GDPR Articles With Commentary & EU Case Laws - Adv. Prashant Mali (bill gates book recommendations .TXT) 📗
- Author: Adv. Prashant Mali
Book online «GDPR Articles With Commentary & EU Case Laws - Adv. Prashant Mali (bill gates book recommendations .TXT) 📗». Author Adv. Prashant Mali
processing by the latter in its capacity as recipient of those data. National law required the transfer of data necessary to certify that the person concerned qualifies as an insured person to CNAS. However, these do not include data relating to income, since the law recognises the right of persons without a taxable income as qualifying as insured. Thus, the national law cannot constitute “prior information” under Article 10 of Directive 95/46 (information requirement where data collected from the data subject), enabling the controller to dispense with his obligation to inform the data subject of the recipients of the income data, and the transfer therefore violated Article 10.
Article 11 (information requirement where data not collected from the data subject) requires that specified information be provided to the data subject, including the categories of data concerned and the existence of the rights of access and rectification. Thus, the data subjects should have been informed of the processing by CNAS and categories of data concerned, but CNAS did not so inform them. The Protocol between the two agencies does not establish rules for derogating from this requirement, either under Article 11 or 13 of the Directive.
Derogations: Article 13(1)(e) and (f) provide exceptions for important economic or financial interest of a Member State and monitoring, inspection or regulatory function, respectively. However, Article 13 expressly requires that such restrictions are imposed by legislative measures. Here, however, the transfer was made on the basis of a protocol between the two authorities, which is not a legislative measure, and is not subject to an official publication. Thus, the conditions of Article 13 were not complied with.
C-230/14, WELTIMMO S.R.O. V. NEMZETI ADATVEDELMI ES INFORMACIOSZABADSAG HATOSAG (HUNGARIAN DPA), 1.10.15
(“WELTIMMO”)
Reference for a preliminary ruling by the Kuria (Hungary). The applicant, a Slovakian company with no registered office or branch in Hungary (but which carries out no activity where it has its registered office, in Slovakia), runs a website in Hungarian concerning Hungarian properties, with respect to which it processes the personal data of the advertisers. The advertisements are free of charge for one month but thereafter a fee is payable. Many advertisers sent a request by e-mail for deletion of their advertisements and their personal data following the one month period. The applicant did not delete the data and charged the interested parties for its services. These amounts were not paid, so the applicant forwarded the personal data of the advertisers to debt collection agencies. The advertisers lodged a complaint with the Hungarian DPA, which decided that the collection of the data constituted processing, and imposed a fine on the applicant for infringement of the Hungarian data protection law.
Questions referred: (1) Whether Article 28(1) of Directive 95/46 can be interpreted as meaning that the provisions of national law of a Member State are applicable in
its territory to a situation where the controller runs a property dealing website established only in another Member State and advertises properties in the territory of the first Member State and the property owners have forwarded their personal data to a facility for storage and data processing belonging to the operator of the website in that other Member State; (2) Whether Article 4(1)(a) (and other provisions) of Directive 95/46 can be interpreted as meaning that the Hungarian DPA may not apply Hungarian data protection law to an operator of a property dealing website established only in another Member State, even though it advertises Hungarian property whose owners transfer the data relating to such property probably from Hungarian territory to a server and processing belonging to the operator of the website; (3) Whether it is significant that the service provided by the controller of the website is directed at the territory of another Member State; (4) Whether it is significant that the data relating to the properties in the other Member State and the personal data of the owners are uploaded from the territory of the other Member State; (5) Whether it is significant that the personal data relating to those properties are that of citizens of another Member State; (6) Whether it is significant that the owners of the undertaking established in Slovakia live in Hungary; (7) Whether the Hungarian DPA can only exercise the powers provided by Article 28(3) of Directive 95/46 in accordance with the provisions of the national law of the establishment and accordingly not impose a fine.
Definition of processing: The operation of loading personal data on an internet page constitutes processing.
Establishment of the controller: Article 4(1)(a) of Directive 95/46 permits application of data protection law of a Member State other than the Member State in which the controller is registered, insofar as that controller exercises, through stable arrangements in the territory of that Member State, a real and effective activity, even minimal, in the context of which the processing is carried out. To establish whether the controller has an establishment in that Member State, both the degree of stability of the arrangements and the effective exercise of activities in the other Member State must be interpreted in light of the specific nature of the economic activities and provision of services concerned, particularly for undertakings offering services exclusively over the internet. The presence of only one representative can suffice to constitute a stable arrangement if he/she acts with a sufficient degree of stability through the presence of the necessary equipment for provision of the specific services concerned in the Member State. Further, the concept of “establishment” extends to any real and effective activity, even a minimal one, exercised through stable arrangements.
Here, the activity of the controller consists in the running of property dealing websites concerning properties in Hungary and written in Hungarian and thus pursues a real and effective activity in Hungary. Further, it has a representative in Hungary responsible for recovering the debts resulting from that activity and representing the controller in administrative and judicial proceedings relating to the processing of the data concerned. It has a bank account in Hungary intended for the
recovery of debts and uses a letter box in Hungary for the management of everyday affairs. That is capable of establishing the existence of an “establishment”.
The processing is done in the context of the activities, which Weltimmo pursues in Hungary. Thus Hungarian data protection law would apply with respect to that processing. (By contrast the nationality of the persons concerned by such data processing is irrelevant.)
DPA powers: In the event that the Hungarian DPA should consider that Weltimmo has an establishment not in Hungary, but in another Member State, then in accordance with Article 28(4), it may exercise its powers conferred under Article 28(3) only within its own territory, and it may, irrespective of the applicable law and before even knowing which national law is applicable, thereby investigate the complaint. If it becomes apparent that it is the law of another Member State that applies, that DPA cannot impose penalties outside the territory of its own Member State. In fulfillment of the duty of cooperation laid down in Article 28(6), it requests the DPA of that Member State to establish an infringement of its national law and impose penalties if that law permits, based on the information which the first DPA has transmitted to second DPA. The second DPA may also find it necessary to carry out other investigations, on the instructions of the first DPA.
C-362/14, SCHREMS V. DATA PROTECTION COMMISSIONER, 6.10.2015 (“SCHREMS”)
Reference for a preliminary ruling by the Irish High Court. The applicant, an Austrian national residing in Austria, was a user of Facebook since 2008, for which he had concluded a contract with Facebook Ireland, a subsidiary of Facebook Inc. located in the USA. Some or all of Facebook Ireland’s users data of users who reside in the EU is transferred to the servers in the USA of Facebook Inc. and further processed. The applicant asked the defendant to prohibit Facebook Ireland from transferring his personal data to the USA, which does not ensure adequate protection against the surveillance activities engaged in there by public authorities, in particular the NSA. Defendant rejected the complaint on grounds that there was no evidence that it had been accessed by the NSA and that the Commission decision 2000/520 had found that the USA ensures an adequate level of protection in the Safe Harbor program.
Questions referred: (1) In the course of determining a complaint made to a national DPA that personal data is being transferred to a third country (the USA) the laws and practices of which, it is claimed, do not contain adequate protections for the dt subject, whether that office holder is bound by the EU finding to the contrary in Decision 2000/520, having regard to Articles 7, 8 and 47 CFR, and the provisions of Article 25(6) of Directive 95/46 notwithstanding; (2) Whether the DPA may and/or must conduct his/her own investigation of the matter in the light of factual developments in the meantime since that Commission decision was first published.
Independence of DPA: The Directive seeks to ensure an effective, complete, and high level of protection of the fundamental rights and freedoms of natural persons. The guarantee of a DPA’s independence is intended to ensure effectiveness and reliability of the monitoring of compliance, and is an essential component of data protection. DPAs powers extend to their own Member State, but not to processing in third countries. However, DPAs are responsible for monitoring transfers from a Member State to a third country, as the transfer is processing carried out in the Member State.
An adequacy decision adopted by the Commission pursuant to Article 25(6) of Directive 95/46 is addressed to the Member States, which must take the necessary measures to comply with it. Until the Commission decision is declared invalid by the ECJ, it has legal effect in the Member States. However, it cannot eliminate or reduce the powers of the DPA accorded by Article 8(3) of the CFR, and therefore cannot prevent data subjects whose personal data has been transferred from lodging a claim pursuant to Article 28(4) with the DPA, alleging that an adequate level of protection is not ensured in that third country, which in essence challenges the validity of the Commission’s adequacy decision. But the ECJ alone has jurisdiction to declare that the decision is invalid; neither the DPA nor a national court may do so. The latter must refer the claim to the ECJ for a preliminary ruling to examine the validity of the Commission decision.
Article 3 of Decision 2000/520 lays down specific rules regarding DPA’s powers in light of a Commission adequacy finding (to suspend data flows to self-certified US organisations under restrictive conditions establishing a high threshold for intervention). It excludes the possibility of DPA’s taking action to ensure compliance with Article 25 (adequacy), in particular, it denies DPAs powers which they derive from Article 28 to consider a data subject claim which puts into question whether a Commission adequacy decision is compatible with protection of privacy and fundamental rights and freedoms of individuals. This goes beyond the power conferred on the Commission in Article 25(6). Thus, Article 3 is invalid.
Adequate level of protection: The word “adequate” in Article 25(6) signifies that a third country cannot be required to ensure a level of protection identical to that guaranteed by the EU legal order. However, it requires the third country to ensure, by reason of its domestic law or international commitments, a level of protection of fundamental rights and freedoms essentially equivalent to that guaranteed by the EU by virtue of Directive 95/46 read in light of the CFR, otherwise that protection could be easily circumvented by transfers. Thus, the legal order of the third country covered by a Commission adequacy decision must have means to ensure protection essentially equivalent to that guaranteed within the EU. When examining the level of protection afforded by a third country, the
Comments (0)