GDPR Articles With Commentary & EU Case Laws - Adv. Prashant Mali
- Author: Adv. Prashant Mali
Art. 89 GDPR Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, shall be subject to appropriate safeguards, in accordance with this Regulation, for the rights and freedoms of the data subject. Those safeguards shall ensure that technical and organisational measures are in place in particular in order to ensure respect for the principle of data minimisation. Those measures may include pseudonymisation provided that those purposes can be fulfilled in that manner. Where those purposes can be fulfilled by further processing, which does not permit or no longer permits the identification of data subjects, those purposes shall be fulfilled in that manner.
Where personal data are processed for scientific or historical research purposes or statistical purposes, Union or Member State law may provide for derogations from the rights referred to in Articles 15, 16, 18 and 21 subject to the conditions and safeguards referred to in paragraph 1 of this Article in so far as such rights are likely to render impossible or seriously impair the achievement of the specific purposes, and such derogations are necessary for the fulfillment of those purposes.
Where personal data are processed for archiving purposes in the public interest, Union or Member State law may provide for derogations from the rights referred to in Articles 15, 16, 18, 19, 20 and 21 subject to the conditions and safeguards referred to in paragraph 1 of this Article in so far as such rights are likely to render impossible or seriously impair the achievement of the specific purposes, and such derogations are necessary for the fulfilment of those purposes.
Where processing referred to in paragraphs 2 and 3 serves at the same time another purpose, the derogations shall apply only to processing for the purposes referred to in those paragraphs.
Suitable Recitals
Processing for archiving, scientific or historical research or statistical purposes; (157) Information from registries and scientific research; (158) Processing for archiving purposes; (159) Processing for scientific research purposes; (160) Processing for historical research purposes; (161) Consenting to the participation in clinical trials; (162) Processing for statistical purposes; (163) Production of European and national statistics.
COMMENTARY:
Subject to appropriate safeguards, and provided that there is no risk of breaching the privacy of the data subject, Member States may restrict the data subject's rights to access, rectification, restriction of processing and to object when it comes to the processing of their personal data for scientific, historical or statistical purposes.
Article 89(1) acknowledges that controllers may process data for these purposes where appropriate safeguards are in place (see section on lawfulness of processing and further processing and sensitive data and lawful processing). Where possible, controllers are required to fulfill these purposes with data which does not permit, or no longer permits, the identification of data subjects; if anonymisation is not possible, pseudonymization should be used, unless this would also prejudice the purpose of the research or statistical process.
Article 89(2) allows Member States and the EU to further legislate to provide derogations from data subject rights to access, rectification, erasure, restriction and objection (subject to safeguards as set out in Article 89(1)) where such rights “render impossible or seriously impair” the achievement of these specific purposes, and derogation is necessary to meet those requirements.
The recitals add further detail on how “scientific research”, “historical research” and “statistical purposes” should be interpreted. Recital 159 states that scientific research should be “interpreted in a broad manner” and includes privately funded research, as well as studies carried out in the public interest. In order for processing to be considered statistical in nature, Recital 162 says that the result of processing should not be “personal data, but aggregate data” and should not be used to support measures or decisions regarding a particular individual.
The Directive already provided various exemptions from the principles of protection for processing for historical, statistical or scientific purposes. For example, Article 6 already provided that such processing was not deemed incompatible with various initial purposes, subject to safeguards under national law. Under the same condition, the data could also be stored longer than necessary for the initial purpose or even for a purpose deemed to be compatible. Still with appropriate safeguards, Article 11 (2) provided an exemption from the obligation to notify data subjects about processing for such purposes if the notification to the data subject would be impossible or would imply disproportionate effort or if the legislation explicitly provided for data recording or communication.
Subject to adequate legal safeguards, in particular that the data are not used for taking measures or decisions regarding any particular individual, Member States might, where there is clearly no risk of breaching the privacy of the data subject, restrict by a legislative measure the rights provided for in Article 12 when data are processed solely for purposes of scientific research or are kept in a personal form for a period which does not exceed the period necessary for the sole purpose of creating statistics (Article 13 (2)).
Art. 90 GDPR Obligations of secrecy
Member States may adopt specific rules to set out the powers of the supervisory authorities laid down in points (e) and (f) of Article 58(1) in relation to controllers or processors that are subject, under Union or Member State law or rules established by national competent bodies, to an obligation of professional secrecy or other equivalent obligations of secrecy where this is necessary and proportionate to reconcile the right of the protection of personal data with the obligation of secrecy. Those rules shall apply only with regard to personal data which the controller or processor has received as a result of or has obtained in an activity covered by that obligation of secrecy.
Each Member State shall notify to the Commission the rules adopted pursuant to paragraph 1, by 25 May 2018 and, without delay, any subsequent amendment affecting them.
Suitable Recitals
Professional or other equivalent secrecy obligations.
COMMENTARY:
Member States may create their own rules in relation to controllers or processors that are subject to obligations of professional secrecy. Member States that adopt such rules must inform the Commission. This Article allows Member States to introduce specific rules to safeguard “professional” or “equivalent secrecy obligations” where supervisory authorities are empowered to have access to personal data or premises. These rules must “reconcile the right to protection of personal data against the obligations of secrecy”, and can only apply to data received or obtained under such obligation. Again, Member States must notify the Commission of any laws introduced under this Article by the time the GDPR enters into force, and must also notify it of any amendments.
Art. 91 GDPR Existing data protection rules of churches and religious associations
Where in a Member State, churches and religious associations or communities apply, at the time of entry into force of this Regulation, comprehensive rules relating to the protection of natural persons with regard to processing, such rules may continue to apply, provided that they are brought into line with this Regulation.
Churches and religious associations which apply comprehensive rules in accordance with paragraph 1 of this Article shall be subject to the supervision of an independent supervisory authority, which may be specific, provided that it fulfills the conditions laid down in Chapter VI of this Regulation.
Suitable Recitals
No prejudice of the status of churches and religious associations.
COMMENTARY:
Where, in a Member State, churches and religious associations or communities impose rules regarding the processing of personal data, such rules may continue to apply, provided that they are brought into line with the provisions of the GDPR. Churches and religious associations that impose such rules are subject to the oversight of the relevant DPA.
This Article protects “comprehensive” existing rules for churches, religious associations and communities where these are brought into line with the GDPR’s provisions. Such entities will still be required to submit to the control of an independent supervisory authority under the conditions of Chapter VI (see section on co-operation and consistency between supervisory authorities).
* * *
CHAPTER 10: DELEGATED ACTS AND IMPLEMENTING ACTS
Art. 92 GDPR Exercise of the delegation
The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in this Article.
The delegation of power referred to in Article 12(8) and Article 43(8) shall be conferred on the Commission for an indeterminate period of time from 24 May 2016.
The delegation of power referred to in Article 12(8) and Article 43(8) may be revoked at any time by the European Parliament or by the Council. A decision of revocation shall put an end to the delegation of power specified in that decision. It shall take effect the day following that of its publication in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.
As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council.
A delegated act adopted pursuant to Article 12(8) and Article 43(8) shall enter into force only if no objection has been expressed by either the European Parliament or the Council within a period of three months of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by three months at the initiative of the European Parliament or of the Council.
Suitable Recitals
Delegated acts of the Commission; (167) Implementing powers of the Commission; (168) Implementing acts on standard contractual clauses; (169) Immediately applicable implementing acts; (170) Principle of subsidiarity and principle of proportionality.
COMMENTARY:
In order to fulfill the objectives of this Regulation, namely to protect the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data and to ensure the free movement of personal data within the Union, the power to adopt acts in accordance with Article 290 TFEU should be delegated to the Commission. In particular, delegated acts should be adopted in respect of criteria and requirements for certification mechanisms, information to be presented by standardized icons and procedures for providing such icons. It is of particular importance that the Commission carries out appropriate consultations during its preparatory work, including at expert level.
The Commission, when preparing and drawing-up delegated acts, should ensure a simultaneous, timely and appropriate transmission of relevant documents to the European Parliament and to the Council. In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission when provided for by this Regulation. Those powers should be exercised in accordance with Regulation (EU) No 182/2011. In that context, the Commission should consider specific measures for micro, small and medium-sized enterprises.
The examination procedure should be used for the adoption of implementing acts on standard contractual clauses between controllers and processors and between processors; codes of conduct; technical standards and mechanisms for certification; the adequate level of protection afforded by a third country, a territory or a specified sector within that third country, or an international organization; standard protection clauses; formats and procedures for the exchange of information by electronic means between controllers, processors and supervisory authorities for binding corporate rules; mutual assistance; and arrangements for the exchange of information by electronic means between supervisory authorities, and between supervisory authorities and the Board.
The Commission should adopt immediately applicable implementing acts where available evidence reveals that a third country, a territory or a specified sector within that third country, or an international organization does not ensure an adequate level of protection, and imperative grounds of urgency so require.
Art. 93 GDPR Committee procedure
The Commission shall be assisted by a committee. That committee shall be a committee within the meaning of Regulation (EU) No 182/2011.
Where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply.
Where reference is made to this paragraph, Article 8 of Regulation (EU) No 182/2011, in conjunction with Article 5 thereof, shall apply.
COMMENTARY:
Let’s recall that several provisions of the Regulation grant implementing competency to the Commission concerning, for example, approval of codes of conduct (Article 40 (9)); the definition of technical standards for the certification mechanisms (Article 43 (9)); decisions relating to the adequate nature of the level of protection in a non-EU third country (Article 44 (3)); the