GDPR Articles With Commentary & EU Case Laws, Adv. Prashant Mali
- Author: Adv. Prashant Mali
Author
Adv. Prashant Mali
[M.Sc. (Computer Science), CCFP, CISSA, LLM, Ph.D (Pursu.)]
About Author:
The author is an international cyber law and privacy expert and a practicing High Court lawyer based in Mumbai, India. He holds a Masters in Computer Science and a Masters in Law, with certification in Computer Forensics and Information Systems Security Auditing and prior working experience in the field of software, networking and IT security. He is a Chevening (UK) Cyber Security Fellow and IVLP (USA). He is the founder president of a law firm named Cyber Law Consulting. He was awarded Cyber Security Lawyer of the Year (Asia Pacific) in 2016 and Cyber Security Lawyer of the Year by Financial Monthly Magazine of UK. He has been a sought-after speaker on national and international forums and has been interviewed by BBC World, Bloomberg, Zee News, NDTV, CNBC, Al Jazeera etc. His articles are published in various magazines across the world and he has been quoted by leading daily newspapers. He has conducted various workshops on GDPR in various countries and has a unique way of explaining GDPR with examples and by comparing it to the existing laws of the country.
Note:
Every effort has been made to avoid errors or omissions in this publication. Errors may still creep in; any mistake, error or discrepancy noted may be brought to our notice and shall be taken care of in the next edition. It is notified that neither the publisher nor the author or seller will be responsible for any damages or loss of action to anyone, of any kind, in any manner, therefrom. It is suggested that, to avoid any doubt, the reader should cross-check all the facts, law and contents of the publication with the original Government publication or notification.
All rights reserved. No part of this work may be copied, reproduced, adapted, abridged or translated, stored in any retrieval system, computer system, photographic or other system, or transmitted in any form by any means, whether electronic, mechanical, digital, optical, photographic or otherwise, without the prior written permission of Cyber Infomedia. Any breach will entail legal action and prosecution without further notice.
INDEX
Articles
Particular
CHAPTER 1 : GENERAL PROVISIONS
1
GDPR Subject-matter and objectives
2
GDPR Material scope
3
GDPR Territorial scope
4
GDPR Definitions
CHAPTER 2 : PRINCIPLES
5
GDPR Principles relating to processing of personal data
6
GDPR Lawfulness of processing
7
GDPR Conditions for consent
8
GDPR Conditions applicable to child's consent in relation to information society services
9
GDPR Processing of special categories of personal data
10
GDPR Processing of personal data relating to criminal convictions and offences
11
GDPR Processing which does not require identification
CHAPTER 3 : RIGHTS OF THE DATA SUBJECT
Section 1 : Transparency and modalities
12
GDPR Transparent information, communication and modalities for the exercise of the rights of the data subject
Section 2 : Information and access to personal data
13
GDPR Information to be provided where personal data are collected from the data subject
14
GDPR Information to be provided where personal data have not been obtained from the data subject
15
GDPR Right of access by the data subject
Section 3 : Rectification and erasure
16
GDPR Right to rectification
17
GDPR Right to erasure (‘right to be forgotten’)
18
GDPR Right to restriction of processing
19
GDPR Notification obligation regarding rectification or erasure of personal data or restriction of processing
20
GDPR Right to data portability
Section 4 : Right to object and automated individual decision-making
21
GDPR Right to object
22
GDPR Automated individual decision-making, including profiling
Section 5 : Restrictions
23
GDPR Restrictions
CHAPTER 4 : CONTROLLER AND PROCESSOR
Section 1 : General obligations
24
GDPR Responsibility of the controller
25
GDPR Data protection by design and by default
26
GDPR Joint controllers
27
GDPR Representatives of controllers or processors not established in the Union
28
GDPR Processor
29
GDPR Processing under the authority of the controller or processor
30
GDPR Records of processing activities
31
GDPR Cooperation with the supervisory authority
Section 2 : Security of personal data
32
GDPR Security of processing
33
GDPR Notification of a personal data breach to the supervisory authority
34
GDPR Communication of a personal data breach to the data subject
Section 3 : Data protection impact assessment and prior consultation
35
GDPR Data protection impact assessment
36
GDPR Prior consultation
Section 4 : Data protection officer
37
GDPR Designation of the data protection officer
38
GDPR Position of the data protection officer
39
GDPR Tasks of the data protection officer
Section 5 : Codes of conduct and certification
40
GDPR Codes of conduct
41
GDPR Monitoring of approved codes of conduct
42
GDPR Certification
43
GDPR Certification bodies
CHAPTER 5 : TRANSFERS OF PERSONAL DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANISATIONS
44
GDPR General principle for transfers
45
GDPR Transfers on the basis of an adequacy decision
46
GDPR Transfers subject to appropriate safeguards
47
GDPR Binding corporate rules
48
GDPR Transfers or disclosures not authorised by Union law
49
GDPR Derogations for specific situations
50
GDPR International cooperation for the protection of personal data
CHAPTER 6 : INDEPENDENT SUPERVISORY AUTHORITIES
Section 1 : Independent status
51
GDPR Supervisory authority
52
GDPR Independence
53
GDPR General conditions for the members of the supervisory authority
54
GDPR Rules on the establishment of the supervisory authority
Section 2 : Competence, tasks and powers
55
GDPR Competence
56
GDPR Competence of the lead supervisory authority
57
GDPR Tasks
58
GDPR Powers
59
GDPR Activity reports
CHAPTER 7 : COOPERATION AND CONSISTENCY
Section 1 : Cooperation
60
GDPR Cooperation between the lead supervisory authority and the other supervisory authorities concerned
61
GDPR Mutual assistance
62
GDPR Joint operations of supervisory authorities
Section 2 : Consistency
63
GDPR Consistency mechanism
64
GDPR Opinion of the Board
65
GDPR Dispute resolution by the Board
66
GDPR Urgency procedure
67
GDPR Exchange of information
Section 3 : European data protection board
68
GDPR European Data Protection Board
69
GDPR Independence
70
GDPR Tasks of the Board
71
GDPR Reports
72
GDPR Procedure
73
GDPR Chair
74
GDPR Tasks of the Chair
75
GDPR Secretariat
76
GDPR Confidentiality
CHAPTER 8 : REMEDIES, LIABILITY AND PENALTIES
77
GDPR Right to lodge a complaint with a supervisory authority
78
GDPR Right to an effective judicial remedy against a supervisory authority
79
GDPR Right to an effective judicial remedy against a controller or processor
80
GDPR Representation of data subjects
81
GDPR Suspension of proceedings
82
GDPR Right to compensation and liability
83
GDPR General conditions for imposing administrative fines
84
GDPR Penalties
CHAPTER 9 : PROVISIONS RELATING TO SPECIFIC PROCESSING SITUATIONS
85
GDPR Processing and freedom of expression and information
86
GDPR Processing and public access to official documents
87
GDPR Processing of the national identification number
88
GDPR Processing in the context of employment
89
GDPR Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
90
GDPR Obligations of secrecy
91
GDPR Existing data protection rules of churches and religious associations
CHAPTER 10 : DELEGATED ACTS AND IMPLEMENTING ACTS
92
GDPR Exercise of the delegation
93
GDPR Committee procedure
CHAPTER 11 : FINAL PROVISIONS
94
GDPR Repeal of Directive 95/46/EC
95
GDPR Relationship with Directive 2002/58/EC
96
GDPR Relationship with previously concluded Agreements
97
GDPR Commission reports
98
GDPR Review of other Union legal acts on data protection
99
GDPR Entry into force and application
CASE LAWS
SUMMARY OF EU COURT DECISIONS RELATING TO DATA PROTECTION (IN NUMERICAL ORDER OF CASE NUMBER)
1
COURT OF JUSTICE DECISIONS
1.1
C-450/00, COMMISSION V. LUXEMBOURG, 4.10.2001 (“LUXEMBOURG”)
1.2
C-465/00 AND C-138/01, RECHNUNGSHOF V. OSTERREICHISCHER RUNDFUNK, 20.5.2003 (“RECHNUNGSHOF”)
1.3
C-101/01, LINDQUIST, 6.11.2003 (“LINDQUIST”)
1.4
C-317 AND 318/04, PARLIAMENT V. COUNCIL (PNR), 30.5.2006 (“PNR”)
1.5
C-275/06, PROMUSICAE, 29.1.2008 (“PROMUSICAE”)
1.6
C-301/06, IRELAND V. PARLIAMENT AND COUNCIL, 10.2.2009 (“IRELAND”)
1.7
C-524/06, HUBER V. GERMANY, 16.12.2008 (“HUBER”)
1.8
C-73/07, TIETOSUOJAVALTUUTETTU [FINNISH DATA PROTECTION OMBUDSMAN] V. SATAKUNNAN MARKKINAPORSSI OY AND SATAMEDIA OY, 16.12.2008 (“TIETOSUOJAVALTUUTETTU”)
1.9
C-518/07, COMMISSION V. GERMANY, 9.3.2010 (“GERMANY”)
1.10
C-553/07, COLLEGE VAN BURGEMEESTER EN WETHOUDERS VAN ROTTERDAM V. RIJKEBOER, 7.5.2009 (“RIJKEBOER”)
1.11
C-557/07, LSG-GESELLSCHAFT ZUR WAHRNEHMUNG VON LEISTUNGSSCHUTZRECHTEN GMBH V. TELE2 TELECOMMUNICATION GMBH, 19.2.2009 (“LSG”)
1.12
C-28/08, COMMISSION V. BAVARIAN LAGER CO., 29.6.2010 (“BAVARIAN LAGER”)
1.13
C-92/09 VOLKER UND MARKUS SCHECKE GBR V. LAND HESSEN, AND C-93/09, EIFERT V. LAND HESSEN AND BUNDESANSTALT FUR LANDWIRTSCHAFT UND ERNAHRUNG, 9.11.2010 (“SCHECKE”)
1.14
CASE C-70/10, SCARLET EXTENDED SA V. SOCIETE BELGE DES AUTEURS, COMPOSITEURS ET EDITEURS SCRL (SABAM), 24.11.2011 (“SCARLET”)
1.15
CASE C-461/10, BONNIER AUDIO AB ET AL. V. PERFECT COMMUNICATION SWEDEN, 19.4.2012 (“BONNIER”)
1.16
JOINED CASES C-468/10 AND C-469/10, ASOCIACION NACIONAL DE ESTABLECIMIENTOS FINANCIEROS DE CREDITO (ASNEF) AND FEDERACION DE COMERCIO ELECTRONICO Y MARKETING DIRECTO (FECEMD) V. ADMINISTRACION DEL ESTADO, 24.11.2011 (“ASNEF”)
1.17
C-614/10, COMMISSION V. AUSTRIA, 16.10.2012 (“AUSTRIA”)
1.18
C-614/10, COMMISSION V. AUSTRIA, 16.10.2012 (“AUSTRIA”)
1.19
C-131/12, GOOGLE SPAIN SL V. AEPD (THE DPA) & MARIO COSTEJA GONZALEZ, 13.5.2014 (“GOOGLE”)
1.20
C-141/12 AND C-372/12, MINISTER VOOR IMMIGRATIE V. M, 17.7.2014 (“M”)
1.21
C-288/12, COMMISSION V. HUNGARY, 8.4.2014 (“HUNGARY”)
1.22
C-291/12, SCHWARZ V. BOCHUM, 17.10.2014 (“SCHWARZ”)
1.23
C-293/12 AND C-594/12, DIGITAL RIGHTS IRELAND LTD V. IRELAND, 8.4.2014 (“DRI”)
1.24
C-342/12, WORTEN-EQUIPAMENTOS PARA O LAR SA V. ACT (AUTHORITY FOR WORKING CONDITIONS), 30.5.2013 (“WORTEN”)
1.25
C-473/12, IPI V. ENGLEBERT (“ENGLEBERT”)
1.26
C-486/12, X, 12.12.2013 (“X”)
1.27
C-212/13, RYNES V. ÚŘAD PRO OCHRANU OSOBNICH ÚDAJŮ, 11.12.2014 (“RYNES”)
1.28
C-615/13 P, CLIENT EARTH ET AL. V. EFSA, 16.7.2015 (“CLIENTEARTH”)
1.29
C-201/14, SMARANDA BARA ET AL. V. PRESEDINTELE CASEI NATIONALE DE ASIGURARI DE SANATATE (CNAS) ET AL., 1.10.2015 (“BARA”)
1.30
C-230/14, WELTIMMO S.R.O. V. NEMZETI ADATVEDELMI ES INFORMACIOSZABADSAG HATOSAG (HUNGARIAN DPA), 1.10.15 (“WELTIMMO”)
1.31
C-362/14, SCHREMS V. DATA PROTECTION COMMISSIONER, 6.10.2015 (“SCHREMS”)
2
GENERAL COURT DECISIONS
2.1
T-320/02, ESCH-LEONHARDT AND OTHERS V EUROPEAN CENTRAL BANK, 18.2.2004 (“ESCH-LEONHARDT”)
2.2
T-198/03, BANK AUSTRIA CREDITANSTALT AG V COMMISSION OF THE EUROPEAN COMMUNITIES, 30.5.2006 (“BANK AUSTRIA”)
2.3
T-259/03, NIKOLAOU V. COMMISSION, 12.9.2007 (“NIKOLAOU”)
2.4
T-161/04, JORDANA V. COMMISSION, 7.7.2011 (“JORDANA”)
2.5
T-82/09, DENNEKAMP V. EUROPEAN PARLIAMENT, 23.11.2011 (“DENNEKAMP I”)
2.6
T-190/10, EGAN & HACKETT V. EUROPEAN PARLIAMENT, 28.3.2012 (“EGAN & HACKETT”)
2.7
T-115/13, DENNEKAMP V. EUROPEAN PARLIAMENT (15.7.2015) (“DENNEKAMP II”)
2.8
T-496/13, MCCULLOUGH V. CEDEFOP (11.6.2015) (“MCCULLOUGH”)
3
CIVIL SERVICE TRIBUNAL DECISIONS
3.1
F-30/08, NANOPOULOS V. COMMISSION, 11.5.2010 (“NANOPOULOS”) (ON APPEAL, CASE T-308/10)
3.2
F-46/09, V & EDPS V. EUROPEAN PARLIAMENT, 5.7.2011 (“V”)
4
POST GDPR IMPLEMENTATION CASE LAWS
4.1
GOOGLE CASE
4.2
GERMAN COURTS - WHETHER AN INFRINGEMENT OF THE GDPR ALSO QUALIFIES AS UNFAIR-COMPETITIVE BEHAVIOR
4.3
GOOGLE IN LANDMARK NORDIC LEGAL CASE ON THE “RIGHT TO BE FORGOTTEN.”
4.4
GDPR FINE – BARREIRO MONTIJO HOSPITAL CENTER IN PORTUGAL CASE
4.5
FACEBOOK BREACH IN GDPR TEST CASE.
SUMMARY OF EU COURT DECISIONS RELATING TO DATA PROTECTION (ORGANISED BY TOPIC)
1
GENERAL
1.1
DEFINITION OF PERSONAL DATA
1.2
DEFINITION OF PROCESSING
1.3
DEFINITION OF CONTROLLER
1.4
LEGAL PERSONS
1.5
SENSITIVE PERSONAL DATA
1.6
CONSENT
1.7
NECESSITY/PROPORTIONALITY
1.8
SECURITY
1.9
DEROGATIONS
1.10
NON-CONTRACTUAL LIABILITY
2
DATA SUBJECT RIGHTS
2.1
INFORMATION
2.2
ACCESS
2.3
ERASURE
3
BALANCING FUNDAMENTAL RIGHTS
3.1
PROTECTION OF PROPERTY AND AN EFFECTIVE REMEDY
3.2
FREEDOM OF EXPRESSION
3.2
ACCESS TO DOCUMENTS
4
TRANSFERS
4.1
APPROPRIATE LEGAL BASIS
4.2
ADEQUATE LEVEL OF PROTECTION
4.3
SAFE HARBOUR
5
REGULATION 45/2001
5.1
SCOPE
5.2
LAWFULNESS
6
DIRECTIVE 95/46
6.1
SCOPE
6.2
LAWFULNESS
6.3
ESTABLISHMENT OF THE CONTROLLER
6.4
INDEPENDENCE OF DPA
6.5
DPA POWERS
6.6
PROCESSING FOR SOLELY JOURNALISTIC PURPOSES
6.7
PROCESSING FOR PURELY PERSONAL OR HOUSEHOLD ACTIVITY
6.8
TRANSPOSITION/HARMONISATION
6.9
DIRECT APPLICABILITY
7
DIRECTIVE 2002/58
7.1
SCOPE
7.2
TRAFFIC DATA
8
DIRECTIVE 2006/24
8.1
APPROPRIATE LEGAL BASIS
8.2
SCOPE
8.3
LAWFULNESS
9
ARTICLES 7, 8 CFR
10
ARTICLE 8 ECHR
APPENDIX 1: RECITALS [1 to 173]
APPENDIX 2: EU/EEA NATIONAL SUPERVISORY AUTHORITIES
APPENDIX 3: LOOPHOLES IN GDPR
APPENDIX 4: FLOW CHART – COMPOSITION OF EUROPEAN DATA PROTECTION BOARD
PREFACE
I was the early starter to get awakened towards GDPR due to my practice in cyber and privacy law. When I first started the firm EUGDPR Institute, I was sure about writing a book on GDPR but never knew the connotations it would have. I was involved in training participants from many large IT companies like Tech Mahindra, TCS, Oracle, IBM, Cognizant etc. and obviously partners from large law firms; then I decided to pen this book, as the legal language and its interpretation was always a challenge to these technology or GRC migrants. Being the author of published and famous books on cyber law made the structure of this book clear in my mind. Articles of GDPR do have a typical international law kinda language and often raise more than one question or doubt in the avid reader of the topic.
This book is a series of articles and interpretations. It deals with questions of applicability of GDPR articles in various scenarios; at its core, GDPR is a new set of rules designed to give EU citizens more control over their personal data. It aims to simplify the regulatory environment for business so both citizens and businesses in the European Union can fully benefit from the digital economy.
Fundamentally, almost every aspect of our lives revolves around data. From social media companies to banks, retailers and governments, almost every service we use involves the collection and analysis of our personal data. Your name, address, credit card number and more are all collected, analysed and, perhaps most importantly, stored by organisations.
In this busy age, when we are all bombarded with information, it is helpful, I think, to be offered a chance to take a breath and do things simply. There is something meditative about reading the GDPR articles one by one and again going through them next time. There is something therapeutic in watching people’s faces light up when they find they are compliant with a particular article of GDPR. There is something healing in the simple task of being aware of the applicability of GDPR to the organisation. GDPR applies to any organisation operating within the EU, as well as any organisations outside of the EU which offer goods or services to customers or businesses in the EU. That ultimately means that almost every major corporation and practitioner in the world will need this book to understand, implement, comply and re-comply with GDPR.
Whether you are a DPO, an auditor, a lawyer, a student, a GRC professional, a privacy devotee, a lonely heart nostalgic for GDPR trainings — I hope you find something of value in