GDPR Articles With Commentary & EU Case Laws, Adv. Prashant Mali
- Author: Adv. Prashant Mali
F-30/08, NANOPOULOS V. COMMISSION, 11.5.2010 (“NANOPOULOS”) (ON APPEAL, CASE T-308/10)
Action for non-contractual liability against the Commission pursuant to Article 340 TFEU. A journalist sent a letter to the Commission asking about anonymous allegations that the applicant favored companies of his own nationality in performing his duties as a Director in the Commission. The Commission reassigned the applicant to a post of principal advisor to the Director General, and opened a disciplinary proceeding against the applicant. Two leaks occurred: one concerning the plan to reassign the applicant; and one concerning the Commission's decision to open a disciplinary proceeding against the applicant. Journal articles were thereafter published with the applicant's name, including these facts.
Non-contractual liability: The normal rule is that the burden of proof is on the applicant to establish: i) the illegal action of an institution; ii) damages; iii) proof that the damages were caused by the illegal action of the institution. However, the burden of proof shifts to the institution when a fact giving rise to damages could have resulted from various causes, and the institution has not introduced any element of proof as to which was the true cause, even though it was best placed to do so. The publication of the applicant's name could only have resulted from a leak by the Commission. The burden of proof was on the Commission to prove that it was not the source of the leak.
Damages: The leak by the Commission of the complainant's name as one of the officials undergoing a disciplinary procedure constitutes a violation of Regulation 45/2001, which was sufficient to engage its responsibility. 90.000 euros damages were awarded (70.000 moral prejudice and 20.000 fault of service linked to moral prejudice).
F-46/09, V & EDPS V. EUROPEAN PARLIAMENT, 5.7.2011 (“V”)
Application for annulment of a decision of the European Parliament, withdrawing a 2008 offer of employment to the applicant on grounds of unfitness to be hired. The Commission Medical Service had determined that the applicant was not fit; she had appealed, and the Commission had affirmed the conclusion. She filed an Article 90 complaint, which the Commission rejected, then a lawsuit against that decision, which the Court of First Instance rejected. In 2008, she was offered a post as contractual agent with the Parliament. The Parliament requested and received a copy of her medical file from the Commission medical service and thereafter withdrew its offer on the ground that she was unfit to work in any of the EU institutions. The applicant filed an Article 90 complaint against this decision, which the Parliament rejected. In the action before the court, the applicant alleged that her medical dossier collected by the Commission should have been used only with respect to her recruitment by the Commission. Further, the medical counsel of the Parliament should have only examined her and not inquired into her past medical history. (The EDPS brief stated that the transfer violated Regulation 45/2001. First, the data are not part of the applicant's medical dossier as former temporary agent and former contractual agent of the Commission. The procedural manual of the Commission's medical service does not indicate the ends for which medical data collected during a recruitment procedure are saved in the archive for more than 6 months, nor the conditions under which they are accessible. In opinions to the Parliament and Commission, he recommended that for candidates deemed unfit for hiring, the medical data collected during the recruitment procedure should only be held for a limited period, corresponding to the period during which it is possible to contest the data or the decision taken on the basis of the data. Further, the transfer is governed by Article 7, without prejudice to Articles 4, 5, 6 and 10. Respect of Article 7 thus does not render the transfer and ultimate use of the data legal under the Regulation in its totality.
By virtue of Article 10, paragraph 1, the processing of special categories of data is prohibited and the protection of such data has, for the ECHR, a fundamental importance for exercise of the right to privacy, guaranteed by Article 8 of the Convention. The applicant did not give her consent to the transfer, in accordance with the exception foreseen in Article 10, paragraph 2. Further, the Parliament did not show that the transfer was really necessary to respect the statute, within the meaning of Article 10(2)(b). It would have been possible to obtain the information in a less intrusive manner. Once received by the Parliament, the data were no longer being used for the purpose for which they were collected. The transfer and use of the data violated Article 4(1)(b) and (e).)
Article 8 ECHR: This is a fundamental right, which covers the right to secrecy of one's medical state. The transfer of that data to a third party, even another EU institution, is an interference with that right, whatever the final use. Such interference may be justified if it is "in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others."
In accordance with the law: Regulation 45/2001 establishes that inter-institutional transfers are foreseen. However, Article 7 is very general. Further, Article 6 states that personal data shall only be processed for purposes other than those for which they were collected if the change of purpose has been expressly foreseen by the rules of the EU institution, which was not the case here.
Necessary in a democratic society: This criterion is met if it is necessary to respond to a social imperative, and if proportionate to the legitimate end and the reasons specified are relevant and sufficient. The national authority has a limited margin of discretion. The right to privacy of medical data is protected by EU juridical order, not only to protect the private life of the sick but also to preserve their confidence in the medical body and the medical services in general. The possibility to transfer such data to another institution calls for a particularly rigorous examination. Thus the interest of the Parliament to recruit a person able to exercise his duties must be balanced against the gravity of the interference of the right of the person concerned. The interest of the Parliament to conduct the medical examination does not justify the transfer without the consent of the person concerned. The data are very sensitive, were collected nearly two years before, for a specified purpose, by an institution for which the applicant did not work. The need of the Parliament could have been met by less intrusive means.
Articles 6 and 7: Article 1 specifies that EU institutions protect the fundamental rights of natural persons, in particular their right to privacy with respect to processing their personal data. Thus, the provisions of the Regulation may not be read as legitimising an interference with the right to privacy. The purpose for the Commission's collection of the data was to determine the applicant's fitness to perform the duties in the Commission's post. Using them to determine her fitness for the post with the Parliament constituted a change of purpose. Each institution is an independent employer, and is autonomous in the management of its personnel. The change of purpose was not foreseen in any legal text.
Sensitive data: The applicant did not consent to the transfer of her data. The transfer was not "necessary for the purposes of complying with the specific rights and obligations of the controller in the field of employment law," in accordance with Article 10(2)(b). The Parliament's obligation to control fitness for duty could have been achieved by less intrusive means. Nor does Article 10(3) justify the transfer.
Damages: 5000 euros material damages, 20.000 moral prejudice.
LAWS:
GOOGLE CASE
In this case, the complaints were made by two organisations, noyb (None of Your Business) and LQDN (La Quadrature du Net), in May 2018, relating to Google's forced consent for the processing of users' data. The complaint related to Android users who, when setting up a new Android phone, were forced to follow Android's onboarding process, which included forced consent for the processing of their data. Both groups said Google had no legal basis to process the personal data of its users “particularly for ads personalization purposes”.
GDPR requires the data controller to provide its users with the option to opt-in to have their data processed whereas, before the regulation's implementation, users were required to opt-out.
"This is the first time that the CNIL (Commission nationale de l'informatique et des libertés, the board which enforces the law on data protection) has applied the new maximum penalties provided by the GDPR. The amount withheld, and the advertising of the fine, are at first justified by the seriousness of the deficiencies that affect the essential principles of GDPR:
The maximum fines for GDPR are €20 million or 4% of the company's annual turnover, whichever is greater. In this case, Google could have theoretically faced a maximum fine of almost €4 billion. Google has been hit with a landmark €50 million GDPR fine, issued by the French policy watchdog CNIL – the largest in the GDPR's history.
The landmark fine was justified by Google's lack of action following the claim. CNIL said that the violations are continuing to this day and are ongoing violations of the GDPR.
GERMAN COURTS - WHETHER AN INFRINGEMENT OF THE GDPR ALSO QUALIFIES AS UNFAIR-COMPETITIVE BEHAVIOR
Under the Data Protection Directive (now superseded by the General Data Protection Regulation, “GDPR”), it was disputed whether a violation of the German Data Protection Law transposing the Directive could serve as a basis for anti-competition claims under the German Act Against Unfair Competition (“Gesetz gegen den unlauteren Wettbewerb”, “UWG”).
In a decision of August 7, 2018, a company asked for injunctive relief against a competing company because the competing company's website privacy policy failed to comply with the information requirements under Art. 13 GDPR. The court stressed in its decision that it is still disputed under German law whether a violation of the GDPR can serve as a claim against a competitor under the UWG. The court refused to grant injunctive relief in that case on the grounds that the GDPR does not allow competitors to claim infringements of data protection law – only the data subjects and, under certain conditions, non-profit bodies can do this. The court concluded that, “the EU legislature did not intend to extend a similar possibility to competitors of an infringer.”
Case details:
Date: 08/07/2018
Court: Regional Court Bochum
Chamber: 12th Civil Chamber
Type of decision: Partial default and final judgment
Docket: I-12 O 85/18
ECLI: ECLI:DE:LGBO:2018:0807.I12O85.18.00
A decision of September 13, 2018 (LG Würzburg, Beschluss v. 13.09.2018 – 11 O 1741/18 UWG) also relates to a claim for injunctive relief