GDPR Articles With Commentary & EU Case Laws, Adv. Prashant Mali [books to read as a couple .txt] 📗
- Author: Adv. Prashant Mali
Book online «GDPR Articles With Commentary & EU Case Laws, Adv. Prashant Mali [books to read as a couple .txt] 📗». Author Adv. Prashant Mali
Google: The non-compliant nature of processing may arise from a breach of any conditions of lawfulness imposed by the directive, including data quality and legitimacy. Here, the grounds for legitimacy were those in Article 7(f), which permits processing where necessary for the purposes of the legitimate interests pursued by the controller or third party to whom the data are disclosed, except where such interests are overridden by the interests or fundamental rights of the data subject, requiring a balancing of interests. The balancing provided in Article 14 allows account to be taken of all circumstances surrounding data subject’s particular situation.
Interest of the data subject: search of an individual’s name enables any internet user to obtain through a list of results a structured overview of the information relating to the data subject that can be found on the internet, potentially concerning a vast number of aspects of his private life and which, without the search engine, could not have been interconnected or only with great difficulty, therefore enabling a detailed profile. The interference with the rights of the data subject are heightened because of the important role played by the internet and search engines in modern society.
Interests of search engine: These are economic interests, which cannot justify the potential seriousness of the interference with the data subject ‘s rights.
Interests of internet users: The data subject’s rights generally override those of internet users, but the balance may depend on the nature of the information in question and its sensitivity for the data subject’s private life and on the interest of the public in having that information, which may vary by the role played by the data subject in public life. The interference may be justified by the preponderant interests of the general public in having access to the information.
ESTABLISHMENT OF THE CONTROLLER
Google: Google Spain, a subsidiary of Google Inc. on Spanish territory, is an “establishment” within the meaning of Article 4(1)(a) because it engages in the effective and real exercise of activity through stable arrangements in Spain.
The processing of personal data by the controller is also “carried out in the context of the activities” of an establishment, even though Google Spain is not involved in the processing at issue (carried out exclusively by Google Inc.) but rather only in advertising in Spain. Article 4(1)(a) does not require that the processing in question be carried out “by” the establishment concerned, but only “in the context of the activities” of the establishment. In light of objective of effective protection of fundamental rights, those words cannot be interpreted restrictively. The activities of the search engine and those of its establishment in the Member State are inextricably linked since the activities relating to the advertising space constitute the means of rendering the search engine economically profitable and that engine is the means enabling those activities to be performed.
Weltimmo: Article 4(1)(a) of Directive 95/46 permits the application of data protection law of a Member State other than the Member State in which the controller is registered, insofar as that controller exercises, through stable arrangements in the territory of that Member State, a real and effective activity, even minimal, in the context of which the processing is carried out. To establish whether the controller has an establishment in that Member State, both the degree of stability of the arrangements and the effective exercise of activities in the other Member State must be interpreted in light of the specific nature of the economic activities and provision of services concerned, particularly for undertakings offering services exclusively over the internet. The presence of only one representative can suffice to constitute a stable arrangement if he/she acts with a sufficient degree of stability through the presence of the necessary equipment for the provision of the specific services concerned in the Member State. Further, the concept of “establishment” extends to any real and effective activity, even a minimal one, exercised through stable arrangements.
Here, the activity of the controller consists in the running of property dealing websites concerning properties in Hungary and written in Hungarian and thus pursues a real and effective activity in Hungary. Further, it has a representative in Hungary responsible for recovering the debts resulting from that activity and representing the controller in administrative and judicial proceedings relating to the processing of the data concerned. It has a bank account in Hungary intended for the recovery of debts and uses a letter box in Hungary for the management of everyday affairs. That is capable of establishing the existence of an “establishment”.
The processing is done in the context of the activities, which Weltimmo pursues in Hungary. Thus Hungarian data protection law would apply with respect to that processing. (By contrast the nationality of the persons concerned by such data processing is irrelevant.)
INDEPENDENCE OF DPA
Germany: Independence normally means a status, which ensures that the body concerned can act completely freely, without taking any instructions or being put under any pressure. There is nothing to indicate that the requirement of independence concerns exclusively the relationship between the supervisory authorities and the bodies subject to that supervision. The adjective "complete" implies a decision-making power independent of any direct or indirect external influence on the supervisory authority. The guarantee of independence of DPAs is intended to ensure the effectiveness and reliability of the supervision of compliance with data protection provisions, to strengthen the protection of individuals and bodies affected by their decisions. DPAs must act impartially and must remain free from any external influence, including that of the State or Lander. Independence precludes not only any influence exercised by supervised bodies, but also any directions or other external influence which could call into question the performance of those authorities of their task consisting of establishing a fair balance between the protection of the right to private life and the free movement of personal data.
State scrutiny in principle allows the government of the respective Land to influence the decision of the supervisory authority or cancel and replace those decisions. This is not consistent with the principle of independence.
Austria: By failing to take all measures necessary to ensure that the Austrian national legislation meets the requirement of independence with regard to the DSK, Austria has failed to fulfill its obligations under the second subparagraph of Article 28(1) of Directive 95/46 and Article 8(3) of the Charter of Fundamental Rights of the EU and Article 16(2) TFEU. The establishment in Member States of independent supervisory authorities is thus an essential component of the protection of individuals with regard to the processing of personal data.
The words “with complete independence” must be given an autonomous interpretation. Supervisory authorities must enjoy an independence with allows them to perform their duties free from external influence, direct or indirect, which is
liable to have an effect on their decisions. The fact that the DSK has functional independence insofar as its members are “independent and [are not] bound by instructions of any kind in the performance of their duties” is an essential, but not sufficient, condition to protect it from all external influence.
Here, the national legislation provides only for the operational autonomy of the supervisory authority, but does not preclude the DSK from performing its duties free from all indirect influence, for the following reasons:
The managing member of the DSK need not always be an official of the Federal Chancellery (although it always has been), and all day-to-day business is thus de facto managed by a federal official, who remains bound by the instructions issued by his employer and is subject to supervision. It is conceivable that the evaluation of the managing member by his hierarchical superior for the purposes of encouraging his promotion could lead to a form of “prior compliance”. Moreover, the Chancellery is subject to the supervision of the DSK, so the DSK is not above all suspicion of partiality. The service-related link between the managing member of the DSK and the Chancellery affects the DSK's independence. The fact that the appointment of the managing member rests on an autonomous decision of the DSK does not protect the independence;
The office of the DSK is structurally integrated with the departments of the Federal Chancellery, and all DSK staff are under the authority of the Federal Chancellery and subject to its supervision. The DSK need not be given a separate budget to satisfy the criterion of independence. The DPA may come under a specified ministerial department. However, the attribution of the necessary equipment and staff to DPAs must not prevent them from acting with complete independence. Here, since they are subject to supervision by the Chancellery, it is not compatible with the requirement of independence.
The Federal Chancellor has the right to be informed of all aspects of the work of the DSK. This precludes the DSK from operating above all suspicion of partiality.
Hungary: Establishment in Member States of independent supervisory authorities is an essential component of the protection of individuals with regard to the processing of personal data. Operational independence of supervisory authorities, in that members are not bound by instructions of any kind in the performance of their duties, is an essential condition that must be met to respect the independence requirement, but this is not sufficient. The mere risk that the state could exercise political influence over decisions of supervisory authorities is enough to hinder independence. If it were permissible for the Member State to compel the supervisory authority to vacate office before serving full term, even if this comes about as a result of restructuring or changing of the institutional model, the threat of such premature termination could lead the supervisory authority to enter into a form of prior compliance with the political authority, which is incompatible with the requirement of independence, and the supervisory cannot be regarded as being able to operate above all suspicion of partiality. Member States are free to adopt or amend the institutional model they consider most appropriate for supervisory authorities. However, they must ensure that the independence of the authority is not compromised, which entails the obligation to allow that authority to serve its full term.
Schrems: The Directive seeks to ensure an effective, complete, and high level of protection of the fundamental rights and freedoms of natural persons. The guarantee of the DPA’s independence is intended to ensure effectiveness and reliability of the monitoring of compliance, and is an essential component of data protection.
DPA POWERS
Weltimmo: In the event that the Hungarian DPA should consider that Weltimmo has an establishment not in Hungary, but in another Member State, then in accordance with Article 28(4), it may exercise its powers conferred under Article 28(3) only within its own territory, and it may, irrespective of the applicable law and before even knowing which national law is applicable, thereby investigate the complaint. If it becomes apparent that it is the law of another Member State that applies, that DPA cannot impose penalties outside the territory of its own Member State. In fulfillment of the duty of cooperation laid down in Article 28(6), it requests the DPA of that Member State to establish an infringement of its national law and impose penalties if
Comments (0)