7. The History of the General Data Protection Regulation
• In 1995, the European Data protection Directive (Directive 95/46
CE) on the protection of individuals with regard to the processing
of personal data and on the free movement of these data was
adopted.
• For the first time, a definition of «personal data» was provided:
«any information relating to an identified or identifiable natural
person; an identifiable person is one who can be identified,
directly or indirectly, in particular by reference to an identification
number or to one or more factors specific to his physical,
physiological, mental, economic, cultural or social identity»
• The Directive specified the meaning of processing data, with a
broad definition: «any operation or set of operations which is
performed upon personal data, whether or not by automatic
means, such as collection, recording, organization, storage,
adaptation or alteration, retrieval, consultation, use, disclosure by
transmission, dissemination or otherwise making available,
alignment or combination, blocking, erasure or destruction»
8. The History of the General Data Protection Regulation
• In 2011, the European Data Protection Supervisor published
an Opinion on the European Commission Communication,
entitled «a comprehensive approach on the personal data
protection in EU»
• In 2012, the European Commission proposed a comprehensive reform of Directive 95/46 to strengthen online privacy rights, and the European Data Protection Supervisor adopted an opinion on the Commission's data protection reform package.
• In 2014, the European Parliament supported the new
regulation on data protection and in 2015 an agreement was
reached by the European Parliament, the Council and the
Commission.
• In 2016, the Regulation (EU) 2016/679 (GDPR) on the
protection of natural persons with regard to the processing
of personal data and on the free movement of such data was
published and entered into force from 24th May 2016.
• From 25th May 2018, the GDPR started to apply.
9. General Data Protection Regulation
The General Data Protection Regulation (EU) 2016/679
The same law and the same text for all the member States
Approved on May 2016 – Came into force on May 2018
It is applicable also to non-European entities where they offer products or services to, or monitor the behaviour of, European citizens (e.g. Google Maps, Facebook, Instagram, etc.)
10. GDPR - a common framework
• The difference between the Directive and the GDPR is that the GDPR does not require implementation into the national legal framework by the Member States. The Directive, by contrast, only sought to harmonise the protection of the fundamental rights and freedoms of natural persons.
• So, the GDPR is a common framework in all the Member States, without any differences.
• The most important aims of GDPR are:
- to promote the protection of personal data of natural persons both in the Community and
in the external context
- to update the legislation on data protection in Europe with a common framework that can be adapted more readily to the technological and sociological scenario.
• «In order to prevent creating a serious risk of circumvention, the protection of
natural persons should be technologically neutral and should not depend on the
techniques used ». (Whereas 15).
11. GDPR - a common framework
• The recitals (the "Whereas" clauses) set out the most relevant purposes of the GDPR.
The protection of natural persons in relation to the processing of personal data is a fundamental right.
• Article 8(1) of the Charter of Fundamental Rights of the European Union (the ‘Charter’) and Article 16(1) of the Treaty on the Functioning of the
European Union (TFEU) provide that everyone has the right to the protection of personal data concerning him or her.
Article 8:
«1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid
down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
3. Compliance with these rules shall be subject to control by an independent authority.»
Article 16:
«1. Everyone has the right to the protection of personal data concerning them.
2. The European Parliament and the Council, acting in accordance with the ordinary legislative procedure, shall lay down the rules relating to the
protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States
when carrying out activities which fall within the scope of Union law, and the rules relating to the free movement of such data. Compliance with these
rules shall be subject to the control of independent authorities.
The rules adopted on the basis of this Article shall be without prejudice to the specific rules laid down in Article 39 of the Treaty on European Union.»
12. The scope of GDPR
• The GDPR applies to the processing of personal data wholly or partly by automated means and to the processing
other than by automated means of personal data which form part of a filing system or are intended to form part
of a filing system.
• Only to the processing of personal data of natural persons.
• To the processing of personal data in the context of the activities of an establishment of a Controller or a
Processor in the Union, regardless of whether the processing takes place in the Union or not.
• To the processing of personal data of data subjects who are in the Union by a controller or processor not
established in the Union, where the processing activities are related to:
1. the offering of goods or services, irrespective of whether a payment of the data subject is required, to such
data subjects in the Union;
2. the monitoring of their behaviour as far as their behaviour takes place within the Union.
13. The scope of GDPR
The processing of personal data should be designed to serve mankind.
But the right to the protection of personal data is not an absolute
right: it must be balanced against other fundamental rights, in
accordance with the principle of proportionality.
The GDPR respects all fundamental rights and observes the freedoms
and principles, specifically:
- the respect for private and family life, home and communications;
- the freedom of expression and information;
- the freedom to conduct a business;
- the right to an effective remedy and to a fair trial, and cultural, religious and linguistic diversity.
The GDPR does not apply to issues of protection of fundamental rights
and freedoms or the free flow of personal data related to activities
which fall outside the scope of Union law, such as activities concerning
national security.
Member States may, as far as necessary for coherence and for making
the national provisions comprehensible to the persons to whom they
apply, incorporate elements of the Regulation 679/2016 into their
national law.
14. Definitions
Article 4 of the GDPR provides the most important definitions:
Personal data: any information relating to an identified or identifiable natural person ("the data subject"); for instance, a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity.
Data subject: the identified or identifiable natural person, who can be identified directly or indirectly, whose personal data is being collected, held or processed.
Processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.
15. Definitions
• There are special categories of personal data, including the
personal data that reveal:
1. racial or ethnic origin;
2. political opinions;
3. religious or philosophical beliefs;
4. trade union membership;
Or:
1. genetic data, biometric data;
2. concerning health or a natural person's sex life or sexual
orientation.
3. data relating to criminal convictions and offences.
Another category consists of anonymous information: information that does not relate to an identified or identifiable person, or personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. The GDPR does not apply to the processing of anonymous information, including for statistical or research purposes.
16. Principles relating to processing of personal data
• Lawfulness, fairness and transparency: personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject. The data subject must be informed about the processing of these data and its purposes. Processing shall be lawful only if and to the extent that at least one of the conditions provided by Article 6 of the GDPR applies.
• Purpose limitation: personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
• Data minimisation: personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
17. Principles relating to processing of personal data
• Accuracy: personal data shall be accurate and, where necessary, kept up to date.
• Storage limitation: personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
• Integrity and confidentiality: personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
18. The principle of accountability
The GDPR introduced a new principle to data protection, that of accountability.
Controllers and processors have to
take responsibility for their
processing activities and for how
they comply with data protection
principles and they must be able
to demonstrate compliance.
Being responsible for compliance
means being proactive and
organised about data protection,
while demonstrating compliance
is the ability to present evidence
of the steps taken to comply.
19. Consent
• Processing of personal data is lawful only under one of the six legal bases provided by Article 6 of the GDPR.
• The first condition is CONSENT. The data subject has to give his or her consent to the
processing of personal data for one or more specific purposes.
What does consent mean? And what are the GDPR requirements ?
Consent of the data subject means “any freely given, specific, informed and unambiguous
indication of the data subject’s wishes by which he or she, by a statement or by a clear
affirmative action, signifies agreement to the processing of personal data relating to him or her”.
So, the consent must:
1. be freely given;
2. be specific;
3. be informed;
4. be unambiguous.
The controller shall be able to demonstrate that the data
subject has consented to processing of his or her personal
data.
The data subject shall have the right to withdraw his or her
consent at any time. The withdrawal of consent shall not
affect the lawfulness of processing based on consent
before its withdrawal.
20. Other legal bases
• Contractual performance: the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
• Legal obligation: the processing is necessary for
compliance with a legal obligation to which the controller
is subject.
• Vital interest: the processing is necessary in order to
protect the vital interests of the data subject or of another
natural person.
• Public interest or acting under official public authority:
the processing is necessary for the performance of a task
carried out in the public interest or in the exercise of
official authority vested in the controller.
• Legitimate interest: processing is necessary for the
purposes of the legitimate interests pursued by the
controller or by a third party, except where such interests
are overridden by the interests or fundamental rights and
freedoms of the data subject which require protection of
personal data, in particular where the data subject is a
child.
21. What are the rights of the data subject?
• the right of access: the data subject shall have the right to obtain from the controller confirmation as to whether or not
personal data concerning him or her are being processed
• the right to rectification: the data subject shall have the right to obtain from the controller without undue delay the
rectification of inaccurate personal data concerning him or her.
• the right to erasure: the data subject shall have the right to obtain from the controller the erasure of personal data
concerning him or her without undue delay.
• the right to restrict processing: the data subject shall have the right to obtain from the controller restriction of processing,
in case of lack of accuracy, when the processing is unlawful, and when the controller no longer needs the personal data for
the purposes of the processing.
• the right to data portability: the data subject shall have the right to receive the personal data concerning him or her, which
he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to
transmit those data to another controller without hindrance from the controller to which the personal data have been
provided.
• the right to object to processing: the data subject shall have the right to object, on grounds relating to his or her particular
situation, at any time to processing of personal data
• the rights in relation to automated decision making and profiling: the data subject shall have the right not to be subject to a
decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or
similarly significantly affects him or her.
22. The right to be informed
There is a need for transparency regarding the gathering and use of
data in order to allow EU citizens to exercise their right to the
protection of personal data.
The GDPR acknowledges to individuals the right to be informed about
the collection and use of their personal data, which leads to a variety
of information obligations by the controller.
There are two cases:
1. Where data is obtained directly, the data subject must be
immediately informed, at the time the data is obtained. In
terms of content, the Controller’s obligation to inform includes
his or her identity, the contact data of the Data Protection
Processor (if available), the processing purposes and the legal
basis, any legitimate interests pursued, the recipients when
transmitting personal data, and any intention to transfer
personal data to third countries.
2. If personal data is not obtained from the data subject, he or she must be provided with the information within a reasonable period of time, but within one month at the latest. In cases where the gathered information is used to contact the data subject directly, he or she has the right to be informed immediately upon being approached. As far as content is concerned, the controller has to provide the same specific information as if the personal data had been obtained directly from the data subject.
23. The obligations of Controller
The data Controller determines the purposes for which, and the means by which, personal data is processed. The Controller also determines the nature of the processing, its storage and the categories of data involved.
The Controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that
processing is performed in accordance with this Regulation.
Indeed, taking into account the nature, scope, context and purposes of processing, the Controller shall implement appropriate
technical and organisational measures, such as pseudonymization and data minimization.
Pseudonymization consists of substituting the identity of the data subject in such a way that additional information is required to re-identify the data subject. It is different from anonymization, which consists of irreversibly destroying any way of identifying the data subject.
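The distinction above, pseudonymization (reversible with separately held additional information) versus anonymization (irreversible), as an added example that is not part of the original slides. The records, the HMAC-based token scheme and the class names are constructed for illustration; the keyed token and the token-to-identifier lookup stand in for the "additional information" the definition refers to.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample records (not from the slides): order rows carrying a direct
# identifier (email) plus attributes an analytics team may legitimately need.
SAMPLE_RECORDS: List[dict] = [
    {"email": "alice@example.org", "city": "Milan", "age": 34, "total": 120.0},
    {"email": "bob@example.org", "city": "Rome", "age": 41, "total": 75.5},
    {"email": "alice@example.org", "city": "Milan", "age": 34, "total": 30.0},
]


class Pseudonymiser:
    """Replace the direct identifier with a keyed token.

    The secret key and the token -> identifier lookup are the 'additional
    information' that must be kept separately: whoever holds them can
    re-identify the subject, whoever holds only the pseudonymised rows cannot.
    A keyed HMAC is used instead of a plain hash because an unkeyed hash of a
    small identifier space (email addresses) could be reversed by guessing.
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        self._key = key if key is not None else secrets.token_bytes(32)
        self._lookup: Dict[str, str] = {}  # token -> original identifier

    def token(self, identifier: str) -> str:
        mac = hmac.new(self._key, identifier.strip().lower().encode(), hashlib.sha256)
        return mac.hexdigest()[:16]

    def pseudonymise(self, record: dict) -> dict:
        # Same subject -> same token, so rows can still be linked for analytics
        # without exposing the identifier itself.
        out = dict(record)
        identifier = out.pop("email")
        tok = self.token(identifier)
        self._lookup[tok] = identifier
        out["subject_token"] = tok
        return out

    def reidentify(self, token: str) -> Optional[str]:
        # Only possible for the party holding the lookup (the 'additional information').
        return self._lookup.get(token)


def anonymise(record: dict) -> dict:
    """Irreversible: drop the identifier and generalise the quasi-identifier.

    The age is coarsened to a 10-year band so the remaining row no longer
    relates to an identifiable person; nothing kept allows re-identification.
    """
    band_start = (record["age"] // 10) * 10
    return {
        "city": record["city"],
        "age_band": f"{band_start}-{band_start + 9}",
        "total": record["total"],
    }


def pseudonymise_dataset(records: List[dict], key: bytes) -> List[dict]:
    """Pseudonymise a whole dataset with one key; the lookup stays with the caller."""
    p = Pseudonymiser(key)
    return [p.pseudonymise(r) for r in records]


if __name__ == "__main__":
    demo_key = secrets.token_bytes(32)
    for row in pseudonymise_dataset(SAMPLE_RECORDS, demo_key):
        print("pseudonymised:", row)
    for row in SAMPLE_RECORDS:
        print("anonymised:   ", anonymise(row))
```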
The Controller shall maintain a record of processing activities under its responsibility, for instance: the purposes of the processing; a
description of the categories of data subjects and of the categories of personal data; where applicable, transfers of personal data to a
third country or an international organisation, including the identification of that third country or international organization etc.
24. The role of the Data Processor
The data processor processes
personal data only on behalf of the
controller.
Where processing is to be carried out on
behalf of a Controller, the Controller shall
use only Processors providing sufficient
guarantees to implement appropriate
technical and organisational measures in
such a manner that processing will meet
the requirements of this Regulation and
ensure the protection of the rights of the
data subject.
Processing by a Processor shall be
governed by a contract or other legal act
under Union or Member State law, that is
binding on the processor with regard to the
Controller and that sets out the subject-
matter and duration of the processing, the
nature and purpose of the processing, the
type of personal data and categories of
data subjects and the obligations and rights
of the controller.
The Processor and any person acting under
the authority of the controller or of the
processor, who has access to personal data,
shall not process those data except on
instructions from the Controller.
25. What does DATA BREACH mean?
Personal data breach means a breach of security leading to the accidental
or unlawful destruction, loss, alteration, unauthorised disclosure of, or
access to, personal data transmitted, stored or otherwise processed.
In case of data breach, the controller should communicate to the data
subject, without undue delay, where that personal data breach is likely to
result in a high risk to the rights and freedoms of the natural person in
order to allow him or her to take the necessary precautions.
The communication should describe the nature of the personal data
breach as well as recommendations for the natural person concerned to
mitigate potential adverse effects. Such communications to data subjects
should be made as soon as reasonably feasible and in close cooperation
with the supervisory authority, respecting guidance provided by it or by
other relevant authorities such as law-enforcement authorities.
Indeed, the Controller shall notify the personal data breach to the supervisory authority not later than 72 hours after becoming aware of it (unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons).
26. The role of DPO
• The controller and the processor shall designate a data protection officer in
any case where:
1. the processing is carried out by a public authority or body;
2. the processing operations require regular and systematic monitoring of data subjects on a large scale;
3. the processing on a large scale involves special categories of data.
The data protection officer shall have these tasks:
1. to inform and advise the Controller or the Processor and the employees
who carry out processing of their obligations pursuant to this
Regulation and to other Union or Member State data protection
provisions;
2. to monitor compliance with this Regulation, with other Union or
Member State data protection provisions and with the policies of the
controller or processor in relation to the protection of personal data;
3. to provide advice where requested;
4. to cooperate with the supervisory authority.
27. The role of the Data Protection Authority
Each Member State shall provide for one or more independent public
authorities to be responsible for monitoring the application of GDPR, in order to
protect the fundamental rights and freedoms of natural persons in relation to
processing and to facilitate the free flow of personal data within the Union.
• Each supervisory authority shall act with complete independence in
performing its tasks and exercising its powers.
• Member States shall provide for each member of their supervisory authorities
to be appointed by means of a transparent procedure by:
- their Parliament;
- their Government;
- their head of State; or
- an independent body entrusted with the appointment under Member State
law
Each member shall have the qualifications, experience and skills, in particular in the area of the protection of personal data, required to perform their duties and exercise their powers.
28. Cooperation, mutual assistance and consistency
Each supervisory authority shall contribute to the consistent application of this
Regulation throughout the Union. For that purpose, the supervisory authorities shall
cooperate with each other and the Commission.
• Supervisory authorities shall provide each other with relevant information and
mutual assistance in order to implement and apply this Regulation in a consistent
manner, and shall put in place measures for effective cooperation with one
another.
• Mutual assistance shall cover, in particular, information requests and supervisory
measures, such as requests to carry out prior authorizations and consultations,
inspections and investigations.
The supervisory authorities shall cooperate with each other and, where relevant, with
the Commission, through the consistency mechanism.
This mechanism should in particular apply where a supervisory authority intends to
adopt a measure intended to produce legal effects as regards processing operations
which substantially affect a significant number of data subjects in several Member
States. It should also apply where any supervisory authority concerned or the
Commission requests that such matter should be handled in the consistency
mechanism. The mechanism should be without prejudice to any measures that the
Commission may take in the exercise of its powers under the Treaties
29. The role of the EDPB
The European Data Protection
Board is established as a body
of the Union, shall have legal
personality and shall act
independently when
performing its tasks.
The Board shall ensure the consistent
application of GDPR. Some of the
relevant tasks of the Board are:
• advise the Commission on any issue
related to the protection of personal
data in the Union, including on any
proposed amendment of the
Regulation;
• advise the Commission on the format
and procedures for the exchange of
information between controllers,
processors and supervisory authorities
for binding corporate rules;
• issue guidelines, recommendations, and
best practices on procedures for erasing
links, copies or replications of personal
data from publicly available
communication services;
• examine, on its own initiative, on
request of one of its members or on
request of the Commission, any
question covering the application of the
Regulation and issue guidelines,
recommendations and best practices in
order to encourage consistent
application of the Regulation
30. Data protection and copyright
How can data protection be balanced against the right to information, in order to protect copyright?
The problem of legitimately restricting the right to the protection of personal data in order to protect intellectual property rights arises in particular with the disclosure mechanism: certain intermediaries disclose to copyright holders the personal data of third parties, previously collected by them for the provision of their services, so that the holders can see the violations committed against them.
Examples of violations are:
1. File-sharing networks
2. Peer-to-peer
In order to be able to fully exercise their right of defence, the holders of intellectual property rights need to obtain contact information relating to offenders, information that is held by the providers of connectivity services and/or the hosting providers.
31. Data protection and copyright
The main issue is whether the transfer of this category of data to the copyright holders
is lawful without the express consent of the data subjects.
Or would the transfer simply amount to unauthorised and unlawful processing of personal data?
On one hand, disclosure of data for the identification of infringers could be considered
as a transfer to third parties without a legal basis; on the other hand, in the absence of
such information, the other subjects may remain unprotected without the possibility
to end the violations and obtaining compensation for the economic damages suffered.
Is there a right to information that takes precedence over the protection of personal data?
32. Data protection and copyright
• The Article 6 of the Directive 2004/48/EC on the enforcement of intellectual
property rights, provides:
1. Member States shall ensure that, on application by a party which has presented
reasonably available evidence sufficient to support its claims, and has, in
substantiating those claims, specified evidence which lies in the control of the
opposing party, the competent judicial authorities may order that such evidence be
presented by the opposing party, subject to the protection of confidential
information. For the purposes of this paragraph, Member States may provide that a
reasonable sample of a substantial number of copies of a work or any other
protected object be considered by the competent judicial authorities to constitute
reasonable evidence.
2. Under the same conditions, in the case of an infringement committed on a
commercial scale Member States shall take such measures as are necessary to enable
the competent judicial authorities to order, where appropriate, on application by a
party, the communication of banking, financial or commercial documents under the
control of the opposing party, subject to the protection of confidential information.
33. Data protection and copyright
The Article 8 of the Directive 2004/48/EC on the enforcement of intellectual property rights,
entitled «Right to information» states:
1. Member States shall ensure that, in the context of proceedings concerning an
infringement of an intellectual property right and in response to a justified and proportionate
request of the claimant, the competent judicial authorities may order that information on
the origin and distribution networks of the goods or services which infringe an intellectual
property right be provided by the infringer and/or any other person who:
(a) was found in possession of the infringing goods on a commercial scale;
(b) was found to be using the infringing services on a commercial scale;
(c) was found to be providing on a commercial scale services used in infringing activities; or
(d) was indicated by the person referred to in point (a), (b) or (c) as being involved in the production, manufacture or distribution of the goods or the provision of the services.
34. Data protection and copyright
Type of information:
(a) the names and addresses of the producers,
manufacturers, distributors, suppliers and other
previous holders of the goods or services, as well as
the intended wholesalers and retailers;
(b) information on the quantities produced, manufactured, delivered, received or ordered, as well as the price obtained for the goods or services in question.
But this provision shall apply without prejudice to other statutory provisions which "govern the protection of confidentiality of information sources or the processing of personal data".
35. Data protection and copyright
• On the other hand, Article 23 of the GDPR, entitled «Restrictions», provides that Union or Member State law may restrict the data subject's rights when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard, among others:
(d) the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;
(i) the protection of the data subject or the rights and freedoms of others;
(j) the enforcement of civil law claims.
36. Data protection and copyright
Peppermint case law - 2003
In 2006, the German record label Peppermint Jam Records GmbH sent out 3,636 notices of copyright infringement to alleged Italian file-sharers, informing them that they had been found guilty of uploading copyrighted songs.
Peppermint had watched over consumers in their personal use of the Internet, with the help of their providers, and managed to obtain users' data by monitoring their movements.
In these notices Peppermint invited the users to pay compensation for the damage caused by the copyright infringement.
The Italian consumer association consulted the Supervisory Authority, condemning the procedures through which Peppermint had collected users' data (IP addresses), i.e. without any consent of the users.
The final judgement stated that the data collected, and the way in which they were obtained, were unlawful.
37. Data protection and copyright
• Stichting Brein vs Ziggo BV, XS4ALL Internet BV case-law 2017
• Stichting Brein is a foundation governed by Netherlands Law,
whose main purpose is to combat the illegal exploitation of subject
matter protected by copyright and related rights, and to protect in
that area the interests of the holders of those rights.
• Ziggo BV and XS4ALL Internet BV (‘XS4ALL’), are companies
governed by Netherlands law whose activity consists, inter alia, in
providing consumers with an internet service.
• Stichting Brein asked that access by the recipients of the Ziggo and XS4ALL Internet BV services to the internet addresses of the website of TPB, a peer-to-peer file-sharing engine, be blocked. The application was based on the fact that the recipients, using those services, commit large-scale copyright infringements by sharing files containing protected subject matter (mainly music and films) without the authorization of the copyright holders.
• The Supreme Court of the Netherlands noted, however, that the Court's case-law did not make it possible to answer with any certainty the question whether the online sharing platform TPB constituted a communication to the public within the meaning of Article 3(1) of Directive 2001/29, in particular:
– by creating and maintaining a system in which internet users connect with each other in order to be able to share, in segments, works present on their own computers;
– by operating a website from which users can download torrent files which refer to segments of those works; and
– by indexing the torrent files placed online on this website and by categorising them in such a way that the segments of those underlying works can be located and the users can download those works (as a whole) onto their computers.
• The CJEU answered the request of the Court of the Netherlands, clarifying that the peer-to-peer tools used by the TPB website fall under the concept of communication to the public.
• By peer-to-peer tools is meant a sharing platform which, by means of indexation of metadata relating to protected works and the provision of a search engine, allows users to locate those works and to share them.
• Article 3
• 1. Member States shall provide authors with the
exclusive right to authorise or prohibit any
communication to the public of their works, by wire
or wireless means, including the making available to
the public of their works in such a way that members
of the public may access them from a place and at a
time individually chosen by them.
• 2. Member States shall provide for the exclusive
right to authorise or prohibit the making available to
the public, by wire or wireless means, in such a way
that members of the public may access them from a
place and at a time individually chosen by them:
• (a) for performers, of fixations of their
performances;
• (b) for phonogram producers, of their
phonograms;
• (c) for the producers of the first fixations of
films, of the original and copies of their films;
• (d) for broadcasting organisations, of fixations of
their broadcasts, whether these broadcasts are
transmitted by wire or over the air, including by
cable or satellite.