                                         European Cyberlaw

                                handout – privacy and personal data


           Brandeis, L. Warren, S. The Right to Privacy, Harvard Law Review, vol. 4(5).


That the individual shall have full protection in person and in property is a principle as old as
the common law; but it has been found necessary from time to time to define anew the exact nature
and extent of such protection. Political, social, and economic changes entail the recognition of
new rights, and the common law, in its eternal youth, grows to meet the new demands of society.
Thus, in very early times, the law gave a remedy only for physical interference with life and
property, for trespasses vi et armis. Then the "right to life" served only to protect the subject
from battery in its various forms; liberty meant freedom from actual restraint; and the right to
property secured to the individual his lands and his cattle. Later, there came a recognition of
man's spiritual nature, of his feelings and his intellect. Gradually the scope of these legal
rights broadened; and now the right to life has come to mean the right to enjoy life, -- the right
to be let alone; the right to liberty secures the exercise of extensive civil privileges; and the
term "property" has grown to comprise every form of possession -- intangible, as well as tangible.


Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the
protection of natural persons with regard to the processing of personal data and on the free
movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)


                                       Article 4 Definitions

For the purposes of this Regulation:

(1) ‘personal data’ means any information relating to an identified or identifiable natural person
(‘data subject’); an identifiable natural person is one who can be identified, directly or
indirectly, in particular by reference to an identifier such as a name, an identification number,
location data, an online identifier or to one or more factors specific to the physical,
physiological, genetic, mental, economic, cultural or social identity of that natural person;

(2) ‘processing’ means any operation or set of operations which is performed on personal data or on
sets of personal data, whether or not by automated means, such as collection, recording,
organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use,
disclosure by transmission, dissemination or otherwise making available, alignment or combination,
restriction, erasure or destruction;

(7) ‘controller’ means the natural or legal person, public authority, agency or other body which,
alone or jointly with others, determines the purposes and means of the processing of personal data;
where the purposes and means of such processing are determined by Union or Member State law, the
controller or the specific criteria for its nomination may be provided for by Union or Member State
law;

(8) ‘processor’ means a natural or legal person, public authority, agency or other body which
processes personal data on behalf of the controller;

                                Article 6 Lawfulness of processing

1.   Processing shall be lawful only if and to the extent that at least one of the following
applies:

(a) the data subject has given consent to the processing of his or her personal data for one or
more specific purposes;

(b) processing is necessary for the performance of a contract to which the data subject is party or
in order to take steps at the request of the data subject prior to entering into a contract;

(c) processing is necessary for compliance with a legal obligation to which the controller is
subject;

(d) processing is necessary in order to protect the vital interests of the data subject or of
another natural person;

(e) processing is necessary for the performance of a task carried out in the public interest or in
the exercise of official authority vested in the controller;

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller
or by a third party, except where such interests are overridden by the interests or fundamental
rights and freedoms of the data subject which require protection of personal data, in particular
where the data subject is a child.

Point (f) of the first subparagraph shall not apply to processing carried out by public authorities
in the performance of their tasks.


                       Article 17 Right to erasure (‘right to be forgotten’)


1.   The data subject shall have the right to obtain from the controller the erasure of personal
data concerning him or her without undue delay and the controller shall have the obligation to
erase personal data without undue delay where one of the following grounds applies:

(a) the personal data are no longer necessary in relation to the purposes for which they were
collected or otherwise processed;

(b) the data subject withdraws consent on which the processing is based according to point (a) of
Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the
processing;

(c) the data subject objects to the processing pursuant to Article 21(1) and there are no
overriding legitimate grounds for the processing, or the data subject objects to the processing
pursuant to Article 21(2);

(d) the personal data have been unlawfully processed;

(e) the personal data have to be erased for compliance with a legal obligation in Union or Member
State law to which the controller is subject;

(f) the personal data have been collected in relation to the offer of information society services
referred to in Article 8(1).


Article 22 Automated individual decision-making, including profiling

1.   The data subject shall have the right not to be subject to a decision based solely on
automated processing, including profiling, which produces legal effects concerning him or her or
similarly significantly affects him or her.

2.   Paragraph 1 shall not apply if the decision:

(a) is necessary for entering into, or performance of, a contract between the data subject and a
data controller;

(b) is authorised by Union or Member State law to which the controller is subject and which also
lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate
interests; or

(c) is based on the data subject's explicit consent.

3.   In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall
implement suitable measures to safeguard the data subject's rights and freedoms and legitimate
interests, at least the right to obtain human intervention on the part of the controller, to
express his or her point of view and to contest the decision.


Article 44 General principle for transfers

Any transfer of personal data which are undergoing processing or are intended for processing after
transfer to a third country or to an international organisation shall take place only if, subject
to the other provisions of this Regulation, the conditions laid down in this Chapter are complied
with by the controller and processor, including for onward transfers of personal data from the
third country or an international organisation to another third country or to another international
organisation. All provisions in this Chapter shall be applied in order to ensure that the level of
protection of natural persons guaranteed by this Regulation is not undermined.


Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the
protection of natural persons with regard to the processing of personal data by competent
authorities for the purposes of the prevention, investigation, detection or prosecution of criminal
offences or the execution of criminal penalties, and on the free movement of such data, and
repealing Council Framework Decision 2008/977/JHA


Cases:

Case C‑210/16, Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v. Wirtschaftsakademie
Schleswig-Holstein GmbH

Case C-582/14, Patrick Breyer v. Germany

Case C-230/14, Weltimmo s. r. o. v Nemzeti Adatvédelmi és Információszabadság Hatóság

Case C-362/14, Maximillian Schrems v Data Protection Commissioner

Case C-212/13, František Ryneš v Úřad pro ochranu osobních údajů

Case C-131/12, Google Spain SL, Google Inc. v Agencia Española de Protección de Datos (AEPD), Mario
Costeja González

Joint cases C-293/12 and C-594/12, Digital Rights Ireland Ltd v Minister for Communica-tions et al

Case C-461/10, Bonnier Audio AB et al. v Perfect Communication Sweden AB

Case C-557/07, LSG-Gesellschaft zur Wahrnehmung von Leistungsschutzrechten GmbH v Tele2
Telecommunication GmbH

Case C-275/06, Productores de Música de España (Promusicae) v Telefónica de España SAU

Case C-101/01, Bodil Lindqvist