Adequacy Decision
An adequacy decision is a decision by the European Commission that a non-EU country’s data protection laws provide an adequate level of protection for personal data that is transferred from the EU to that country.
Anonymisation / Pseudonymisation
Anonymisation: The process by which personal data is irreversibly altered in such a way that an individual can no longer be identified, directly or indirectly. Once data is truly anonymous, the GDPR does not apply (Recital 26 GDPR).
Pseudonymisation: Pseudonymisation means replacing the identifying characteristics of data with a pseudonym, in other words a value that does not allow the individual to be directly identified. It differs from anonymisation in that, in many cases, it still allows identification through indirect identifiers.
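An added example (not part of the original glossary) that shows the difference in code: a keyed pseudonym keeps records linkable and reversible for whoever holds the key and lookup table, while the indirect identifiers left behind can still single a person out; anonymisation drops and coarsens those fields and produces no way back. The records, key and field names are constructed for the demonstration.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records; the people and addresses are invented.
RECORDS = [
    {"email": "alice@example.com", "age": 34, "postcode": "1010", "item": "shoes"},
    {"email": "bob@example.org", "age": 31, "postcode": "8010", "item": "hat"},
    {"email": "alice@example.com", "age": 34, "postcode": "1010", "item": "coat"},
    {"email": "carol@example.net", "age": 38, "postcode": "1010", "item": "bag"},
]
QUASI_IDENTIFIERS = ("age", "postcode")  # indirect identifiers


def pseudonymise(records, key: bytes):
    """Replace the direct identifier (email) with a keyed pseudonym.

    The same email always yields the same pseudonym, so records stay linkable,
    and whoever holds the key plus the lookup table can re-identify them.
    A keyed HMAC is used rather than a bare hash: e-mail addresses are
    guessable, so an unkeyed hash could be reversed by hashing candidates.
    Indirect identifiers are left untouched, which is why this is not anonymisation.
    """
    lookup = {}
    out = []
    for r in records:
        pid = hmac.new(key, r["email"].encode(), hashlib.sha256).hexdigest()[:16]
        lookup[pid] = r["email"]
        out.append({"pid": pid, **{k: v for k, v in r.items() if k != "email"}})
    return out, lookup


def reidentify(pseudo_records, lookup):
    """Reverse pseudonymisation with the separately held lookup table."""
    return [{"email": lookup[r["pid"]], **{k: v for k, v in r.items() if k != "pid"}}
            for r in pseudo_records]


def min_group_size(records, quasi_ids=QUASI_IDENTIFIERS):
    """k-anonymity check: the smallest number of records sharing one combination
    of indirect identifiers. A value of 1 means someone can be singled out."""
    counts = Counter(tuple(r[q] for q in quasi_ids) for r in records)
    return min(counts.values())


def anonymise(records):
    """Irreversible: drop the direct identifier, suppress the postcode and
    generalise age to a 10-year band. No lookup table is produced."""
    out = []
    for r in records:
        low = (r["age"] // 10) * 10
        out.append({"age_band": f"{low}-{low + 9}", "item": r["item"]})
    return out
```

With these records the pseudonymised set still has a group size of 1 on (age, postcode), so it remains personal data; the anonymised set no longer isolates anyone.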
California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act (CCPA) is a 2018 California regulation that focuses on protecting consumer data rights for California residents. These rights include the right to know about the personal information businesses are collecting, the right to obtain the data collected, and the right to delete the information provided (with some exceptions). The CCPA is comparable to the GDPR.
Controller & Processor
Under the EU General Data Protection Regulation (GDPR), the controller and the processor are two key roles in the processing of personal data.
The controller is any entity that determines the purposes and means of the processing of personal data. In other words, the controller decides why and how personal data should be processed, and is responsible for ensuring that the processing is done in compliance with the GDPR.
The processor is any entity that processes personal data under the controller’s instructions. Like most service providers, JENTIS is a processor and JENTIS’ customers are controllers under the GDPR. This means that JENTIS must maintain appropriate security measures, process data only in accordance with the instructions of the customer and assist the customer in meeting its GDPR obligations, but the customer still bears the primary responsibility for compliance.
The controller and processor have distinct responsibilities under the GDPR, and are required to have a Data Processing Agreement in place that sets out the terms of their relationship, including the obligations and responsibilities of each party regarding the protection of personal data. The contract should address, among other things, the purpose and duration of the processing, the types of personal data involved, and the security measures that must be taken to protect the data.
Data Breach
A data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, data. Breaches may be the result of accidental or deliberate causes. A data breach is not limited to personal data.
Data Minimisation
Only the minimum amount of personal data necessary to accomplish a specific purpose should be collected. Personal data must not be collected just in case it might become useful in the future. There must be a clear, specified need for collecting the personal data.
Data Processing Agreement
A legally binding contract (required under GDPR Article 28 Section 3) that states the rights and obligations of the data processor and data controller concerning the protection of personal data.
Data Protection Impact Assessment (DPIA)
A method of identifying and addressing privacy risks in compliance with data protection laws.
Data Protection Officer (DPO)
A data protection officer (DPO) is a role within an organisation responsible for ensuring compliance with data protection laws and regulations. Specifically, a DPO’s primary responsibility is to monitor and advise the organisation on its data protection obligations and to act as a point of contact between the organisation and data protection authorities and individuals whose personal data is processed by the organisation.
Under the General Data Protection Regulation (GDPR), organisations operating within the European Union (EU) or processing personal data of individuals in the EU are required to appoint a DPO.
The role of a DPO may include tasks such as providing advice and guidance on data protection matters, monitoring compliance with data protection laws and policies, conducting data protection impact assessments, and serving as a point of contact for data subjects and data protection authorities. The DPO should also be independent and report directly to senior management to ensure their autonomy in carrying out their duties.
Data Sovereignty
Data sovereignty refers to a group’s or individual’s right to control and maintain their own data, which includes the collection, storage, and interpretation of that data.
Data Subject Rights
Data Subject: identified or identifiable natural person from whom or about whom information is collected. A company or organisation cannot be a data subject.
A data subject has rights under the GDPR that aim to protect their privacy and right to self-determination. The GDPR is built around requirements on organisations that use personal data (controllers and processors) to protect the rights of the data subjects.
Data Transfers to Third Countries
Data transfers to third countries refer to the transfer of personal data from the European Union (EU) or the European Economic Area (EEA) to countries outside of these regions.
European Data Protection Board (EDPB)
The EDPB is the European Data Protection Board. It is an independent body that promotes cooperation between data protection authorities in the European Union.
European Data Protection Supervisor (EDPS)
The European Data Protection Supervisor (EDPS) is an independent supervisory authority established by the EU. Its objective is to ensure that the EU treats personal data fairly and protects the privacy of individuals. The EDPS is responsible for monitoring the EU’s handling of personal data, including ensuring that the EU complies with the provisions of the GDPR. The EDPS also provides guidance on data protection issues and promotes public awareness of data protection rights and obligations.
ePrivacy Directive
The ePrivacy Directive of the European Parliament and of the Council currently governs the privacy rights that apply to electronic communications technology and content. It was amended in 2009, is legally binding on all EU member states and requires local implementation.
Among many requirements, the legislation mandates websites obtain consent before placing cookies for marketing purposes.
EU-US Data Transfers
The situation regarding data transfers between the European Union (EU) and the United States (US) is complex and evolving, with several legal mechanisms in place for transferring personal data between the two regions.
The EU’s General Data Protection Regulation (GDPR) requires that personal data transferred outside of the EU is subject to appropriate safeguards to ensure a level of protection equivalent to that provided by the GDPR. One such mechanism for data transfers is the use of standard contractual clauses (SCCs), which are pre-approved contractual clauses that can be used to govern the transfer of personal data.
However, in July 2020, the European Court of Justice invalidated the EU-US Privacy Shield, which was a framework that allowed for the transfer of personal data between the EU and US. The court found that the Privacy Shield did not provide adequate protection for personal data due to concerns over US surveillance practices.
As a result of the Privacy Shield invalidation, organisations relying on the framework for data transfers have been required to seek alternative transfer mechanisms, such as SCCs or binding corporate rules (BCRs). However, the use of SCCs has also come under scrutiny, with some data protection authorities indicating that additional safeguards may be required in certain circumstances.
Fundamental Rights & Freedoms
Fundamental rights and freedoms refer to a set of individual rights such as the right to life, liberty, and security of a person; freedom of expression, religion, and association; the right to a fair trial; and the right to privacy. These rights are typically protected by domestic law, as well as international human rights law, such as the Universal Declaration of Human Rights and the European Convention on Human Rights.
In the context of data protection law, fundamental rights and freedoms are particularly relevant, as they inform the legal framework for protecting individuals’ personal data.
General Data Protection Regulation (GDPR)
The EU General Data Protection Regulation (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). This Regulation replaces the Data Protection Directive 95/46/EC and was designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organisations approach data privacy.
Joint Controller
Under the GDPR, a joint controller refers to two or more controllers who jointly determine the purposes and means of processing personal data. This means that they share the responsibility for complying with the GDPR in relation to that processing activity.
Joint controllers must have a transparent arrangement between them that sets out their respective responsibilities and obligations under the GDPR. They must also inform individuals about their joint controller status and provide them with information about their respective roles in relation to the processing of personal data.
Joint controllers may be held jointly and severally liable for any GDPR violations related to their joint processing activities. This means that each joint controller is responsible for ensuring compliance with the GDPR and for any fines or penalties imposed for non-compliance.
Legitimate Interest
In the context of data protection and privacy laws such as the GDPR, legitimate interest refers to one of the legal bases for the processing of personal data. It allows an organisation to process personal data without the explicit consent of the individual, where such processing is necessary for the legitimate interests of the organisation, provided that the individual’s fundamental rights and freedoms are not overridden.
Legitimate Interest Assessment (LIA)
A Legitimate Interest Assessment (LIA) is a process that organisations use to assess and balance their interests with the privacy rights and freedoms of individuals when processing their personal data.
A LIA is a structured approach that involves identifying and documenting the legitimate interest pursued by an organisation, assessing the necessity and proportionality of processing personal data to achieve that interest, and balancing it with the individual’s rights and freedoms.
The LIA should take into account factors such as the type of data being processed, the purpose of the processing, the potential impact on the individual, and any safeguards that can be implemented to mitigate the risks to their privacy.
The GDPR requires organisations to conduct an LIA before processing personal data based on legitimate interests, and to document the results of the assessment to demonstrate compliance with the regulation.
Max Schrems
Chairman and founder of noyb (None of Your Business), a “privacy enforcement platform” that brings data protection cases to the courts under the EU General Data Protection Regulation. Schrems first came to notoriety as an Austrian law student who filed a complaint with the Irish Data Protection Commissioner that Facebook Ireland was illegally sharing his personal data with the U.S. government, following the revelations of Edward Snowden. The case, known as “Schrems I,” eventually led to the invalidation of the Safe Harbor data-transfer agreement between the EU and U.S. (see “Safe Harbor” and “Privacy Shield”). Schrems later amended his complaint against Facebook Ireland with the Irish Data Protection Commission after Facebook switched its transfer mechanism from Safe Harbor to standard contractual clauses, leading to a new referral to the CJEU implicating both standard contractual clauses and the EU-U.S. Privacy Shield Framework. On July 16, 2020, the Court of Justice of the European Union invalidated Privacy Shield (“Schrems II”) and placed additional requirements on companies using standard contractual clauses for transfers to third countries outside the EU.
One-Stop-Shop
Many businesses have locations across a number of EU Member States. The One-Stop-Shop concept allows companies to deal with the lead GDPR regulator in their home country, rather than with all regulators in all countries in which they operate.
Personal Data
Personal data means any information relating to an identified or identifiable individual. An identifiable individual is one who can be identified, directly or indirectly.
Principles relating to the Processing of Personal Data
The GDPR sets out seven principles relating to the processing of personal data: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality (security); and accountability.
Privacy by Design & Privacy by Default
Privacy by design aims at building privacy and data protection up front, into the design specifications and architecture of information and communication systems and technologies, in order to facilitate compliance with privacy and data protection principles.
Privacy by default is a related concept that requires organisations to ensure that privacy settings are set to the most privacy-friendly option by default, rather than requiring users to change settings to achieve greater privacy.
Proportionality Principle
The proportionality principle is a fundamental principle in law that is underpinned by the need for fairness and justice. In the context of data protection law, this means that any processing of personal data must be necessary for a specific purpose and must not go beyond what is necessary to achieve that purpose.
Relation between National law and European law / What are Preliminary Rulings?
The relationship between national and EU law is governed by the principle of supremacy of EU law. This principle means that EU law takes precedence over conflicting national law in cases where both are applicable. EU law consists of treaties, regulations, directives, and case law from the European Court of Justice (ECJ). The principle of supremacy of EU law was established by the ECJ in the landmark case of Costa v ENEL.
National courts are responsible for interpreting and applying EU law in their respective jurisdictions. When a national court is faced with a question of interpretation or validity of an EU law provision, it may refer the matter to the ECJ for a preliminary ruling. This mechanism enables national courts to ensure consistent and uniform interpretation and application of EU law across the EU.
Sensitive Personal Data
Personal data revealing race or ethnicity, political opinions, religion or beliefs, trade-union membership, physical or mental health, or sex life. The GDPR adds genetic data. Data relating to criminal convictions or related security measures are also treated as sensitive in many Member States.
Standard Contractual Clauses (SCCs)
Standard Contractual Clauses are GDPR-compliant clauses that can be used (or added to an agreement between a data controller and data processor) when personal data is to be transferred from a country within the EEA to one without an official adequacy decision. They aim to ensure the protection of the personal data when it is transferred internationally to a place whose laws may not provide a level of protection that meets GDPR standards.
Strictly Necessary Cookies
The ePrivacy Directive exempts access to and storage of information on the end user’s device where this is strictly necessary in order to provide a website service explicitly requested by the user.
“Strictly necessary” cookies are essential for the basic services of a website and its ancillary functionalities, which an average user would expect when surfing through a webpage. Such cookies enable users to access particular features or services on a website and are necessary for the website to function.
Supervisory Authorities
Supervisory authorities are the national data protection authorities tasked with privacy and personal data protection. Each member state has appointed a supervisory body to implement and enforce local data protection law and to offer guidance. Supervisory authorities have significant enforcement powers, including the ability to levy substantial fines.
Terminal Equipment
The term “terminal equipment” refers to the device a cookie is placed on: typically a computer or mobile device, but also other equipment such as wearable technology, smart TVs, and connected devices including the ‘Internet of Things’.
Telecommunications Act (TKG)
The Telecommunications Act (Telekommunikationsgesetz – TKG) regulates competition in the telecommunications sector. In this context, telecommunications refers to the transmission of information of any kind (spoken and written text, images and films) with the aid of technical equipment, in particular (mobile) telephones.
TTDSG/TTDPA
TTDSG/TTDPA stands for the Telecommunications and Telemedia Data Protection Act (Telekommunikations- und Telemedien-Datenschutzgesetz) in Germany. It is a federal law that regulates the protection of personal data in the telecommunications and telemedia sectors.
The TTDSG/TTDPA implements the EU’s ePrivacy Directive, which requires telecommunications and telemedia service providers to protect the privacy of their users’ communications and related personal data.
Consent
Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data.