DATA PROTECTION LAW AND REGULATION
DATA PROTECTION CONCEPTS
1. PERSONAL DATA
● Any information relating to an identified or identifiable natural person (a living
individual): the ‘data subject’.
● An identifiable natural person is one who can be identified, or is identifiable, directly or
indirectly, in particular by reference to an identifier such as a name, an identification
number, location data, an online identifier or to one or more factors specific to the
identity of that natural person. The term is defined in Art. 4 (1).
● In practice this covers any data that is, or can be, linked to a person in any way. For
example, a person’s telephone, credit card or personnel number, account data, number
plate, appearance, customer number or address are all personal data.
● The term ‘personal data’ is the gateway to the application of the General Data Protection
Regulation (GDPR): the Regulation applies only if the processing concerns personal data.
● ‘Personal data’ is interpreted broadly: working times, test results, opinions and
creditworthiness assessments are all covered.
● The information must refer to a living natural person.
2. SENSITIVE PERSONAL DATA
● Recital 51 - Personal data which are, by their nature, particularly sensitive in relation to
fundamental rights and freedoms merit specific protection as the context of their
processing could create significant risks to the fundamental rights and freedoms. The
processing of photographs should not systematically be considered to be processing of
special categories of personal data as they are covered by the definition of biometric data
only when processed through a specific technical means allowing the unique
identification or authentication of a natural person.
● Article 9(1) - Processing of personal data revealing racial or ethnic origin, political
opinions, religious or philosophical beliefs, or trade union membership, and the processing
of genetic data, biometric data for the purpose of uniquely identifying a natural person,
data concerning health or data concerning a natural person’s sex life or sexual orientation
shall be prohibited, unless one of the exceptions in Art. 9(2) applies (for example the
explicit consent of the data subject).
3. PSEUDONYMOUS AND ANONYMOUS DATA
● Personal data that has been de-identified, encrypted or pseudonymised but can be used to
re-identify a person remains personal data and falls within the scope of the GDPR.
● Recital 26 - Personal data that has been rendered anonymous in such a way that the
individual is not or no longer identifiable is no longer considered personal data. For data
to be truly anonymised, the anonymisation must be irreversible.
● The principles of data protection should apply to any information concerning an
identified or identifiable natural person. Personal data which have undergone
pseudonymisation, which could be attributed to a natural person by the use of additional
information should be considered to be information on an identifiable natural person.
● To determine whether a natural person is identifiable, account should be taken of all the
means reasonably likely to be used, such as singling out, either by the controller or by
another person to identify the natural person directly or indirectly.
● To ascertain whether means are reasonably likely to be used to identify the natural
person, account should be taken of all objective factors, such as the costs of and the
amount of time required for identification, taking into consideration the available
technology at the time of the processing and technological developments.
● The principles of data protection should therefore not apply to anonymous information,
namely information which does not relate to an identified or identifiable natural person or
to personal data rendered anonymous in such a manner that the data subject is not or no
longer identifiable. This Regulation does not therefore concern the processing of such
anonymous information, including for statistical or research purposes.
4. PROCESSING
● The General Data Protection Regulation (GDPR) offers a uniform, Europe-wide framework
for so-called ‘commissioned data processing’: the collection, processing or use of personal
data by a processor on the instructions of the controller, under a contract.
● The rules on commissioned data processing apply as soon as the processing is connected
to the activities of an establishment within the EU (Art. 3(1)).
● It is therefore sufficient that either the controller or the processor operates an
establishment in the EU and the processing takes place in the context of its activities.
● In a controller-processor relationship, the processor may process personal data only on
the documented instructions of the controller (Art. 28(3)(a)).
● The processor may not engage another processor (a sub-processor) for a specific contract
without the prior specific or general written authorisation of the controller. Under a
general authorisation, the processor must inform the controller of any intended changes
concerning the addition or replacement of sub-processors, so that the controller can object.
● Art. 28(3) GDPR sets out the minimum content of the processing contract.
● The contract must specify, among other things, the type of personal data to be processed,
the categories of data subjects, and the subject matter, duration, nature and purpose of the
processing.
● The processor has further obligations of its own. For example, under Art. 30(2) the
processor must maintain a record of the processing activities carried out on behalf of each
controller, including the name and contact details of each controller it works for and the
categories of processing carried out for each. Where applicable, the record must also
include transfers of personal data to third countries and, where possible, a general
description of the technical and organisational security measures.
● When selecting a processor, the controller must use only processors providing sufficient
guarantees that they have implemented appropriate technical and organisational measures
so that the processing meets the requirements of the Regulation (Art. 28(1)).
● In principle, the controller is the first point of contact for the data subject and is
responsible for ensuring that the processing complies with the legal requirements.
● This does not mean, however, that the processor is free of liability. Under Art. 82 GDPR,
where both are involved in the same processing, controller and processor are jointly and
severally liable to the data subject.
● Article 82(1) - Any person who has suffered material or non-material damage as a result
of an infringement of this Regulation shall have the right to receive compensation from the
controller or processor for the damage suffered.
● The processor’s liability is, however, limited by Art. 82(2) to damage caused where it has
not complied with obligations of the Regulation specifically directed to processors, or
where it has acted outside or contrary to the lawful instructions of the controller. Both
parties may exculpate themselves under Art. 82(3) by proving that they are not in any way
responsible for the event giving rise to the damage.
5. CONTROLLER
● A person or body which, alone or jointly with others, determines the purposes and means
of the processing of personal data (Art. 4(7)).
● Article 24- Taking into account the nature, scope, context and purposes of
processing as well as the risks of varying likelihood and severity for the rights and
freedoms of natural persons, the controller shall implement appropriate technical and
organisational measures to ensure and to be able to demonstrate that processing is
performed in accordance with this Regulation. Those measures shall be reviewed and
updated where necessary.
● Where proportionate in relation to processing activities, the measures referred to in
paragraph 1 shall include the implementation of appropriate data protection policies by
the controller.
● Adherence to approved codes of conduct as referred to in Article 40 or approved
certification mechanisms as referred to in Article 42 may be used as an element by which
to demonstrate compliance with the obligations of the controller.
● Article 25 - Taking into account the state of the art, the cost of implementation and
the nature, scope, context and purposes of processing as well as the risks of varying
likelihood and severity for rights and freedoms of natural persons posed by the
processing, the controller shall, both at the time of the determination of the means for
processing and at the time of the processing itself, implement appropriate technical and
organisational measures, such as pseudonymisation, which are designed to implement
data-protection principles, such as data minimisation, in an effective manner and to
integrate the necessary safeguards into the processing in order to meet the requirements
of this Regulation and protect the rights of data subjects.
● Article 25(2) (data protection by default) - The controller shall implement appropriate
technical and organisational measures for ensuring that, by default, only personal data
which are necessary for each specific purpose of the processing are processed.
● That obligation applies to the amount of personal data collected, the extent of their
processing, the period of their storage and their accessibility. In particular, such measures
shall ensure that by default personal data are not made accessible without the individual’s
intervention to an indefinite number of natural persons.
● An approved certification mechanism pursuant to Article 42 may be used as an element
to demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this
Article.
● Article 26 - Where two or more controllers jointly determine the purposes and means of
processing, they shall be joint controllers.
● They shall in a transparent manner determine their respective responsibilities for
compliance with the obligations under this Regulation, in particular as regards the
exercising of the rights of the data subject and their respective duties to provide the
information referred to in Articles 13 and 14, by means of an arrangement between them
unless, and in so far as, the respective responsibilities of the controllers are determined by
Union or Member State law to which the controllers are subject. The arrangement may
designate a contact point for data subjects.
● The arrangement referred to in paragraph 1 shall duly reflect the respective roles and
relationships of the joint controllers vis-à-vis the data subjects. The essence of the
arrangement shall be made available to the data subject.
● Irrespective of the terms of the arrangement referred to in paragraph 1, the data subject
may exercise his or her rights under this Regulation in respect of and against each of the
controllers.
● Article 27 - Where Article 3(2) applies (a controller or processor not established in the
Union offering goods or services to, or monitoring the behaviour of, data subjects in the
Union), the controller or the processor shall designate in writing a representative in the
Union, except where:
● the processing is occasional,
● does not include, on a large scale, processing of special categories of data as referred to in
Article 9(1), or