GDPR Articles With Commentary & EU Case Laws, Adv. Prashant Mali [books to read as a couple .txt] 📗
- Author: Adv. Prashant Mali
Book online «GDPR Articles With Commentary & EU Case Laws, Adv. Prashant Mali [books to read as a couple .txt] 📗». Author Adv. Prashant Mali
SECURITY
Worten: Article 17(1) requires controllers (not Member States) to adopt technical and organizational measures which, having regard to the state of the art and cost of their implementation, are to ensure a level of security appropriate to the risks represented. The obligation under national law to provide the national authority responsible for monitoring working conditions with immediate access to the record of working time does not imply that the data must be made accessible to persons not authorised for that purpose (as Worten claimed). Rather, Worten must ensure that only those persons duly authorised to access the personal data in question are entitled to respond to a request for access from a third party. Thus, Article 17(1) is not relevant here.
DEROGATIONS
Englebert: The activity of a body such as IPI (a professional body responsible for ensuring compliance with the rules governing the profession of estate agent which is a regulated profession in Belgium, through investigating and reporting breaches of those rules) corresponds to “the prevention, investigation, detection and prosecution of criminal offences, or of breaches of ethics for regulated professions” and is capable of coming under that exception. The directive does not prevent such a professional body from having recourse to private investigators. Thus, if a Member State has chosen to implement the exception, then the professional body and private detectives may rely on it and are not subject to the obligation to inform the data subject. However, if the Member State has not implemented the exception, the data subjects must be informed.
Rules on access to a regulated profession form part of the rules of professional ethics, therefore investigations concerning the acts of persons who breach those rules by passing themselves off as estate agents are covered by the exception in Article 13(1)(d).
Bara: Article 13(1)(e) and (f) provide exceptions for important economic or financial interest of a Member State and monitoring, inspection or regulatory function, respectively. However, Article 13 expressly requires that such restrictions are imposed by legislative measures. Here, however, the transfer from the Member State tax authority to the health insurance authority on the data subject’s declared income was made on the basis of a protocol between the two authorities, which is not a legislative measure, and is not subject to an official publication. Thus, the conditions of Article 13 were not complied with.
NON-CONTRACTUAL LIABILITY
Nikolaou: The normal rule is that the burden of proof is on the applicant to establish: i) the illegal action of an institution; ii) damages; iii) proof that the damages were caused by the illegal action of the institution. However, the burden of proof shifts to the institution when a fact giving rise to damages could have resulted from various causes, and the institution has not introduced any element of proof as to which was the true cause, even though it was best placed to do so. The Court concluded that the OLAF staff member leaked information (including PD) to a journalist, which were published, and OLAF’s press release confirmed the veracity of facts (including PD) that had been mentioned in several press articles.
A violation of Regulation 45/2001 qualifies as an illegal act of an institution conferring rights on an individual. The objective of the Regulation is to confer such rights on data subjects.
A leak of personal data is necessarily a grave and manifest violation. The Director has a margin of appreciation on prevention, but here no showing was made regarding the exercise of the margin.
OLAF gravely and manifestly exceeded the limits of its discretion in the application of Article 5(a) and (e), which was sufficient to engage the responsibility of the Community.
3000 euros damages were awarded.
V: 5000 euros material damages, 20.000 moral prejudice, were awarded.
RIGHTS
INFORMATION
Bara: The requirement of fair processing laid down in Article 6 of Directive 95/46 requires a public administrative body to inform the data subjects of the transfer of their data to another public administrative body for the purpose of their processing by the latter in its capacity as recipient of those data. National law required the transfer of data necessary to certify that the person concerned qualifies as an insured person to CNAS. However, these do not include data relating to income, since the law recognises the right of persons without a taxable income as qualifying as insured. Thus, the national law cannot constitute “prior information” under Article 10 of Directive 95/46 (information requirement where data is collected from the data subject), enabling the controller to dispense with his obligation to inform the data subject of the recipients of the income data, and the transfer therefore violated Article 10.
Article 11 (information requirement where data is not collected from data subject) requires that specified information be provided to the data subject, including the categories of data concerned and the existence of the rights of access and rectification. Thus, the data subjects should have been informed of the processing by CNAS and of the categories of data concerned, but CNAS did not so inform them. The Protocol between the two agencies does not establish grounds for derogating from this requirement, either under Article 11 or 13 of the Directive.
ACCESS
Rijkeboer: The right of access is necessary to enable the data subject to exercise his other rights (rectification, blocking, erasure, and notify recipients of same; object to processing or request damages). The right must of necessity relate to the past, otherwise the data subject would not be in a position effectively to exercise his right to have data presumed unlawful or incorrect rectified, erased or blocked or to bring legal proceedings and obtain compensation for damages. Member States have some freedom of action in implementing the Directive, but it is not unlimited. Setting of a time limit on the right of access must allow the data subject to exercise his rights. It is for the Member States to fix a time limit for storage of information on the recipients and the content of the data disclosed, and to provide access to that information which constitutes a fair balance between the interest of the data subject in exercising his rights and the burden on the controller to store that information. In the present case, limiting storage of information on recipients and content to one year, while the basic data is stored much longer, does not constitute a fair balance, unless it can be shown that longer storage would constitute an excessive burden.
M: Regarding the right of access, protection of the fundamental right to respect for private life means that the person may be certain that the personal data concerning him are correct and that they are processed lawfully. It is in order to carry out the necessary checks that the data subject has, under Article 12(a), a right of access, which is necessary to obtain rectification, erasure or blocking of his data (Article 12(b)). The legal analysis is not in itself liable to be the subject of a check of its accuracy by the applicant and rectification, while the facts are. Moreover, the right of access is not designed to ensure the greatest possible transparency of the decision- making process of public authorities and to promote good administrative practices (as is the case for the right of access to documents).
To comply with the right of access under Article 12(a) and Article 8(2) of CFR, it is sufficient for the applicant to be provided with a full summary of those data in an intelligible form, that is, a form which allows him to become aware of those data and to check that they are accurate and processed in compliance with the Directive. He need not be given a copy of the documents.
X: Article 12(a) of Directive 95/46 does not require Member States to levy fees when the right of access to personal data is exercised, nor does it prohibit the levying of such fees as long as they are not excessive. Access must be without constraint, without excessive delay and without excessive expense. The fees should be fixed at a level which constitutes a fair balance between, on the one hand, the interest of the data subject in protecting his privacy, in particular his right to have the data communicated to him in an intelligible form, and on the other, the burden which the obligation to communicate such data represents for the controller. The fees may not be fixed at a level likely to constitute an obstacle to the exercise of the right of access, and it should not exceed the cost of communicating such data.
ERASURE
Google: A supervisory authority or judicial authority may order a search engine operator to remove a link from a list of results without presupposing the previous or simultaneous removal of the underlying information from the web page on which it was published. Requiring the data subject to obtain erasure from web pages would not provide effective and complete protection of the data subject, especially because publishers may not be subject to EU data protection law or publication may be carried out “solely for journalistic purposes” and thus benefit from the derogation. Further, balancing would be different for processing by a search engine and processing by a web publisher.
The search engine operator must erase the information and links concerned in the list of results if that information appears, having regard to all circumstances of the case, to be inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes of the processing at issue carried out by the operator of the search engine. Here, having regard to the sensitivity for the data subject’s private life of the information contained in announcements and the fact that initial publication occurred 16 years before, the data subject has established that the links should be removed.
RIGHTS
PROTECTION OF PROPERTY AND AN EFFECTIVE REMEDY
Promusicae: The requirements of protection of different fundamental rights must be reconciled,
Comments (0)