Privacy in a Human Rights and Social Justice Context
UIA Madrid Seminar (17-04-15)
1. GDPR: Material scope, what’s new?
Esfera Legal Victor Roselló Mallol
www.esferalegal.cat
Pau Claris 144, 1º, 08009 Barcelona | Tel: 93 434 44 48
Paseo de la Castellana, 179, Ascensor C, 1ª planta, 28046 Madrid | Tel: 91 286 56 95
Share it:
#UIAdata
@vic_rosello
@esfera_legal
2. What IS Personal Data?
Any information: regardless of its nature (subjective
and objective; not only true information); its content
(not only intimate data) and its format (paper or
computer).
Relating to: content, purpose OR result.
Identified or identifiable: by all reasonable means.
Natural person: regardless of country of residence;
living persons; legal persons only in Italy, Austria and
Luxembourg.
Spain: NOT legal persons and contact details of such
legal persons even if they are natural persons.
3. Current Directive Case Law
Rechnungshof vs Österreichischer Rundfunk.
20.05.03: Scope does not depend on whether
processing of PD has a connection with free
movement between MS.
Lindqvist, 6.11.03: loading PD on an Internet site
is processing by automated means.
Nikolaou vs Commission. 12.09.07: personal
information in a press release is PD.
Huber vs Germany. 16.12.08: Art. 3 (2) excludes
processing of PD concerning public security,
defense and criminal activities.
4. Current Directive Case Law
Markus Schecke GbR v. Land Hessen. 9.11.10: legal
persons can claim protection under art. 7 and 8 CFR only if
official title of legal person identifies the natural person.
Under art. 8 no principle justifies exclusion of activities of
professional nature from the notion of private life.
Worten-Equipamentos para o Lar SA vs ACT. 30.05.13: PD
contained in working time records, relating to working and
rest periods, is personal data.
Google Spain SL vs AEPD 13.05.14: Search engine
activities constitute processing of personal data. It collects,
retrieves, records and organizes.
Schwarz vs Bochum. 17.10.14: fingerprints constitute PD.
Rynes vs Urad pro ochranu osobnich udaju. 11.12.14: image
of a person recorded by a camera, constitutes PD.
5. DP Definition GDPR vs Directive
“… any information relating to an identified or
identifiable natural person (“data subject”); and
an identifiable person is one who can be identified,
directly or indirectly, in particular by reference to an
identifier such as a name, an identification
number, location data, unique
identifier, or to one or more factors specific to
the physical, physiological, genetic, mental,
economic, cultural or social or gender
identity of that person.”
6. Scope GDPR vs Directive
Art. 2 GDPR: This Regulation applies to the
processing of personal data wholly or partly by
automated means, irrespective of the
method of processing, and to the
processing other than by automated means of
personal data which form part of a filing system or
are intended to form part of a filing system.
‘Filing system' means any structured set of personal
data which are accessible according to specific
criteria, whether centralized, decentralized or
dispersed on a functional or geographical basis;
7. Household exemption
Art. 2.2 d) and Recital 15: GDPR does not apply to
processing of data, exclusively personal, family-
related, or domestic, such as correspondence and
the holding of addresses or a private sale and without
any connection with a professional or commercial
activity. It does apply to DC and DP which provide the
means for such processing.
8. ECJ preliminary ruling 11/12/14
Czech citizen installs a fixed camera, without real
time view, to protect his house and family.
The camera recorded the entrance of his home,
the public footpath and the entrance to the
opposite house.
Household exemption must be “narrowly
construed”.
Processing of data must be carried out purely for
personal or household purposes.
When public space is also monitored, the household
exemption does not apply.
9. What about…
Legal persons…GDPR does not apply.
Individuals representing legal persons… “content”, “purpose”
and “result” criteria should apply.
Unborn and dead…genetic data?
Anonymous data…GDPR does not apply.
Pseudonymous data…no significant impact on DS interests,
unless the pseudonymous data might be related to a DS.
IP, cookies, RFID tags…within GDPR scope, unless they do not
relate to an identified or identifiable natural person.