Introduction to General Data Protection Regulation

INTRODUCTION TO GENERAL DATA PROTECTION REGULATION
Regulation (EU) 2016/679, 27 April 2016
Directive (EU) 2016/680, 27 April 2016

Cathy VRANCKX Monday, 24 April 2018 © Cathy Vranckx 2018 - Website: the butterfly's Netways

TABLE OF CONTENTS

1. INTRODUCTION ..... 4
2. THE SCOPE ..... 5
2.1. MATERIAL SCOPE ..... 5
2.2. TERRITORIAL SCOPE ..... 6
3. DEFINITIONS ..... 7
3.1. PERSONAL DATA OF NATURAL PERSON ..... 7
3.1.1. Definition ..... 7
3.1.2. Constituent items ..... 7
3.2. PROCESSING ..... 8
3.2.1. Definition ..... 8
3.2.2. Constituent items ..... 8
3.2.3. Special cases ..... 8
3.2.4. Processing of personal data in specific situations ..... 10
3.3. CONTROLLER ..... 11
3.3.1. Definition ..... 11
3.4. PROCESSOR ..... 11
4. PRINCIPLES ..... 12
4.1. LAWFULNESS OF PROCESSING: ART 6 ..... 13
4.2. CONSENT: ART 7 ..... 13
4.2.1. Generality ..... 13
4.2.2. Specific case: the child's consent: art 8 ..... 14
4.3. PROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA: ART 9 ..... 14
4.4. PROCESSING OF PERSONAL DATA RELATING TO CRIMINAL CONVICTIONS AND OFFENCES: ART 10 ..... 14
4.5. PROCESSING WHICH DOES NOT REQUIRE IDENTIFICATION ..... 15
5. PERSONS ..... 16
5.1. CONCERNED PERSONS AND ROLES ..... 16
5.2. PREREQUISITE: INFORMATION AND COMMUNICATION DUTIES OF THE CONTROLLER (ART 13-14) ..... 16
5.2.1. Types of information ..... 17
5.2.2. Information from data subject ..... 17
5.2.3. Information not from data subject ..... 17
5.3. RIGHTS OF THE DATA SUBJECT ..... 18

Page 1 of 37

5.3.1. Right to access (art 15) ..... 18
5.3.2. Right to rectification (art 16) ..... 18
5.3.3. Right to erasure (art 17) ..... 18
5.3.4. Right to restriction of processing (art 18) ..... 19
5.3.5. Right to data portability (art 20) ..... 19
5.3.6. Right to object (art 21) ..... 20
5.4. CONTROLLER ..... 20
5.4.1. Responsibility and burden of proof ..... 20
5.4.2. Type of controllers ..... 21
5.4.3. Duties ..... 21
5.5. PROCESSOR ..... 24
5.5.1. Contract ..... 24
5.5.2. Duties ..... 24
5.6. DATA PROTECTION OFFICER ..... 25
5.6.1. Duties ..... 26
6. TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANISATION ..... 27
6.1. TYPES OF TRANSFERS ..... 27
6.1.1. On basis of an adequacy decision (art 45) ..... 27
6.1.2. Transfers subject to appropriate safeguards (art 46) ..... 27
6.1.3. Transfers or disclosures not authorised by Union Law (art 48) ..... 28
6.1.4. Derogations ..... 28
6.1.5. International cooperation (art 50) ..... 28
7. INDEPENDENT SUPERVISORY AUTHORITIES ..... 30
7.1. DEFINITION ..... 30
7.2. MEMBER NOMINATION AND DUTIES ..... 30
7.3. COMPETENCES AND TASKS ..... 30
8. COOPERATION AND CONSISTENCY ..... 32
8.1. THE LEAD SUPERVISORY AUTHORITY ..... 32
8.2. THE EUROPEAN DATA PROTECTION BOARD ..... 32
8.2.1. Members ..... 32
8.2.2. Duties ..... 33
9. REMEDIES, LIABILITIES AND PENALTIES ..... 34
9.1. PROCEEDING ITEMS ..... 34
9.1.1. Representation of data subject ..... 34
9.1.2. Suspension of proceedings ..... 34
9.2. RIGHT TO LODGE A COMPLAINT WITH A SUPERVISORY AUTHORITY ..... 34
9.3. RIGHT TO AN EFFECTIVE JUDICIAL REMEDY AGAINST A SUPERVISORY AUTHORITY ..... 34
9.4. RIGHT TO AN EFFECTIVE JUDICIAL REMEDY AGAINST A CONTROLLER OR PROCESSOR ..... 34
9.5. RIGHT TO COMPENSATION AND LIABILITY ..... 35
9.6. ADMINISTRATIVE FINES ..... 35
9.6.1. Art 83 § 4 ..... 36
9.6.2. Art 83 § 5 ..... 36
9.6.3. Penalties ..... 36
10. LINK REPOSITORY ..... 37
10.1. EUROPEAN SOURCES ..... 37
10.2. NATIONAL SOURCES ..... 37


1. INTRODUCTION

The General Data Protection Regulation1, which came into force on 24/05/2016, will apply from 25/05/2018 in all European Member States. The main purpose of such a legal instrument is to harmonise the data privacy rules across Europe: "the aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the 1995 directive was established."2 The starting point comes from art 8 of the EU Charter of Fundamental Rights3:

"1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
3. Compliance with these rules shall be subject to control by an independent authority."

The following items are mandatory:
1. Everyone is concerned (= people, companies, authority)
2. Consent from natural person (= data subject, including children)
3. Access to its own data
4. Compliance controlled by an independent Authority

What are the key points?
- Territorial scope: the new GDPR aims to harmonise data protection across the Union AND includes processing of data of EU citizens by extra-EU controller(s) and/or processor(s)
- Penalties: administrative fines applied to controller and/or processor
- Consent: the request for consent must be easy and accessible
- Data subject rights:
  o Breach: notification and control of this by the supervisory authority
  o Right to access
  o Right to be forgotten (= erasure and/or restriction of processing)
  o Data portability (= communication and information that processing and/or data have been transferred to another controller and/or processor)
  o Privacy by design: only the data necessary for the processing (= data minimisation), strictly used for the processing system designed


2. THE SCOPE

2.1. Material scope

Nowadays, we live in the digital age and we use data for everything and from everyone. Further, we need free access to our data and to manage who can read and/or use them. Data privacy was a first step in 1995, but we need to go further. The European Data Protection Directive (EDPD) (Directive 95/46/EC) states: "the processing of personal data wholly or partly by automatic means, and to the processing otherwise than by automatic means of personal data which form part of a filing system or are intended to form part of a filing system."4 As we are now on a digital market, rules and controls are required to manage data processing:
- Protect citizens with regard to the processing of data and the free movement of such data
- Secure personal data by safeguards against misuse
- Supervise the storage of personal data
- Make business easy or allowed by a consent from citizens for uses

However, the application of this Directive shows differences in level of protection5:
- No prevention of fragmentation of data protection across the EU
- Legal gap
- Public perception of significant risk with online features
- Free flow of personal data
- Obstacle or distortion in economic activities
- Responsibilities of authorities

The scope of the GDPR is quite the same as that of the Directive of 1995.

Art 2 § 2 states when this Regulation does not apply:
- In the course of an activity which falls outside the scope of Union law.
- By the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU.
- By a natural person in the course of a purely personal or household activity.
- By competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. This is the subject of another important Directive, Directive (EU) 2016/680, on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data.

2.2. Territorial scope

Art 3 defines who is concerned by data processing in three types of situations:
- The context of the activities of an establishment of a controller or a processor in the Union
  → any company that has a headquarters or a management entity in the EU
- The processing of personal data of data subjects who are citizens in the Union by a controller or processor not established in the Union:
  o the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union
  o the monitoring of their behaviour as far as their behaviour takes place within the Union
  → any company from abroad that uses online activities
- A controller not established in the Union, but in a place where Member State law applies by virtue of public international law
  → diplomatic or consular services abroad
  → bodies of government representatives abroad (e.g. chamber of commerce, governmental economic agency)

Please note: we have to distinguish the main establishment6 from a corporate entity or agency that is able to take decisions about processing personal data:
- For a processor: the main establishment in the EU is "the place of its central administration in the Union". Exception: where the main processing activities take place in the EU, that place, wherever the central administration is located, is to be considered the main establishment.
- For a controller: the main establishment in the EU is "the place of its central administration in the Union". Exception: where the decision about processing personal data has been taken by another establishment in the Union that has the power to take such a decision, that establishment is to be considered the main establishment.

6 http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.119.01.0001.01.ENG&toc=OJ:L:2016:119:TOC


3. DEFINITIONS

Art 4 provides the definitions of the terms, persons or entities involved in the GDPR.

3.1. Personal data of natural person

3.1.1. Definition

Personal data in Art 4 (1): "any information relating to an identified or identifiable natural person ('data subject');"

Data subject in art 4 (1): "an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;"

3.1.2. Constituent items

Personal data remain attached to a natural person. The natural person is the individual, "whatever their nationality or place of residence, in relation to the processing of their personal data"7.

Please note: this Regulation does not apply to legal persons8 like companies, non-profit organisations or authorities. Nevertheless, it covers the natural persons involved in a legal person (e.g. owner, founder).

Personal data consist of any identifier that helps to find a natural person by:
- Name
- ID number
- Location data
- Online ID
- Specific factors: physical, physiological, genetic, mental, economic, cultural, social

The Regulation sets up some of them9.

Please note: some practices require these "factors" to be recorded in databases, but with strictly reserved uses like medical or professional confidentiality. In this case, we have two situations in which the author will be prosecuted for criminal offences under the applicable law ratione loci (= where), ratione materiae (= what), ratione personae (= who):
- A breach of confidentiality by the data holder10
- A data robbery, with or without the help of the data holder


3.2. Processing

3.2.1. Definition

Art 4 (2): "any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction"

3.2.2. Constituent items

Any operation on personal data, or set of operations, makes up the processing. It can be automated or not. Types of operation:
- Collection
- Recording
- Organisation
- Structuring
- Storage
- Adaptation or alteration
- Retrieval
- Consultation
- Use
- Disclosure by transmission
- Dissemination
- Alignment or combination
- Restriction
- Erasure or destruction

3.2.3. Special cases

3.2.3.1. Restriction of processing

Art 4(3): “the marking of stored personal data with the aim of limiting their processing in the future;”

Art 15 introduces the data subject's right of access, which underpins this limitation: "The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data"11


3.2.3.2. Profiling

Art 4 (4): “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;”

This section aims to fix the purposes and the uses within data analysis:
- For insurance or banking products in which some personal data are eligibility criteria (e.g. health, age, location).
- For marketing and/or commercial issues (e.g. surveys, targeting audiences, social networks).

3.2.3.3. Pseudonymisation

Art 4 (5): "the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;"

The reason to use this method is that it "can reduce the risks to the data subjects concerned and help controllers and processors to meet their data-protection obligations"12. In practice, online identifiers provided by devices, applications or tools (e.g. protocols such as HTTP, FTP, POP, SMTP; cookies; radio frequency identification tags) link to the users as natural persons (= individuals). "This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them."

Art 89 stipulates the conditions of derogations for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes: they "shall be subject to appropriate safeguards, in accordance with this Regulation, for the rights and freedoms of the data subject."13
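Pseudonymisation as Art 4 (5) describes it, worked through as an added Python example (this is not code from the original document): direct identifiers are replaced by a keyed pseudonym, and the "additional information" needed to re-attribute the data (the HMAC secret and the pseudonym-to-identifier table) lives in a separate object that would be stored and access-controlled apart from the dataset. The sample records, the field names and the helper names are constructed for the illustration and are not taken from the Regulation.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample records for the illustration (not real people).
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.org", "diagnosis": "diabetes"},
    {"name": "Bob Example", "email": "bob@example.org", "diagnosis": "asthma"},
]

# Fields that identify the person directly; they must not stay in the pseudonymised set.
DIRECT_IDENTIFIERS = {"name", "email"}


@dataclass
class AdditionalInformation:
    """The Art 4(5) 'additional information': a secret plus a pseudonym -> identifier map.
    It is kept in its own store, separate from the pseudonymised records."""
    secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    lookup: dict = field(default_factory=dict)


def pseudonym_for(info: AdditionalInformation, identifier: str) -> str:
    """Keyed (HMAC-SHA256) pseudonym for one identifier.

    A plain hash would let anyone who can guess an identifier recompute it and confirm
    that the person is in the dataset; the secret prevents that. The same identifier
    always maps to the same pseudonym under one key, so records stay linkable."""
    tag = hmac.new(info.secret, identifier.strip().lower().encode(), hashlib.sha256)
    pseudonym = tag.hexdigest()[:16]
    info.lookup[pseudonym] = identifier
    return pseudonym


def pseudonymise(records, info: AdditionalInformation, key_field: str = "email"):
    """Return copies of the records with direct identifiers removed and a pseudonym added.
    Dropping the fields the purpose does not need is the data minimisation of art 5."""
    out = []
    for record in records:
        kept = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        kept["pseudonym"] = pseudonym_for(info, record[key_field])
        out.append(kept)
    return out


def reidentify(record, info: AdditionalInformation):
    """Re-attribution is possible only for whoever holds the additional information.
    Returns None when this store does not know the pseudonym."""
    return info.lookup.get(record["pseudonym"])


if __name__ == "__main__":
    info = AdditionalInformation()                 # stored separately from the dataset
    dataset = pseudonymise(RECORDS, info)
    print(dataset)                                  # no name / email, only pseudonym + diagnosis
    print(reidentify(dataset[0], info))             # alice@example.org, with the key store
    print(reidentify(dataset[0], AdditionalInformation()))  # None, without it
```

The split between the dataset and the `AdditionalInformation` store is the point of the definition: the analytics team can work on the pseudonymised records, while the secret and lookup table sit behind their own technical and organisational measures. Rotating the secret yields entirely different pseudonyms for the same people, which is useful when a dataset is shared with a new recipient.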

3.2.3.4. Filing system

Art 4(6): "any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;"

Many companies use this type of processing for recording customers' contact details. However, some personal data must be protected against intrusion, like medical personal data (e.g. illnesses such as diabetes or chronic diseases such as HIV) and insurance and banking data (e.g. accounts, investments).


Filing is a big part of creating personal data storage: it must be secure
- For storage infrastructure
- For storage access control
- For storage types (e.g. cloud computing, data warehouses)
- For storage categories (e.g. private or public, shared)

3.2.3.5. Cross-border processing

Art 4 (23): "1-processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or 2-processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State."

This case concerns the following types of enterprises:
- Companies that have a headquarters for general management in a Member State and a technical unit (datacentre) in another Member State
- Companies that have several activities running in different Member States

3.2.4. Processing of personal data in specific situations

- Processing and freedom of expression and information (art 85): Member States have to adapt their rules according to the present Regulation with the right to freedom of expression and processing for journalistic, academic, artistic or literary expression purposes.
- Processing and public access to official documents (art 86): allowance for communication in order "to reconcile public access to official documents with the right to the protection of personal data"14.
- Processing of the national identification number (art 87): rules defined by Member States.
- Processing in the context of employment (art 88): Member States may by law or collective agreements provide specific rules in the employment context. Therefore, those rules must include "suitable and specific measures to safeguard the data subject's human dignity, legitimate interests and fundamental rights, with particular regard to the transparency of processing, the transfer of personal data within a group of undertakings, or a group of enterprises engaged in a joint economic activity and monitoring systems at the work place."15
- Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (art 89): they have to be appropriate and ensure that technical and organisational measures are in place (see pseudonymisation, data minimisation, encryption).
- Obligations of secrecy (art 90): Member States may adopt specific rules according to confidentiality, but only for personal data covered by this confidentiality.
- Existing data protection rules of churches and religious associations (art 91): those rules have to be brought into line with this Regulation to continue to apply. Those churches and/or associations shall be subject to the supervision of an independent supervisory authority.

3.3. Controller

3.3.1. Definition

The controller is actually in charge of the framework that defines the processing: (s)he "determines the purposes and means of the processing of personal data"16, so (s)he is the contact person and the contracting party with the data subject. The controller can be "the natural or legal person, public authority, agency or other body [...] alone or jointly with others". Where Union or Member State law determines the processing, the controller must be eligible according to "the specific criteria for its nomination [...] provided for by Union or Member State law;"17 More details about rights and obligations: see infra, Controller.

3.4. Processor

The processor is in charge of processing operations on behalf of the controller. The processor can be "the natural or legal person, public authority, agency or other body". The controller must check whether the processors it engages are eligible: "providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject"18 More details about rights and obligations: see infra, Processor.


4. PRINCIPLES

This section aims to define the roles and duties of the main actors involved in the GDPR:
- Data subject: natural person related to personal data. E.g. the citizens of a Member State who claim a new passport.
- Controller: legal or natural person who defines the purposes and/or means of processing. E.g. Member State law: new format of passport with biometrics.
- Processor: legal or natural person who executes the processing operation. E.g. the company that produces this type of document.
- Supervisory authority: authority, established in a Member State, which ensures and controls the application of this Regulation on the territory of this Member State. E.g. the citizen complains to the supervisory authority about infringements in processing by a controller and/or a processor.
- Data Protection Officer: legal or natural person who is involved in impact assessment.
- Board: authority, established as an EU body, which ensures the consistency of application of this Regulation on the territory of the Union.

Art 5 states that personal data shall be handled according to the following six key points:
1. Processed lawfully: this point refers to lawfulness, fairness and transparency (e.g. Facebook vs Cambridge Analytica trial: the quiz did not mention any data processing for a political purpose). Moreover, "The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used."19
2. Collected for specified, explicit and legitimate purposes: art 85 to 91 strictly define the cases of processing in specific situations.
3. Adequate, relevant and limited: this point defines data minimisation.
4. Accurate and kept up to date.
5. Kept in a form which permits identification of the data subject for no longer than is necessary: this point introduces a term on the duration of use.
6. Processed in a manner that ensures appropriate security of personal data: this point refers to integrity and confidentiality.

The main duty of a controller is accountability: (s)he must perform his/her tasks with transparency, being:
- Responsible for data processing
- Able to demonstrate compliance with the six key points mentioned above.

19 https://gdpr-info.eu/recitals/no-39/


4.1. Lawfulness of processing: art 6

What are the legal requirements?
- Consent from the data subject.
- According to a contract and its terms of application.
- Compliance with a legal obligation.
- Protection of the vital interests of the data subject.
- Performance carried out in the public interest.
- Legitimate interest, except where overridden by fundamental rights and freedoms.

What are the legal bases?
1. Union law
2. Member State law

What are the derogations?

Who? The controller.
What? Processing for a purpose other than that for which the personal data have been collected, where it is not based on the data subject's consent or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23.
How? Take into account:
- Any link between the purposes.
- Context and relationships between data subject and controller.
- Nature of the personal data.
- Consequences of the processing.
- Existing safeguards (e.g. encryption or pseudonymisation).

4.2. Consent: art 7

4.2.1. Generality

Consent is mandatory and must be demonstrated by the controller (art 7 § 1). Priority is given to consent; withdrawal is not required, but the data subject has the right to withdraw it or not (art 7 § 3).

There are two specific cases:
1. When consent is freely given, check whether the consent is a condition for the performance of the contract.
2. When consent is given in a written declaration concerning other matters, it must be presented so as to be clearly distinguishable from the other matters:


“ Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent.”20

4.2.2. Specific case: the child's consent: art 8

The legal condition is that the child must be at least 16 years old to give his or her own consent. However, some Member States provide by law for a lower age, but not below 13 years old. Below 16 years old, consent must be given and/or authorised by the holder of parental responsibility over the child. The controller must check whether this consent has actually been given by the holder of parental responsibility over the child. E.g., subscription by a kid of 10 to a social network and/or game platform: when consent from the parents is required, the subscription is based on processing of the personal data of the holder of parental responsibility. When consent is not requested by the operator (= social network), the kid is by itself considered as an adult. This topic is closely related to parental control.

4.3. Processing of special categories of personal data: art 9

Art 9 § 1: "Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited."

§ 2 provides an exhaustive list of applications in which these personal data can be used after explicit consent (see law exception), like specific rights of the controller (social security, taxes), health, judiciary and so on. Some provisions

4.4. Processing of personal data relating to criminal convictions and offences: art 10

Only the official Authority allows the processing. However, if appropriate safeguards exist, Union or Member State law can authorise the processing.


E.g. criminal record

4.5. Processing which does not require identification

When the purpose of the processing does not require any identification of the data subject, the processing can carry on: e.g. an anonymous survey with no prior mail subscription.


5. PERSONS

5.1. Concerned persons and roles

The persons or entities concerned are the following:
- Data subject: natural person.
- Controller: natural or legal person.
- Processor: natural or legal person.
- Data Protection Officer: natural or legal person.
- Supervisory Authority: legal person, body or agency.
- Board: legal person, body of the EU including Commission representatives.

5.2. Prerequisite: information and communication duties of the controller (art 13-14)

The Regulation defines the rights of the data subject from art 12 to art 22. The exercise of these rights may be restricted by way of a legislative measure in respect of fundamental rights and freedoms (art 23). This limitation must be proportionate "in a democratic society to safeguard" relevant interests like national security or enforcement of civil law claims (see list in art 23 § 1). Art 12 refers to the transparency principle and the way of communication (consent), especially in the case of a child (see supra art 8). The controller has a list of duties:
- Take appropriate measures to provide any information or communication in a concise, transparent, intelligible and easily accessible form, using clear and plain language (art 12 § 1), or standardised icons in order to give, in an easily visible, intelligible and clearly legible manner, a meaningful overview of the intended processing. Where the icons are presented electronically, they shall be machine-readable (art 12 § 7).
- Facilitate the exercise of data subject rights.
- Provide information on action taken on a request:
  o To get access to its own personal data
  o To rectification
  o To erasure ("right to be forgotten")
  o To restriction of processing
  o To data portability

Please note: art 19 states that the controller shall communicate any rectification or erasure of personal data or restriction of processing. He has to inform the data subject about the recipients involved.

- Bear the burden of demonstrating the manifestly unfounded or excessive character of the request.


5.2.1. Types of information

The personal data are collected from the data subject. The controller provides the following information, e.g. as a legal notice, to ensure communication as required by art 13§1:

- The identity and the contact details of the controller and, where applicable, of the controller's representative.
- The contact details of the data protection officer.
- The purposes of the processing for which the personal data are intended as well as the legal basis for the processing.
- The legitimate interests.
- The recipients or categories of recipients.
- The intention to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or a reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.

5.2.2. Information from data subject

The controller provides the following information, e.g. as a legal notice, to ensure fairness and transparency as required by art 13§2:

- The period of storage.
- The right to send a claim request (= "the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability").
- The right to withdraw consent.
- The right to lodge a complaint with the supervisory authority.
- Whether providing the personal data is a statutory or contractual requirement.
- The existence of automated decision-making, including profiling.
- Further processing of the personal data for a purpose other than that for which the personal data were collected.

E.g. a legal notice, a disclaimer (for a web site or app) or terms and conditions can provide such information.

5.2.3. Information not from data subject

The controller provides the information listed in art 13§1 as a legal notice to ensure communication. Art 14§1 adds another item: the categories of personal data concerned. The controller also provides the information listed in art 13§2 as a legal notice to ensure fairness and transparency, and art 14§2 requires more:

- The legitimate interests.
- The source from which the personal data come (see data transfer).


Some additional conditions are required (art 14§3). The information is provided:

- Within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed.
- At the time of the first communication with the data subject.
- At the latest when the personal data are first disclosed.

Exceptions: these obligations do not apply insofar as

- The data subject already has the information.
- The provision of such information proves impossible or would involve a disproportionate effort.
- Obtaining or disclosure is expressly laid down by Union or Member State law.
- The personal data must remain confidential subject to an obligation of professional secrecy.

5.3. Rights of the data subject

- Right of access (art 15)
- Right to rectification (art 16)
- Right to erasure (art 17)
- Right to restriction of processing (art 18)
- Right to data portability (art 20)
- Right to object (art 21)
- Automated individual decision-making, including profiling (art 22)

5.3.1. Right of access (art 15)

Art 15 gives the data subject the right to obtain from the controller confirmation of whether his or her personal data are being processed and, if so, access to the personal data and to the related information (see art 13 and 14). The controller should provide a copy and may charge a fee if necessary. Where the request is made by electronic means, the copy is provided in the same way.

5.3.2. Right to rectification (art 16)

The controller rectifies inaccurate data without undue delay.

5.3.3. Right to erasure (art 17)

Some Member States (e.g. France21) organised debates over this right "to be forgotten". The Court of Justice evoked this right in the case law Google Spain SL v Agencia Española de Protección de Datos (AEPD): "The operator of a search engine is obliged to remove from the list of results displayed following a search made on the basis of a person's name links to web pages, published by third parties and containing information relating to that person, also in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when its publication in itself on those pages is lawful."22 The GDPR fills in the gap by including this right for the data subject: the controller has to erase personal data on the data subject's request, without undue delay. It is mandatory for the following reasons:

- Personal data are no longer necessary in relation to the purpose.
- The data subject withdraws consent (see art 6).
- The data subject objects (see infra art 21).
- Personal data have been unlawfully processed.
- Personal data have to be erased for compliance with a legal obligation.
- Application of art 8 (child consent).

When personal data that one controller has made public are erased, the other controllers have to be informed not to use these personal data anymore: the requested controller has to "take reasonable steps, including technical measures, to inform controllers" (art 17§2). This right has the following limitations, in which it cannot be applied:

- Exercising the right of freedom of expression and information.
- Compliance with legal obligations.
- Reasons of public interest in the area of public health (see art 9).
- Archiving purposes (see art 89).
- Establishment, exercise or defence of legal claims.

5.3.4. Right to restriction of processing (art 18)

The data subject may request the controller to restrict processing when one of the following applies:

- The accuracy of the personal data is contested: the controller must check the accuracy.
- The processing is unlawful.
- The controller no longer needs the personal data for the processing, but they are required for the establishment, exercise or defence of legal claims.
- The data subject has objected.

The effect is that these personal data may only be processed with the data subject's consent.

5.3.5. Right to data portability (art 20)

Anyone can receive the personal data concerning him or her and can consequently transmit those data to another controller:

- When the processing is lawful and carried out by automated means.
- When it is technically feasible.


The right does not apply in the following cases:

- Performance of a task in the public interest or exercise of official authority (e.g. processing data from social security for tax purposes).
- Adverse effect on the rights and freedoms of others.

5.3.6. Right to object (art 21)

The data subject can object to the processing of personal data at any time. Consequently, the controller stops the processing in the following situations:

- The particular situation of the data subject, unless the controller demonstrates overriding interests, rights and freedoms, or grounds for the establishment, exercise or defence of legal claims.
- Direct marketing purposes.

Specific case: a decision based on automated processing, including profiling (art 22). The data subject can object to such a decision. The controller implements measures to safeguard the data subject's rights and freedoms, or at least allows human intervention. However, some situations permit such a decision:

- Performance of a contract between the data subject and the controller.
- Authorisation by law (Union or Member State).
- The data subject's explicit consent.

5.4. Controller

5.4.1. Responsibility and burden of proof

According to the definition23 in the recitals of the current Regulation, the controller is in charge of the processing of personal data. Consequently, the controller has a major responsibility in the processing of personal data: he must implement appropriate technical and organisational measures to ensure and to prove24 compliance with this Regulation. The controller bears the burden of proof. The measures aim to provide data protection by design, like pseudonymisation, data minimisation and safeguards25, and by default: "only personal data which are necessary for each specific purpose of the processing are processed"26. They must be reviewed and updated if necessary.


In some cases, data protection policies27 must be implemented by the controller according to the processing activities. A code of conduct28 (art 40) or a certification system can be implemented too. In some situations, several controllers can be in charge of processing the personal data: joint controllers29. They have to determine both their respective responsibilities for compliance regarding the exercise of the rights of the data subject (= who is responsible for what?) and their respective duties to provide information and communication (see art 13 and art 14). That means that the data subject can exercise each right against each controller involved30.

5.4.2. Types of controllers

The controller can be a natural or legal person established in the Union. Nevertheless, controllers not established in the Union can also be involved in processing. In this latter case, the controller must designate in writing a representative in the Union (art 27§1), with two exceptions (art 27§2), namely:

- When the processing is occasional or does not generate risks for the rights and freedoms of natural persons.
- When the controller is a public authority or body.

The duties of the representative are to be:

- Established in one of the Member States.
- Mandated by the controller to be addressed by supervisory authorities and data subjects.

5.4.3. Duties

5.4.3.1. Contractual clauses

The controller is bound to a processor by a contract, in which contractual clauses determine the duties and obligations of each party in respect of this Regulation. When the controller is a company or organisation employing fewer than 250 persons or there are no risks against the rights and freedoms of natural persons31, he must maintain a record of processing activities with the required information (see art 30§1). It has to be made available to the supervisory authority on request (art 30§4).

5.4.3.2. Cooperation with the supervisory authority

The controller cooperates with the supervisory authority in the performance of its tasks (e.g. CNPD (BE, FR, LU), CNIL (FR)).

5.4.3.3. Security of personal data

Within the security of personal data (art 32), the controller implements appropriate technical and organisational measures including inter alia:

- Pseudonymisation and encryption (e.g. online banking, online payment, e-commerce).
- Ensuring the confidentiality, integrity, availability and resilience of processing systems (e.g. preventing hacking).
- Restoring availability and access in a timely manner in case of an incident (e.g. server down).
- Regular security testing (e.g. IT quality management).
- Risk assessment.
- Codes of conduct (art 40-41): when enterprises decide to implement a code of conduct, the monitoring of compliance and the approval must be undertaken by the supervisory authority or by a body with independence and expertise in relation to the subject matter.
- Certification (art 42):
  o It is a voluntary step through a transparent process.
  o Certification bodies (art 43, 58, 63) may deliver such a certification (e.g. art 63, European Data Protection Seal: this European label is delivered by a certified body, EuroPriSe).
  o It has a duration of 3 years, renewable.

In case of a personal data breach:

- Art 33: the controller must notify the breach to the supervisory authority without undue delay, within 72 hours at most after becoming aware of it, unless there is a risk to the rights and freedoms of natural persons. By default, the information can be sent in phases. The notification must contain the following items:
  o Description of the nature of the personal data breach
  o Description of the consequences of the personal data breach
  o Description of the measures taken or proposed
  o Contact details of the Data Protection Officer (DPO) or other person in charge
- Art 34: the controller must communicate the personal data breach to the data subject without undue delay. The communication must contain the following items "in clear and plain language":
  o Description of the nature of the personal data breach
  o Description of the measures taken or proposed
- The information and communication are not required in the following cases:
  o When the controller has already implemented measures that render the personal data unintelligible to anybody (e.g. encryption used in online banking or e-payment)
  o When the controller has taken measures to prevent the risk of intrusion (e.g. cybersecurity system)
  o When the breach concerns many data subjects with the same problem, the communication can be public (e.g. a security failure announcement with a security patch to load)
- Examples:
  o Data breach notification form available, LU
  o Data breach notification form available, BE


5.4.3.4. Impact assessment (risk assessment)

The controller must carry out a data protection impact assessment (art 35): he must organise risk management in the processing of personal data. He requires the support of the Data Protection Officer if one is designated (see art 40). When is an impact assessment required?

- A systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing.
- Processing on a large scale of special categories of data.
- A systematic monitoring of a publicly accessible area on a large scale.
- A list of processing operations established by the supervisory authority.

Mandatory items:

- Description of the processing and its purposes and, if necessary, the legitimate interest = what?
- Assessment of the necessity and proportionality of the processing operations = why? what for?
- Risk assessment regarding the rights and freedoms of natural persons = limitation?
- List and description of the preventive measures (risks), including safeguards and security measures = protection.
- Compliance with approved codes of conduct.

Please note: the controller can ask the data subjects for their views about such processing. The impact assessment is not mandatory when the processing has a legal basis or an assessment has already been done, unless the Member State requires it.

5.4.3.5. Prior consultation (art 36)

When is a prior consultation required?

- The controller has to carry out an impact assessment in accordance with art 35. The controller provides a list of documents describing the responsibilities of the controller, joint controllers and processors, the purposes, the means, the safeguards, the contact details of the DPO, the impact assessment if required, and any other information requested by the supervisory authority. See single decision (LU) or authorisation (LU).
- The supervisory authority considers that the processing could infringe the Regulation.
- Member States prepare a legislative proposal or regulatory measure that can affect the processing.
- Performance of a task in the public interest, including social protection and public health.

5.4.3.6. Designation of a DPO

The controller and the processor may designate and appoint a Data Protection Officer. They have to communicate the contact details of the DPO to the supervisory authority32 (e.g. when an impact assessment is required or when a DPO is required) and to the data subject (e.g. in case of a personal data breach, see art 33).

5.5. Processor

According to the definition33 in the recitals of the current Regulation, the processor is in charge of the processing operations.

5.5.1. Contract

The contract is in writing, including in electronic form. The Commission may lay down standard contractual clauses in case of subcontracting. A supervisory authority may adopt standard contractual clauses as well.

5.5.2. Duties

The processor cannot engage another processor without the prior written authorisation of the controller. In this case, the second processor is subject to the same set of data protection obligations (art 28§4). He must respect the contract or other legal act that binds him to the controller. Some mandatory clauses are listed in art 28§3. An approved code of conduct applied by a subcontractor can be an asset to demonstrate sufficient guarantees. When a processor infringes this Regulation by determining the purposes and means of processing, this processor is considered to be a controller. When the processor is acting under the authority of the controller or of a main processor, he has access to the data but is not allowed to carry out processing without an express task allocation. When the controller is a company or organisation employing fewer than 250 persons or there are no risks against the rights and freedoms of natural persons34, he must maintain a record of processing activities with the required information (see art 30§2). It has to be made available to the supervisory authority on request (art 30§4). The processor cooperates with the supervisory authority in the performance of its tasks (e.g. CNPD (BE, FR, LU), CNIL (FR)). Within the security of personal data (art 32), the controller implements appropriate technical and organisational measures including inter alia:

- Pseudonymisation and encryption (e.g. online banking, online payment, e-commerce).
- Ensuring the confidentiality, integrity, availability and resilience of processing systems (e.g. preventing hacking).
- Restoring availability and access in a timely manner in case of an incident (e.g. server down).
- Regular security testing (e.g. IT quality management).
- Risk assessment.
- Codes of conduct (art 40-41): when enterprises decide to implement a code of conduct, the monitoring of compliance and the approval must be undertaken by the supervisory authority or by a body with independence and expertise in relation to the subject matter.
- Certification (art 42):
  o It is a voluntary step through a transparent process.
  o Certification bodies (art 43, 58, 63) may deliver such a certification (e.g. art 63, European Data Protection Seal: this European label is delivered by a certified body, EuroPriSe).
  o It has a duration of 3 years, renewable.

In case of a personal data breach, the processor must notify the breach to the controller without undue delay after becoming aware of it.

5.6. Data Protection Officer

The controller and the processor both have to designate a DPO35 in the following situations:

- The processing is carried out by a public authority or body.
- The core activities of the controller and/or the processor require a "regular and systematic monitoring of data subjects on a large scale"36.
- The processing consists of large-scale processing of special categories of data (art 9) or of personal data relating to criminal convictions and offences (art 10).

The controller and the processor may both appoint a DPO: that means that a group of companies or enterprises can appoint a single DPO, but (s)he must be accessible from each establishment (e.g. companies established in more than one Member State). Eligibility of the DPO:

- (S)He is appointed on the basis of professional qualities and "in particular, expert knowledge of data protection law and practices"37.
- (S)He can be a staff member of the controller and/or processor or a service contractor.

Position and relationship with stakeholders (art 38):

- The controller and processor ensure the involvement of the DPO (manner, time, all issues concerned).
- The controller and processor ensure support to perform his/her tasks.
- The controller and processor ensure that the DPO does not receive any instructions regarding his/her tasks (= independence); he reports to top management.
- Data subjects can contact the DPO for all issues related to the processing of their personal data.

5.6.1. Duties

The DPO is bound by secrecy or confidentiality. The DPO may fulfil other tasks and duties; however, the controller and/or the processor ensure that this results in no conflict of interest (art 38§6).

- Reporting: (s)he reports to top management.
- Information and communication: (s)he informs stakeholders about their obligations.
- Quality control: (s)he monitors compliance with the Regulation, Member State data protection provisions and other policies of the controller or processor:
  o Assignment of responsibilities
  o Training
  o Audits
- Advice on the impact assessment (risk assessment) regarding art 35.
- Cooperation with the supervisory authority.
- Prior consultation: (s)he is the contact point for the supervisory authority.


6. TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANISATIONS

Art 44 states the general principle for transfers: any transfer takes place only:

- If the conditions of this Regulation are complied with by the controller and the processor.
- If all provisions are applied in order to ensure that the level of protection is not undermined.

Example 1: transfer of air passenger names to the US, Canada38 and Australia39: Passenger Name Record and preventive measures against terrorism40. Example 2: data protection and Brexit41.

6.1. Types of transfers

6.1.1. On the basis of an adequacy decision (art 45)

The Commission has decided, according to the rule of law, the existence of a supervisory authority or international commitments, that the third country or international organisation ensures an adequate level of protection. No specific authorisation is required.

6.1.2. Transfers subject to appropriate safeguards (art 46)

In the absence of a decision under art 45, the controller or processor may transfer personal data only if appropriate safeguards have been provided:

- A legally binding and enforceable instrument between public authorities or bodies.
- Binding corporate rules (art 47): the formats and procedures for the exchange of information about these rules may be specified by the Commission.
  o The supervisory authority may approve binding corporate rules according to the consistency mechanism (art 63).
  o These rules are enforced by every member concerned, "group of enterprises engaged in a joint economic activity, including their employees"42.
  o These rules confer enforceable rights on data subjects.
  o They fulfil the following requirements:
    - Structure and contact details of the group's stakeholders
    - Data transfers or set of transfers
    - Their legally binding nature
    - Application of general data protection principles (art 6)
    - The rights of data subjects (art 22)
    - Acceptance by the controller and/or processor established in the EU of liability for any breaches of the binding corporate rules
    - Information and communication (art 13-14)
    - The tasks of the DPO designated under art 37
    - Complaint procedure
    - Mechanisms for ensuring compliance control and insurance
    - Mechanisms for reporting and recording changes to the rules
    - Cooperation with the supervisory authority
    - Reporting to the supervisory authority any legal requirement
    - Appropriate data protection training for staff and employees
- Standard data protection clauses adopted by the Commission (art 93) or adopted by a supervisory authority and approved by the Commission.
- An approved code of conduct (art 40).
- An approved certification mechanism (art 42).
- Contractual clauses between the controller and the processor.
- Provisions inserted into administrative arrangements.

6.1.3. Transfers or disclosures not authorised by Union law (art 48)

Any judgment of a court or any decision of an administrative authority of a third country requiring the transfer or disclosure of personal data cannot be recognised or enforced unless an international agreement (mutual legal assistance treaty) exists and is in force between the EU and this third country.

6.1.4. Derogations

In the absence of a decision from the Commission (art 45) or of appropriate safeguards (art 46), a transfer can be allowed only under the following conditions:

- Explicit consent of the data subject (art 7).
- Transfer necessary for the performance of a contract between the data subject and the controller.
- Transfer necessary for the conclusion and/or performance of a contract between the controller and another legal or natural person in the interest of the data subject (see child's consent in art 8).
- Transfer necessary for the public interest.
- Transfer necessary for the establishment, exercise or defence of legal claims.
- Transfer necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent (babies, mentally disabled persons, persons in a coma).
- Transfer from a register open to public consultation for a legitimate interest.

6.1.5. International cooperation (art 50)

The Commission and the supervisory authorities may take appropriate steps to:

- Develop international cooperation mechanisms.
- Provide mutual assistance in the enforcement of legislation for the protection of personal data.
- Liaise with the relevant stakeholders for further international cooperation.
- Promote the exchange of documentation and best practice within the EU, including on jurisdictional conflicts with third countries.


7. INDEPENDENT SUPERVISORY AUTHORITIES

7.1. Definition

Each Member State provides one or more independent public authorities, named "supervisory authority", responsible for monitoring the application of this Regulation in order to:

- Protect the rights and freedoms of natural persons.
- Facilitate the free flow of personal data within the EU.
- Contribute to the consistent application of this Regulation.
- Cooperate with other supervisory authorities and the Commission.

In case of several supervisory authorities, the Member State designates the one which represents the others on the Board and defines the compliance mechanism.

The main distinctive feature is independence (art 52):

- Complete independence in performing tasks.
- Members remain free from external influence (no instructions from anyone).
- Members refrain from any action incompatible with their duties.
- The Member State ensures that each supervisory authority receives the right human, technical and financial resources.
- The Member State ensures that each supervisory authority is free to recruit the right people.
- The Member State ensures that each supervisory authority is subject to financial control.

The Member State provides for the establishment of its own supervisory authority (art 54).

7.2. Member nomination and duties

The Member State provides a transparent procedure by parliament, government, head of state or an independent body (e.g. in Belgium, SELOR is the official public selection body). Each member must have the required qualifications, experience and skills to perform his or her tasks. The end of duties may be triggered by the expiry of the term of office, resignation or retirement. A dismissal occurs in case of serious misconduct or if the member no longer fulfils the conditions of eligibility.

7.3. Competences and tasks

Each supervisory authority is competent:

- For the performance of the tasks assigned in accordance with this Regulation.
- On the territory of its own Member State.
- As lead supervisory authority in case of cross-border processing, when the main establishment of the controller or processor is on its territory.
- To handle a complaint if it concerns a controller established on the same territory.
- Not for supervising the processing operations of courts.


Each supervisory authority on its territory does the following:

- Monitor and enforce the application of this Regulation.
- Monitor relevant developments.
- Promote public awareness.
- Promote the awareness of controllers and processors about their obligations and duties.
- Advise Member State entities (parliament, government), controllers and/or processors (prior consultation).
- Provide information upon request.
- Handle complaints: art 58§4 states that the supervisory authority may bring infringements to the attention of the judicial authorities and, where appropriate, engage in legal proceedings.
- Cooperate with other supervisory authorities (mutual assistance, sharing of information) to ensure the consistent application of this Regulation.
- Conduct investigations (art 58§1) (e.g. another supervisory authority communicates some critical information that must be checked):
  o Order the controller and/or processor to provide any information required (e.g. personal data breach), notify any infringement, access to premises
  o Audits
  o Review of certifications (e.g. renewal, information about the misbehaviour of a certified controller)
  o Issue warnings or reprimands to the controller and/or the processor
  o Check the compliance of current processing
  o Order rectification, erasure or restriction of processing (art 16 to 18)
- Adopt standard contractual clauses, authorise clauses and provisions.
- Maintain a list for impact assessments.
- Encourage the drafting of codes of conduct and certification.
- Approve codes of conduct, certifications, standard contractual clauses and binding corporate rules.
- Contribute to the Board's activities.
- Keep an internal record of infringements of the Regulation.
- Any tasks related to the protection of personal data.
- Produce an annual report regarding its activities, including a list of the types of infringements and measures (art 59).

Costs: free of charge for the data subject and, where applicable, for the DPO.


8. COOPERATION AND CONSISTENCY

8.1. The lead supervisory authority

A lead supervisory authority can be designated and is in charge of reaching a consensus between all of them (art 60). Consequently, the lead supervisory authority may request mutual assistance between all the local supervisory authorities or conduct joint operations (art 62) (e.g. an investigation). Some procedures and time limits are defined within this Regulation (see art 60). Art 61 defines mutual assistance between supervisory authorities: "Mutual assistance shall cover, in particular, information requests and supervisory measures, such as requests to carry out prior authorisations and consultations, inspections and investigations." Joint operations include, according to art 62§1, "joint investigations and joint enforcement measures in which members or staff of the supervisory authorities of other Member States are involved." Example: a processor (e-commerce web site) in one EU Member State processes the personal data of data subjects from another one and uses them for other purposes (targeting for a new product).

8.2. The European Data Protection Board

The consistency mechanism contributes to the application of this Regulation; therefore the supervisory authorities cooperate with each other and, where relevant, with the Commission through another stakeholder, "the Board" (see art 68), which:

- Issues an opinion in case of:
  o Impact assessment
  o Draft code of conduct
  o Accreditation of a certification body
  o Determination of standard contractual clauses
  o Approval of binding corporate rules
- Is competent to adopt a binding decision in case of a dispute between supervisory authorities or between the lead supervisory authority and another one.
- The Chair of the Board communicates all information received to the Board members and to the Commission.
- The Commission communicates all relevant information.

A supervisory authority can derogate from this mechanism through the urgency procedure (see art 66). This procedure applies if the supervisory authority considers that there is an urgent need to act in order to protect the rights and freedoms of data subjects.

8.2.1. Members

The Board is composed of (art 68 §3 to §5):

- the head of one supervisory authority of each Member State, or their respective representatives;
- the European Data Protection Supervisor (EDPS), or its representative, with voting rights only on decisions concerning principles and rules applicable to the Union institutions and bodies which correspond in substance to those of this Regulation (art 68 §6);
- the Commission, which participates without voting right.


Report (art 71): the Board produces an annual report on its activities. Vote (art 72): decisions are taken by a simple majority of the members, unless the Regulation provides otherwise; the Board adopts its own rules of procedure by a two-thirds majority. Some discussions may be confidential, as defined in its rules of procedure (art 76 §1). The Chair, elected by the Board (art 73), represents the Board and is responsible for convening the meetings and preparing the agenda, notifying the decisions adopted by the Board and ensuring the timely performance of its tasks (art 74), i.e. its operational management. The secretariat is provided by the European Data Protection Supervisor (EDPS) and performs its tasks exclusively under the instructions of the Chair of the Board (art 75). The EDPS staff involved in the Board's tasks are subject to separate reporting lines from the staff involved in the EDPS's own tasks. Moreover, the EDPS and the Board establish and publish a Memorandum of Understanding determining the terms of their cooperation (art 75 §4).

8.2.2. Duties

The Board is an independent body (art 69). It ensures the consistent application of the Regulation, on its own initiative or at the request of the Commission, in particular through the following tasks (art 70):

- monitoring and ensuring the correct application of the Regulation (a form of arbitration between supervisory authorities);
- advising the Commission;
- issuing guidelines, recommendations and best practices (e.g. erasure of links to personal data, personal data breaches, data subject requests, binding corporate rules, transfers, ...);
- encouraging the drawing up of codes of conduct;
- carrying out the accreditation of certification bodies;
- promoting cooperation (exchange of information, exchange of knowledge, ...);
- promoting training;
- maintaining a publicly accessible register of all decisions taken by supervisory authorities and courts on issues handled in the consistency mechanism.


9. REMEDIES, LIABILITIES AND PENALTIES

9.1. PROCEEDING ITEMS

9.1.1. Representation of data subjects

The data subject may bring proceedings himself or mandate a not-for-profit body, organisation or association, properly constituted in accordance with the law of a Member State, with statutory objectives in the public interest and active in the field of the protection of data subjects' rights, to lodge the complaint and exercise the rights on his or her behalf (art 80 §1). Example: consumers' associations. A Member State may provide that such a body can lodge a complaint independently of a data subject's mandate (art 80 §2).

9.1.2. Suspension of proceedings

When a competent court of a Member State has information on proceedings concerning the same subject matter as regards processing by the same controller or processor that are pending in a court of another Member State, it contacts that court to confirm the existence of such proceedings (art 81 §1). In this case, any competent court other than the court first seised may suspend its own proceedings (art 81 §2).

9.2. RIGHT TO LODGE A COMPLAINT WITH A SUPERVISORY AUTHORITY

Every data subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement (art 77 §1). The supervisory authority with which the complaint has been lodged informs the data subject of the progress and the outcome of the complaint, including the possibility of a judicial remedy (art 77 §2).

9.3. RIGHT TO AN EFFECTIVE JUDICIAL REMEDY AGAINST A SUPERVISORY AUTHORITY

Art 78 §1 states: "each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them." Consequently, each data subject has this right too, in particular where the supervisory authority does not handle a complaint or does not inform the data subject within three months of its progress or outcome (art 78 §2). The courts of the Member State where the supervisory authority is established are competent to hear the case (art 78 §3). Where an opinion or a decision of the Board under the consistency mechanism has been issued, the supervisory authority concerned forwards it to the court (art 78 §4).

9.4. RIGHT TO AN EFFECTIVE JUDICIAL REMEDY AGAINST A CONTROLLER OR PROCESSOR

Art 79 §1 states: "each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation." Proceedings may be brought before the courts of the Member State (art 79 §2):

- where the controller or processor has an establishment;
- where the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers.


9.5. RIGHT TO COMPENSATION AND LIABILITY

Art 1382 of the Belgian Civil Code ("Tout fait quelconque de l'homme, qui cause à autrui un dommage, oblige celui par la faute duquel il est arrivé, à le réparer.") provides that any act of a person which causes damage to another obliges the person through whose fault it occurred to make reparation. The same principle is adopted in this Regulation (art 82 §1): "Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered." Consequently, any controller or processor involved in the processing is liable for the damage caused by processing which infringes this Regulation (art 82 §2). Exemption (art 82 §3): the controller or processor proves that it is not in any way responsible for the event giving rise to the damage:

- it bears the burden of proof;
- it must prove that there is no causal connection between its conduct and the damage.

Each controller or processor involved is held liable for the entire damage, in order to ensure effective compensation of the data subject (art 82 §4). When a controller or processor has paid full compensation, it is entitled to claim back from the other controllers or processors involved the part of the compensation corresponding to their share of responsibility for the damage (art 82 §5).

9.6. ADMINISTRATIVE FINES

Each supervisory authority ensures that the imposition of administrative fines is "in each individual case effective, proportionate and dissuasive" (art 83 §1). How is the amount of such a fine fixed? The supervisory authority takes the following items into account (art 83 §2), as aggravating or mitigating factors:

- the nature, gravity and duration of the infringement, including the number of data subjects affected and the level of damage suffered;
- the intentional or negligent character of the infringement;
- any action taken by the controller or processor to mitigate the damage;
- the degree of responsibility, taking into account the technical and organisational measures implemented (art 25 and 32);
- any relevant previous infringements;
- the degree of cooperation with the supervisory authority;
- the categories of personal data affected;
- the manner in which the supervisory authority became aware of the infringement, in particular whether the controller or processor notified it;
- where measures referred to in art 58 §2 have previously been ordered against the controller or processor on the same subject matter, compliance with those measures;
- adherence to approved codes of conduct (art 40) or approved certification mechanisms (art 42);
- any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained or losses avoided.



Where the legal system of a Member State does not provide for administrative fines, art 83 may be applied in such a manner that the fine is initiated by the competent supervisory authority and imposed by the competent national courts, with an effect equivalent to administrative fines imposed by supervisory authorities (art 83 §9): "Those Member States shall notify to the Commission the provisions of their laws which they adopt pursuant to this paragraph by 25 May 2018 and, without delay, any subsequent amendment law or amendment affecting them."

9.6.1. Art 83 §4

Infringements of the following provisions:

- the obligations of the controller and the processor:
  o child's consent (art 8);
  o processing which does not require identification (art 11);
  o duties of controller and processor (art 25 to 39);
  o certification (art 42 and 43);
- the obligations of the certification body (art 42 and 43);
- the obligations of the monitoring body of a code of conduct (art 41 §4).

Maximum: up to 10 000 000 EUR or, in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.

9.6.2. Art 83 §5

Infringements of the following provisions:

- the basic principles for processing, including conditions for consent:
  o principles relating to processing (art 5);
  o lawfulness (art 6);
  o consent (art 7);
  o processing of special categories of personal data (art 9);
- the data subjects' rights (art 12 to 22);
- the transfers of personal data to a recipient in a third country or an international organisation (art 44 to 49);
- any obligations pursuant to Member State law adopted under Chapter IX;
- non-compliance with an order or a temporary or definitive limitation on processing imposed by the supervisory authority under art 58 §2, or failure to provide access in violation of art 58 §1.

Maximum: up to 20 000 000 EUR or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.

9.6.3. Penalties

Member States lay down the rules on other penalties applicable to infringements of this Regulation, in particular for infringements which are not subject to administrative fines pursuant to art 83; these penalties must also be effective, proportionate and dissuasive (art 84 §1). In that case, "each Member State shall notify to the Commission the provisions of its law which it adopts pursuant to paragraph 1, by 25 May 2018 and, without delay, any subsequent amendment affecting them." (art 84 §2)


10. LINK REPOSITORY

10.1. EUROPEAN SOURCES

- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
- Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA
- Charter of Fundamental Rights of the European Union
- Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data
- Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)
- European Data Protection Supervisor (EDPS)

Related web sites:
- https://gdpr-info.eu/
- https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en#legislation
- https://ec.europa.eu/info/departments/data-protection-officer_en
- https://edps.europa.eu/edps-homepage_en?lang=en
- https://edps.europa.eu/data-protection/our-work/publications/legislation/regulation-ec-no452001_en
- https://edps.europa.eu/data-protection/our-work/publications/legislation/decision-no12472002ec_en

10.2. NATIONAL SOURCES

- CNPD (LU)
- CPP (BE): CPVP (FR) – CBPL (NL)
- CNIL (FR)
