Exam Ready Notes
[CIPP-E]
Module 1: Data Protection Laws
1 European Data Protection Timeline
1.1 1948 – the origin of modern-day privacy can be traced back to the United Nations' Universal Declaration
of Human Rights (1948, a non-binding declaration, not a legally binding treaty) – its most important contents
include: (i) the right to private life (Article 12); (ii) the right to freedom of expression (Article 19); and (iii)
Article 29(2), which states that rights are not absolute and that a balance should be struck between them. This
applies to United Nations members only, and was unrelated to the EU.
1.2 1950 – the European Convention on Human Rights ("ECHR", signed 1950 and effective 1953), which
contained: (i) the right to privacy (Article 8), (ii) the right to freedom of speech (Article 10(1)), and (iii) balance
(Article 10(2)) – all of which echo and were formed on the basis of the Universal Declaration of Human
Rights.
1.3 1960s-1970s – economic and technological advancements meant more international trade and reliance
on computers and telecommunications. This gave rise to the development of extensive banks of personal
data and opportunities surrounding international data processing. Recognising that national legislation
was inadequate, the Council of Europe established a framework containing Recommendation 509 (1968),
later built upon by Resolutions 73/22 and 74/29 (which set out principles for protecting personal data held
in automated databanks); these tried to align the disparate national legislation which had been springing
up between 1960 and 1980.
1.4 1980s-1990s – two significant data protection initiatives sprang up:
(a) 1980, the Organisation for Economic Co-operation and Development (with help from the Council
of Europe) issued the Guidelines on the Protection of Privacy and Transborder Flows of
Personal Data (the "OECD Guidelines") – these set out non-binding principles on (i)
transborder data flows and (ii) the protection of personal information, designed to serve as the
basis for legislation in countries with no data protection laws. The guidelines apply equally to the
public and private sectors, and to personal information gathered manually or electronically (to avoid
circumvention by unscrupulous entities). The OECD Guidelines were later updated in 2013 (see
Schedule 1 (OECD Guidelines) for details).
(b) 1981, the Council of Europe developed Convention 108 (Convention for the Protection of
Individuals with regard to Automatic Processing of Personal Data), which was open to non-
European countries (e.g., Mauritius, Senegal and Uruguay have acceded to it). It differs from the
OECD Guidelines in that it is legally binding and requires signatories to take steps to reflect it
in their domestic legislation (rather than being designed to serve as the basis or "inspiration" for
legislation). Convention 108 was the first legally binding international instrument which tried to
balance privacy against the need to maintain the free flow of personal data for international trade.
Note, see 1.6(c) below for when the Additional Protocol was added in 2001, which covered cross-
border personal data flows. Also see 1.6(j) below on Convention 108+, which overhauled
Convention 108 in 2018.
1.5 1995, the EU Data Protection Directive (95/46/EC) ("Data Protection Directive") was adopted to address
the issues raised by Convention 108. Convention 108 was designed to harmonise the approach to data
protection internationally, but given that its implementation was left to the discretion of the signatories,
it led to a diverse range of approaches. To address this, the European Commission proposed the
introduction of a directive (a directive requires that a member state achieve [X], but doesn't specify
how), which led to the Data Protection Directive. The Data Protection Directive first required the
establishment of national DPAs, and the Article 29 Working Party ("WP29"). The Data Protection Directive
was later repealed in 2018.
1.6 2000s, the following happened:
(a) 2000 – the Charter of Fundamental Rights of the EU was signed, which (i) contains the general
principles found in the ECHR, but also (ii) requires the protection of personal data – this was later
made legally binding in 2009 (see (f) below);
(b) 2000 – the E-Commerce Directive (Directive 2000/31/EC) (the "E-Commerce Directive") states
that issues related to the processing of personal data are outside its scope;
(c) 2001 – the "Additional Protocol" was added to Convention 108, which covered how personal
data should be transferred to countries which were not signatories to Convention 108;
(d) 2002 (later amended in 2009) – the Privacy and Electronic Communications Directive
(2002/58/EC) ("ePrivacy Directive") which applies to "the processing of personal data in
connection with the provision of publicly available electronic communications services in public
communications networks in the EU", note this doesn't cover private networks (e.g., employer's
intranet). The ePrivacy Directive governs the processing of location data, content data and traffic
data;
(e) 2006 – the EU Data Retention Directive (2006/24/EC) was adopted, later to be annulled in 2014
on the grounds that data retention is addressed by national laws across the EU;
(f) 2007 – the Treaty of Lisbon was signed (effective 2009), bringing the Charter of Fundamental
Rights of the EU into full legal effect in the EU. The Treaty of Lisbon also amended the Treaty
on European Union ("TEU") and the (renamed) Treaty on the Functioning of the European Union
("TFEU"), which are the central pillars of the EU;
(g) 2016 – the General Data Protection Regulation ("GDPR") replaced the EU Data Protection
Directive (see 1.5) following the 'trilogue' between the European Commission, European
Parliament, and Council of the EU. As a regulation, the GDPR applies directly to all member
states, without the need for transposition into national law;
(h) 2016 – the Law Enforcement Data Protection Directive ("LEDP Directive") is designed to
harmonise rules relating to the protection of citizens' fundamental rights where personal data is
used by criminal law enforcement authorities;
(i) 2016 – the Directive on security of network and information systems ("NIS Directive") was the
first EU-wide cybersecurity legislation;
(j) 2018 – Convention 108 was overhauled to be Convention 108+. Third countries now use
Convention 108+ to align with and get an adequacy decision for the GDPR since Recital 105 of
the GDPR requires that compliance with Convention 108+ be considered when determining
adequacy decisions; and
(k) 2018 – the Data Protection Act 2018 is the UK's implementation of the GDPR.
2 The European Court of Human Rights (ECtHR)
2.1 The ECtHR upholds privacy and data protection rules by enforcing (i) the ECHR and (ii) Convention
108. The ECtHR is not a part of the EU.
3 The Council of Europe, the EU, and the EEA
3.1 Bodies of the European Union:[1]
European Parliament (Strasbourg)
• All members are directly elected.
• Responsibilities include: (i) legislative development, (ii) supervisory oversight of the other
institutions, (iii) development of the EU budget, and (iv) democratic representation.
• The European Parliament and the Council of the EU are co-legislators and make legislation using
the ordinary procedure, consultation procedure and consent procedure. Legislation is always
first submitted by the European Commission.[2]
Council of the EU
• The European Parliament and the Council of the EU are co-legislators and make legislation using
the ordinary procedure, consultation procedure and consent procedure. Legislation is always
first submitted by the European Commission.
• Also inputs on the EU budget alongside the European Parliament.
• Meetings are attended by one minister from each member state; that minister changes depending
on the nature of the issues to be discussed.
European Council
• Comprised of the heads of state of all EU countries, plus: (i) the European Council President, (ii) the
European Commission President, and (iii) the High Representative for Foreign Affairs and
Security Policy.
• Defines the EU's priorities and sets its political direction, making binding decisions, not just being
an advisory body.
European Commission
• Implements the EU's decisions and policies.
• Has almost exclusive competence to propose legislation, which is then discussed by the Council of
the EU and the European Parliament.
• Comprised of one commissioner per member state, who pledges to respect the EU treaties.
• Responsible for member state implementation of EU legislation (e.g., GDPR), and may impose
fines against member states in breach (Articles 226 and 228 of the TFEU).
o The European Commission enforces the Charter of Fundamental Rights of the EU, which is
central to data protection in the EU.
• Is the institution responsible for granting adequacy decisions.
Court of Justice of the EU ("CJEU")
• Not to be confused with the ECtHR, which enforces the European Convention on Human Rights (a
pan-European convention with many non-EU signatories).
• Makes decisions on the topic of EU law, either on (i) an action taken by the European Commission
against a member state, or (ii) an individual looking to enforce their rights under EU law, often
providing clarification and interpretation of EU law to national courts.
o Can invalidate adequacy decisions.
• Comprised of the European Court of Justice ("ECJ") and the General Court.
[1] Note, we have not included the European Central Bank and the Court of Auditors here.
[2] Note, there are some circumstances where European Commission input isn't needed to propose legislation.
4 Differences between the Data Protection Directive (gone) and the GDPR
(a) Data Protection Directive: placed obligations on member states to locally implement (i.e., ratify).
GDPR: directly applicable and enforceable as law.
(b) Data Protection Directive: limited to data Controller obligations only.
GDPR: imposes obligations on Controllers and Processors.
(c) Data Protection Directive: was transposed into 28 national laws in the EU.
GDPR: single set of unified rules.
(d) Data Protection Directive: applies whenever the Controller uses equipment situated within the EU in
order to process data.
GDPR: applies when the territorial and material scope are triggered. Also applies where tracking Data
Subjects on the internet to analyse or predict their personal preferences – i.e., cookies (Recital 24); this
is a significant widening.
(e) Data Protection Directive: formed the WP29.
GDPR: formed the European Data Protection Board ("EDPB"), whose main objective is to ensure the
correct application of the GDPR.
(f) GDPR: set a higher bar for consent to be validly given (see consent).
(g) GDPR: added information provision requirements (see Module 6 (Information Provision
Obligations)).
(h) Data Protection Directive: differed across member states.
GDPR: allows member states a degree of tailoring (~50 provisions in the GDPR allow for local law
clarification or exception).
(i) Data Protection Directive: contained the (i) right of access, (ii) right of rectification, (iii) right to
erasure, and (iv) right to object.
GDPR: introduced the new rights of (i) data portability, (ii) restriction of processing, (iii) right to be
forgotten, and (iv) rights relating to profiling (see Module 5 (Data Subject's Rights)).
(j) GDPR: new accountability regime involving (see Module 10 (Accountability)): requirement to have
data protection policies; data protection by design and default; record-keeping obligations;
cooperation with DPAs; carrying out of DPIAs for high-risk activities; prior consultation with DPAs
before high-risk activities; and requirement to have a DPO.
(k) GDPR: widened the circumstances where international data transfers can happen to include binding
corporate rules and standard contractual clauses (see Module 7 (International Data Transfers)).
(l) GDPR: new requirement to notify the DPA of data breaches (see Notification of Data Breaches to
the DPA (Article 33)).
(m) GDPR: increased sanctions, including fines. Individuals can now seek compensation for breaches
(see Remedies, Liabilities and Penalties).
(n) GDPR: removed the notification obligation, instead opting for an accountability regime.
The GDPR succeeded in rolling out a uniform set of rules relating to privacy.
5 Interplay between the ePrivacy Directive and GDPR
5.1 The ePrivacy Directive was originally designed to align with the Data Protection Directive (replaced by the
GDPR in 2016). The ePrivacy Directive relates to "the processing of personal data in connection with the
provision of publicly available electronic communications services in public communications networks",
whilst the GDPR relates more generally to the "processing of personal data".
5.2 The EDPB has issued an opinion (Opinion 5/2019) on the interplay between these two, which explains:
(a) Special provisions prevail over general rules (e.g., the range of possible lawful grounds of
processing personal data, as listed in Article 6 of the GDPR, cannot be applied by a provider of
electronic communications services to the processing of traffic data, because Article 6 of the
ePrivacy Directive explicitly limits the conditions in which traffic data, which includes personal
data, may be processed);
(i) where there is no specific provision, the general rule shall apply;
(b) Several ePrivacy Directive provisions complement GDPR provisions (e.g., several
provisions of the ePrivacy Directive seek to protect "subscribers" and "users" of a publicly
available electronic communications service, akin to the concept of protecting natural or legal
persons under the GDPR);
(c) Article 95 of the GDPR states that it will not impose additional obligations in relation to the
processing of data in connection with the provision of publicly available electronic
communications services in public communication networks in the EU for which there are already
specific obligations under the ePrivacy Directive; and
(d) the GDPR should avoid the imposition of unnecessary administrative burdens upon
Controllers who would otherwise be subject to similar but not quite identical administrative
burdens.
6 Balancing Data Protection against other Fundamental Rights
6.1 The right to data protection isn't absolute; it must be balanced against the other fundamental rights, in
particular (Recital 4):
(a) the respect for private and family life, home and communications; the protection of personal data;
freedom of thought, conscience and religion; freedom of expression and information; freedom to
conduct a business; the right to an effective remedy and to a fair trial; and cultural, religious and
linguistic diversity.
Module 2: Personal Data
1 What is personal data?
1.1 Personal data is defined in Article 4(1) as:
(a) any information;
(i) this can be any information, in any format;
(ii) the information doesn't have to be confined to that person's personal life (e.g., work
phone numbers can be personal data);
(iii) the information doesn't need to be true in order to be personal data;
(b) relating to;
(i) information may be considered to "relate to" a natural person if one of the following
elements applies:[3]
(A) "content" – where the content of the information relates to the person in the
most basic use of the word (e.g., test results clearly relate to a student);
(B) "purpose" – where purpose of the information being processed is to analyse,
consider or evaluate the person;
(C) "result" – where the result of processing the information has an impact on the
person's rights and interests;
(c) an identified or identifiable;
(i) "identified" means the person has been named or singled out by reference to specific
characteristics of that person;
(ii) a person is "identifiable" if it is possible to identify them – this can be done through a
single piece of information, or when information is combined with other information
(even if that other information isn't retained by the Controller);
(A) it can't just be that it is "hypothetically possible" that we could identify the
person, the possibility of identifying the individual (taking into consideration the
means reasonably likely to be used) must be reasonable;
(d) natural person.
(i) must be alive, as the personal data of dead people is dealt with under national law.
1.2 The more information you have aggregated, the harder it is to de-identify that information from the person
to whom it relates. In other words, the more information you have relating to an identifiable person, the
more likely it is to be personal data.
1.3 Personal data may relate generally to a person, or relate to them in a professional capacity:
(a) "general personal data" includes: (i) gender, (ii) age, (iii) citizenship status, (iv) marital status, (v)
languages spoken, and (vi) veteran status; and
(b) "organisational personal data" includes: (i) phone numbers, (ii) email addresses, (iii) internal ID
numbers, (iv) government ID numbers, and (v) identity verification numbers.
[3] This guidance was issued by WP29 in Opinion 4/2007.
2 Anonymous and pseudonymous data
2.1 "Anonymous data" is not related to an identified or identifiable natural person; it has been rendered
unidentifiable and is therefore not protected by the GDPR. It is not always possible to anonymise data,
particularly within a single organisation.
2.2 "Pseudonymous data" is not anonymous; it has gone through a process to detach the aspects of the data
attributed to an identified or identifiable person (similar to creating an alias), by (i) separating them from the
rest of the data, and (ii) subjecting them to organisational and technical measures to keep the data
pseudonymous. Pseudonymous data cannot be attributed to a particular Data Subject without additional
information, which is kept separately. Pseudonymous data is protected by the GDPR.
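The following is an added illustration of the pseudonymisation process described in 2.2 above; it is not part of the original notes and not taken from any regulator's guidance. It replaces the direct identifiers in a constructed set of customer records with a keyed token, and keeps the token-to-identity table (the "additional information") apart from the records. The record fields, the purpose of the data and the key-custodian arrangement are all assumptions made for the example.

```python
import hmac
import hashlib
import secrets

# Constructed sample records; the people, addresses and amounts are invented.
RECORDS = [
    {"name": "Ada Example", "email": "ada@example.com", "postcode": "SW1A 1AA", "order_total": 42.50},
    {"name": "Bob Sample", "email": "bob@example.com", "postcode": "EH1 1YZ", "order_total": 13.00},
    {"name": "Ada Example", "email": "ada@example.com", "postcode": "SW1A 1AA", "order_total": 7.99},
]

# Fields that directly identify the person and must be detached from the dataset.
DIRECT_IDENTIFIERS = ("name", "email")


def pseudonym_token(identifier: str, key: bytes) -> str:
    """Derive a deterministic token for a direct identifier.

    A keyed HMAC is used rather than a plain hash so that the token cannot be
    rebuilt from a guessed e-mail address by anyone who does not hold the key;
    the key is the technical measure that keeps the data pseudonymous.
    """
    digest = hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256)
    return digest.hexdigest()[:16]


def pseudonymise(records, key: bytes):
    """Return (pseudonymised records, lookup table).

    The lookup table maps token -> direct identifiers and is the 'additional
    information' that must be stored separately (different system, different
    access controls) from the pseudonymised records.
    """
    out, lookup = [], {}
    for rec in records:
        token = pseudonym_token(rec["email"], key)
        lookup[token] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        stripped = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        stripped["subject_id"] = token
        out.append(stripped)
    return out, lookup


def reidentify(record, lookup):
    """Re-attribute a record to a person. Works only with the separately held table."""
    return lookup.get(record["subject_id"])


def demo():
    # In practice the key is generated and held by a separate custodian (assumed here).
    key = secrets.token_bytes(32)
    pseud, lookup = pseudonymise(RECORDS, key)
    return pseud, lookup, key
```

Two things the run shows that the definition alone does not: the same person always receives the same token, so their records remain linkable and the dataset is still personal data (which is why it stays within the GDPR), and the remaining fields (here a full postcode plus purchase amounts) can still narrow down an individual, which is the practical reason 2.1 says anonymisation is not always achievable.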
3 Special categories of personal data
3.1 Article 9(1) lists the special categories of personal data, the processing of which is prohibited. These
special categories of data include: racial or ethnic origin, political opinions, religious or philosophical
beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a
natural person, health data, data relating to sex life or sexual orientation.
3.2 It can be difficult to determine whether a piece of personal data falls under the special categories.
(a) For example, a photograph of a group of friends at a party where one has their arm in a sling may
constitute health data, but not by default (Recital 51);
(b) Financial/tax data (e.g., national insurance or social security numbers) are not special categories
of personal data.
Applying Article 9(1) is a subjective test, so bear that in mind when determining whether personal data falls
into one of the special categories.
4 Personal data relating to criminal convictions and offences
4.1 Personal data relating to criminal convictions and offences may only be processed either: (i) under the
control of an official authority or (ii) when the processing is authorised by EU or member state law, which
should provide for appropriate safeguards for the rights and freedoms of Data Subjects (Article 10).
4.2 Comprehensive registers of criminal convictions may only be kept under the control of official authorities
(Article 10).
Module 3: Controllers and Processors
1 Controller
1.1 The Controller determines (alone or jointly with others) the purposes (why) and means (how, e.g.,
collection, storage, use, alteration or disclosure) of the personal data being processed – they are the key
decision maker regarding the personal data. There is always a Controller.
1.2 A Controller is defined in Article 4(7) as:
(a) a natural person, legal person, public authority, agency or other body;
(b) which, alone or jointly with others;
(i) different entities may be separate Controllers of the same personal data but they are
not necessarily Joint Controllers (e.g., both Tesco and Google have my email address,
but they aren't Joint Controllers);
(A) Example of independent Controller versus Joint Controller status: where
numerous entities make up a corporate group, each benefiting from a
centralised IT database provided by the parent company. Each company is an
independent Controller with respect to the personal data of their
employees/customers held in the database; but if the parent company does
some processing of, for example, employee turnover within the Group, then it
may be a Joint Controller with its subsidiaries.
(B) In Joint Controllership circumstances, you must clarify the responsibilities of
both Controllers – the "essence of this arrangement" (Article 26) should be
made available to Data Subjects, and Data Subjects may pursue either Joint
Controller.
(c) determines the purposes and means of processing personal data;
(i) the "purpose" of the processing – if you dictate this, then you're likely to be the Controller;
(ii) the "means" of the processing is more complicated – it doesn't just mean the method of
processing – it also refers to deciding which third parties have access to the data, when the
data will be deleted, and whether you still retain the data if the contract fell away. If you
control these aspects, then you're likely to be the Controller;
(A) If you delegate decisions about the technical methods of the processing (e.g.,
the software/methodology), but reserve the most important determinations of
purpose and means for yourself, then you're likely to be the Controller.
(iii) Control can stem from many places:
(A) …from explicit legal competence – explicit appointment of the Controller under law, i.e.,
where the law obliges X to collect data.
(B) …from implicit competence – control stems from common legal provisions or established
legal practice, i.e., when employers process employee data, they have the capacity to
determine the purposes and means of processing.
(C) …from factual influence – Controllership can be determined based on an assessment of
the facts. Where the matter is not clear, you should consider:
• the degree of actual control exercised by a party;
• the impression given to Data Subjects;
• the reasonable expectations of those Data Subjects.
2 Processor
2.1 A Processor is defined in Article 4(8) as a (i) natural or legal person who (ii) processes personal data on
behalf of the Controller.
3 Differentiating Between Controller and Processor
3.1 Questions to ask include:[4]
(a) how much prior instruction was given, as this dictates the amount of independent judgement
which the Processor can exercise;
(i) Note, the Controller may have delegated technical or organisational issues to the
Processor (i.e., which software is being used to process). In other words, the Controller
can delegate the "how" but not the "why";
(b) how much monitoring is taking place, as this dictates whether the entity doing the monitoring
(Controller) has full and sole control of the Processing;
(c) how is it presented to the Data Subject and what does the Data Subject expect;
(d) who has more expertise: the more expertise that the service provider has relative to its customer,
the greater the likelihood that it will be a Controller;
(e) who determines which third parties have access to the data;
(f) who determines when the data will be deleted; and
(g) if the contract fell away, who would retain the data.
[4] These questions derive from Opinion 1/2010 of WP29.
Module 4: Processing Personal Data
1 Data processing
1.1 Processing is defined as "any operation performed upon personal data or on sets of personal data,
whether or not by automated means" (Article 4(2)), including:
(a) recording, restriction (asking for personal data as part of a security verification process),
retrieval (accessing), consultation (querying for information), collection (collection of customer
satisfaction data), organisation (organising results into groups), adaptation (digitising),
alteration, structuring (using data against the backdrop of other data), use, disclosure,
erasure, destruction, storage, alignment or combination (combining data sets together, like
employee performance over the years).
2 The GDPR Processing Principles
2.1 Article 5 sets out the "processing principles", inspired by the OECD Guidelines (see Schedule 1 (OECD
Guidelines)), which are:
(a) Lawfulness, fairness, and transparency of processing – Personal data may only be processed
lawfully, fairly and in a transparent manner.
• Lawful – one of the lawful grounds must apply;
• Fair – the processing must not, without justification, detriment the Data Subject; and
• Transparent – the Data Subject must be informed about the nature of the processing (see
Module 6 (Information Provision Obligations)).
(b) Purpose limitation – Personal data may only be collected and processed for specified, explicit and
legitimate purposes.
Any subsequent processing must be compatible with these initial purposes – to determine if this is
the case, consider the following:
• is there a link between the original processing and the subsequent processing?
• would the Data Subject reasonably expect subsequent processing?
• are there any consequences of subsequent processing?
• are there appropriate safeguards in place for the subsequent processing?
If the subsequent processing is incompatible with the initial purposes, then another lawful ground
will be needed (see 3.2), except where the data is being processed solely for archiving purposes in
the public interest, scientific or historical research purposes or statistical purposes (Article 5(1)(e)).
(c) Data minimisation – Personal data must be adequate, relevant and limited to what is necessary in
relation to the purposes for which they are processed.
In other words, the personal data being collected must be:
• Necessary – ask yourself "do we need to process this?" or "could this achieve the same goal
if it were anonymous?"
• Proportional – ask yourself "do we need to process this much personal data to achieve our
goal?"
(d) Accuracy – Personal data must be accurate, complete and up to date, meaning the Controller must
implement reasonable measures to prevent and correct inaccuracies.
(e) Storage limitation – Personal data must be kept for no longer than is necessary for the purposes for
which the personal data are processed.
• the personal data should be deleted:
o when the specific purpose is achieved; and
o if there are no applicable statutory data retention periods.
Exception: you can keep personal data stored for longer if:
• it's being processed solely for archiving, scientific, historical research, statistical or other
purposes in the public interest;
• it's fully anonymised (and thus not personal data).
(f) Integrity and confidentiality – Personal data must, using appropriate technical or organisational
measures, be protected from unauthorised or unlawful processing and against accidental loss,
destruction or damage.
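The following is an added example, not part of the original notes, showing how the data minimisation and storage limitation principles above translate into controls a Controller can actually run over its records. The purposes, the field allowlist per purpose, the record categories and the retention period attached to the "invoice" category are all constructed for the example; real retention periods come from the statute that applies to the Controller.

```python
from datetime import date, timedelta

# Data minimisation: the fields each declared purpose genuinely needs.
# Purposes and allowlists are hypothetical.
FIELDS_NEEDED = {
    "ship_order": {"name", "postal_address", "order_id"},
    "newsletter": {"email"},
}

# Storage limitation: statutory retention periods by record category.
# The period below is a constructed placeholder, not a real legal requirement.
STATUTORY_RETENTION = {
    "invoice": timedelta(days=6 * 365),
}


def minimise(record: dict, purpose: str) -> dict:
    """Keep only the fields the stated purpose needs; everything else is
    never collected into the purpose-specific dataset."""
    allowed = FIELDS_NEEDED[purpose]
    return {k: v for k, v in record.items() if k in allowed}


def retention_decision(record: dict, today: date) -> str:
    """Decide whether a record may still be held on a given day.

    Order of checks follows the principle: anonymised data and public-interest
    archiving fall outside the deletion rule; otherwise the record goes once
    the purpose is achieved and no statutory retention period still applies.
    """
    if record.get("anonymised"):
        return "keep:anonymised"
    if record.get("archiving_public_interest"):
        return "keep:archiving_exception"
    achieved = record.get("purpose_achieved_on")
    if achieved is None:
        return "keep:purpose_open"
    hold = STATUTORY_RETENTION.get(record.get("category"))
    if hold is not None and achieved + hold > today:
        return "keep:statutory"
    return "delete"


def sweep(records, today: date) -> dict:
    """Run the retention decision over a whole dataset, keyed by record id."""
    return {r["id"]: retention_decision(r, today) for r in records}


# Constructed sample records for the sweep; dates and categories are invented.
SAMPLE_RECORDS = [
    {"id": 1, "category": "invoice", "purpose_achieved_on": date(2020, 1, 1)},
    {"id": 2, "category": "marketing", "purpose_achieved_on": date(2023, 6, 1)},
    {"id": 3, "category": "support_ticket", "purpose_achieved_on": None},
    {"id": 4, "category": "analytics", "purpose_achieved_on": date(2019, 1, 1), "anonymised": True},
    {"id": 5, "category": "invoice", "purpose_achieved_on": date(2015, 1, 1)},
]


def run_sweep(today: date = date(2024, 1, 1)) -> dict:
    """Fixed 'today' so the outcome is reproducible offline."""
    return sweep(SAMPLE_RECORDS, today)
```

Running the sweep on the constructed records shows the two halves of the principle side by side: the 2020 invoice is retained only because a statutory period is still running, the 2015 invoice is deleted because that period has lapsed, the marketing record goes as soon as its purpose is achieved, the open support ticket stays, and the anonymised analytics record is kept because it is no longer personal data.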