as is likely to put the data subjects at risk. In such cases, the controller is meant to evaluate the impact of such processing and, in particular, the risk’s origin, nature and severity. While determining the means and measures of processing catering to the requirements under this Regulation, the data controller should consider the outcome of this exercise. In cases where the mitigating measures planned by a data controller are not enough to cover the excessive risk of processing, the supervisory authority must be consulted before commencing the processing.88

6.1 Necessity of a Data Protection Impact Assessment Exercise

Recital 91 deals with situations where the data controller is involved in large-scale processing of personal data. This large-scale processing could affect multiple data subjects. Owing to the extent of data processing, the overall impact could be sensitive in nature, leading to a high-risk environment. Further, there could be risk with the use of high-end technologies where the data subject has minimal chance of exercising their rights.89,90 There are certain instances of processing where an impact assessment report should be considered. Here the Recital states:

Regulation (EU) 2016/679 of the European Parliament and of the Council
Recital 91:
“… where personal data are processed for taking decisions regarding specific natural persons following any systematic and extensive evaluation of personal aspects relating to natural persons based on profiling those data or following the processing of special categories of personal data, biometric data, or data on criminal convictions and offences or related security measures. A data protection impact assessment is equally required for monitoring publicly accessible areas on a large scale, especially when using optic-electronic devices or for any other operations where the competent supervisory authority considers that the processing is likely to result in a high risk to the rights and freedoms of data subjects, in particular because they prevent data subjects from exercising a right or using a service or a contract, or because they are carried out systematically on a large scale.”

Source Recital 91, GDPR

88 Recital 84, GDPR.
89 Reuben Binns, ‘Data Protection Impact Assessments: A Meta-Regulatory Approach’ (2017) 7 IDPL 22.
90 Recital 91, GDPR.

6.2 The Idea of Data Protection Impact Assessment

Using new technologies to process personal data is likely to affect the rights of data subjects, in the context of the purpose, nature and scope. In such situations, an impact assessment exercise would help the data controller to comprehend the situation. A single assessment may cover similar processing operations presenting identical risks for the data subjects.91 The data protection officer in this regard can help the data controller to organise the data impact exercise.92
Article 35 points to some instances where the impact assessment exercise is crucial:
• An automated processing which results in “a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing.”93 Such processing includes profiling, and the outcomes of such processing will have a legal or other form of impact on data subjects.
• Where special categories of data are processed—sensitive, special categories and data relating to criminal convictions.
• A large-scale processing of a publicly accessible area through systematic monitoring.
The supervisory authority would make available a list where a DPIA is required. Similarly, they can make public a list where no DPIA exercise is needed.

91 Article 35, GDPR.
92 Article 35, GDPR.
93 Article 35(3)(a), GDPR.

The assessment shall have the following details:

Regulation (EU) 2016/679 of the European Parliament and of the Council


Article 35(7):
“(a) a systematic description of the envisaged processing operations and
the purposes of the processing, including, where applicable, the legitimate
interest pursued by the controller;
(b) an assessment of the necessity and proportionality of the processing
operations in relation to the purposes;
(c) an assessment of the risks to the rights and freedoms of data subjects …
(d) the measures envisaged to address the risks, including safeguards, security
measures and mechanisms to ensure the protection of personal data and
to demonstrate compliance with this Regulation taking into account the rights
and legitimate interests of data subjects and other persons concerned.”

Source Article 35, GDPR


Compliance with approved codes of conduct under Article 40 by the relevant controllers
or processors shall be taken into due account when assessing the impact of the
processing operations (Article 35(8)).
Where appropriate, the controller shall seek the views of data subjects or their
representatives on the intended processing, without prejudice to the protection of
commercial or public interests or the security of the processing operations
(Article 35(9)).
Where the risk presented by the processing operations changes, the controller shall
review whether the processing is still performed in accordance with the impact
assessment (Article 35(11)).

6.3 European Data Protection Board (EDPB) Guidelines on Data Protection Impact
Assessment Adopted on 4 April 2017 (Excerpts from the Guideline)94

The Guidelines on DPIA were adopted by the Article 29 Working Party and later endorsed
by the EDPB. They provide nine criteria as reference points for controllers when deciding
whether processing is “likely to result in a high risk”.
. The first criterion refers to Recitals 71 and 91: evaluation or scoring of data subjects,
including profiling and predicting aspects of their behaviour.
. The second refers to automated decision-making that produces legal effects on data
subjects or similarly significantly affects them.

94 Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing
is “likely to result in a high risk” for the purposes of Regulation 2016/679. https://ec.europa.eu/
newsroom/article29/items/611236/en. Accessed 5 December 2023. {Guidelines on Data Protection
Impact Assessment (DPIA)}
. Systematic monitoring: processing used to observe, monitor or control data subjects,
including data collected through networks or through systematic monitoring of a
publicly accessible area.
. Sensitive data or data of a highly personal nature, including the special categories
under Article 9 and data relating to criminal convictions or offences under Article 10.
. Data processed on a large scale. The Guidelines do not fix a number, but point to the
number of data subjects concerned, the volume of data and the range of data items, the
duration or permanence of the processing and its geographical extent.
. Matching or combining datasets, for example data originating from two or more
processing operations performed for different purposes, in a way that goes beyond what
the data subject would reasonably expect from the original collection.
. Data concerning vulnerable data subjects, where an imbalance of power makes it
difficult for them to object to the processing or to exercise their rights.
. Innovative use or application of new technological or organisational solutions, such
as combining fingerprint and face recognition for physical access control. Such use may
require the controller to assess the processing.
. Processing that in itself prevents data subjects from exercising a right or using a
service or a contract.95

6.3.1 Implementing a DPIA

The DPIA should be carried out before the processing begins, a sequence which sits well
with data protection by design and by default. It is a tool for deciding whether, and how,
the processing may go ahead. It is also a continuing process: a change in the purposes of
the processing, in the categories of data involved or in the risk presented may require
the assessment to be revisited, so it is not necessarily a one-time exercise.
Article 35(9) of the GDPR provides that, where appropriate, the controller shall seek the
views of data subjects or their representatives on the intended processing, “without
undermining the protection of commercial or public interests or the security of
processing operations.”96 The qualifier recognises that involving data subjects in every
DPIA could impose significant administrative and financial burdens on controllers. The
GDPR provides no further guidance on when such consultation is appropriate, leaving
that decision to the controller’s discretion.97
In most of the exercises described above, controllers and processors need expert help.
Under the GDPR, the data protection officer plays the role of that expert: Article 35(2)
requires the controller to seek the officer’s advice when carrying out a DPIA.

95 Guidelines on Data Protection Impact Assessment (DPIA).


96 Article 35(9), GDPR.
97 Kuner.

6.4 The Role of a Data Protection Officer (DPO)

An expert is required to support certain instances of data processing by the controller
and the processor. Articles 37, 38 and 39 define the role and expectations of this
officer.

6.4.1 Designation of the Data Protection Officer

Article 37(1) requires the controller and the processor to designate a data protection
officer in the following cases:
. Where the processing is carried out by a public authority or body, except for courts
acting in their judicial capacity.
. Where the core activities consist of processing operations which, by virtue of their
nature, scope and/or purposes, require regular and systematic monitoring of data
subjects on a large scale.
. Where the core activities consist of processing on a large scale of special categories
of data under Article 9, or of data relating to criminal convictions and offences under
Article 10.
A ‘core activity’ is linked to the notion that personal data processing is integral to the
controller’s or processor’s operations, as elucidated by the WP29 Guidelines.98 The
Confederation of European Data Protection Organisations (CEDPO) suggested that
‘core activities’ should be interpreted on the basis of the organisation’s description of
its corporate purpose and of its revenues as outlined in the profit and loss statement.99
The GDPR does not define ‘large scale’ processing; however, Recital 91 sheds some light
on Article 35(3)(b) of the GDPR, which requires a DPIA for large-scale processing of
special categories of data. The WP29 Data Protection Officer (DPO) Guidelines attach
four factors to ‘large scale’ processing: the number of data subjects concerned, the
volume of data and range of data items, the duration or permanence of the processing,
and the geographical extent of the activity.100
A group of undertakings may appoint a single data protection officer, provided that the
officer is easily accessible from each establishment (Article 37(2)). Several public
authorities or bodies may likewise designate a single officer, taking account of their
organisational structure and size (Article 37(3)). The Working Party 29
recommends, “that the DPO be located within the European Union, whether or not
the controller or the processor is established in the European Union. However, it
cannot be excluded that, in some situations where the controller or the processor has
no establishment within the European Union, a DPO may be able to carry out his or
her activities more effectively if located outside the EU.”101

98 WP29, Guidelines on Data Protection Officers (‘DPOs’) (2017), 20.
99 CEDPO 2017. https://cedpo.eu/wp-content/uploads/CEDPO-Follow-Up_Letter_on_WP_29_
DPO-Guidelines_20170215.pdf.
100 Working Party 29, 2017.
101 Guidelines on Data Protection Officers (‘DPOs’). https://ec.europa.eu/newsroom/article29/
items/611236/en. Accessed 5 December 2023.



The data protection officer is designated on the basis of professional qualities, in
particular expert knowledge of data protection law and practices, and the ability to
fulfil the tasks referred to in Article 39 (Article 37(5)). The controller or the processor
shall publish the contact details of the officer and communicate them to the supervisory
authority (Article 37(7)).
In 2010, the Network of Data Protection Officers (‘NDPO’) of the EU institutions
and bodies already considered that a DPO should possess the following personal
qualities:
“(a) It is recommended that the DPO should have the following experience/
maturity: at least 3 years of relevant experience to serve as DPO in a body
where data protection is not related to the core business (and thus personal data
processing activities are mainly administrative); and at least 7 years of relevant
experience to serve as DPO in an EU institution or in those EU bodies where
data protection is related to the core business or which have an important volume
of processing operations on personal data.
(b) Personal skills: integrity, initiative, organisation, perseverance, discretion,
ability to assert himself/herself in difficult circumstances, interest in data
protection and motivation to be a DPO.
(c) Interpersonal skills: communication, negotiation, conflict resolution, ability
to build working relationships.”102

6.4.2 Position of the Data Protection Officer

The controller or the processor shall ensure that the data protection officer is involved,
properly and in a timely manner, in all issues relating to the protection of personal data.
Further, they shall support the officer by providing the resources necessary to carry out
the tasks, access to personal data and processing operations, and the means to maintain
expert knowledge.103 The officer shall not receive any instructions regarding the exercise
of those tasks from the controller or processor or any of their representatives, and shall
not be dismissed or penalised for performing them.104 The data protection officer
performs the tasks independently and reports directly to the highest management level
of the controller or processor.105 Data subjects may contact the data protection officer
on all issues related to the processing of their personal data and the exercise of their
rights.106

6.4.3 Tasks of the Data Protection Officer

Article 39(1) entrusts the data protection officer with the following tasks:
. To inform and advise the controller or processor, and the employees who carry out
processing, of their obligations under the GDPR and other data protection provisions.

102 Professional Standards for Data Protection Officers of the EU institutions and bodies working
under Regulation (EC) 45/2001,(NDPO, 2010).
103 Eric Lachaud, ‘Should the DPO Be Certified?’ (2014) 4 IDPL 189.
104 Barbara Eggl, ‘Learning to Walk a Tightrope: Challenges DPOs Face in the Day-to-Day Exercise

of Their Responsibilities’ (2019) 3 JDPP 1.


105 Donato La Muscatella, ‘Data Protection Officer: Tasks and Responsibilities of a Key Role for

the Innovation of the Relationship between Data and Data Subjects’ Rights’ (2020) 3 JDPP 403.
106 Article 38, GDPR.

. To monitor compliance with the GDPR, with other data protection provisions and with
the policies of the controller or processor, including the assignment of responsibilities,
awareness-raising and training of staff involved in processing operations, and the
related audits.
. To provide advice, where requested, on the DPIA and to monitor its performance under
Article 35.
. To cooperate with the supervisory authority and to act as its contact point on issues
relating to processing, including the prior consultation under Article 36.
. In performing these tasks, the DPO shall have due regard to the risk associated with
the processing operations, taking into account the nature, scope, context and purposes
of the processing.107
In the Oikonomopoulos judgement,108 the Court determined that the failure to
inform the DPO was a significant enough issue to support a claim for damages. It
emphasised that without proper and prompt information regarding data processing
activities, the DPO could not effectively carry out the crucial supervisory role assigned
by the European legislature, including the ability to notify the European Data
Protection Supervisor.109

7 Standardisation of Processes

Standardised processes are critical to addressing inconsistencies, and the data
protection measures that protect the privacy of natural persons are no exception. We
have seen in earlier discussions that several practices followed by controllers could
suffer from inconsistency: for instance, the template used to communicate with data
subjects; the consent framework and how consent is obtained; the steps concerning the
transfer of personal data beyond the borders of the European Union; and the
appropriate security measures taken by controllers.
Recitals 98 and 99 and Articles 40 and 41 introduce two instruments for standardising
such processes: codes of conduct and their monitoring.

7.1 Drawing up of Codes of Conduct by Organisations and Associations

Recital 98 encourages a multi-stakeholder approach in drawing up codes of conduct. It
suggests the involvement of the different associations or bodies that represent
controllers and processors. While drawing up these codes, the controllers and
processors must stay within the boundaries of the Regulation. These codes are

107 Article 39, GDPR.


108 Case T-483/13.
109 Case T-483/13.

encouraged to facilitate the effective implementation of the GDPR. The codes should
consider unique features of processing in certain sectors, including micro, small
and medium enterprises. The codes calibrate the obligations and responsibilities of
controllers and processors. This calibration happens after accounting for the risks
associated with data processing with an overarching aim of safeguarding the rights
of data subjects.110

7.2 The Consultation Route in Drawing up Codes

The process of arriving at codes of conduct should be one of consultation between the
different stakeholders. The associations and other bodies that represent controllers and
processors should, where possible, reach out to data subjects and take into account the
comments and suggestions received during the consultations on such codes at
different levels.111

7.3 The Overall Exercise of Finalising the Codes

Drawing up codes of conduct is a multi-party and multi-level process. Besides the
controllers, processors, data subjects and other stakeholders, it involves the Member
States, the supervisory authorities, the EDPB and the Commission. Article 40(1) states
that the encouragement to draw up codes should come from these four, so that the codes
contribute to the proper application of the GDPR. As the Recital states, the codes should
take account of the specific features of the various processing sectors.112
Associations and other bodies representing categories of controllers or processors may
draw up codes of conduct, or amend or extend existing ones. Article 40(2) lists the
matters such codes may specify:

Regulation (EU) 2016/679 of the European Parliament and of the Council


Article 40:
“(a) fair and transparent processing;
(b) the legitimate interests pursued by controllers in specific contexts;
(c) the collection of personal data;
(d) the pseudonymisation of personal data;
(e) the information provided to the public and data subjects;
(f) the exercise of the rights of data subjects;

110 Recital 98, GDPR.


111 Recital 99, GDPR.
112 Article 40, GDPR.

(g) the information provided to, and the protection of, children, and the
manner in which the consent of the holders of parental responsibility over
children is to be obtained;
(h) the measures and procedures referred to in Articles 24 and 25 and the
measures to ensure security of processing referred to in Article 32;
(i) the notification of personal data breaches to supervisory authorities and
the communication of such personal data breaches to data subjects;
(j) the transfer of personal data to third countries or international organisations; or
(k) out-of-court proceedings and other dispute resolution procedures for
resolving disputes between controllers and data subjects with regard to
processing, without prejudice to the rights of data subjects pursuant to Articles
77 and 79.”

Source Article 40, GDPR


Those drafting, amending or extending a code submit the draft to the competent
supervisory authority, which gives an opinion on whether it complies with the GDPR and
approves it if it provides sufficient appropriate safeguards (Article 40(5)). Once
approved, the authority registers and publishes the code (Article 40(6)).
Where the draft relates to processing activities in several Member States, the authority
submits it to the EDPB before approval. The Board gives an opinion on whether the draft
complies with the Regulation and provides sufficient appropriate safeguards, and
forwards that opinion to the Commission (Article 40(7) and (8)). The Commission may
then decide, by implementing act, that the approved code has general validity within
the Union, and shall ensure appropriate publicity for it (Article 40(9) and (10)). The
EDPB collates all approved codes in a register and makes them publicly available
(Article 40(11)).

7.4 Monitoring of Approved Codes of Conduct

Article 41 provides for a body with an appropriate level of expertise in relation to the
subject-matter of the code to monitor compliance with it. The competent supervisory
authority accredits this body for that purpose. Its monitoring is without prejudice to the
tasks and powers of the supervisory authority, so the two operate in parallel rather than
in competition.113

113 Article 41, GDPR.



There are certain pre-requisites connected to the accreditation of this body, and
Article 41 lays down the ground rules:

Regulation (EU) 2016/679 of the European Parliament and of the Council


Article 41:
“where that body has
(a) demonstrated its independence and expertise in relation to the subject-
matter of the code to the satisfaction of the competent supervisory authority;
(b) established procedures which allow it to assess the eligibility of
controllers and processors concerned to apply the code, to monitor their
compliance with its provisions and to periodically review its operation;
(c) established procedures and structures to handle complaints about
infringements of the code or the manner in which the code has been, or is
being, implemented by a controller or processor, and to make those procedures
and structures transparent to data subjects and the public; and
(d) demonstrated to the satisfaction of the competent supervisory authority
that its tasks and duties do not result in a conflict of interests.”

Source Article 41, GDPR


The supervisory authority submits its draft criteria for accrediting such a body to the
EDPB under the consistency mechanism (Article 41(3)).
Subject to appropriate safeguards, the body takes appropriate action in cases of
infringement of the code by a controller or processor, including suspension or exclusion
from the code. It informs the competent supervisory authority of such actions and of the
reasons for them (Article 41(4)). The supervisory authority shall revoke the body’s
accreditation if the conditions for accreditation are not, or are no longer, met, or if
actions taken by the body infringe the GDPR (Article 41(5)). Article 41 does not apply to
processing carried out by public authorities and bodies (Article 41(6)).
An example is the ICO’s accreditation requirements for UK GDPR114 code of conduct
monitoring bodies.115 The ICO sets out eight areas of requirements to ensure effective
monitoring. These include proving independence through legal, financial,
organisational and accountability mechanisms, and ensuring impartiality by addressing
any conflicts of interest relating to governance, people, contracts and training.
Monitoring bodies must demonstrate their expertise by presenting evidence of their
employees’ knowledge of data protection law, of the processing operations concerned
and of auditing. They must also have established procedures and structures for
evaluating controllers’ compliance and the ability to conduct thorough assessments.116

114 Data Protection Act, 2018. https://www.legislation.gov.uk/ukpga/2018/12/pdfs/ukpga_201
80012_en.pdf. Accessed 24 June 2024.
115 Information Commissioner’s Office (ICO). https://ico.org.uk/media/for-organisations/doc
uments/4024815/uk-accreditation-requirements-for-code-of-conduct-202303.pdf. Accessed 6
December 2023. {Information Commissioner’s Office (ICO)}.
116 Information Commissioner’s Office (ICO), 2.

Furthermore, monitoring bodies must have clear complaint-handling mechanisms
capable of addressing and resolving complaints within specified timeframes. They shall
notify the ICO of any suspension or exclusion of a non-compliant controller or
processor, giving the organisation concerned the chance to correct its position. The
bodies also play an important role in monitoring and enforcing the codes of conduct,
and they must declare their legal status and financial resources to the ICO to show that
they can meet their commitments.117

7.5 Initiating the Process of Certification

It is not just about sharing information with data subjects: controllers need to ensure
that data subjects understand the consequences of the processing and the complexities
attached to it. It is difficult to predict whether data subjects will read the privacy
policy for the service or product a controller provides, and even more difficult to predict
whether they will understand it in the way the controller presents it. We can keep trying
to standardise the information a controller shares, how it is represented and how data
subjects navigate it. These are tough standards to meet, and in the 27 years covering
the Directive and the GDPR there has not been much change. A better option, therefore,
is to develop standardised measures that controllers must meet before processing
begins. Such measures would have a certain degree of universality. Once controllers are
certified, matters become easier for them and for data subjects, who would then not
need to rely so heavily on the content of the information provided. Here we turn to
Recital 100 and Articles 42 and 43.

7.6 Certification

Recital 100 of the GDPR encourages the establishment of certification mechanisms and
data protection seals and marks, alongside codes of conduct, in order to enhance
transparency and compliance. These standardised signals allow data subjects to quickly
assess the level of data protection of the relevant products and services.118
Article 42 asks the Member States, the supervisory authorities, the EDPB and the
Commission to encourage certification mechanisms that help controllers and processors
demonstrate compliance with the GDPR. Participation is voluntary, and certification does
not reduce the responsibility of the controller or processor for compliance with the
Regulation.

117 Information Commissioner’s Office (ICO), 7.


118 Recital 100, GDPR.

Certification under Article 42 is issued by the certification bodies referred to in Article
43 or by the competent supervisory authority, on the basis of criteria approved by that
authority or by the EDPB. Where the criteria are approved by the Board, this may result
in a common certification, the European Data Protection Seal (Article 42(5)).
The controller or processor that submits its processing to the mechanism must provide
the certification body or the supervisory authority with all the information, and access
to its processing activities, needed to conduct the certification procedure (Article 42(6)).
A certification is valid for a maximum period of three years and may be renewed under
the same conditions, provided the relevant requirements continue to be met. It shall be
withdrawn where the requirements are not, or are no longer, met (Article 42(7)).
The EDPB collates all certification mechanisms and data protection seals and marks in
a register and makes them publicly available (Article 42(8)).119

7.7 Certification Bodies

Article 43 deals with certification bodies that have an appropriate level of expertise in
relation to data protection. Without prejudice to the tasks and powers of the competent
supervisory authority, these bodies issue and renew certification. Member States shall
ensure that certification bodies are accredited by the competent supervisory authority,
by the national accreditation body named in accordance with Regulation (EC) No
765/2008, or by both (Article 43(1)). A certification body is accredited only where it has,
among other conditions, demonstrated its independence and expertise in relation to the
subject-matter of the certification to the satisfaction of the competent supervisory
authority (Article 43(2)).120
According to the EDPB Guidelines 1/2018 on certification and identifying certification
criteria in accordance with Articles 42 and 43 of the Regulation, adopted on 4 June
2019,121 the following three core components are considered:

Guidelines 1/2018 on certification and identifying certification criteria in
accordance with Articles 42 and 43 of the Regulation adopted on 4th June 2019
“1. personal data (material scope of the GDPR);

119 Article 42, GDPR.


120 Article 43, GDPR.
121 EDPB | European Data Protection Board. https://edpb.europa.eu/sites/default/files/files/file1/
edpb_guidelines_201801_v3.0_certificationcriteria_annex2_en.pdf. Accessed 6 December 2023.



2. technical systems - the infrastructure, such as hardware and software,
used to process the personal data; and
3. processes and procedures related to the processing operation(s).”

Source Guidelines on certification and certification criteria, 2018


The obligations and responsibilities of data controllers and processors are critical
to ensuring effective data protection measures. Controllers must ensure that personal
data are treated lawfully, transparently and for legitimate purposes by implementing
data protection by design and default, which entails embedding privacy measures
into their processes and systems from the start to ensure comprehensive data security.
Adherence to established codes of conduct and participation in certification processes
shows a commitment to upholding high data protection standards and accountability.
Questions:
1. Explain the obligations of a data processor in relation to data protection principles
and legal compliance.
2. How does “Data Protection by Design and by Default” enhance privacy and
compliance with data protection laws?
3. Describe the process and benefits of pseudonymisation in data protection
practices.
4. What is the role of a Data Protection Impact Assessment (DPIA) and when should
it be conducted?
5. How does certification contribute to demonstrating accountability and trustwor-
thiness in handling personal data?

Suggested Readings

1. Guidelines 4/2019 and Analysis on Article 25 Data Protection by Design and by Default (Article
25).
2. EDPB Guidelines on Data Protection Impact Assessment (DPIA) adopted on 4th April 2017.
3. Guidelines 1/2018 on certification and identifying certification criteria in accordance with
Articles 42 and 43 of the Regulation adopted on 4th June 2019.
4. ICO Accreditation Requirements For UK GDPR Code Of Conduct Monitoring Bodies.
5. WP29, 2010, Opinion 1/2010 on the concepts of “controller” and “processor”.
6. EDPS, opinion 5/2018. Preliminary Opinion on privacy by design, ( May 2018).
7. Kuner, Christopher; Bygrave, Lee A., The EU General Data Protection Regulation (GDPR):
A Commentary (2020).
8. Guidelines 05/2020 on consent under Regulation 2016/679.
9. Guidelines on Automated individual decision-making and Profiling for the purposes of
Regulation 2016/679.
10. EC Staff Working Paper 2012.
11. WP29, Guidelines on Data Protection Officers(‘DPOs’), (2017).
12. Michèle Finck, ‘Cobwebs of Control: The Two Imaginations of the Data Controller in EU Law’
(2021) 11 IDPL 333.

13. Nils Zurawski, David Wright, and Paul de Hert (eds), Privacy Impact Assessment (Springer
2012) 519 pp, ISBN 978-94-007-2542-3, (2012) 2 IDPL 316.
14. Dan Jerker B. Svantesson, ‘Article 4(1)(a) “Establishment of the Controller” in EU Data Privacy
Law—Time to Rein in This Expanding Concept? (2016) 6 IDPL 210.
15. Michael Veale, Reuben Binns, and Jef Ausloos, ‘When Data Protection by Design and Data
Subject Rights Clash’ (2018) 8 IDPL 105.
16. Donato La Muscatella, ‘Data Protection Officer: Tasks and Responsibilities of a Key Role for
the Innovation of the Relationship between Data and Data Subjects’ Rights’ (2020) 3 JDPP
403.
Chapter 5
Transfer of Personal Data to Third
Countries

1 Introduction

Transfer of personal data beyond the EU is one of the most difficult questions tackled
under the GDPR. It was an issue that the Data Protection Directive tried to remedy, and
the GDPR now provides a comprehensive structure for data transfer.
The GDPR sets the rules for the circumstances in which a controller, while fulfilling the
purpose of processing, is required to transfer personal data beyond the boundaries of
the Union.
The general notion is that a comparable data protection framework must exist in the
country to which the data are being, or would be, transferred. Controllers need to ensure
that the receiving country effectively implements the data protection principles.
This chapter focuses on the legal structure that exists under the GDPR for the transfer
of personal data: the relevant Recitals and Articles, and the Guidelines issued by the
EDPB, along with their interpretation. Additionally, we look at the Schrems I and
Schrems II judgements delivered by the CJEU concerning data transfers from the EU to
the USA, and the circumstances in which the Safe Harbour arrangement and the Privacy
Shield were invalidated. Finally, we also look at the third framework, the EU-US Data
Privacy Framework adopted by the European Commission, which introduces binding
safeguards intended to address the concerns raised by the CJEU.

2 Legal Structure on the Rules of Transfer of Personal Data

To ascertain the foundation of the rules of transfer, there are about fifteen Recitals
starting from 101, reflecting various dimensions of transfer.

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2024
I. Gupta et al., Introduction to Data Protection Law,
https://doi.org/10.1007/978-981-97-6355-9_5

In the era of globalisation, data flow outside the EU, and with increasing flows come
data protection concerns. The level of protection of natural persons guaranteed by the
GDPR must not be undermined when personal data are transferred outside the EU.
Therefore, a specific regulatory framework must be followed before any transfer takes
place. The general principle in Article 44 makes compliance with the transfer conditions
of Chapter V mandatory for any transfer of personal data beyond the EU.1
Recital 102, however, makes clear that the GDPR is without prejudice to international
agreements concluded between the Union and third countries. Member States, too, may
conclude international agreements involving the transfer of personal data, so far as such
agreements comply with the GDPR and provide an appropriate level of protection for
personal data.2 The Commission decides whether a third country ensures an adequate
level of protection (Recital 103).3 In such cases, a transfer to that third country or
international organisation needs no further authorisation. The Commission may also
repeal an adequacy decision after giving reasons to the third country or organisation
concerned.4
When assessing the level of protection in a third country, the Commission considers the
rule of law, how the country’s legal structure respects the rule of law and access to
justice,5 respect for human rights and fundamental freedoms, and the relevant
legislation concerning public and national security.

Regulation (EU) 2016/679 of the European Parliament and of the Council


Recital 104:
“…The adoption of an adequacy decision with regard to a territory or a
specified sector in a third country should take into account clear and objective
criteria, such as specific processing activities and the scope of applicable legal
standards and legislation in force in the third country.”

Source Recital 104, GDPR


There is an equivalence test between the protection offered in a third country and the norms expected within the EU. Additional parameters help, such as the independence of an existing supervisory authority responsible for measuring the level of data protection compliance. In the foreign jurisdiction, data subjects should be able to exercise their rights freely and resort to judicial redress following a complaint.
Through a systematic review process, adequacy decisions must be monitored alongside the level of protection in the third country. The periodic review should be conducted in consultation with the third country after assessing recent policy and legal developments.6 In the process, the Commission should consider the views and findings of different bodies of the Union. Data transfer may be prohibited if the review findings suggest that the countries or the organisations in question no longer process the data adequately.7 Other than the Recitals, Article 45 deals with transfers based on adequacy decisions. According to Article 45, the periodic review should happen at least every four years.8

1 Article 44, GDPR.
2 Recital 102, GDPR.
3 Recital 103, GDPR.
4 Recital 103, GDPR.
5 Julian Wagner, ‘The Transfer of Personal Data to Third Countries under the GDPR: When Does a Recipient Country Provide an Adequate Level of Protection?’ (2018) 8 IDPL 318.
Adequacy requires that the data protection rules outside the EU are consistent with the EU requirements, together with an adequate enforcement mechanism. These rules must be substantially comparable to those of the EU, but they do not have to be identical. According to WP29, adequacy entails adhering to a “core” set of principles governing the substance and enforcement of the existing data protection framework, drawn from the GDPR, the EU Charter of Fundamental Rights and international agreements like Council of Europe Convention 108. It also entails analysing the legal framework that governs public authorities’ access to personal data.9
There could be instances where no adequacy decision exists in relation to a third country. In all such cases, data controllers should ensure that appropriate safeguard mechanisms are in place for the data subjects. These could take the form of approved binding corporate rules, standard data protection clauses or contractual clauses approved by the supervisory authorities in the Member States.10 These measures will be discussed in detail later in the chapter. They should ensure that the requirements under the GDPR are adequately upheld in a third country. There could be other administrative arrangements, like a memorandum of understanding (MoU), where public authorities or their representatives carry out data transfers. Such an MoU should be able to uphold the rights that data subjects want to exercise. Safeguards that are not legally binding and are offered as part of these arrangements must be authorised by a competent supervisory authority.11
The controller or processor can use the standard data protection clauses approved by the Commission or by the supervisory authority. A controller or processor can also include standard data protection clauses in a contract between the processor and any subsequent processor. Other clauses could be added and additional safeguards provided, provided that these clauses, or the clauses mentioned above, do not affect the rights of data subjects.12

6 Julian Wagner, ‘The Transfer of Personal Data to Third Countries under the GDPR: When Does a Recipient Country Provide an Adequate Level of Protection?’ (2018) 8 IDPL 318.
7 Bjørn Aslak Juliussen, Elisavet Kozyri, Dag Johansen, and Jon Petter Rui, ‘The Third Country Problem under the GDPR: Enhancing Protection of Data Transfers with Technology’ (2023) 13 IDPL 225.
8 Article 45, GDPR.
9 Working Party 29, 2017.
10 Massimo Marelli, ‘Transferring Personal Data to International Organizations under the GDPR: An Analysis of the Transfer Mechanisms’ (2024) 14 IDPL 19.
11 Article 46, GDPR.
12 Recital 108, GDPR.

“Onward transfer,” although not explicitly defined in documents like the standard
contractual clauses,13 generally refers to a situation entailing subsequent transfer of
personal data after its initial transfer to a data importer outside the EU or EEA.14 This
term is commonly used to describe situations where data imported by a company are
further transferred to third parties by the initial importer. For example, a company
might delegate database management to a service provider, who then subcontracts
maintenance tasks to another entity, constituting an onward transfer of data.15

2.1 Transfers Subject to Appropriate Safeguards

Article 46 reflects on transfers subject to appropriate safeguards. These safeguards are listed below and relate to the previous Recitals.

Regulation (EU) 2016/679 of the European Parliament and of the Council

Article 46:
“(a) a legally binding and enforceable instrument between public authorities
or bodies;
(b) binding corporate rules..;
(c) standard data protection clauses adopted by the Commission;
(d) standard data protection clauses adopted by a supervisory authority and
approved by the Commission..;
(e) an approved code of conduct pursuant to Article 40 together with binding
and enforceable commitments of the controller or processor in the third country
to apply the appropriate safeguards, including as regards data subjects’ rights..;
(f) an approved certification mechanism pursuant to Article 42 together
with binding and enforceable commitments of the controller or processor in
the third country to apply the appropriate safeguards, including as regards data
subjects’ rights.. .”

Source Article 46, GDPR


Article 46 provides a range of safeguards, providing flexibility to organisations
to uphold the data protection principles and ensure that adequate safeguards are in
place regardless of where the data are processed or stored.
Further, following the competent supervisory authority’s authorisation, appropriate safeguards may also include:
“contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation; or
provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.”16

13 Working Party 29, 2008 (WP29, 2008).
14 WP29, 2008.
15 WP29, 2008.
Approved binding corporate rules can be used to transfer data beyond the EU by companies that carry out a joint economic activity. Such transfers should remain within the same corporate group. These rules should incorporate the data protection principles while ensuring protection for data subjects.
As per the working document on the procedure for the approval of binding corporate rules, such rules are governed by the GDPR.17 It is a fundamental requirement that binding corporate rules are approved. There could be a situation in which the approval process requires the intervention of multiple supervisory authorities. In that case, the EDPB will form its opinion and communicate its decision, on the basis of which the competent supervisory authority will grant approval.

2.2 Binding Corporate Rules

Article 47 reflects upon binding corporate rules. These are internal policies established and adhered to by corporations for the transfer of personal data. These rules shall be approved by a competent supervisory authority and are enforceable on all concerned members of the group of undertakings or group of enterprises.18 These rules should include the following details:

Regulation (EU) 2016/679 of the European Parliament and of the Council

Article 47:
“(a) the structure and contact details of the group of undertakings, or group
of enterprises engaged in a joint economic activity and of each of its members;
(b) the data transfers or set of transfers, including the categories of personal
data, the type of processing and its purposes, the type of data subjects affected
and the identification of the third country or countries in question;
….
(d) the application of the general data protection principles, in particular
purpose limitation, data minimisation, limited storage periods, data quality,
data protection by design and by default, legal basis for processing, processing
of special categories of personal data, measures to ensure data security, and the
requirements in respect of onward transfers to bodies not bound by the binding
corporate rules;

16 Article 46, GDPR.
17 WP29, Working Document Setting Forth a Co-Operation Procedure for the approval of “Binding Corporate Rules” for controllers and processors under the GDPR (2018).
18 WP29 2003, 8.

(e) the rights of data subjects in regard to processing and the means to
exercise those rights, including the right not to be subject to decisions based
solely on automated processing, including profiling …
(f) the acceptance by the controller or processor established on the territory
of a Member State of liability for any breaches of the binding corporate rules
by any member concerned not established in the Union…
(h) the tasks of any data protection officer designated in accordance with
Article 37 or any other person or entity in charge of the monitoring compliance
with the binding corporate rules within the group of undertakings, or group of
enterprises engaged in a joint economic activity, as well as monitoring training
and complaint-handling;
(i) the complaint procedures;
(j) the mechanisms within the group of undertakings, or group of enterprises
engaged in a joint economic activity for ensuring the verification of compliance
with the binding corporate rules. Such mechanisms shall include data protection
audits and methods for ensuring corrective actions to protect the rights of the
data subject. …
(k) the mechanisms for reporting and recording changes to the rules and
reporting those changes to the supervisory authority; …”

Source Article 47, GDPR


Certain types of data transfers may require the data subject to give explicit consent. These are the instances in which the transfer is made on a one-time basis in connection with a contract, a legal claim, or on the basis of a public interest recognised in the law of the Union or the Member State. Recital 112 states that these grounds
“…in particular apply to data transfers required and necessary for important reasons of public interest, for example in cases of international data exchange between competition authorities, tax or customs administrations, between financial supervisory authorities, between services competent for social security matters, or for public health, for example in the case of contact tracing for contagious diseases or in order to reduce and/or eliminate doping in sport.”19

If the data subject is unable to give consent, the transfer is deemed permissible to safeguard their bodily integrity and vital interests, or the vital interests of another individual. In the absence of an adequacy decision, Union or Member State law may, for important reasons of public interest, restrict or stop the transfer of personal data beyond the EU.

19 Recital 112, GDPR.

Regulation (EU) 2016/679 of the European Parliament and of the Council

Recital 112:
“Any transfer to an international humanitarian organisation of personal data of a data subject who is physically or legally incapable of giving consent, with a view to accomplishing a task incumbent under the Geneva Conventions or to complying with international humanitarian law applicable in armed conflicts, could be considered to be necessary for an important reason of public interest or because it is in the vital interest of the data subject.”

Source Recital 112, GDPR


Transfers which are infrequent and involve a limited number of data subjects could take place on the basis of a compelling legitimate interest; however, such transfers should not override the rights of data subjects. At all times, the controller is obliged to assess the different variables concerning the category of personal data in question, their place of origin, the purpose pursued, the duration of the data processing and the legal and enforceable mechanisms in the third country. Such transfers, as outlined in Recital 113, should occur only when other transfer grounds are not viable, with notification to both the data subjects and the supervisory authority.20
Recital 115 refers to situations where judgements or decisions delivered by legal authorities in a third country may require controllers or processors to disclose personal data. Where the requirement is not based on an international agreement, such extraterritorial application may breach international law and conflict with the rights protected under the GDPR. Transfers are only allowed when the conditions for a transfer to the third country are met and disclosure is necessary on a ground of public interest recognised in the Union.21
Article 49 refers to certain derogations under specific circumstances.22 These are situations without adequacy decisions [Art. 45]23 or appropriate safeguards [Art. 46]24, including binding corporate rules. The previous Recitals form the basis of this Article. A transfer may not fall under Article 45, 46 or 49. In that case, such a transfer outside the EU is still possible where it is non-repetitive and concerns a limited number of data subjects. The detailed conditions have already been mentioned above. Article 49 also deals with situations connected to public interest, where Union or Member State law can expressly set limits on the transfer of specific categories of personal data.25
Recital 116 and Article 50 recognise the challenges of enforcing legal remedies, since the cross-border transfer of data outside the Union increases the risk that data protection rights cannot be exercised.26 Data subjects, as well as supervisory authorities, may be unable to pursue complaints and conduct investigations outside the borders of the EU. This could be for multiple reasons, including but not limited to inconsistent legal regimes. Therefore, the Recital proposes closer cooperation between data protection authorities and their international partners. International cooperation mechanisms must be developed.27 There should be mutual cooperation between the competent authorities in the third country and the competent authorities in the EU on the basis of reciprocity.28

20 Recital 11, GDPR.
21 Recital 115, GDPR.
22 Article 49, GDPR.
23 Article 45, GDPR.
24 Article 46, GDPR.
25 Article 49(5), GDPR.
26 Recital 116, GDPR.

3 Guidelines 2/2020 on Articles 46 (2) (a) and 46 (3) (b) of Regulation 2016/679 for Transfers of Personal Data Between EEA and Non-EEA Public Authorities and Bodies29

As a general rule, data transfers should comply with a two-step process: follow the data protection principles under Article 5 of the GDPR, and have a lawful basis under Article 6 (and under Article 9 when handling special categories of data).

3.1 The Idea of Appropriate Safeguards

The EDPB has identified critical safeguards for international data transfer agreements between public agencies to protect data subjects’ rights. These agreements must state the purpose of data collection and processing, ensuring that personal information is not used for incompatible objectives.30 The agreements must also ensure that data are accurate, relevant and confined to their intended purpose, with mechanisms in place to correct any mistakes quickly.31 Furthermore, data retention clauses ensure that personal data are stored for a limited period and only for as long as necessary.32
In addition, the agreements must ensure the security and confidentiality of transferred data using adequate technical and organisational safeguards.33 An effective internal governance framework is required to regulate access to personal data and enforce security rules. The agreements should also include protocols for managing data breaches and notifying data subjects.34 Importantly, data subjects’ rights must be protected, including enforceable obligations and processes for addressing breaches. Any restrictions on these rights must be consistent with Article 23 of the GDPR, ensuring that they are not arbitrary.35

27 Olivier Proust and Emmanuelle Bartoli, ‘Binding Corporate Rules: A Global Solution for International Data Transfers’ (2012) 2 IDPL 35.
28 Article 50, GDPR.
29 (Guidelines 2/2020 on Articles 46 (2) (a) and 46 (3) (b) of … - europa.eu). https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202002_art46guidelines_internationaltransferspublicbodies_v1.pdf. Accessed 7 December 2023 (Guidelines 2/2020).
30 Guidelines 2/2020, 8.
31 Guidelines 2/2020, 8.
32 Guidelines 2/2020, 9.
33 Guidelines 2/2020, 9.
34 Zuzanna Gulczyńska, ‘A Certain Standard of Protection for International Transfers of Personal Data under the GDPR’ (2021) 11 IDPL 360.
Transparency is a core element of the GDPR. The EDPB document suggests that the international agreement must contain clear information describing the obligations of the parties with regard to transparency. The document further specifies the information that must be included in the agreement:

Guidelines 2/2020 on articles 46 (2) (a) and 46 (3) (b) of Regulation 2016/
679 for transfers of personal data between EEA and non-EEA public
authorities and bodies (18th January 2020)
“a general information notice with, as a minimum, information on how and
why the public bodies may process and transfer personal data, the relevant tool
used for the transfer, the entities to which such data may be transferred, the
rights available to data subjects and applicable restrictions, available redress
mechanisms and contact details for submitting a dispute or claim”

Source Guidelines 2/2020


The EDPB document suggests that providing information in the agreement is
different from putting up information on the websites of public bodies. Further, it
will not suffice to put up information for data subjects on the websites.36
The EDPB specifies that these agreements must state how data subjects can exercise their rights to access, rectify, erase and object to data processing. Responses to these requests must be sent in a timely manner, normally within one month, with possible extensions of up to two months.37 The transferring public entity is responsible for informing data subjects of any steps taken in response to their requests within the indicated timeframe. In addition, the agreements should include terms on automated individual decision-making, requiring explicit authorisation for decisions based exclusively on automated processing.38
Furthermore, the agreements must include restrictions on onward data transfers, permitting such transfers only with prior express authorisation and requiring the recipient third party to follow the same data protection standards.39 Transferring sensitive data necessitates additional precautions, such as access limits and data processing limitations. Effective redress mechanisms must be in place so that data subjects can file complaints regarding non-compliance.40
International transfers always raise the question of the redressal mechanisms available to data subjects when data have been transferred outside the EU or to a non-EEA country. Whenever there is an issue of non-compliance with the agreement’s provisions, these mechanisms would help data subjects lodge complaints about data transferred from EEA countries.41

35 Guidelines 2/2020, 9.
36 Guidelines 2/2020, 10.
37 Guidelines 2/2020, 10.
38 Guidelines 2/2020, 11.
39 Guidelines 2/2020, 12.
40 Guidelines 2/2020, 13.

The EDPB document recommends following a two-step process regarding the redressal mechanism:

Guidelines 2/2020 on articles 46 (2) (a) and 46 (3) (b) of Regulation 2016/
679 for transfers of personal data between EEA and non-EEA public
authorities and bodies (18th January 2020).
“First, the receiving public body should commit to put in place a mechanism
to effectively and timely handle and resolve complaints from data subjects
concerning compliance with the agreed data protection safeguards.
Second, the agreement should allow for a judicial remedy, including
compensation for damages - both material and non-material - as a result of
the unlawful processing of personal data.
In that case, the international agreement could create a structure which
enables the data subject to enforce its rights outside the Courts, for example,
through quasi-judicial, binding mechanisms such as arbitration or alternative
dispute resolution mechanisms such as mediation, which would guarantee an
independent review.”

Source Guidelines 2/2020


The redress mechanism should also include the possibility for the public body transferring personal data to stop such transfers. The international agreement must contain provisions for cases where the parties cannot resolve a dispute amicably.
The agreements should also contain robust internal and independent supervision
measures to guarantee that the precautions are followed. Periodic assessments and
collaboration amongst parties are required to maintain compliance, and in the absence
of a designated supervisory authority, alternative methods must be given to ensure
effective oversight.42

3.2 Transfer Based on Article 46 GDPR

Article 46 of the GDPR allows EEA public bodies to transfer personal data to public bodies in a third country with the prior authorisation of the supervisory authority. They can base this transfer on instruments concluded between these public authorities. These instruments must be legally binding and enforceable. The parties involved in such a transfer should commit themselves to safeguarding data subjects’ interests. Therefore, the receiving public authority in the foreign jurisdiction must apply the data protection principles in line with the GDPR.43
Certain recommendations have been made concerning the Law Enforcement Directive and how to frame adequacy decisions concerning data transfers.

41 Guidelines 2/2020, 13.
42 Guidelines 2/2020, 15.

4 Adequacy Through the Lens of Law Enforcement Directive (LED)

Article 1: Subject matter and objectives44:

Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016
“This Directive lays down the rules relating to the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.”

Source Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA

4.1 Transfers on the Basis of an Adequacy Decision

As a general rule, the Commission decides the adequacy level of protection in a jurisdiction beyond the EU. There are a few considerations for the Commission to assess.
• It must consider the basic legal structure, with specific importance given to the rule of law, the treatment of human rights, legislation on public and national security, criminal law and access to personal data by public authorities.45 It should also assess the existing data protection law, including its norms on transfers to third countries, and the availability of data subjects’ rights and redressal mechanisms.
• The extent of independence of the supervisory authority responsible for enforcing data subjects’ rights.
• Adequacy may be tested through an implementing act, which provides for periodic reviews every four years. The review will address developments in different jurisdictions, with a further option to monitor these changes.46
• Where the adequacy level falls short, the Commission can repeal, amend or suspend its decision as necessary. The deficiencies must be addressed in consultation with the foreign jurisdiction or the organisation.47

Recommendations Published on 2 February 2021 on the Adequacy Referential Under the LED

The EDPB document48 explains the process to be followed to test the level of adequacy in a jurisdiction beyond the EU and in an international organisation. In the context of the LED, for the purposes of the “prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security”, the third country must have the core data protection principles embedded in its legal framework to ensure essential equivalence with the EU framework.49,50

43 Guidelines 2/2020, 17.
44 Eleni Kosta and Franziska Boehm, The EU Law Enforcement Directive (LED): A Commentary (2024).
45 Article 36, Transfers on the basis of an adequacy decision, Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA. https://eur-lex.europa.eu/legalcontent/EN/TXT/HTML/?uri=CELEX%3A32016L0680#d1e1805-89-1. Accessed 7 December 2023 (Article 36, Directive (EU) 2016/680).
46 Article 36, Directive (EU) 2016/680.
47 Article 36, Directive (EU) 2016/680.
48 Recommendations 01/2021 on the adequacy referential under the Law Enforcement Directive. https://edpb.europa.eu/sites/default/files/files/file1/recommendations012021onart.36led.pdf_en.pdf. Accessed 7 December 2023 (Recommendations 01/2021).
49 Laura Drechsler, ‘Wanted: LED Adequacy Decisions. How the Absence of Any LED Adequacy Decision Is Hurting the Protection of Fundamental Rights in a Law Enforcement Context’ (2021) 11 IDPL 182.
50 Recommendations 01/2021, 4.

5 EU Standards for Adequacy in the Police Cooperation and Judicial Cooperation in Criminal Matters51

Following different judgements delivered by the CJEU, a legal basis that allows interference with the rights in the Charter must satisfy the requirement of proportionality in relation to the purpose that permits such interference [La Quadrature du Net and Schrems II].52
To satisfy this requirement, the legislation must lay down minimum safeguards, over and above having clear and precise rules covering the scope of the interference. This guarantees protection against the risk of abuse to those whose data have been transferred. The measures safeguarding the interests of data subjects should explicitly include the circumstances under which processing can take place. An adequacy decision is the outcome of a privacy and data protection framework and the effective implementation of that framework through the existing legal structure in a third country.
The scope of the LED ensures that the general data protection principles are followed, yet there are specific departures from their general applicability in other cases, which are discussed below.
The EDPB defines numerous key principles for lawful and fair data processing, emphasising that consent must not be used as a legal basis for processing by competent authorities in criminal cases, due to the lack of a genuinely free choice. Instead, Member States may enact legislation requiring data subjects to comply in specified cases, such as DNA testing or location surveillance.53 Processing becomes lawful if it is intended to prevent threats to public security, as specified in national legislation.54 Following the purpose limitation principle, data processing is allowed for reasons that are precise, explicit and legitimate, with an option of further processing against the background of legally structured and proportionate reasons.55
Further processing or disclosure of personal data for non-law enforcement reasons, such as national security, must be legally justified and appropriate.56 Data minimisation is critical, with solutions such as limiting entry fields and implementing quality checks to guarantee that only relevant data are handled.57 The notion of data accuracy is especially important in contexts such as Court procedures, where data can include subjective statements.58 Transparency is vital, with data subjects receiving clear and basic information about data processing, while exceptions exist to protect legal inquiries or investigations, balanced against data subject rights.59

51 Recommendations 01/2021, 8.
52 La Quadrature du Net and others, 6 October 2020, ECLI:EU:C:2020:791; Case C-311/18, Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems, 16 July 2020, ECLI:EU:C:2020:559.
53 Nadezhda Purtova, ‘Between the GDPR and the Police Directive: Navigating through the Maze of Information Sharing in Public–Private Partnerships’ (2018) 8 IDPL 52.
54 Recommendations 01/2021, 10.
55 Recommendations 01/2021, 10.
56 Recommendations 01/2021, 12.
57 Recommendations 01/2021, 12.
58 Recommendations 01/2021, 12.
Data subjects have rights to access, rectify and erase data, particularly after the processing objectives have been fulfilled, although these rights may be limited to avoid impeding law enforcement.60 Automated decision-making and profiling must be regulated, with legal safeguards and human intervention to protect data subjects.61 Data protection by design and by default is an option, including technical measures such as pseudonymisation. To ensure similar data protection levels in jurisdictions outside the EU, particular rules and enforcement mechanisms must be in place to uphold the EU standards originating from the Charter of Fundamental Rights and the LED.62

6 Transatlantic Data Transfer: EU-US Standards

The EU-US Data Privacy Framework gives EU citizens new rights when their data
are transmitted to participating US organisations, such as access to their data and the
power to request changes or deletions of incorrect or unlawfully handled data. It also
includes redressal mechanisms for mishandled data, such as free independent dispute
resolution and an arbitration board. Companies in the USA can join the framework
by committing to privacy standards such as purpose limitation, data minimization
and data retention, as well as requirements for data security and third-party sharing.63

6.1 Validity of Safe Harbour Regime

Schrems v. Data Protection Commissioner (Schrems I) C-362/1464 -

Facts
Mr. Schrems has been a Facebook social network user since 2008. The entire judge-
ment is based on a complaint that Mr. Schrems had filed in 2013. He did not want his
personal data to go to the USA. He suggested that Facebook Ireland was transferring
and storing personal data on servers located in America. Mr. Schrems argued that the
level of legal protection and the practices followed in the USA were not adequately
protecting the rights of EU data subjects. Further, the data stored in the USA were used
for government surveillance activities. He also referred to Edward Snowden’s allegations
about the activities of US intelligence services, the National Security Agency (‘the NSA’).65

59 Recommendations 01/2021, 13.
60 Recommendations 01/2021, 13.
61 Recommendations 01/2021, 15.
62 Recommendations 01/2021, 15.
63 EU_US Privacy Framework, European Commission. https://ec.europa.eu/commission/presscorner/detail/en/qanda_23_3752. Accessed on 20th June 2024.
64 Schrems v Data Protection Commissioner (C-362/14) EU:C:2015:650 (06 October 2015) (Schrems I).
In the first instance, the complaint filed by Mr. Schrems was dismissed, the Commissioner
taking the view that he was not duty-bound to investigate the issues raised by Mr. Schrems
and that there was no indication that the NSA had access to his personal data. The
Commissioner suggested that any question about adequate data protection had to be
considered in the context of Commission Decision 2000/520. This Decision summarised
the adequate level of data protection in the USA. It concerned “the adequacy of the
protection provided by the safe harbour privacy principles and related frequently asked
questions issued by the US Department of Commerce.”66
The High Court suggested that the use of transferred personal data for electronic
surveillance met the public interest purpose. It went on to say that Edward Snowden’s
revelations had exposed the activities of federal agencies in the USA. The High Court
suggested that Irish law prevents data transfer unless the foreign jurisdiction to which
the data are transferred sufficiently protects data subjects’ rights. Any interference
with the rights guaranteed by the Irish Constitution must be proportionate and legal.
In the opinion of the High Court:

Schrems v. Data Protection Commissioner (Schrems I) C-362/14


“The High Court held that the mass and undifferentiated accessing of
personal data is clearly contrary to the principle of proportionality and the
fundamental values protected by the Irish Constitution. For interception of
electronic communications to be regarded as consistent with the Irish Consti-
tution, it would be necessary to demonstrate that the interception is targeted,
that the surveillance of certain persons or groups of persons is objectively justi-
fied in the interests of national security or the suppression of crime and that
there are appropriate and verifiable safeguards.”

Source Schrems v. Data Protection Commissioner (Schrems I) C-362/14


Therefore, the High Court suggested that mass collection of data must respect
the principle of proportionality.67 Thus, interception or surveillance must be justified
by national security or the prevention of crime.
The High Court considered that the complaint fell within the implementation of EU law,
bringing the Charter of Fundamental Rights [Articles 7 and 8] into play. It raised doubts
about whether the right to private life could be safeguarded if State authorities were
allowed general access to personal data, all the more so when they collect data without
any justification premised on protecting national security and preventing crime. At all
times, such collection must be proportionate to the overarching purpose.68

65 Schrems I.
66 https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32000D0520. Accessed 7
December 2023.
67 Schrems I.
On these facts, Mr. Schrems’s complaint questioned the legality of the safe harbour
regime, which was the outcome of Commission Decision 2000/520. Although Mr. Schrems
never questioned the validity of the Directive or the Decision, he questioned the role
of the Commissioner. The issue was whether Decision 2000/520 bound the Commissioner,
or whether the Commissioner could apply Article 8 of the Charter to question the Decision.
Questions

‘(1) Whether in the course of determining a complaint which has been made to
an independent office holder who has been vested by statute with the functions
of administering and enforcing data protection legislation that personal data
is being transferred to another third country (in this case, the United States of
America) the laws and practices of which, it is claimed, do not contain adequate
protections for the data subject, that office holder is absolutely bound by the
Community finding to the contrary contained in [Decision 2000/520] having
regard to Article 7, Article 8 and Article 47 of [the Charter], the provisions of
Article 25(6) of Directive [95/46] notwithstanding?
(2) Or, alternatively, may and/or must the office holder conduct his or her
own investigation of the matter in the light of factual developments in the
meantime since that Commission decision was first published?’.

Source Schrems v. Data Protection Commissioner (Schrems I) C-362/14


To answer these questions, various Recitals and Articles of the old Directive were
considered.
Directive 95/46.69
“Recitals 2, 10, 56, 57, 60, 62 and 63 in the preamble to Directive 95/46 are worded
as follows:
(2) … data-processing systems are designed to serve man; … they must, whatever the
nationality or residence of natural persons, respect their fundamental rights and freedoms,
notably the right to privacy, and contribute to … the well-being of individuals;”70

This means that the protection of personal data is not restricted by the nationality of
a natural person or the jurisdiction in which they reside. Its foundation lies in
fundamental rights and freedoms, connected to the overall well-being of individuals.

68 Schrems I.
69 ‘Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the
Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement
of Such Data’ (OJ L24 October 1995) accessed 7 December 2023 (Directive 95/46/EC).
70 Directive 95/46/EC.

Recital 10 discusses raising the level of data protection: the current mechanisms for
protecting personal data must be enhanced. The Directive is not intended to inhibit the
flow of personal data outside the EU, which is required for international trade.
Recital 56 therefore reflects upon the need to test the level of protection in the third
country through an overall assessment of the protection afforded and the legal structure
in place there. As a result, under Recital 56, transfers to third countries that do not
ensure adequate protection may be prohibited.71 Transfers to third countries can
therefore only take place in full compliance with Article 8 of the Charter (Recital 60).72
Additionally, Recitals 62 and 63 discuss the independence of supervisory bodies in
Member States and the degree of freedom with which they should act to preserve the
rights. Supervisory agencies should accordingly have the resources they need to carry
out their responsibilities, such as investigations and interventions, including in cases
where individuals have filed complaints.73
Articles 1, 2, 25, 26, 28 and 31 of Directive 95/46:
In the context of personal data, Article 1 gives Member States the responsibility
to safeguard the rights of natural persons.74 Article 2 provides the definitions,
covering personal data, its processing and the controller.75
Article 25 sets the prerequisites for transferring personal data outside the EU,76
while Article 26 specifies situations in which such transfers can occur without an
adequacy assessment. These include scenarios based on unambiguous consent, performance
of a contract and protection of the interests of data subjects.77
In all of the above cases, and in the remaining ones, appropriate safeguards must be
taken to protect the rights enshrined in the Charter.
Article 28 discusses the role of supervisory authorities in Member States.
These supervisory authorities have:
• Powers of investigation, ranging from access to data to the collection of all
information necessary for carrying out their supervisory duties.
• Powers of intervention, ranging from delivering opinions before processing takes
place to the power to ban processing.
• The scope to hear complaints lodged by an individual in the context of the existing
rights.78
Further to the Articles and Recitals above, the Court also referred to the Decision
which led to transfer of data from the EU to the USA.

71 Directive 95/46/EC.
72 Directive 95/46/EC.
73 Directive 95/46/EC.
74 Directive 95/46/EC.
75 Directive 95/46/EC.
76 Directive 95/46/EC.
77 Schrems I.
78 Schrems I.
6.1.1 Decision 2000/520 of the Commission—The Safe Harbour Agreement79

Recitals 2, 5 and 8 in the preamble refer to the following ideas:

• They reflect an approach similar to the adequacy discussions in the previous
sections.80
• The test of adequacy is met when data controllers follow the safe harbour principles
while transferring personal data. They also need to abide by the FAQs published
by the US Government in 2000, which provide guidance on implementing the
principles. The data controllers must publicly disclose their privacy policies, as
required under Section 5 of the Federal Trade Commission (FTC) Act, which prohibits
unfair or deceptive practices.81
Recital 8 refers to the situation in which suspension of data transfer is justified
even though an adequacy decision exists. This is to maintain transparency in the
processing and to safeguard the ability of authorities in the Member States to act.82
The CJEU further considered Articles 1 to 4 of the Decision.
Article 1 refers to the different annexures in the Decision that are to be followed:
• Annexure I—Safe harbour principles.
• Annexure II—FAQs helping implement the principles under Annexure I, published
by the US Department of Commerce.
• Annexure III—The enforcement overview of the safe harbour.
• Annexure IV—A memorandum on damages for privacy breaches and authorisation
under US law.
• Annexure V—A letter from the FTC.
• Annexure VI—A letter from the US Department of Transportation.
• Annexure VII—The statutory powers of the government bodies in the USA that
are empowered to investigate complaints and provide redress against unfair
and deceptive practices.
Article 1 also sets out the conditions that every act of transfer must meet. For
instance, the recipient must unambiguously and publicly disclose its commitment to
comply with the principles, implemented in accordance with the FAQs, and government
bodies must be empowered to investigate the practices of the recipient.

79 ‘2000/520/EC: Commission Decision of 26 July 2000 Pursuant to Directive 95/46/EC
of the European Parliament and of the Council on the Adequacy of the Protection Provided
by the Safe Harbour Privacy Principles and Related Frequently Asked Questions Issued by the US
Department of Commerce (Notified under Document Number C (2000)’ (EUR). https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32000D0520. Accessed 7 December 2023 (2000/520/EC).
80 2000/520/EC.
81 2000/520/EC.
82 2000/520/EC.

It refers to a system of self-certification, through which the recipient demonstrates
adherence to the various annexures.83
Article 2 concerns only the transfer of data and the adequacy of protection in the USA,
as summarised in the annexures. The Decision does not affect the application of
other Articles of the old Directive relating to the processing of personal data within
the Member States.84
Article 3 refers to situations in which data transfer may be suspended. The Article starts
by excluding supervisory authorities’ powers under Article 25 of the Directive.
The objective is to protect the rights and freedoms of data subjects where:

“(a) the government body in the United States referred to in Annex VII to
this Decision or an independent recourse mechanism within the meaning of
letter (a) of the Enforcement Principle set out in Annex I to this Decision has
determined that the organisation is violating the Principles implemented in
accordance with the FAQs; or
(b) there is a substantial likelihood that the Principles are being violated;
there is a reasonable basis for believing that the enforcement mechanism
concerned is not taking or will not take adequate and timely steps to settle the
case at issue; the continuing transfer would create an imminent risk of grave
harm to data subjects; and the competent authorities in the Member State have
made reasonable efforts under the circumstances to provide the organisation
with notice and an opportunity to respond.”

Source 2000/520/EC: Commission Decision of 26 July 2000 pursuant to Directive
95/46/EC of the European Parliament and of the Council on the adequacy of the
protection provided by the safe harbour privacy principles and related frequently
asked questions issued by the US Department of Commerce (notified under document
number C(2000) 2441)
The suspension shall end when compliance with Annexure I and Annexure II is
assured. The Member States, for their part, shall inform the Commission of the
measures adopted, and shall notify each other where the bodies responsible for
ensuring compliance have failed. The Commission shall in turn inform the US
Department of Commerce of issues of non-compliance and work towards measures to
suspend the present Decision or limit its scope.85
Article 4 refers to situations in which this Decision needs to be adapted to changes,
for example in how the principles are implemented. In any event, the Commission shall
have a review mechanism in place and must report its findings every three years,
evaluating circumstances that may affect the implementation of Article 1.86

83 2000/520/EC.
84 2000/520/EC.
85 2000/520/EC.
86 2000/520/EC.

The CJEU referred to several annexures in the judgement.

“Annexure 1
Safe Harbour Privacy Principles.
“… the Department of Commerce is issuing this document and Frequently
Asked Questions (“the Principles”) under its statutory authority to foster,
promote, and develop international commerce. The Principles were developed
in consultation with industry and the general public to facilitate trade and
commerce between the United States and European Union. They are intended
for use solely by US organisations receiving personal data from the European
Union for the purpose of qualifying for the safe harbour and the presumption
of “adequacy” it creates. Because the Principles were solely designed to serve
this specific purpose, their adoption for other purposes may be inappropriate.

Decisions by organisations to qualify for the safe harbour are entirely volun-
tary, and organisations may qualify for the safe harbour in different ways.

Adherence to these Principles may be limited: (a) to the extent necessary to
meet national security, public interest, or law enforcement requirements; (b) by
statute, government Regulation, or case-law that create conflicting obligations
or explicit authorisations, provided that, in exercising any such authorisation,
an organisation can demonstrate that its non-compliance with the Principles
is limited to the extent necessary to meet the overriding legitimate interests
furthered by such authorisation; or (c) if the effect of the Directive [or] Member
State law is to allow exceptions or derogations, provided such exceptions or
derogations are applied in comparable contexts. Consistent with the goal of
enhancing privacy protection, organisations should strive to implement these
Principles fully and transparently, including indicating in their privacy policies
where exceptions to the Principles permitted by (b) above will apply on a
regular basis. For the same reason, where the option is allowable under the
Principles and/or US law, organisations are expected to opt for the higher
protection where possible.”

Source 2000/520/EC: Commission Decision of 26 July 2000 pursuant to Directive
95/46/EC of the European Parliament and of the Council
Annexure I thereby created a voluntary system through which data controllers could
qualify under the safe harbour principles. The second half of the paragraph is
interesting, as it creates limitations within the safe harbour principles so far as
adherence is concerned. The grounds for such limitations include national security,
public interest and other legal requirements.
Annexure II: Frequently Asked Questions (FAQs)

The process of self-certification under Annexure II and the FAQs concerning self-
certification (FAQ 6):

“Annexure-II: Frequently Asked Questions (FAQs).

Q: How does an organisation self-certify that it adheres to the Safe Harbour
Principles?
A: Safe harbour benefits are assured from the date on which an organisation
self-certifies to the Department of Commerce (or its designee) its adherence to
the Principles in accordance with the guidance set forth below.
To self-certify for the safe harbour, organisations can provide to the Depart-
ment of Commerce (or its designee) a letter, signed by a corporate officer on
behalf of the organisation that is joining the safe harbour, that contains at least
the following information:
1. name of organisation, mailing address, e-mail address, telephone and fax
numbers;
2. description of the activities of the organisation with respect to personal
information received from the [European Union]; and
3. description of the organisation’s privacy policy for such personal infor-
mation, including: (a) where the privacy policy is available for viewing by
the public, (b) its effective date of implementation, (c) a contact office for the
handling of complaints, access requests, and any other issues arising under the
safe harbour, (d) the specific statutory body that has jurisdiction to hear any
claims against the organisation regarding possible unfair or deceptive practices
and violations of laws or Regulations governing privacy, (e) name of
any privacy programmes in which the organisation is a member, (f) method of
verification (e.g. in-house, third party) …, and (g) the independent recourse
mechanism that is available to investigate unresolved complaints.”

Source 2000/520/EC: Commission Decision of 26 July 2000 pursuant to Directive
95/46/EC of the European Parliament and of the Council
The current Decision does not stop a supervisory authority from questioning the
Decision when reviewing a complaint concerning data protection rights. The
supervisory authority derives this right from Articles 7, 8 and 47 of the Charter.
The supervisory authority can indeed examine the situation where the complainant
suggests that the existing legal structure in a foreign jurisdiction is inadequate in
comparison to that of the EU.
CJEU Comments on the Decision 2000/520

The CJEU observed that the Decision applies to recipients of personal data in the
USA.87 The safe harbour principles apply to self-certified US organisations and
do not extend to the public authorities in the USA. The most concerning issue for the
Court was the observation “that ‘national security, public interest, or law enforcement
requirements’ have primacy over the safe harbour principles, primacy pursuant to
which self-certified United States organisations receiving personal data from the
European Union are bound to disregard those principles without limitation where
they conflict with those requirements and therefore prove incompatible with them.”88
Further, the Decision does not account for interferences in the USA that may
impede the rights data subjects enjoy in the EU, and it did not refer to any legal
protection against interference by State entities. As a result, Article 1 of the
Decision does not meet the conditions outlined in Article 25 of the previous
Directive, and the Decision must be held invalid.
The CJEU was particularly critical of Article 3 of the Decision, which gives
the impression of stopping the supervisory authorities from exercising the powers
they derive from Article 25 of the Directive.
The Court held:

Schrems v. Data Protection Commissioner (Schrems I) C-362/14

“The implementing power granted by the EU legislature to the Commission
in Article 25(6) of Directive 95/46 does not confer upon it competence to
restrict the national supervisory authorities’ powers referred to in the previous
paragraph of the present judgment.
That being so, it must be held that, in adopting Article 3 of Decision
2000/520, the Commission exceeded the power which is conferred upon it
in Article 25(6) of Directive 95/46, read in the light of the Charter, and that
Article 3 of the decision is therefore invalid.”

Source Schrems v. Data Protection Commissioner (Schrems I) C-362/14


Within a space of 5 years of the safe harbour agreement being invalidated, another
Decision governing transfers between the EU and the USA was again called into
question. The case again involved Mr. Schrems, and the judgement delivered by the
CJEU is popularly known as Schrems II. In this judgement, the CJEU looked at the
implementation of the privacy shield agreement between the EU and the USA.

87 Yann Padova, ‘The Safe Harbour is Invalid: What Tools Remain for Data Transfers and What
Comes Next?’ (2016) 6 IDPL 139.
88 2000/520/EC.
6.2 Validity of Privacy Shield Regime

Case C-311/18 | Data Protection Commissioner v Facebook Ireland and Maximillian
Schrems (Schrems II).89
Facts
The facts and circumstances of Schrems II were very similar to those of Schrems I. Any
resident of the EU wishing to enter into an agreement with Facebook must do so with
Facebook Ireland, a subsidiary of Facebook Inc. As it happened, the data processed
under this agreement were stored on servers located in the USA.
Following the complaint of Mr. Schrems and the previous decision, the Commissioner
suggested that Mr. Schrems reformulate his complaint, since Facebook Ireland
was transferring data to the USA under the SCC Decision [on standard contractual
clauses for the transfer of personal data to processors established in third countries
under Directive 95/46/EC].90
It was claimed that Facebook was required to share data with federal agencies in
the USA. As these data were being used for monitoring and surveillance purposes,
the activity would be construed as contrary to the ethos of Articles 7 and 8 of the
Charter. The Decision could not justify such activity, and therefore the transfers
could be stopped.
The judgement considered multiple Recitals and Articles of the GDPR.91 We will
consider some of them and follow the governance structure discussed previously,
under different circumstances.92 The CJEU placed a lot of importance on the powers
of the supervisory authority. We will discuss supervisory authorities in greater detail
in the next section; for the purpose of this judgement, we will touch upon certain
fundamentals.
Supervisory authorities have powers ranging from banning transfers to introducing
corrective measures.93 Data subjects can reach out to supervisory authorities
with their complaints.94 Furthermore, there are checks and balances against a
supervisory authority that fails to process a complaint of a data subject or fails to
notify an outcome within 3 months of receiving the complaint.95

89 Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems, C-311/
18, ECLI:EU:C:2020:559, 16 July 2020 (Schrems II).
90 Commission Decision on standard contractual clauses for the transfer of personal data to
processors established in third countries under Directive 95/46/EC of the European Parliament and
of the Council (2010). https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A32010D0087. Accessed 20th May 2024.
91 Schrems II.
92 Schrems II.
93 Schrems II.
94 Schrems II.
95 Schrems II.

6.2.1 The Standard Contractual Clauses

Approved clauses ensure that data controllers follow certain objective standards when
it comes to data transfer.

Recital 11 of the SCC Decision reads:

“Supervisory authorities of the Member States play a key role in this contractual
mechanism in ensuring that personal data are adequately protected after the
transfer. In exceptional cases where data exporters refuse or are unable to
instruct the data importer properly, with an imminent risk of grave harm to the
data subjects, the standard contractual clauses should allow the supervisory
authorities to audit data importers and sub-processors and, where appropriate,
take decisions which are binding on data importers and sub-processors. The
supervisory authorities should have the power to prohibit or suspend a data
transfer or a set of transfers based on the standard contractual clauses in those
exceptional cases where it is established that a transfer on contractual basis
is likely to have a substantial adverse effect on the warranties and obligations
providing adequate protection for the data subject.”

Source Schrems II
The SCC Decision empowers supervisory authorities to review the practices of data
importers. They may prohibit or suspend data transfer where evidence suggests that
such a transfer may adversely impact data subjects.
Article 1 of the SCC Decision sets out the scope of the Decision, which applies to
personal data transfers outside the EU.96
The annex consists of 12 standard clauses,97 of which those relevant in the present
context are considered here.
• Clause 4: “Obligations of the data exporter”98:

It is the obligation of the data exporter to certify that the transfer of data will take
place in accordance with statutory data protection requirements. The data exporter
must instruct any data processor involved in the processing. Further, for particular
categories of data, data subjects must be given adequate warning of the possibility of
the transfer and that the receiving jurisdiction may not be a country providing
adequate protection.99
• Clause 5 “Obligations of the data importer …”:

The data importer must at all times follow the data transfer norms and the instructions
of the data exporter. If, for whatever reason, the data importer cannot comply, it must
promptly inform the data exporter, who can then suspend the data transfer or
terminate the contract. Where the data importer is unable to fulfil its responsibilities
because of legislative action or otherwise, it shall quickly notify the data exporter
of the change, and the data exporter can then act accordingly.100

96 Schrems II.
97 Schrems II.
98 Schrems II.
99 Schrems II.
Further, clause 5 also refers to special circumstances in which the data importer
must promptly inform the data exporter of any legally binding request for disclosure
by a law enforcement agency. This is with reference to the mandatory requirements
of the national legislation that apply to the data importer, which may relate to the
prevention, detection and prosecution of criminal offences and to national and
public interests.101
• Clause 6, under the heading “Liability”, deals with the compensation liability of
the data exporter towards the data subject. The data importer takes the place of
the exporter where the exporter is unable to pay the compensation.102
• Clause 11 reflects the idea of “Sub-processing”: the data importer may not
further delegate processing through a subcontract unless it has the written
consent of the data exporter. The sub-processor has the same obligations as the
data importer.103
• Clause 12, “Obligation after the termination of personal data-processing services”,
requires the data importer to return everything it received to the data exporter. The
data importer shall destroy all such information unless legislation prevents it from
doing so.104

6.2.2 The Privacy Shield Decision [Commission Implementing Decision
(EU) 2016/1250 of 12 July 2016 Pursuant to Directive 95/46/EC
of the European Parliament and of the Council on the Adequacy
of the Protection Provided by the EU-US Privacy Shield]105

In 2015, the CJEU invalidated the safe harbour agreement between the EU and
the USA. Following that, the Privacy Shield Decision was adopted after an assessment
of the structure of US legislation. The objective was to correct the shortcomings of
the safe harbour agreement through the privacy shield process. The Decision gave a
detailed account of the safeguards adopted under this new avenue for data transfer,
including the role of the Privacy Shield Ombudsperson, who would examine the
proportionality of interference by the federal agencies.106

100 Schrems II.
101 Schrems II.
102 Schrems II.
103 Schrems II.
104 Schrems II.
105 COMMISSION IMPLEMENTING DECISION (EU) 2016/1250 of 12 July 2016 pursuant
to Directive 95/46/EC of the European Parliament and of the Council on the adequacy
of the protection provided by the EU-U.S. Privacy Shield (notified under document
C(2016) 4176). https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv%3AOJ.L_.2016.207.01.0001.01.ENG. Accessed 7 December 2023 (Decision (EU) 2016/1250).

In this regard:

Commission Implementing Decision (EU) 2016/1250 of 12 July 2016


“The Commission has assessed the limitations and safeguards available in U.S.
law regarding access and use of personal data transferred under the EU-U.S.
Privacy Shield by U.S. public authorities for national security, law enforce-
ment and other public interest purposes. In addition, the U.S. government,
through its Office of the Director of National Intelligence (ODNI) …, has
provided the Commission with detailed representations and commitments that
are contained in Annex VI to this decision. By letter signed by the Secre-
tary of State and attached as Annex III to this decision the U.S. government
has also committed to create a new oversight mechanism for national security
interference, the Privacy Shield Ombudsperson, who is independent from the
Intelligence Community. Finally, a representation from the U.S. Department
of Justice, contained in Annex VII to this decision, describes the limitations
and safeguards applicable to access and use of data by public authorities for
law enforcement and other public interest purposes. In order to enhance trans-
parency and to reflect the legal nature of these commitments, each of the docu-
ments listed and annexed to this decision will be published in the U.S. Federal
Register.”

Source Decision (EU) 2016/1250


In the USA, through Executive orders, there are two central legal instruments –
Executive Order 12333 and the Presidential Policy Directive 28. For our purpose,
ppd-28 essentially provides a sense of necessity and proportionality. The PPD -28,
which includes the limitations on signal intelligence operations, also applies to EU
data subjects.
The Decision notes that, under Section 702 of the Foreign Intelligence Surveillance
Act (FISA),107 the Foreign Intelligence Surveillance Court (FISC) does not authorise
surveillance of particular individuals; it approves the annual certifications under which
surveillance programmes such as PRISM and UPSTREAM operate. FISA does provide
some remedies to non-US persons, including the possibility of challenging unlawful
electronic surveillance in an action against the US government.108 The US government
also pointed to several other avenues of legal recourse open to EU data subjects against
unlawful government access to their personal data for national security purposes.109
In particular, the US government pointed to the Freedom of Information

106 David Bender, ‘Having Mishandled Safe Harbor, Will the CJEU Do Better with Privacy Shield?
A US Perspective’ (2016) 6 IDPL 117.
107 50 U.S.C. § 1881.
108 Decision (EU) 2016/1250.
109 Decision (EU) 2016/1250.
6 Transatlantic Data Transfer: EU-US Standards 213

Act or FOIA.110 It is a tool that EU data subjects may use to request access to records
of personal data held by federal agencies. However, Recital 115 of the Decision itself
concedes that at least some legal bases that US intelligence authorities may use, such as
EO 12333, are not covered by these avenues of redress.111
In this context, the CJEU, quoting Recital 115 of the Decision, observed:
“where judicial redress possibilities in principle do exist for non-U.S. persons, such as for
surveillance under FISA, the available causes of action are limited … and claims brought by
individuals (including U.S. persons) will be declared inadmissible where they cannot show
’standing’ …, which restricts access to ordinary Courts.”112

An additional redress mechanism was created in the form of the Privacy Shield
Ombudsperson. The Ombudsperson does not conduct its own review of surveillance
activity; it relies on the existing oversight and review bodies within the US government,
which are expected to remedy any instance of non-compliance so that the Ombudsperson
can confirm to the complainant that the matter has been properly investigated and that
US law has been complied with or any non-compliance remedied.

Commission Implementing Decision (EU) 2016/1250 of 12 July 2016


Recital 140:
“on the basis of the available information about the U.S. legal order, including
the representations and commitments from the U.S. government, the Commission
considers that any interference by U.S. public authorities with the fundamental
rights of the persons whose data are transferred from the Union to
the United States under the Privacy Shield for national security, law enforcement
or other public interest purposes, and the ensuing restrictions imposed
on self-certified organisations with respect to their adherence to the Principles,
will be limited to what is strictly necessary to achieve the legitimate objective
in question, and that there exists effective legal protection against such
interference.”

Source Decision (EU) 2016/1250


Article 1: Scope of the Privacy Shield Decision
Personal data may be transferred under the EU-US Privacy Shield only to US
organisations that appear on the Privacy Shield List maintained by the US Department
of Commerce.
The Privacy Shield Principles, set out in Annex II as issued by the US Department of
Commerce, provide that adherence to the Principles may be limited to the extent
necessary to meet national security, public interest or law enforcement requirements.
Under Section 4(d) of Presidential Policy Directive 28 (PPD-28),113 the Secretary of
State designates a Senior Coordinator for International Information Technology
Diplomacy, and Annex III provides that this Senior Coordinator serves as the Privacy
Shield Ombudsperson. The Ombudsperson will work

110 The Freedom of Information Act, 5 U.S.C. § 552.


111 Decision (EU) 2016/1250.
112 Decision (EU) 2016/1250.
113 Decision (EU) 2016/1250.

closely with other officials from the relevant departments and agencies. The Senior
Coordinator is independent from the Intelligence Community and reports directly to
the Secretary of State.114
1st Question

“In circumstances in which personal data is transferred by a private company


from a European Union (EU) Member State to a private company in a third
country for a commercial purpose pursuant to [the SCC Decision] and may
be further processed in the third country by its authorities for purposes of
national security but also for purposes of law enforcement and the conduct of
the foreign affairs of the third country, does EU law (including the Charter)
apply to the transfer of the data notwithstanding the provisions of Article 4(2)
TEU in relation to national security and the provisions of the first indent of
Article 3(2) of Directive [95/46] in relation to public security, defence and
State security?”

Source “Schrems II case”


Article 4(2) TEU affirms that national security remains the sole responsibility of each
Member State. That provision concerns the Member States, not third countries, and
does not take a commercial transfer outside the scope of EU law. Nor do the exclusions
in Article 2(2) GDPR apply: the transfer from Facebook Ireland to Facebook Inc. is
not a purely personal or household activity (Article 2(2)(c)), and Articles 2(2)(a), (b)
and (d) concern activities of the Member States or their authorities, not the activities
of a private operator. The transfer therefore falls within Article 2(1) GDPR, even
though the authorities of the third country may subsequently process the data for
public security or State security purposes. Indeed, Article 45(2)(a) expressly requires
an adequacy assessment to take account of legislation concerning access to personal
data by public authorities for national security purposes.115
Similarly, the Court in C-306/21116 held that “Article 2(2)(a) of the GDPR,
when read in conjunction with Recital 16 and Article 2(2)(b) of that Regulation,
as well as the first indent of Article 3(2) of Directive 95/46/EC of the European
Parliament and of the Council of October 24, 1995, on the protection of individuals
with regard to the processing of personal data and on the free movement of such data,
of which Article 2(2)(a) and (b) of that Regulation represents a partial continuation,
must be interpreted as having the exclusive goal of removing the processing of
personal data carried out by State authorities in the course of an activity meant to
protect national security.”117,118

114 Decision (EU) 2016/1250.
115 Schrems II.
116 C-306/21 Koalitsia ‘Demokratichna Bulgaria – Obedinenie’.

“(2) (a) In determining whether there is a violation of the rights of an individual


through the transfer of data from the [European Union] to a third country under
the [SCC Decision] where it may be further processed for national security
purposes, is the relevant comparator for the purposes of [Directive 95/46]:
(i) the Charter, the EU Treaty, the FEU Treaty, [Directive 95/46], the [European
Convention for the Protection of Human Rights and Fundamental Freedoms,
signed at Rome on 4 November 1950] (or any other provision of EU
law); or
(ii) the national laws of one or more Member States?
(b) If the relevant comparator is (ii), are the practices in the context of
national security in one or more Member States also to be included in the
comparator?
(3) When assessing whether a third country ensures the level of protection
required by EU law to personal data transferred to that country for the purposes
of Article 26 of [Directive 95/46], ought the level of protection in the third
country be assessed by reference to:
(a) the applicable rules in the third country resulting from its domestic law
or international commitments, and the practice designed to ensure compliance
with those rules, to include the professional rules and security measures which
are complied with in the third country;
or
(b) the rules referred to in (a) together with such administrative, regulatory
and compliance practices and policy safeguards, procedures, protocols,
oversight mechanisms and non-judicial remedies as are in place in the third
country?
(6) (a) What is the level of protection required to be afforded to personal data
transferred to a third country pursuant to standard contractual clauses adopted in
accordance with a decision of the Commission under Article 26(4) [of Directive
95/46] in light of the provisions of [Directive 95/46] and in particular Articles 25
and 26 read in the light of the Charter?
(b) What are the matters to be taken into account in assessing whether the
level of protection afforded to data transferred to a third country under [the SCC
Decision] satisfies the requirements of [Directive 95/46] and the Charter?”

Source Schrems II case

117 C-306/21 Koalitsia “Demokratichna Bulgaria – Obedinenie” (CURIA). https://curia.europa.eu/juris/document/document.jsf?text=&docid=267409&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=14782348. Accessed 30th January 2024.
118 C-439/19 B v. Latvijas Republikas Saeima, EU:C:2021:504, para 63.

The 2nd, 3rd and 6th questions all concern the level of protection required when
personal data are transferred to a country outside the EU on the basis of SCCs, and
the factors by which that level of protection is to be assessed. In the absence of an
adequacy decision, Article 46 GDPR allows a transfer subject to appropriate
safeguards, which may take the form of standard data protection clauses adopted by
the Commission.

“ It follows that, since, first, a transfer of personal data, such as that at issue
in the main proceedings, for commercial purposes by an economic operator
established in one Member State to another economic operator established in a
third country, falls, as is apparent from the answer to the first question, within
the scope of the GDPR and, second, the purpose of that Regulation is, inter alia,
as is apparent from Recital 10 thereof, to ensure a consistent and high level of
protection of natural persons within the European Union and, to that end, to
ensure a consistent and homogeneous application of the rules for the protection
of the fundamental rights and freedoms of such natural persons with regard to
the processing of personal data throughout the European Union, the level of
protection of fundamental rights required by Article 46(1) of that Regulation
must be determined on the basis of the provisions of that Regulation, read in
the light of the fundamental rights enshrined in the Charter.”

Source Schrems II case


The Regulation does not supply a checklist for testing whether protection is adequate.
Article 46(1), however, turns on three elements: appropriate safeguards, enforceable
data subject rights and effective legal remedies. When data are transferred on the basis
of SCCs, data subjects must therefore be afforded a level of protection essentially
equivalent to that guaranteed within the EU. That assessment must take account both
of the contractual clauses agreed between the exporter and the importer and, as regards
access by the public authorities of the third country, of the relevant aspects of that
country’s legal system, in particular the elements listed in Article 45(2).

8th Question
“If a third country data importer is subject to surveillance laws that in the view
of a data protection authority conflict with the [standard contractual clauses] or
Article 25 and 26 of [Directive 95/46] and/or the Charter, is a data protection
authority required to use its enforcement powers under Article 28(3) of [Direc-
tive 95/46] to suspend data flows or is the exercise of those powers limited to
exceptional cases only, in light of Recital 11 of [the SCC Decision], or can a
data protection authority use its discretion not to suspend data flows?”

Source Schrems II case


Supervisory authorities in the Member States are responsible for verifying whether
data transfers comply with the Regulation and have investigative powers to examine
the level of protection in the third country. We have already briefly come across the
supervisory authorities’ roles and responsibilities, and a judicial remedy is available
where a supervisory authority fails to act in accordance with the Regulation. Until an
adequacy decision is declared invalid by the Court, it binds the Member States and
their organs, including the supervisory authorities. An adequacy decision does not,
however, prevent a data subject from lodging a complaint with the supervisory
authority, which retains all its powers and must examine the complaint with complete
independence. Where the authority considers the complaint well founded, it must be
able to bring the matter before the national courts so that they may refer the question
of the decision’s validity to the CJEU.

“unless there is a valid Commission adequacy decision, the competent supervisory
authority is required to suspend or prohibit a transfer of data to a third
country pursuant to standard data protection clauses adopted by the Commission,
if, in the view of that supervisory authority and in the light of all the
circumstances of that transfer, those clauses are not or cannot be complied
with in that third country.”

Source Schrems II case

7th and the 11th Questions


“Does the fact that the standard contractual clauses apply as between the data
exporter and the data importer and do not bind the national authorities of
a third country who may require the data importer to make available to its
security services for further processing the personal data transferred pursuant
to the clauses provided for in [the SCC Decision] preclude the clauses from
adducing adequate safeguards as envisaged by Article 26(2) of [Directive 95/46]?
Does the [SCC Decision] violate Articles 7, 8 and/or 47 of the Charter?”

Source Schrems II case


The validity of the SCC Decision is at issue in the 7th and 11th questions. The clauses
bind the data exporter and the data importer, but they cannot bind the public
authorities of the importer’s country, which are not parties to the contract. There may
therefore be situations in which the SCCs cannot ensure adequate protection in a third
country, namely where the law of that country allows its authorities to access the data
in a way that infringes the rights of data subjects. Unlike an adequacy decision, the
SCC Decision contains no assessment of any third country’s legal system: the clauses
are drafted to be used for transfers to any third country, irrespective of the level of
protection that country affords, and so cannot by themselves take account of the legal
situation in the country of destination. It is for the controller or processor established
in the EU to verify, before the transfer, whether the law of the third country allows the
clauses to be complied with and, where necessary, to adopt supplementary measures
in addition to the clauses. Where the clauses, even with supplementary measures,
cannot be complied with, the competent supervisory authority must suspend or
prohibit the transfer; an example is a law of the recipient country imposing obligations
on the importer that conflict with the contractual guarantees. The mere fact that the
clauses, being contractual, do not bind the authorities of the third country does not
therefore affect the validity of the Decision. The clauses themselves require the
importer to inform the exporter promptly if it is unable to comply with its obligations,
for instance because of a change in the legislation applicable to it.
In the context of Clause 5 of the Standard Contractual Clauses (Processors) annexed to
the SCC Decision,119 the Advocate General suggested that “compliance with an
obligation prescribed by the law of the third country of destination which goes beyond
what is necessary for those purposes must be treated as a breach of those clauses.”120
The responsibility for assessing whether the level of protection available in the
recipient country is essentially equivalent to that in the EU therefore rests with the
exporter and the importer. Where the clauses cannot be complied with for the reasons
stated above, the competent supervisory authority must suspend or prohibit the
transfer, unless there is a valid adequacy decision. Because supervisory authorities in
different Member States might otherwise reach divergent decisions on the same
transfer, the Regulation provides a consistency mechanism: a supervisory authority
that considers a transfer must be suspended may submit the matter to the EDPB for an
opinion under Article 64(2), and where that opinion is not followed the Board may
adopt a binding decision under Article 65(1)(c).
Therefore, “the answer to the 7th and 11th questions is that examination of the
SCC Decision in the light of Articles 7, 8 and 47 of the Charter has disclosed nothing
to affect the validity of that decision.”121

4th, 5th, 9th and 10th Questions


“(4) Given the facts found by the High Court in relation to US law, if personal
data is transferred from the European Union to the United States under [the
SCC Decision] does this violate the rights of individuals under Articles 7 and/or
8 of the Charter?
(5) Given the facts found by the High Court in relation to US law, if personal
data is transferred from the European Union to the United States under [the
SCC Decision]:
(a) does the level of protection afforded by the United States respect the
essence of an individual’s right to a judicial remedy for breach of his or her
data privacy rights guaranteed by Article 47 of the Charter?
If the answer to Question 5(a) is in the affirmative:
(b) are the limitations imposed by US law on an individual’s right to a
judicial remedy in the context of US national security proportionate within the
meaning of Article 52 of the Charter and do not exceed what is necessary in a
democratic society for national security purposes?

119 Schrems-II.
120 Schrems-II.
121 Schrems-II.

(9) (a) For the purposes of Article 25(6) of [Directive 95/46], does [the
Privacy Shield Decision] constitute a finding of general application binding on
data protection authorities and the Courts of the Member States to the effect that
the United States ensures an adequate level of protection within the meaning
of Article 25(2) of [Directive 95/46] by reason of its domestic law or of the
international commitments it has entered into?
(b) If it does not, what relevance, if any, does the Privacy Shield Decision
have in the assessment conducted into the adequacy of the safeguards provided
to data transferred to the United States which is transferred pursuant to the [SCC
Decision]?
(10) Given the findings of the High Court in relation to US law, does the
provision of the Privacy Shield ombudsperson under Annex A to Annex III to
the Privacy Shield Decision when taken in conjunction with the existing regime
in the United States ensure that the US provides a remedy to data subjects whose
personal data is transferred to the United States under the [SCC Decision] that
is compatible with Article 47 of the Charter?”

Source Schrems II case


It should be noted that the questions were directed at the validity of the SCC Decision.
The referring court nevertheless also asked about the status of the Privacy Shield
Decision and its binding effect on the different stakeholders. It had been argued that,
as long as the Court has not declared the Privacy Shield Decision invalid, the
competent supervisory authority cannot suspend or prohibit a transfer to the US on
the ground that the level of protection there is inadequate. The fact remains, however,
that “when a person lodges a complaint with the competent supervisory authority, that
authority must examine, with complete independence, whether the transfer of personal
data at issue complies with the requirements laid down by the GDPR and, if, in its
view, the arguments put forward by that person with a view to challenging the validity
of an adequacy decision are well founded, bring an action before the national Courts
in order for them to make a reference to the Court for a preliminary ruling for the
purpose of examining the validity of that decision.”122
In the present case, the supervisory authority brought the matter before the referring
court, which in turn placed the questions before the CJEU.
According to the Advocate General, these considerations cast doubt on the
Commission’s finding that the USA, through the Privacy Shield, ensures an adequate
level of protection for data transferred from the EU, and hence on the validity of the
Privacy Shield Decision. It therefore had to be examined whether that Decision
conforms to the level of protection required by EU data protection law.

122 Schrems-II.

The CJEU pointed to the limitation in Annex II of the Privacy Shield Decision, under
which adherence to the Privacy Shield Principles may be limited to the extent
necessary to meet national security, public interest or law enforcement requirements.
Like the Safe Harbour Decision 2000/520, this Decision therefore gives such
requirements primacy over the Principles: a self-certified US organisation receiving
personal data from the EU is bound to disregard the Principles where they conflict
with those requirements.123 The resulting interference with the fundamental rights of
data subjects arises from the access to and use of the data by US public authorities
under the various surveillance programmes.

6.2.3 Adequate Level of Data Protection

The Court found that none of the provisions examined [Section 702 FISA, EO 12333
and PPD-28] meets the EU standard of data protection: they do not lay down, for
non-US persons, limitations on the powers they confer or guarantees against abuse
that correspond to the minimum safeguards required by the principle of
proportionality. The surveillance programmes based on them therefore cannot be
regarded as limited to what is strictly necessary.
“In those circumstances, the limitations on the protection of personal data arising
from the domestic law of the United States on the access and use by US public
authorities of such data transferred from the European Union to the United States,
which the Commission assessed in the Privacy Shield Decision, are not circumscribed
in a way that satisfies requirements that are essentially equivalent to those required,
under EU law, by the second sentence of Article 52(1) of the Charter.”124
The next question concerned the role of the Ombudsperson. We have seen in the
previous sections that the Ombudsperson’s powers were limited and that the redress
available under the various US statutes was also limited. As a starting point, data
subjects must be able to bring proceedings before an independent and impartial
tribunal, as Article 47 of the Charter requires. Nothing in the Decision indicated that
the Ombudsperson was independent of the executive in that sense, or that the
Ombudsperson could adopt decisions binding on the intelligence services. Data
subjects therefore had no guarantee on which they could rely. The Ombudsperson
mechanism consequently did not ensure the level of protection required by Article 47
of the Charter, the Privacy Shield Framework fell short of what EU data protection
law requires, and the Decision was declared invalid.

6.3 EU-US Data Privacy Framework

The European Commission adopted its adequacy decision for the EU-US Data Privacy
Framework on 10 July 2023, the third such decision for transatlantic transfers after
Safe Harbour and the Privacy Shield. It allows personal data to flow from the EU to
US organisations that participate in the Framework without additional data protection
safeguards. The arrangement had been formalised on the US side in October 2022 by
President Biden’s Executive Order on “Enhancing Safeguards for United States Signals
Intelligence Activities”,125 supplemented by regulations issued by US Attorney
General Garland.126 The new framework includes binding safeguards addressing the
concerns raised by the CJEU, such as limiting US intelligence services’ access to EU
data to what is necessary and proportionate, and establishing a Data Protection Review
Court (DPRC) to which individuals in the EU have access.127
Significant changes from the previous Privacy Shield include the DPRC’s power to
order the deletion of data collected in breach of the new safeguards. The Framework
requires participating US organisations to adhere to privacy obligations such as
deleting personal data when it is no longer necessary for the purpose for which it was
collected and ensuring continuity of protection when data are shared with third parties.
Individuals in the EU have several avenues of redress if their data are mishandled by
US organisations, including free independent dispute resolution mechanisms and an
arbitration panel. US law also contains safeguards for data accessed by public
authorities for criminal law enforcement and national security purposes, so that such
access is limited to what is necessary and proportionate.128
Authorities on both sides of the Atlantic will periodically review the EU-US Data
Privacy Framework, with the first review taking place within a year of the adequacy
decision entering into force. These reviews are meant to verify that all elements have
been implemented and are working in practice. The Framework aims to provide legal
certainty for businesses and trust for individuals, strengthening economic ties and
shared values between the EU and the USA.129

123 Schrems-II.
124 Schrems-II.

125 Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities
(2022). https://www.whitehouse.gov/briefing-room/presidential-actions/2022/10/07/executive-order-on-enhancing-safeguards-for-united-states-signals-intelligence-activities/. Accessed 20th June 2024.
126 Data Protection: European Commission adopts new adequacy decision for safe and trusted
EU-US data flows. https://ec.europa.eu/commission/presscorner/detail/en/ip_23_3721. Accessed 24th June 2024.
127 Commission Implementing Decision pursuant to Regulation (EU) 2016/679 of the European
Parliament and of the Council on the adequate level of protection of personal data under the EU-US
Data Privacy Framework (10th July 2023). https://commission.europa.eu/document/download/fa09cbad-dd7d-4684-ae60-be03fcb0fddf_en?filename=Adequacy%20decision%20EU-US%20Data%20Privacy%20Framework_en.pdf. Accessed 24th June 2024.
128 EU-US Data Privacy Framework (2023).
129 EU-US Data Privacy Framework (2023).

7 Tracking the Development of Standard Contractual Clauses Adopted

In June 2021, the Commission adopted two sets of SCCs: one for contracts between
controllers and processors within the EEA under Article 28(7) GDPR, and one for
transfers of personal data to third countries under Article 46(2)(c) GDPR.130
The Recent Changes in the SCC
The current version of the SCCs has been modernised, but the core elements of the
clauses adopted under the old Directive have been retained. The required commitments
of the data importer and the data exporter are therefore still present. Alongside these,
important changes have been introduced.
• While the previous SCCs covered only controller-to-controller and controller-to-
processor transfers, the new version accommodates additional transfer situations.
The structure now looks like this: controller to controller (module 1), controller to
processor (module 2), processor to processor (module 3) and processor to controller
(module 4).131
• In place of the previous three separate sets of SCCs, the new version follows a
modular structure with a single set of SCCs. General clauses that apply to all four
scenarios sit alongside the specific clauses of the module corresponding to the
transfer situation at hand.
• A docking clause has been introduced. It is an optional clause through which the
parties to the SCCs can allow other parties to accede to the existing contract in the
future, which provides additional flexibility.
• The annexes are comprehensive, providing specific information on the transfers,
starting with the parties, their roles, the purposes of the transfer and so forth.
• The substantive changes are:
– Enhanced transparency obligations, with a focus on data subjects’ rights, data
breach notification and rules for onward transfers.
– Modules 2 and 3 of the new SCCs incorporate the requirements of Article 28(3)
GDPR [Processor], so that a separate contract is no longer needed to satisfy
Article 28 where those modules are used.
– The parties to the SCCs are required to carry out a transfer impact assessment.
This development implements the outcome of the Schrems II judgement. The
assessment should document the specific circumstances of the transfer, the laws
and practices of the recipient country and any additional safeguards put in place.
– New obligations apply where public authorities of the third country seek access
to the transferred data.

130 Joint Guide to ASEAN Model Contractual Clauses and EU Standard Contractual
Clauses. https://commission.europa.eu/system/files/2023-05/%28Final%29%20Joint_Guide_to_ASEAN_MCC_and_EU_SCC.pdf. Accessed 7 December 2023 (Joint Guide).
131 Joint Guide.
Questions:
1. What are the key considerations for transferring personal data to third countries
under GDPR?
2. How does an adequacy decision by the European Commission facilitate the
transfer of personal data to third countries?
3. Evaluate the validity and implications of the Privacy Shield regime in ensuring
data protection standards for transatlantic data transfers.
4. How does the EU-US Data Privacy Framework contribute to maintaining data
protection standards?

Suggested Readings

1. Guidelines 2/2020 on Articles 46(2)(a) and 46(3)(b) of Regulation 2016/679 for transfers
of personal data between EEA and non-EEA public authorities and bodies, adopted on 18th
January 2020.
2. Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016.
3. Joint Guide to ASEAN Model Contractual Clauses and EU Standard Contractual Clauses.
4. Recommendations 1/2022 on the Application for Approval and on the elements and principles
to be found in Controller Binding Corporate Rules (Art. 47 GDPR).
5. Kosta, Eleni; Boehm, Franziska, The EU Law Enforcement Directive (LED): A Commentary
(2024).
6. Recommendations 01/2021 on the adequacy referential under the Law Enforcement Directive.
7. Data Protection: European Commission adopts new adequacy decision for safe and trusted
EU-US data flows.
8. Massimo Marelli, ‘Transferring Personal Data to International Organizations under the GDPR:
An Analysis of the Transfer Mechanisms’ (2024) 14 IDPL 19.
9. Bjørn Aslak Juliussen, Elisavet Kozyri, Dag Johansen and Jon Petter Rui, ‘The Third Country
Problem under the GDPR: Enhancing Protection of Data Transfers with Technology’ (2023)
13 IDPL 22.
10. Damon Greer, ‘Safe Harbor—A Framework That Works’ (2011) 1 IDPL 143.
11. Lothar Determann, ‘Adequacy of Data Protection in the USA: Myths and Facts’ (2016) 6 IDPL
244.
Chapter 6
Enforceability, Remedies, Liabilities
and Penalties

1 Introduction

The GDPR’s enforcement provisions, which encompass remedies, liabilities and
penalties, are crucial to its implementation. They protect individuals’ rights and
ensure accountability in data processing. Enforcement entails oversight by the
supervisory authorities, with the aim of ensuring consistent compliance throughout
the EU Member States. Individuals can exercise their rights in case of a breach,
thereby holding data controllers and processors liable under the GDPR. Penalties
serve as a deterrent to non-compliance, reinforcing the GDPR’s commitment to
robust data protection standards.1 Together, these elements form a complete
framework of data protection measures protecting informational privacy in today’s
data-centric world.
This chapter focuses on the supervisory authority, its roles and obligations, and the
penalties and fines that may be imposed under the GDPR. Additionally, it summarises
a recent EDPB document on the steps a supervisory authority should consider before
imposing a fine.

2 Supervisory Authority

One important feature of European data protection Regulations is the establishment


of distinct regulatory agencies entrusted with supervising, promoting, and imple-
menting these rules. In EU nomenclature, these agencies are classified as, ‘supervi-
sory authorities’, however they are more popularly known as ‘Data Protection Author-
ities’ (DPAs). These agencies are frequently granted considerable ability to monitor

1Stephan Mulders, ‘The Relationship between the Principle of Effectiveness under Art. 47 CFR
and the Concept of Damages under Art. 82 GDPR’ (2023) 13 IDPL.

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2024 225
I. Gupta et al., Introduction to Data Protection Law,
https://doi.org/10.1007/978-981-97-6355-9_6

and control processing by public and private sector enterprises. Their responsibilities
include handling complaints, giving information, and promoting public awareness
about data privacy issues.2

2.1 Structure and Establishment

Supervisory authorities are set up to ensure that compliance measures can be effec-
tively implemented. They independently perform the tasks enshrined under the
GDPR. Member States can contemplate establishing multiple supervisory authori-
ties depending on their internal governance and administrative structure. These authorities
monitor the consistent and effective implementation of the different provisions of the
GDPR. There should be internal coordination amongst all supervisory authorities to
assist the Commission.

Regulation (EU) 2016/679 of the European Parliament and of the Council

“Article 51: Supervisory Authority
Each Member State shall provide for one or more independent public authori-
ties to be responsible for monitoring the application of this Regulation, in order
to protect the fundamental rights and freedoms of natural persons in relation
to processing and to facilitate the free flow of personal data within the Union
(‘supervisory authority’).
Article 52: Independence
1. Each supervisory authority shall act with complete independence in
performing its tasks and exercising its powers in accordance with this
Regulation.
2. The member or members of each supervisory authority shall, in the perfor-
mance of their tasks and exercise of their powers in accordance with this Regu-
lation, remain free from external influence, whether direct or indirect, and shall
neither seek nor take instructions from anybody.
6. Each Member State shall ensure that each supervisory authority is subject
to financial control which does not affect its independence and that it has
separate, public annual budgets, which may be part of the overall state or
national budget.

2 Kuner, Christopher; Bygrave, Lee A., The EU General Data Protection Regulation (GDPR): A
Commentary (2020).

Article 53: General conditions for the members of the supervisory
authority
3. Each member shall have the qualifications, experience and skills, in particular
in the area of the protection of personal data, required to perform its duties and
exercise its powers.
4. A member shall be dismissed only in cases of serious misconduct or if the
member no longer fulfils the conditions required for the performance of the
duties.”

Source Article 51, 52, 53, GDPR

Regulation (EU) 2016/679 of the European Parliament and of the Council

“Article 54: Rules on the Establishment of the Supervisory Authority
1. Each Member State shall provide by law for all of the following:
(c) the rules and procedures for the appointment of the member or
members of each supervisory authority;
(d) the duration of the term of the member or members of each super-
visory authority of no less than four years, …
Competence, tasks and powers of supervisory authorities are captured under Articles 55 to 58.
Article 55: Competence
1. Each supervisory authority shall be competent for the performance of the
tasks assigned to and the exercise of the powers conferred on it in accordance
with this Regulation on the territory of its own Member State.
3. Supervisory authorities shall not be competent to supervise processing
operations of Courts acting in their judicial capacity.
Article 56: Competence of the lead supervisory authority
1. Without prejudice to Article 55, the supervisory authority of the main estab-
lishment or of the single establishment of the controller or processor shall be
competent to act as lead supervisory authority for the cross-border processing
carried out by that controller or processor in accordance with the procedure
provided in Article 60.
2. By derogation from paragraph 1, each supervisory authority shall be compe-
tent to handle a complaint lodged with it or a possible infringement of this
Regulation, if the subject matter relates only to an establishment in its Member
State or substantially affects data subjects only in its Member State.
3. In the cases referred to in paragraph 2 of this Article, the supervisory
authority shall inform the lead supervisory authority without delay on that
matter. Within a period of three weeks after being informed the lead supervi-
sory authority shall decide whether or not it will handle the case in accordance
with the procedure provided in Article 60, taking into account whether or not
there is an establishment of the controller or processor in the Member State of
which the supervisory authority informed it.
4. Where the lead supervisory authority decides to handle the case, the proce-
dure provided in Article 60 shall apply. The supervisory authority which
informed the lead supervisory authority may submit to the lead supervisory
authority a draft for a decision. The lead supervisory authority shall take
utmost account of that draft when preparing the draft decision referred to
in Article 60(3).
5. Where the lead supervisory authority decides not to handle the case,
the supervisory authority which informed the lead supervisory authority shall
handle it according to Articles 61 and 62.
6. The lead supervisory authority shall be the sole interlocutor of the
controller or processor for the cross-border processing carried out by that
controller or processor.”

Source Article 54, 55, 56


Further, Article 57 of the GDPR requires supervisory authorities to monitor and
enforce, raise public awareness, advise national bodies, handle complaints, conduct
investigations, monitor data processing developments, adopt standard clauses, main-
tain DPIA records, encourage and review codes of conduct, approve binding corpo-
rate rules, and contribute to the EDPB, often at no cost, unless the requests are
repeated.3
Additionally, supervisory authorities under Article 58 have a variety of powers,
including investigative, corrective, authorisation, and advisory powers. They have the
ability to gather information, conduct audits, notify authorities of violations, and gain
access to premises. Their corrective powers include issuing warnings and reprimands,
enforcing GDPR compliance, ordering the notification of data breaches, imposing processing prohi-
bitions, ordering rectification and deletion, revoking certifications, levying fines, and
halting data transfers.4 They can also provide impartial opinions on data processing to
parliaments, governments, other bodies and the public, and give opinions on draft regulations and on accreditation bodies.5
Member States opting for more than one supervisory authority should develop a
legal mechanism to ensure that these supervisory authorities participate adequately.
The supervisory authorities are subject to a control mechanism, and their financial
expenditure is open to monitoring or judicial review. The Member States should
establish general conditions for members of supervisory authorities to follow.

3 Article 57, GDPR.


4 Anna Aurora Wennäkoski, ‘Mapping the Supervisory Authorities’ Activities: Pragmatic Problem-
Solvers or New Practice Creators?’ (2020) 3 JDPP 149.
5 Article 58, GDPR.

The appointment should follow a transparent process. To ensure the supervisory
authority’s integrity and independence, members should not engage in actions that
are antithetical to the authority’s responsibilities.
A supervisory authority shall perform its task according to the GDPR. It should
handle all complaints made by data subjects, conduct investigations and promote
awareness about the rules, safeguards and risks of processing.
To ensure consistency in enforcing the Regulation uniformly in the Union, the
Member States should assign the same tasks and powers to the supervisory authorities.
To name a few, they have investigative, corrective, and advisory powers. They also
have the power to ban personal data processing temporarily. Any legally binding
measures adopted by them should be clearly communicated.

2.2 Weltimmo Case, C-230/14⁶

Facts
Weltimmo, a company registered in Slovakia, ran a website containing descriptions of
properties in Hungary. The personal data of advertisers who wanted to place
advertisements on Weltimmo’s website were processed. Advertisements were free for
a month before subscription began. Advertisers complained that their data were never
deleted after the initial free period was over. It was alleged that
Weltimmo continued to charge these customers without deleting those data. When the
advertisers did not pay the amount, their details were forwarded to debt recovery
agencies by Weltimmo.
Subsequently, the advertisers filed complaints with the Hungarian data protec-
tion authority, which asserted its competence to adjudicate the issue. Weltimmo then
appealed to the Budapest administrative court, arguing that the absence of an office
in Hungary should not affect jurisdiction, even though the data processing concerned proper-
ties within Hungary. In its appeal, Weltimmo contended that the Hungarian data
protection authority (DPA) was not the right forum to hear the matter; in fact, the advertisers
should have reached out to the Slovak DPA to handle this complaint. In response,
the Hungarian DPA pointed to a representative of Weltimmo in Hungary involved
in administrative and judicial proceedings, and highlighted that while Weltimmo’s
Internet servers were in Germany or Austria, the company owners resided in Hungary.
Further, the data protection authority came to know from its counterpart in
Slovakia that Weltimmo did not carry out its activity from the registered office in
Slovakia. The registered office had moved from one State to another on multiple
occasions.
Weltimmo also developed the websites in the Hungarian language. To opera-
tionalise Weltimmo’s activities, there was a bank account in Hungary. The bank
account was used for the recovery of debts, and a correspondence address served to

6 C-230/14 Weltimmo, ECLI:EU:C:2015:639 (Weltimmo case).



carry out business activities. Weltimmo raised a technical issue to justify the non-
completion of the erasure. The advertisers themselves were tasked with entering the data
and deleting them before the one-month period expired.7
Recital 19 of the Data Protection Directive helps to understand the meaning
associated with the establishment:

“…Whereas establishment on the territory of a Member State implies the effec-
tive and real exercise of activity through stable arrangements; whereas the legal
form of such an establishment, whether simply branch or a subsidiary with
a legal personality, is not the determining factor in this respect; whereas,
when a single controller is established on the territory of several Member
States, particularly by means of subsidiaries, he must ensure, in order
to avoid any circumvention of national rules, that each of the establish-
ments fulfils the obligations imposed by the national law applicable to its
activities.”

Source Directive 95/46/EC of the European Parliament


This means that merely having an establishment is not enough if a data controller is not
engaging in meaningful activity there. There are further responsibilities, and opening up
subsidiaries in different Member States may lead to the data controller having to fulfil
legal obligations in each such Member State. This requirement is further illustrated under
Article 4 of the Directive.
Further, Article 28(3) and (6) of the old Directive confer certain powers on the supervisory
authorities. They have investigative powers, powers of interven-
tion and advisory powers. Under the investigative power, they can access data and
collect the processing information necessary to perform their responsibilities. Super-
visory authorities can also intervene by giving opinions and orders about different
obligations under the Directive. While supervisory authorities act within the ambit
of their own Member States, they should all coordinate and exchange information to
implement the GDPR.8
Questions

“(1)…Can Article 28(1) of Directive 95/46 be interpreted as meaning that the
provisions of national law of a Member State are applicable in its territory to
a situation where a data controller runs a property dealing website established
only in another Member State and also advertises properties situated in the
territory of that first Member State and the property owners have forwarded

7Weltimmo case.
8‘Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the
Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement
of Such Data’, accessed 8 December 2023.

their personal data to a facility (server) for data storage and data processing
belonging to the operator of the website in that other Member State?
(2) Can Article 4(1)(a) of [Directive 95/46], read in conjunction with
Recitals 18 to 20 of its preamble and Articles 1(2) and 28(1) thereof, be inter-
preted as meaning that the Hungarian [data protection authority] may not apply
the Hungarian law on data protection, as national law, to an operator of a prop-
erty dealing website established only in another Member State, even if it also
advertises Hungarian property whose owners transfer the data relating to such
property probably from Hungarian territory to a facility (server) for data storage
and data processing belonging to the operator of the website?
(3) Is it significant for the purposes of interpretation that the service provided
by the data controller who operates the website is directed at the territory of
another Member State?
(4) Is it significant for the purposes of interpretation that the data relating to
the properties in the other Member State and the personal data of the owners
are uploaded in fact from the territory of that other Member State?
(5) Is it significant for the purposes of interpretation that the personal data
relating to those properties are the personal data of citizens of another Member
State?
(6) Is it significant for the purposes of interpretation that the owners of the
undertaking established in Slovakia live in Hungary?”

Source Weltimmo Case


The data controller Weltimmo is registered under Slovak law, while the proper-
ties and details that form the subject matter of the published information fall under
Hungarian law.
Here the CJEU suggested a broad interpretation of the words “in the context of
the activities of an establishment.”9 The objective was to protect the rights
of data subjects guaranteed under the Directive.
Therefore, we ought to have a suitable interpretation of an establishment and
depart from an interpretation that suggests that a controller is based only where the under-
taking is registered. One has to consider a number of factors to determine whether
a controller is based somewhere other than the place of its registration.10
The Court suggested “that the presence of only one representative can, in some
circumstances, suffice to constitute a stable arrangement if that representative acts
with a sufficient degree of stability through the presence of the necessary equipment
for provision of the specific services concerned in the Member State in question.”11

9 Weltimmo case.
10 Weltimmo case.
11 Weltimmo case.

The concept of establishment refers to any real and effective activity, even a minimal one,
exercised through stable arrangements.
It is clear that Weltimmo ran property dealing websites. These properties are situ-
ated in Hungary. The websites were aimed at those who read Hungarian. Adver-
tisements were allowed for a month for free and then on a chargeable basis. Therefore,
there is no doubt that Weltimmo pursued a real and effective activity.
The representative of Weltimmo positioned in Hungary was a contact between
Weltimmo and those who lodged complaints. The representative also represented the company
in different proceedings.
Therefore, it is essential to establish that the activities of the establishment
in question led to data processing. In this matter, loading personal data would be
construed as processing. These personal data were, at times, used for
invoicing the advertisements.
The point of nationality is of no relevance in this matter. It is not relevant in
deciding the national law that applies to data processing.

2.3 European Data Protection Board

To bring in consistency and uniform application of the Regulation, thereby reducing
conflicting positions in the administrative framework, the EDPB (Board) has been
set up.12 The Board has an independent persona. It is composed of a Chair and of
representatives from all Member States’ supervisory authorities and
the European Data Protection Supervisor (EDPS).13 While the EDPS has
voting rights, the Commission does not, although it participates in the activities
of the Board. The Board can advise the Commission about the level of data protection in
a foreign jurisdiction or a particular international organisation.14 The Board
promotes cooperation amongst existing supervisory authorities. It is empowered
to adopt a legally binding decision in case of conflict between two supervisory authorities.15
Article 68 illustrates the scope of the Board’s work further.

Regulation (EU) 2016/679 of the European Parliament and of the Council


“Article 70: Tasks of the Board
(a) monitor and ensure the correct application of this Regulation in the cases
provided for in Articles 64 and 65 without prejudice to the tasks of national
supervisory authorities;

12 Article 68, GDPR.


13 Article 68, GDPR.
14 Diogo Matos Brandão, ‘The One-Stop-Shop and the European Data Protection Board’s Role in
Combatting Data Supervision Forum Shopping’ (2023) 13 IDPL 313.


15 Article 68, GDPR.

(b) advise the Commission on any issue related to the protection of personal
data in the Union, including on any proposed amendment of this Regulation;
(c) advise the Commission on the format and procedures for the exchange
of information between controllers, processors and supervisory authorities for
binding corporate rules;
(d) issue Guidelines, recommendations, and best practices on procedures for
erasing links, copies or replications of personal data from publicly available
communication services as referred to in Article 17(2);
(f) issue Guidelines, recommendations and best practices in accordance with
point (e) of this paragraph for further specifying the criteria and conditions for
decisions based on profiling pursuant to Article 22(2);
(g) issue Guidelines, recommendations and best practices in accordance with
point (e) of this paragraph for establishing the personal data breaches and
determining the undue delay…
(i) issue Guidelines, recommendations and best practices in accordance with
point (e) of this paragraph for the purpose of further specifying the criteria
and requirements for personal data transfers based on binding corporate
rules adhered to by controllers and binding corporate rules adhered to by
processors…
(k) draw up Guidelines for supervisory authorities concerning the applica-
tion of measures referred to in Article 58(1), (2) and (3) and the setting of
administrative fines pursuant to Article 83;
(n) encourage the drawing-up of codes of conduct and the establishment of
data protection certification mechanisms and data protection seals and marks
pursuant to Articles 40 and 42;
(q) provide the Commission with an opinion on the certification requirements
referred to in Article 43(8);
(r) provide the Commission with an opinion on the icons referred to in Article
12(7);
(s) provide the Commission with an opinion for the assessment of the adequacy
of the level of protection in a third country or international organisation….
(t) issue opinions on draft decisions of supervisory authorities pursuant to the
consistency mechanism…
(w) promote the exchange of knowledge and documentation on data protection
legislation and practice with data protection supervisory authorities worldwide.
(x) issue opinions on codes of conduct … .”

Source Article 70, GDPR



2.3.1 EDPB Safeguard Recommendations (Article 64)

The Board can issue opinions to supervisory authorities in the following situations. For
this to happen, the supervisory authority must share its draft decision with the Board
for consideration in either of the following ways:

A. Draft decisions that:
. adopt a list of processing operations that would require a data protection impact
assessment;
. concern matters related to codes of conduct;
. set the accreditation and certification body requirements and the criteria for
certification;
. determine standard data protection clauses;
. authorise contractual clauses;
. approve binding corporate rules.
B. An opinion sought by any supervisory authority, the Chair, or the Commission on a general
issue impacting more than one Member State. This option can be availed of where
there is a lack of mutual assistance or a failure to carry out joint operations amongst
supervisory authorities.16

2.3.2 Board’s Ruling on Dispute Resolution (Article 65)

When a concerned supervisory authority objects to the lead authority’s draft decision
under Article 60(4) and the objection is dismissed, the Board will issue a binding
decision to ensure consistency. This includes conflicts over jurisdiction and situations
in which a responsible authority fails to seek or consider the Board’s opinion (Article
64(1)). In such instances, any supervisory authority or the Commission may apply
for resolution.17

3 Remedies, Liability and Penalties

Article 8 of the EU Charter affirms rights of data subjects. Article 77 of the GDPR
allows data subjects to enforce this right by filing a complaint with a supervisory body.
The processes for lodging these complaints with administrative or judicial bodies
in Member States are not standardised by Union law. While Member States have
procedural autonomy, it is limited by Article 47 of the Charter. It ensures availability
of free and fair justice. Chapter VIII of the GDPR specifies specific procedures

16 Article 64, GDPR.


17 Article 65, GDPR.

for administrative and judicial bodies dealing with data protection issues, setting
numerous objectives that national laws must achieve.18

3.1 Enforcing GDPR: Lodging a Complaint

Every resident data subject can reach out to a supervisory authority with a complaint.
If a data subject believes that their rights under the Regulation have been violated,
there is a remedial process under Article 47 of the Charter. There is even an option
to file a complaint against a supervisory authority. There could be instances where
a supervisory authority may have failed to adequately protect the rights of a data
subject.19 The outcome of a complaint must be communicated to the data subject.
There could be instances when legally constituted representative bodies may act and
receive compensation on behalf of data subjects.20 They can act on an independent
mandate if it is legally permissible; however, such a body may not be allowed to
receive compensation in the case of an independent mandate. This
is further illustrated under Article 80 of the GDPR.
A person can appear before a national Court to remedy the outcome of a legal
decision taken by a supervisory authority.21 It will not however impact the right
enshrined under Article 263 of the Treaty on the Functioning of the European Union
(TFEU).22 This decision could be in relation to investigative, corrective and autho-
risation powers or dismissal or rejection. However, it is limited to legally binding
decisions. The application should be filed where the supervisory authority is based
in the Member State.
This section is instrumental in establishing a framework for accountability and high-
lights individuals’ right to seek judicial remedies in case of infringements. The chapter
establishes the principle of compensation for both material and non-material damage
stemming from GDPR violations. It ensures a balanced approach to enforcement,
aiming to prevent non-compliance while providing individuals with avenues to
seek redress.

Regulation (EU) 2016/679 of the European Parliament and of the Council


“Article 77: Right to lodge a complaint with a supervisory authority

18 Kuner, Christopher; Bygrave, Lee A., The EU General Data Protection Regulation (GDPR): A
Commentary (2020) (Kuner 2020).
19 Kuner 2020.
20 Kuner 2020.
21 Kuner 2020.
22 Kuner 2020.

(1) Without prejudice to any other administrative or judicial remedy, every data
subject shall have the right to lodge a complaint with a supervisory authority,
in particular in the Member State of his or her habitual residence, place of
work or place of the alleged infringement if the data subject considers that the
processing of personal data relating to him or her infringes this Regulation.
Article 78: Right to an effective judicial remedy against a supervisory
authority
(2) Without prejudice to any other administrative or non-judicial remedy, each
data subject shall have the right to an effective judicial remedy where the
supervisory authority which is competent pursuant to Articles 55 and 56 does
not handle a complaint or does not inform the data subject within three months
on the progress or outcome of the complaint lodged pursuant to Article 77.
(4) Where proceedings are brought against a decision of a supervisory authority
which was preceded by an opinion or a decision of the Board in the consistency
mechanism, the supervisory authority shall forward that opinion or decision to
the Court.
Article 79: Right to an effective judicial remedy against a controller or
processor
Without prejudice to any available administrative or non-judicial remedy,
including the right to lodge a complaint with a supervisory authority pursuant
to Article 77, each data subject shall have the right to an effective judicial
remedy where he or she considers that his or her rights under this Regulation
have been infringed as a result of the processing of his or her personal data in
non-compliance with this Regulation.”

Source Articles 77, 78, 79, GDPR

3.2 The Issue of Compensation

A data subject has a right to compensation against a data controller and a processor.
Recital 146 reads, “The concept of damage should be broadly interpreted in the
light of the case-law of the Court of Justice in a manner which fully reflects the
objectives of this Regulation.”23 This provision does not give an exact quantum of
damages. If a controller or processor is involved in the same processing, each should be
liable for the entire damage. This has been further expanded under Article 82 of the
Regulation.24

23 Recital 146, GDPR.


24 Article 82, GDPR.

For minor infringements, or in situations where the data subject may face an additional
disproportionate burden, a reprimand may be issued instead of a fine.25 In any case, certain parameters
are considered before deciding the quantum of a fine.

Regulation (EU) 2016/679 of the European Parliament and of the Council


Recital 148:
“nature, gravity and duration of the infringement, the intentional character
of the infringement, actions taken to mitigate the damage suffered, degree
of responsibility or any relevant previous infringements, how the infringement
became known to the supervisory authority, compliance with measures ordered
against the controller or processor, adherence to a code of conduct and any
other aggravating or mitigating factor. The imposition of penalties including
administrative fines should be subject to appropriate procedural safeguards in
accordance with the general principles of Union law and the Charter, including
effective judicial protection and due process.”

Source Recital 148, GDPR


Recital 149 also talks about Member States laying down rules on criminal penalties
within the scope of the GDPR. Recital 150 calls for strengthening and harmonising
administrative penalties. For that to happen, all supervisory authorities should have
similar powers. The quantum of the fine should correlate with the level of infringement,
and the supervisory authority should decide on the amount. In doing so, the super-
visory authority should consider all the parameters discussed earlier. When it comes
to the amount of the fine for public authorities, Member States determine the quantum
of the fine.26
In cases where administrative penalties are not harmonised and where there
are instances of serious infringements, Member States should implement effective,
proportionate and dissuasive penalties. Member States can decide on the nature of
such penalties, i.e., whether they should be criminal or administrative in nature.
Additionally, Article 83 provides the general conditions for imposing admin-
istrative fines.27 The following are the conditions that supervisory authorities
should consider at the time of deciding the quantum of the fine.
. The nature, gravity and duration of the infringement. The purpose of the processing has to be
considered, as well as the number of affected data subjects and the extent of the damage they suffered.
. Whether the infringement was intentional or negligent in nature.
. Whether the controller or processor has taken steps to mitigate the suffering of
the data subjects whose personal data have been processed.

25 Recital 148, GDPR.


26 Recital 149,150, GDPR.
27 Article 83, GDPR.

. The steps the controller and processor take to institutionalise technical and organ-
isational measures towards implementing data protection by design and by default
and security safeguard connected with the processing of personal data.
. Any instance of previous infringement by the controller or processor.
. The degree of co-operation with the supervisory authority to remedy the
infringement and mitigate possible adverse effects.
. The nature of the personal data involved in infringement.
. The manner in which the infringement became known to the supervisory authority, including
whether, and to what extent, the controller or processor notified it.
. Extent of adherence to the codes of conduct and approved certification process.
. The gains made or losses avoided by the controller or the processor directly from
the infringement.28
Whether negligently or intentionally, if for the same or linked processing oper-
ations the controller or processor infringes multiple provisions of the GDPR, the
fine shall not exceed the amount specified for the gravest infringement.29 For a
first group of infringements, the administrative fines would be up to 10,000,000 EUR
(ten million).30 In the case of an undertaking, the fine may be up to 2% of its total worldwide
annual turnover of the preceding financial year, whichever of the two amounts is higher.
The provisions that fall in this group are the following:
. Article 8: Conditions applicable to child’s consent in relation to information
society services
. Article 11: Processing which does not require identification
. Article 25: Data protection by design and by default
. Article 39: Tasks of the data protection officer
. Article 42: Certification
. Article 43: Certifications bodies
. Article 41(4): Obligations of monitoring body31
For a second group of infringements, the administrative fines would be up to 20,000,000
EUR (twenty million). In the case of an undertaking, the fine may be up to 4% of its total worldwide
annual turnover of the preceding financial year, whichever of the two amounts is higher.32
The provisions that fall in this group are the following:
. Non-fulfilment of data protection principles, including the requirement of
consent—all that have been included under Articles 5,6,7 and 9;
. The rights of the data subject—Articles 12 to 22;
. Transfer of personal data to a third country or an International Organisation—
Articles 44–49;

28 Article 83(2), GDPR.


29 Article 83(3), GDPR.
30 Article 83(4), GDPR.
31 Article 83(4), GDPR.
32 Article 83(5), GDPR.

. Obligations pursuant to Member State law adopted under Chapter IX (Provisions relating to specific processing situations);
. Non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority under Article 58(2), or failure to provide access in violation of Article 58(1).33
Without prejudice to the corrective powers of supervisory authorities under Article 58(2), each Member State may lay down rules on whether, and to what extent, administrative fines may be imposed on public authorities and bodies established in that Member State.34
The imposition of fines has been an ongoing issue. This section concentrates on several questions concerning fines and how supervisory authorities may decide on them. We will consider a few documents, including the guidelines published by the EDPB for public consultation in May 2022. We start with excerpts from a document that highlights some of the challenges in the imposition of fines. The Commission communication entitled “Data protection as a pillar of citizens’ empowerment and the EU’s approach to the digital transition - two years of application of the General Data Protection Regulation” (2020)35 is primarily a review of the GDPR two years after it became applicable in 2018.36 According to the evaluation report,37 the GDPR met the majority of its objectives, particularly by providing citizens with a solid set of enforceable rights and establishing a new European structure of governance and enforcement. The GDPR proved adaptable in supporting digital solutions in unexpected circumstances. The report highlights effective harmonisation between Member States, while noting that some fragmentation remains and requires attention. It also found that firms have gradually developed a compliance culture and are increasingly leveraging strong data protection as a competitive advantage. The report proposes a set of actions to support the future implementation of the GDPR by all stakeholders and to further develop a truly robust European data protection culture.38
The Commission notes differences in how supervisory authorities impose administrative fines.39 Depending on the extent of the infringement, administrative fines have ranged from a few thousand euros to several million. Other corrective measures, including bans on processing, have also been used, but they attracted less attention than the cases in which fines were imposed. The evaluation report40 points to the objective of the GDPR, which is to bring about a cultural and behavioural change in all actors

33 Article 83(5), GDPR.


34 Article 83(7), GDPR.
35 ‘Communication from the Commission to the European Parliament and the Council, Data Protection as a Pillar of Citizens’ Empowerment and the EU’s Approach to the Digital Transition - Two Years of Application of the General Data Protection Regulation’, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52020DC0264, accessed 8 December 2023.
36 Data Protection as a Pillar of Citizens (2020).
37 Data Protection as a Pillar of Citizens (2020), 5.
38 Data Protection as a Pillar of Citizens (2020), 5.
39 Data Protection as a Pillar of Citizens (2020), 5.
40 Data Protection as a Pillar of Citizens (2020), 5.

involved, for the benefit of data subjects. It also pointed out that developing a common data protection culture among supervisory authorities in the EU is still a work in progress. There are no definitive indications that supervisory authorities have made full use of the tools the GDPR provides, for instance joint operations leading to joint investigations.
Organisations that fail to comply with the GDPR may face stiff penalties.41 These fines act as a major deterrent to data breaches and non-compliance, and aim to protect privacy and personal data within the EU. The Virgin Media decision demonstrates the practical application of these sanctions and emphasises the need for compliance.
The Virgin Media decision42 is a useful example for understanding how a penalty is set. The ICO decided on the quantum of the penalty using the following method.
. As a first step, the Commissioner considered the nature and seriousness of the infringement and fixed the starting point for the penalty at GBP 50,000. This opens up the question of how the extent of the infringement is interpreted.
. As a second step, the Commissioner considered aggravating and mitigating factors, which may require the starting point to be increased or reduced.
What aggravating factors were considered? The expansion of Virgin Media’s business and the financial gain it obtained through the emails it had sent.
What mitigating factors were considered? The Commissioner did not identify any mitigating factors. It looked at the proposed penalty and noted that Virgin Media has access to financial resources, so that paying the penalty would cause it no financial hardship; the penalty was therefore proportionate and justified in the circumstances of the case. The circumstances did not warrant any increase or decrease of the starting point of GBP 50,000.43
According to the CJEU, an administrative fine under Article 83 GDPR may be imposed only where it is established that the controller intentionally or negligently committed an infringement referred to in Article 83(4) to (6) GDPR.44

41 Data Protection as a Pillar of Citizens (2020).


42 https://ico.org.uk/media/about-the-ico/documents/4021725/virgin-media-limited-letter.pdf, accessed 8 December 2023 (Virgin Media Case).
43 Virgin Media Case.
44 C-683/21 Nacionalinis visuomenės sveikatos centras, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62021CJ0683, accessed 31 January 2024.



3.3 Guidelines on the Application and Setting of Administrative Fines for the Purpose of Regulation 2016/679 [Article 29 Data Protection Working Party]

The Working Party sets out several principles the supervisory authorities should follow when deciding on a fine. They are:
. Regulation breaches warrant “equivalent sanctions”45
The Regulation aims at a consistent and high level of protection for data subjects, the removal of obstacles to flows of personal data within the Union, and the avoidance of the divergences that inconsistent application would create. Recital 11 highlights,
“equivalent powers for monitoring and ensuring compliance with the rules for the protection
of personal data and equivalent sanctions for infringements in the Member States.”46

The presence of equivalent sanctions in the Member States and effective cooper-
ation between supervisory authorities would help prevent divergences and meet the
Regulation’s goal. Although supervisory authorities enjoy complete independence,
they must cooperate to meet the larger goal of consistently applying and enforcing
GDPR.
. Administrative fines should be “effective, proportionate and dissuasive”47:
As a general rule, the nature, gravity and consequences of a particular breach should all be considered by the supervisory authority when deciding on the administrative fine. The parameters of effectiveness, proportionality and dissuasiveness are discussed further in the next section. For these purposes an undertaking is understood, as in EU competition law, as a single economic unit, which may include a parent company and all its subsidiaries.
. Assessment “in each individual case”48
Supervisory authorities should impose fines where the circumstances warrant it. Fines should not be treated as a last resort, but neither should they be used in a way that would devalue their effectiveness as a tool.
. Active participation and information exchange among Supervisory Authorities

45 Guidelines on the application and setting of administrative fines for the purpose of regulation
2016/679.
46 Guidelines on the application and setting of administrative fines for the purpose of regulation
2016/679.
47 Guidelines on the application and setting of administrative fines for the purpose of regulation
2016/679.
48 Guidelines on the application and setting of administrative fines for the purpose of regulation
2016/679.

Supervisory authorities need to cooperate with each other through different avenues, including formal and informal exchange of information. Through these exchanges, more detailed information about the application of the fining provisions can be shared.49
The document also gives guidance on the individual criteria listed in Article 83(2).

3.3.1 Interpretation of Article 83

. “The nature, gravity and duration of the infringement”50
The extent of the infringement is assessed against the nature, scope and purpose of the processing and the number of data subjects involved. The number of data subjects affected helps identify the nature of the infringement: an isolated event, a systematic breach, or a lack of due diligence measures. This does not mean that isolated events are beyond enforcement. The supervisory authority should further consider two aspects, purpose specification and compatible use, when ascertaining the gravity.51

. “The intentional or negligent character of the infringement”52

An indicative list of intentional breaches could be situations where the DPO’s instruc-
tions are not followed by data controllers and processors or they disregard existing
policies or norms.53

. “Any action taken by the controller or processor to mitigate the damage suffered
by data subjects”54
Appropriate measures taken by a data controller may help the supervisory authority
decide the extent of the fine imposed. Supervisory authorities can show some degree
of flexibility to those data controllers and processors who own up to the infringements
and have taken further responsibility to correct or reduce the impact of such a breach.
Some of the examples cited are:

49 Guidelines on the application and setting of administrative fines for the purpose of regulation
2016/679.
50 Guidelines on the application and setting of administrative fines for the purpose of regulation
2016/679.
51 Guidelines on the application and setting of administrative fines for the purpose of regulation
2016/679.
52 Guidelines on the application and setting of administrative fines for the purpose of regulation
2016/679.
53 Guidelines on the application and setting of administrative fines for the purpose of regulation
2016/679.
54 Guidelines on the application and setting of administrative fines for the purpose of regulation
2016/679.

. “Contacting other controllers/processors who may have been involved in an extension of the processing e.g. if there has been a piece of data mistakenly shared with third parties.
. timely action taken by the data controller/processor to stop the infringement from continuing or expanding to a level or phase which would have had a far more serious impact than it did.”55
. “Any relevant previous infringements by the controller or processor”56
In this regard, the supervisory authority should assess whether the controller or processor has committed the same infringement before, or a different infringement in the same manner, for instance by not following its internal governance structure, not responding to data subjects, or carrying out inadequate risk assessments.57

4 How Are Fines Calculated Under GDPR?

The penalties available under Member States’ national laws for violations of EU data protection rules before the GDPR frequently failed to be sufficiently ‘dissuasive’. The GDPR not only broadens its reach to encompass international controllers and processors operating in EU markets, but also creates the possibility of imposing effective and dissuasive fines. Fines serve an important function in deterring infringements and encouraging accountability. They impose a credible threat of investigation and penalty, shifting the perceived balance of the expected benefits and costs of non-compliance sufficiently to give controllers an incentive to comply. Fines also have a moral and supportive effect, sending a message to those who are naturally law-abiding, as well as to their internal advisers and data protection officers, confirming the value of their commitment to accountability and compliance.58

55 Guidelines on the application and setting of administrative fines for the purpose of regulation
2016/679.
56 Guidelines on the application and setting of administrative fines for the purpose of regulation

2016/679.
57 Guidelines on the application and setting of administrative fines for the purpose of regulation

2016/679.
58 Kuner, Christopher; Bygrave, Lee A., The EU General Data Protection Regulation (GDPR): A Commentary (2020) (Kuner).

4.1 Guidelines 04/2022 on the Calculation of Administrative Fines59

The Guidelines intend to provide supervisory authorities with clear and objective grounds for imposing administrative fines under the GDPR. They build on the earlier Guidelines on the application and setting of administrative fines adopted by the WP29 in 2017 and endorsed by the EDPB in 2018. While the earlier guidelines focused on the circumstances that warrant an administrative fine under Article 83, the present Guidelines add a methodology for establishing the amount of the fine. They aim to harmonise the starting points of the assessment across individual cases, emphasising a consistent approach rather than prescribing a rigid mathematical formula. The final amount depends on the individual circumstances of each case.60
The EDPB’s goal is not to standardise the outcome of every decision, but to harmonise the starting points and the methodology used by supervisory authorities. The Guidelines require supervisory authorities to state the initially proposed amount and to justify any subsequent revisions on the basis of applicable EU and Member State law. By fostering transparency and consistency, the EDPB aims to ensure that administrative fines are effective and reasonable means of enforcing GDPR compliance throughout the European Union.61

4.1.1 Methodology For Calculating the Amount of the Fine

The EDPB refers to five steps:

“Step 1: Identifying the processing operations in the case and evaluating the application of Article 83(3) GDPR.
Step 2: Finding the starting point for further calculation based on an evaluation of:
a) the classification in Article 83(4)–(6) GDPR;
b) the seriousness of the infringement pursuant to Article 83(2)(a), (b) and (g) GDPR;
c) the turnover of the undertaking as one relevant element to take into consideration with a view to imposing an effective, dissuasive and proportionate fine, pursuant to Article 83(1) GDPR.

59 Guidelines 04/2022 on the calculation of administrative fines under the GDPR adopted on 12th
May 2022, https://edpb.europa.eu/system/files/2022-05/edpb_guidelines_042022_calculationofad
ministrativefines_en.pdf . Accessed 8 December 2023 (Guidelines 04/2022).
60 Guidelines 04/2022.
61 Guidelines 04/2022.

Step 3: Evaluating aggravating and mitigating circumstances related to past or present behaviour of the controller/processor and increasing or decreasing the fine accordingly.
Step 4: Identifying the relevant legal maximums for the different processing operations. Increases applied in previous or next steps cannot exceed this amount.
Step 5: Analysing whether the final amount of the calculated fine meets the requirements of effectiveness, dissuasiveness and proportionality, as required by Article 83(1) GDPR, and increasing or decreasing the fine accordingly."

Source Guidelines 04/2022 on the Calculation of Administrative Fines Under the GDPR
Infringements with fixed amounts.
Supervisory authorities may predetermine a fixed fine for certain infringements, unless national law prohibits or conflicts with such a practice. Based on the nature, gravity and duration, a supervisory authority is free to decide which types of infringement fall within this category. The EDPB recommends that the supervisory authority communicate such amounts and circumstances in advance.62
Interpreting Article 83(3).
“83(3) If a controller or processor intentionally or negligently, for the same or linked
processing operations, infringes several provisions of this Regulation, the total amount of
the administrative fine shall not exceed the amount specified for the gravest infringement.”63

We start with concurrent infringements and their effect under Article 83(3). The supervisory authority first needs to identify the conduct and the infringements on which the fine will be based. A case may involve several sets of circumstances, which the Guidelines say may be treated either as one conduct or as separate conducts, each sanctionable on its own. The Guidelines also note that one and the same conduct may give rise to multiple infringements, which is the situation of concurrent infringements. Depending on which applies, the fine is calculated differently.
It is therefore essential to identify the sanctionable conduct, whether one or many, before imposing the fine. The circumstances of the matter decide whether they fall under one and the same conduct or under multiple conducts. This is where the phrase “for the same or linked processing operations” comes in: such operations are treated as one and the same conduct.64

62 Guidelines 04/2022.
63 Article. 83, GDPR.
64 Guidelines 04/2022.

The Guidelines further note that, when determining whether processing operations are the same or linked, compliance with transparency obligations also has to be considered. Any infringement could therefore relate to the same or linked processing operations. The Guidelines cite a few examples, as follows:

The same or linked processing operations

“A financial institution requests a credit check from a credit reporting agency (CRA). The financial institution receives this information and stores it in its system.
Although the collection and storage of the creditworthiness data by the financial institution each are by themselves processing operations, they form a set of processing operations that are carried out by a unitary will and are contextually, spatially and temporally related in such a close way that an outside observer would consider them as one coherent conduct. Therefore, the processing operations performed by the financial institution are to be considered as being “linked” and form the same conduct.”

Source Guidelines 04/2022 on the calculation of administrative fines under the GDPR

“Not the same or linked processing operations

(i) A building authority performs a background check of a job applicant. The background check also includes the political affinity, union membership and sexual orientation. (ii) Five days later, the building authority demands from its vendors (sole traders) excessive self-disclosure regarding their business deals with other entities, irrespective of any relevance to the contract with or compliance obligations of the building authority. (iii) Another week later, the building authority suffers a personal data breach. The network of the building authority is hacked – despite having adequate technical and organizational measures in place – and the hacker gains access to a system that processes personal data of citizens that had filed requests with the building authority. Despite the data were adequately encrypted in line with applicable standards, the hacker is able to break it with military decryption technology and sells the data in the dark net. The building authority refrains from notifying the supervisory authority, despite its obligation to do so. The processing operations concerned in this case i.e. the background check, the demands of self-disclosure from vendors and the failure to notify a personal data breach, are not contextually related. Therefore, they are not to be considered “linked”, but instead form different conducts.”

Source Guidelines 04/2022 on the Calculation of Administrative Fines Under the


GDPR

In both examples the question is whether there is a definite link between the circumstances. Where there is none, the conducts are treated separately and fined separately.

4.1.2 Starting Point for Calculation

A harmonised starting point for deciding the amount of the fine does not stop the supervisory authorities from assessing each case on its merits. The penalty has to be effective, dissuasive and proportionate. Beyond this, the EDPB Guidelines allow the supervisory authority to categorise an infringement as of low, medium or high seriousness. For a low level of seriousness the proposed starting amount lies between 0 and 10% of the applicable legal maximum, for a medium level between 10 and 20%, and for a high level between 20 and 100%.65
The EDPB Guidelines raise an important point here. The static legal maximum of Article 83 applies to micro-enterprises and multinational corporations alike. The Guidelines therefore suggest that a fair approach would be to reflect the undertaking’s turnover in the starting amount.
Accordingly, the supervisory authority may consider adjusting the starting amount where the undertaking’s annual turnover does not exceed EUR 500 million, using bands with thresholds at EUR 2 million, 10 million, 50 million, 100 million, 250 million and 500 million.66

The EDPB Provides a Model in This Regard:

“- For undertakings with an annual turnover of ≤ €2m, supervisory authorities may consider to proceed calculations on the basis of a sum between 0.2% and 0.4% of the identified starting amount.
- For undertakings with an annual turnover of €2m up until €10m, supervisory authorities may consider to proceed calculations on the basis of a sum between 0.3% and 2% of the identified starting amount.
- For undertakings with an annual turnover of €10m up until €50m, supervisory authorities may consider to proceed calculations on the basis of a sum between 1.5% and 10% of the identified starting amount.
- For undertakings with an annual turnover of €50m up until €100m, supervisory authorities may consider to proceed calculations on the basis of a sum between 8 and 20% of the identified starting amount.
- For undertakings with an annual turnover of €100m up until €250m, supervisory authorities may consider to proceed calculations on the basis of a sum between 15 and 50% of the identified starting amount.

65 Guidelines 04/2022.
66 Guidelines 04/2022.

- For undertakings with an annual turnover of €250m up until €500m, supervisory authorities may consider to proceed calculations on the basis of a sum between 40 and 100% of the identified starting amount.
- For undertakings with an annual turnover above €500m, supervisory authorities may consider to proceed without an adjustment of the identified starting amount. Indeed, such undertakings will exceed the static legal maximum and, thus, the size of the undertaking is already reflected in the dynamic legal maximum used to determine the starting amount for further calculation based on the evaluation of the seriousness of the infringement."

Source Guidelines 04/2022 on the calculation of administrative fines under the GDPR, adopted on 12th May 2022
For larger undertakings the adjustment band is therefore wider, and above EUR 500 million no adjustment is made at all, since the dynamic (turnover-based) legal maximum already reflects the undertaking’s size. The supervisory authority remains free to adjust the amount further, at the final step, from the angles of effectiveness, dissuasiveness and proportionality.

Example:
“A supermarket chain with a turnover of €450 million has infringed Article 12 GDPR. The supervisory authority, based on a careful analysis of the circumstances of the case, decided that the infringement is of a low level of seriousness. To determine the starting point for further calculation, the supervisory authority first identifies that Article 12 GDPR is listed in Article 83(5)(b) GDPR and that, based on the turnover of the undertaking (€450 million), a legal maximum of €20 million applies.
Based on the level of seriousness determined by the supervisory authority (low), a starting amount between €0 and €2 million should be considered (between 0 and 10% of the applicable legal maximum, see paragraph 60 above).
The supervisory authority considers that an adjustment down to 90% of the starting amount is justified based on the size of the undertaking, which has a turnover of €450 million. This amount forms the basis for further calculation, which should result in a final amount not exceeding the applicable legal maximum of €20 million."

Source Guidelines 04/2022 on the Calculation of Administrative Fines Under the GDPR
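The following Python script is an added illustration of the Step 2 and Step 4 arithmetic discussed above; it is not code from the EDPB Guidelines or from this book. It encodes the figures quoted on the preceding pages (the static maxima and turnover percentages of Article 83(4) to (6), the three seriousness ranges, the turnover adjustment bands, and the Article 83(3) cap for the same or linked processing operations) so that the supermarket example can be reproduced and an undertaking's maximum exposure modelled. The seriousness level, the position chosen inside a range and the adjustment chosen inside a band remain matters of the supervisory authority's judgement and are taken as parameters; the function and variable names are our own.

```python
"""Model of the EDPB Guidelines 04/2022 starting-point calculation.

Added example; not code from the Guidelines or from this book. It encodes
the published figures quoted in the text so that the supermarket example
can be reproduced. All amounts are in euros. Seriousness level, position
inside a range and adjustment inside a band are the supervisory
authority's judgement and are taken here as parameters (assumptions).
"""

# Static maximum (EUR) and turnover percentage for each tier of Article 83.
TIER_MAX = {
    "83(4)": (10_000_000, 0.02),
    "83(5)": (20_000_000, 0.04),
    "83(6)": (20_000_000, 0.04),
}

# Starting-point ranges by seriousness, as a fraction of the legal maximum.
SERIOUSNESS_RANGE = {
    "low": (0.0, 0.10),
    "medium": (0.10, 0.20),
    "high": (0.20, 1.0),
}

# Turnover bands (inclusive upper bound in EUR) -> permitted fraction of the
# starting amount. Above EUR 500m no adjustment is made.
TURNOVER_BANDS = [
    (2_000_000, (0.002, 0.004)),
    (10_000_000, (0.003, 0.02)),
    (50_000_000, (0.015, 0.10)),
    (100_000_000, (0.08, 0.20)),
    (250_000_000, (0.15, 0.50)),
    (500_000_000, (0.40, 1.00)),
]


def legal_maximum(tier: str, turnover: float) -> float:
    """Applicable legal maximum: the static amount or the turnover-based
    ('dynamic') amount, whichever is higher."""
    static, pct = TIER_MAX[tier]
    return max(static, pct * turnover)


def starting_range(tier: str, turnover: float, seriousness: str) -> tuple[float, float]:
    """Step 2(b): range within which the starting amount is chosen."""
    lo, hi = SERIOUSNESS_RANGE[seriousness]
    maximum = legal_maximum(tier, turnover)
    return lo * maximum, hi * maximum


def turnover_band(turnover: float) -> tuple[float, float]:
    """Step 2(c): permitted adjustment band for the undertaking's size."""
    for upper, band in TURNOVER_BANDS:
        if turnover <= upper:
            return band
    return 1.0, 1.0


def starting_amount(tier, turnover, seriousness, position=1.0, adjustment=None):
    """Starting amount for further calculation.

    position: where inside the seriousness range the authority places the
    case (0.0 = bottom, 1.0 = top). adjustment: fraction chosen inside the
    turnover band; defaults to the top of the band. A value outside the
    band is rejected because the Guidelines do not provide for it."""
    lo, hi = starting_range(tier, turnover, seriousness)
    base = lo + position * (hi - lo)
    band_lo, band_hi = turnover_band(turnover)
    if adjustment is None:
        adjustment = band_hi
    if not band_lo <= adjustment <= band_hi:
        raise ValueError(f"adjustment {adjustment} outside band {band_lo}-{band_hi}")
    return base * adjustment


def cap_same_or_linked(fines: list[tuple[float, str]], turnover: float) -> float:
    """Article 83(3) / Step 4: for the same or linked processing operations
    the total may not exceed the legal maximum of the gravest infringement,
    i.e. the one with the highest applicable maximum."""
    total = sum(amount for amount, _ in fines)
    cap = max(legal_maximum(tier, turnover) for _, tier in fines)
    return min(total, cap)


if __name__ == "__main__":
    # The supermarket example from the Guidelines: EUR 450m turnover,
    # Article 12 (listed in Article 83(5)(b)), low seriousness, 90% adjustment.
    lo, hi = starting_range("83(5)", 450_000_000, "low")
    print(f"legal maximum: {legal_maximum('83(5)', 450_000_000):,.0f}")
    print(f"starting range (low): {lo:,.0f} - {hi:,.0f}")
    print(f"turnover band: {turnover_band(450_000_000)}")
    print("starting amount at top of range, 90% adjustment: "
          f"{starting_amount('83(5)', 450_000_000, 'low', 1.0, 0.9):,.0f}")
```

Run as a script, it reproduces the Guidelines' figures: a EUR 20 million legal maximum (4% of EUR 450 million is EUR 18 million, so the static maximum applies), a low-seriousness range of EUR 0 to 2 million, the 40 to 100% band, and EUR 1.8 million after the 90% adjustment. For an undertaking above EUR 500 million the band collapses to 100% and only the dynamic maximum reflects its size, exactly as the last bullet of the model states.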
One significant decision illustrating the computation of fines under the GDPR is the case involving Google LLC, decided by the French data protection authority (CNIL) in 2019.67 The case concerned Google’s compliance with the GDPR’s transparency and consent obligations for personalised advertising. In this

67 The CNIL’s restricted committee imposes a financial penalty of 50 Million euros against GOOGLE LLC (2019), https://www.edpb.europa.eu/news/national-news/2019/cnils-restricted-committee-imposes-financial-penalty-50-million-euros_en, accessed 24 June 2024 (CNIL, 2019).

decision, CNIL imposed a fine of 50 million euros on Google for lack of transparency, inadequate information and lack of valid consent for the personalisation of advertising. The fine was set using the criteria in Article 83 of the GDPR, such as the nature, gravity and duration of the infringement, the number of data subjects affected, and whether the infringement was intentional or negligent.
CNIL’s decision showed how these considerations determined the final amount. It identified particular infringements of GDPR provisions and their consequences for users’ privacy rights, emphasised the importance of transparency in data processing and the need for robust consent mechanisms, and set a reference point for how supervisory authorities interpret and apply the GDPR when calculating administrative fines. The case demonstrates how supervisory authorities manage the complexity of GDPR enforcement, applying a methodical approach to set fines that are both effective and proportionate to the gravity of the infringements committed by the controller.68

4.1.3 Benchmarking Effectiveness, Proportionality and Dissuasiveness

When deciding the amount of the fine, all circumstances should be considered, including possible multiple infringements and the increases or decreases due to aggravating or mitigating circumstances. The supervisory authority should not count the same facts twice.
Effectiveness
A fine is considered effective if it creates a deterrent effect. Recital 148 of the GDPR
states that effective imposition of penalties could strengthen the enforcement and
rules of this Regulation. Therefore, the supervisory authority needs to check the
effectiveness of the fine.69
Proportionality
The EDPB Guidelines state that where a choice between appropriate measures exists, the least onerous must be chosen, and the disadvantages caused must not be disproportionate to the aims pursued. The amount of the fine should correspond to the gravity of the infringement. The supervisory authority must ensure that the amount is proportionate both to the severity of the infringement and to the size of the undertaking. Two factors in particular, economic viability and the specific social and economic context, call for a detailed assessment.

68 CNIL, 2019.
69 Guidelines 04/2022.

. Economic viability: For a supervisory authority to take economic viability into account, the undertaking must provide financial data. The supervisory authority looks at indicators such as solvency, liquidity and profitability.70
. Proof of loss of value: The fine may be reduced where it would jeopardise the economic viability of the undertaking and cause its assets to lose all or most of their value. A direct causal link must be shown between the fine imposed and the significant loss of asset value, and several contributory conditions must be considered. For instance, where the undertaking would have to terminate its activities and sell all its assets, it must show that, because of the fine, it has no alternative but to exit the market, that the assets would be sold at a discounted price, and that it clearly has no prospect of continuing its operations.71
. Specific social and economic context: The undertaking may find it difficult to obtain credit because of the economic conditions in the jurisdiction. In that context, before imposing a fine, the possible effect on unemployment should be considered.
Where these criteria are met, the supervisory authority may reduce the fine in view of the controller’s inability to pay.72
Dissuasiveness
A dissuasive fine is one that deters future infringements. The EDPB Guidelines refer to two forms of deterrence, general and specific. General deterrence addresses other controllers who might commit the same infringement; specific deterrence discourages the controller concerned from repeating it. The supervisory authority should take both into account when imposing the fine. A fine is dissuasive when it outweighs the benefit of infringing the law, and the perceived likelihood that a penalty will actually be imposed adds to the deterrent effect. A supervisory authority may increase the fine if it is not dissuasive enough.73
Questions
1. How can individuals enforce their rights under GDPR by lodging a complaint
with a supervisory authority?
2. Explain the factors considered when calculating fines imposed on organisations
for GDPR violations.
3. What role does the European Data Protection Board (EDPB) play in overseeing
GDPR enforcement across EU member states?

70 Guidelines 04/2022.
71 Guidelines 04/2022.
72 Guidelines 04/2022.
73 Guidelines 04/2022.

4. Discuss the powers and responsibilities of supervisory authorities in enforcing GDPR within their respective jurisdictions.
5. How does GDPR promote accountability and transparency through its enforce-
ment mechanisms and penalties?

Suggested Readings

1. Guidelines on the application and setting of administrative fines for the purposes of the
Regulation 2016/679.
2. Guidelines 04/2022 on the calculation of administrative fines under the GDPR adopted on 12th
May 2022.
3. COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT
AND THE COUNCIL Data Protection as a Pillar of Citizens’ Empowerment and the Eu’s
Approach to the Digital Transition - Two Years of Application of the General Data Protection
Regulation.
4. Stephan Mulders, ‘The Relationship between the Principle of Effectiveness under Art. 47 CFR
and the Concept of Damages under Art. 82 GDPR’ (2023) 13 IDPL 169
5. Donato La Muscatella, ‘Data Protection Officer: Tasks and Responsibilities of a Key Role for
the Innovation of the Relationship between Data and Data Subjects’ Rights’ (2020) 3 JDPP 403
6. Diogo Matos Brandão, ‘The One-Stop-Shop and the European Data Protection Board’s Role in
Combatting Data Supervision Forum Shopping’ (2023) 13 IDPL 313
7. Anna Aurora Wennäkoski, ‘Mapping the Supervisory Authorities’ Activities: Pragmatic
Problem-Solvers or New Practice Creators?’ (2020) 3 JDPP 149
