GDPR Articles With Commentary & EU Case Laws, Adv. Prashant Mali [books to read as a couple .txt] 📗
- Author: Adv. Prashant Mali
Book online «GDPR Articles With Commentary & EU Case Laws, Adv. Prashant Mali [books to read as a couple .txt] 📗». Author Adv. Prashant Mali
relating to the notification of data breach to the supervisory authority (Art. 33);
relating to the notification of data breach to the data subjects (Art. 34);
concerning the impact assessment regarding the data protection (Art. 35) and prior consultation of the supervisory authority (Art. 36);
concerning the designation of a data protection officer (Art. 37), its functions (Art. 38), its missions (Art. 39);
relating to certification (Art. 42) and the certification procedure (Art. 43).
obligations of the certification body in the meaning of Articles 42 and 43;
obligations of the body charged to monitor the adherence to the code of conduct in the meaning of Art. 41 (4)
Fines up to EUR 20,000,000, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher, for infringements to the following provisions (paragraph 5):
the basic principles for processing, including conditions for consent, pursuant to Articles 5 (Principles relating to processing of personal data), 6 (Lawfulness of
processing), 7 (Conditions applicable to consent) and 9 (Processing of specific categories of personal data);
the rights of data subjects within the meaning of Articles 12 to 22 of the Regulation;
rules relating to the transfers of personal data to a recipient in a third country or an international organization (Articles 44 to 49);
any obligations pursuant to Member State law adopted under Chapter IX; let’s remind that Chapter IX gives the Member States a certain discretion in view of processing of personal data and freedom of expression and information (see Art. 86); processing of a national identification number (Art. 87), etc.
non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 58
(2) or failure to provide access in violation of Article 58 (1);
In addition, non-compliance with an order by the supervisory authority shall be subject to administrative fines up to EUR 20,000,000, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher. It should be noted that if a controller or processor intentionally or negligently, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement. Without prejudice to the corrective powers of supervisory authorities pursuant to Article 58 (2), each Member State may lay down the rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State. The exercise by the supervisory authority of its powers under this Article shall be subject to appropriate procedural safeguards in accordance with Union and Member State law, including effective judicial remedy and due process.
Finally, where the legal system of the Member State does not provide for administrative fines, Article 83 may be applied in such a manner that the fine is initiated by the competent supervisory authority and imposed by competent national courts. In this case, those legal remedies must be effective and have an equivalent effect to the administrative fines imposed by supervisory authorities. In all cases, those fines must be effective, proportionate and dissuasive. Those Member States shall notify to the Commission the provisions of their laws which they adopt not later than the day of entry of this Regulation into force pursuant to Article 99 (2) and also notify without delay any subsequent amendment law or amendment affecting them.
Directive relied totally on Member States regarding the sanctions in case of violation of provisions adopted in application of the Directive (Article 24).
The most obvious difficulty will be for recognition by each Member States legal system of such new powers to be exercised by the supervisory authorities and to provide specific procedural safeguards to be implemented in addition to the general
procedural rules. In Belgium for example, the possible recognition of such a power to impose fines of such an amount would change completely the relationship of individuals to the Commission for Protection of Privacy. The latter, as we have said, was designed more as a conciliatory body than a controlling authority and previously had no power to impose any fines. It should be noted that the power of the national authority could be limited to the initiation of the fine and only a court would have the competence to impose it. The questions are what the initiation power would cover and whether the court may or may not review or refuse to apply it in the context of its intervention.
Art. 84 GDPR Penalties
Member States shall lay down the rules on other penalties applicable to infringements of this Regulation in particular for infringements, which are not subject to administrative fines pursuant to Article 83, and shall take all measures necessary to ensure that they are implemented. Such penalties shall be effective, proportionate and dissuasive.
Each Member State shall notify to the Commission the provisions of its law, which it adopts pursuant to paragraph 1, by 25 May 2018 and, without delay, any subsequent amendment affecting them.
Suitable Recitals
(149) Penalties for infringements of national rules; (150) Administrative fines; (151) Administrative fines in Denmark and Estonia; (152) Power of sanction of the Member States.
COMMENTARY:
Member States set their own rules on penalties applicable to infringements of the GDPR, in particular those infringements that are not subject to administrative fines. Member States may also provide their own rules on criminal sanctions for infringement of the GDPR. The Directive contained only a general provision (Art. 24) requiring the states to take appropriate measures to ensure full implementation of its provisions and specify penalties in cases of infringement of the provisions adopted pursuant to this Directive.
* * *
CHAPTER 9: PROVISIONS RELATING TO SPECIFIC PROCESSING SITUATIONS
Art. 85 GDPR Processing and freedom of expression and information
Member States shall by law reconcile the right to the protection of personal data pursuant to this Regulation with the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic or literary expression.
For processing carried out for journalistic purposes or the purpose of academic artistic or literary expression, Member States shall provide for exemptions or derogations from Chapter II (principles), Chapter III (rights of the data subject), Chapter IV (controller and processor), Chapter V (transfer of personal data to third countries or international organisations), Chapter VI (independent supervisory authorities), Chapter VII (cooperation and consistency) and Chapter IX (specific data processing situations) if they are necessary to reconcile the right to the protection of personal data with the freedom of expression and information.
Each Member State shall notify to the Commission the provisions of its law which it has adopted pursuant to paragraph 2 and, without delay, any subsequent amendment law or amendment affecting them.
Suitable Recitals
Processing of personal data solely for journalistic purposes or for the purposes of academic, artistic or literary expression.
COMMENTARY:
This provision requires Member States to introduce exemptions to the GDPR where necessary. Although this Article is wider in scope than Article 9 of the Data Protection Directive, Article 85 makes special provision for processing carried out for journalistic purposes, or for the purposes of academic, artistic or literary expression. Member States will be required to notify the Commission on how they have implemented this requirement and of any changes to such laws. The Directive already allowed Member States to provide for exemptions or derogations for personal data processing carried out solely for journalistic, artistic or literary expression, from the general conditions of lawfulness of processing (Chapter II), from the conditions of data transfer to third countries (Chapter IV) and from the competence of the supervisory authorities (Chapter VI) only insofar as they are necessary to reconcile the right to privacy with the rules governing freedom of expression.
Art. 86 GDPR Processing and public access to official documents
Personal data in official documents held by a public authority or a public body or a private body for the performance of a task carried out in the public interest may be disclosed by the authority or body in accordance with Union or Member State law to which the public authority or body is subject in order to reconcile public access to
official documents with the right to the protection of personal data pursuant to this Regulation.
Suitable Recitals
Principle of public access to official documents.
COMMENTARY:
Personal data contained in official documents may be processed, in order to reconcile public access to official documents with the right to the protection of personal data. This provision expands on Recital 72 of the Data Protection Directive, and allows personal data within official documents to be disclosed in accordance with Union or Member State laws, which allow public access to official documents. This is not without limit - such laws should, according to Recital 154 GDPR. Directive 2003/98/EC (the “PSI Directive”) on the “re-use of public sector information” does not alter the obligations on authorities, or rights of individuals, under the GDPR.
Art. 87 GDPR Processing of the national identification number
Member States may further determine the specific conditions for the processing of a national identification number or any other identifier of general application. In that case the national identification number or any other identifier of general application shall be used only under appropriate safeguards for the rights and freedoms of the data subject pursuant to this Regulation.
COMMENTARY:
Member States are free to determine the conditions under which national ID numbers may be processed, subject to appropriate safeguards for the rights and freedoms of data subjects pursuant to the GDPR. This effectively replicates the right of Member States to set their own conditions for processing national identification numbers under the Data Protection Directive. The only expansion is to clarify that this requires appropriate safeguards to be put in place.
Pursuant to Article 8 (7) of the Directive, the Member States shall determine the conditions under which a national identification number or any other identifier of general application may be processed. An example is that Belgian and French legislatures have adopted specific laws governing the consultation and the use of the National Register of Natural Persons, of the National Repertory of Identification of Natural Persons (RNIPP).
Art. 88 GDPR Processing in the context of employment
Member States may, by law or by collective agreements, provide for more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees’ personal data in the employment context, in particular for the
purposes of the recruitment, the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, management, planning and organisation of work, equality and diversity in the workplace, health and safety at work, protection of employer’s or customer’s property and for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose of the termination of the employment relationship.
Those rules shall include suitable and specific measures to safeguard the data subject’s human dignity, legitimate interests and fundamental rights, with particular regard to the transparency of processing, the transfer of personal data within a group of undertakings, or a group of enterprises engaged in a joint economic activity and monitoring systems at the work place.
Each Member State shall notify to the Commission those provisions of its law, which it adopts pursuant to paragraph 1, by 25th May 2018 and, without delay, any subsequent amendment affecting them.
Suitable Recitals
Processing in the employment context.
COMMENTARY:
Member States may create new laws or conclude collective agreements to ensure the protection of personal data in the context of national employment law. These must include appropriate safeguards. Member States must inform the Commission of any laws adopted in this area.
Member States are permitted to establish (either by law or through collective agreements) more specific rules in respect of the processing of employee personal data, covering every major aspect of the employment cycle from recruitment to termination. This includes the ability to implement rules setting out when consent may be
Comments (0)