Summaries: Law and Technology LLM Tilburg University
Academic Year: 2020-2021
! Disclaimer: Copyright of slides, schemes, pictures belongs to Tilburg University, its lecturers
and/or respective owners !
Lecture 1: Territorial scope of the GDPR – Eleni Kosta
Lecture Notes
A. Territorial scope of the GDPR
From Directive to Regulation
• Because it was a Directive, each country had its own data protection legislation
(1) First Criterion: establishment criterion (this is
the same again in the GDPR)
(2) Second Criterion: when controller was not situated in a MS, but national law applied by virtue of international law
(3) Third Criterion: when controller was not established in the EU, but used equipment situated on
territory of Member State
§ Notion of equipment was interpreted in a broad way
§ A29WP: cookies were considered as equipment
Article 3 GDPR → territorial scope
(1) Applies to the processing of personal data in the context of the activities of an establishment of a
controller or a processor in the Union, regardless of whether the processing takes place within the EU
(2) Applies to the processing of personal data of DS in the EU by a controller/processor not established in the Union
(a) Offering of goods or services
(b) Monitoring of their behavior
(3) Applies to processing of personal data by a controller not established in the Union, but in a place
where MS law applies by virtue of public international law (e.g. diplomats)
Who is protected? EDPB: any personal data processing, not only residents but everyone who is in the
EU regardless of location or nationality (includes also illegally residing people in the EU)
What is an establishment?
Recital 22: effective and real exercise of activity through stable arrangements and that the legal form
of such an establishment, whether simply a branch or subsidiary with a legal personality, is not the
determining factor (Weltimmo)
• Degree of stability of the arrangements and the effective exercise of activities
• Must be interpreted in the light of the specific nature of the economic activities and the provisions
of the services concerned (particularly true for undertakings offering services exclusively over the
Internet)
• Controller exercises through stable arrangements in the territory of that MS a real and effective
activity – even a minimal one – in context of which that processing is carried out
⇒ What was decided in Weltimmo was translated into Recital 22 GDPR
CJEU invited referring court to consider:
(i) that the activity of the controller in respect of that processing, in the context of which that
processing takes place, consists of the running of property dealing websites concerning
properties situated in the territory of that Member State and written in that Member State’s
language and that it is, as a consequence, mainly or entirely directed at that Member State, and...
(ii) that that controller has a representative in that Member State, who is responsible for
recovering the debts resulting from that activity and for representing the controller in the
administrative and judicial proceedings relating to the processing of the data concerned.
By contrast, the issue of the nationality of the persons concerned by such data processing is
irrelevant.
‘In the context of the activities’
• Not necessary that processing is carried out by the relevant EU establishment itself
• Inextricable link between: activities of the operator of search engine and those of its
establishment situated in MS concerned (Google Spain)
• processing of personal data is carried out in the context of the activities of an establishment
of the controller on the territory of a Member State...when the operator of a search engine sets
up in a Member State a branch or subsidiary which is intended to promote and sell advertising
space offered by that engine and which orientates its activity towards the inhabitants of that
Member State. (Google Spain)
• Revenue-raising is indicative of processing by non-EU controller being carried out in the
‘context of the activities of EU establishment’ and may be sufficient to result in the application
of EU law to such processing (EDPB Guidelines 3/2018)
• ‘Regardless of whether the processing takes place in the Union or not’ (EDPB Guidelines)
§ Place of processing not relevant in determining whether or not the processing, carried out
in the context of the activities of an EU establishment, falls within the scope of the GDPR
§ It is the presence and the fact that a processing takes place in the context of the activities of
this establishment that trigger application of GDPR
§ Example from EDPB Guidelines: Pharmaceutical company with HQ in Stockholm has
located all its personal data processing activities with regard to its clinical trial data in its
branch based in Singapore. While processing activities are taking place in Singapore, that
processing is carried out in the context of the activities of the pharmaceutical company in
Stockholm i.e. of a data controller established in the Union (Article 3(1) applies)
• ‘Processing by a controller in the EU using a processor not subject to the GDPR’
§ Controller has to ensure that processor processes in accordance with GDPR through
contract or another legal act (Article 28(3) GDPR)
§ Obligations imposed on processors under Articles 28, 19, 31, 32, 33, 37, 38
§ Provisions on transfers Chapter V
Data Subjects in the Union
• Recital 14: The protection afforded by GDPR should apply to natural persons, whatever their
nationality or place of residence
• EDPB: Not limited by citizenship, residence or other type of legal status. Requirement that the
data subject is located in the Union must be assessed at the moment when relevant trigger
activity takes place, i.e. when goods or services are offered or behavior is monitored, regardless of duration
Offering goods or services
• Recital 23: to determine whether a controller/processor is offering goods/services to data
subjects who are in the Union, it should be ascertained whether it is apparent that the controller
or processor envisages offering services to data subjects in the Union
• What could make it apparent? Use of a language or a currency generally used in one or more
MS with the possibility of ordering goods and services in that other language, or mentioning of
customers or users who are in the Union
Monitoring of behavior
• The behavior monitored must relate to a data subject in the Union
• The monitored behavior must take place within the territory of the Union
• Recital 24: To determine whether an activity is considered monitoring: are natural persons
tracked on the internet? Including profiling a natural person, particularly in order to take
decisions concerning her/him or for analyzing or predicting his/her personal preferences...
• EDPB: neither Article 3(2)(b) nor Recital 24 introduce degree of ‘intention to target’, but the
use of word ‘monitoring’ implies that controller has a specific purpose in mind for the
collection and subsequent reuse of data about behavior
• EDPB: necessary to consider the controller’s purpose and any subsequent behavioral analysis
or profiling techniques involving that data
• List of monitoring techniques that could fall under ‘monitoring’:
§ Behavioral advertisement
§ Geo-localization activities, in particular for marketing purposes
§ Online tracking through the use of cookies or other tracking techniques such as fingerprints
§ Personalized diet and health analytics service online
§ CCTV
§ Market surveys and other behavioral studies based on individual profiles
§ Monitoring or regular reporting on an individual’s health status
Public International Law
• Article 3(3) GDPR, Recital 25: diplomatic mission or consular post
Under which Article does GDPR apply?
If there are different processors, does it apply to them? Advice: have a contract with the controller as
prescribed by Article 28
B. Main Establishment and Competent SA
Article 29WP Opinion 244 ‘Guidelines for identifying lead supervisory authority’
‘Main Establishment’
• To find main establishment, first: identify central administration of the data controller in EU
• Central administration: place where decisions about the purposes and means of processing of
personal data are taken and this place has the power to have such decisions implemented
• Article 4(16) GDPR: ‘main establishment’ definition
• Recital 36: objective criteria to determine main establishment, should imply the effective and
real exercise of management activities determining the main decisions as to the purposes and
means of processing through stable arrangements. Presence of technical means is not a
determining criterion
Competent DPA
• Recital 36: in cases involving both the controller and the processor, the competent lead SA
should remain the supervisory authority of the MS where controller has its main
establishment
§ Still, SA of the processor should participate in cooperation procedure
• When draft decision concerns only the controller, then processor’s establishments not relevant
• Where group of undertakings: main establishment of them
• A29WP: where cross-border processing activities → single lead supervisory authority. There
might be cases however that establishment other than place of central administration makes
autonomous decisions concerning means and purposes of activity → more than one lead
authority can be identified (Example: multinational having separate decision-making centers in
different countries for separate processing activities)