EU data protection handbook highlights & quotes:
Handbook on European data protection law HANDBOOK © European Union Agency for Fundamental Rights, 2014 Council of Europe, 2014
Council of Europe website at coe.int/dataprotection, and on the European Court of Human Rights website under the Case-Law menu at: echr.coe.int.
The Council of Europe (CoE) and the European Court of Human Rights (ECtHR) take
European Union Agency for Fundamental Rights (FRA)
Updates will become available in future on the FRA website at: fra.europa.eu,
European law relating to asylum, borders and immigration.
the protection of personal data. Europe enjoys one of the most protective systems in this sphere, which is based on Council of Europe Convention 108, European Union (EU) instruments, as well as the case law of the European Court of Human Rights (ECtHR) and of the Court of Justice of the European Union (CJEU).
data protection rules in European Union and Council of Europe member states
designed for non-specialist legal professionals, judges, national data protection authorities and other persons working in the field of data protection.
Charter of Fundamental Rights of the EU became legally binding, and with this the right to the protection of personal data was elevated to the status of a separate fundamental right.
Contents FOREWORD 3 ABBREVIATIONS AND ACRONYMS 9 HOW TO USE THIS HANDBOOK . 11 1. CONTEXT AND BACKGROUND OF EUROPEAN DATA PROTECTION LAW 13 1.1. The right to data protection 14 Key points 14 1.1.1. The European Convention on Human Rights 14 1.1.2. Council of Europe Convention 108 . 15 1.1.3. European Union data protection law .. 17 1.2. Balancing rights 21 Key point 21 1.2.1. Freedom of expression .. 22 1.2.2. Access to documents . 26 1.2.3. Freedom of the arts and sciences 30 1.2.4. Protection of property .. 31 2. DATA PROTECTION TERMINOLOGY .. 35 2.1. Personal data . 36 Key points 36 2.1.1. Main aspects of the concept of personal data .. 36 2.1.2. Special categories of personal data .. 43 2.1.3. Anonymised and pseudonymised data 44 2.2. Data processing 46 Key points 46 2.3. The users of personal data .. 48 Key points 48 2.3.1. Controllers and processors 49 2.3.2. Recipients and third parties . 54 2.4. Consent .. 55 Key points 55 2.4.1. The elements of valid consent .. 56 2.4.2. The right to withdraw consent at any time 60 6 3. THE KEY PRINCIPLES OF EUROPEAN DATA PROTECTION LAW . 61 3.1. The principle of lawful processing . 62 Key points 62 3.1.1. The requirements for a justified interference under the ECHR . 63 3.1.2. The conditions for lawful limitations under the EU Charter . 66 3.2. The principle of purpose specification and limitation . 68 Key points 68 3.3. Data quality principles . 70 Key points 70 3.3.1. The data relevancy principle . 70 3.3.2. The data accuracy principle . 71 3.3.3. The limited retention of data principle . 72 3.4. The fair processing principle .. 73 Key points 73 3.4.1. Transparency 74 3.4.2. Establishing trust 74 3.5. The principle of accountability .. 75 Key points 75 4. THE RULES OF EUROPEAN DATA PROTECTION LAW .. 79 4.1. Rules on lawful processing .. 81 Key points 81 4.1.1. Lawful processing of non-sensitive data 81 4.1.2. Lawful processing of sensitive data . 87 4.2. Rules on security
of processing . 90 Key points 90 4.2.1. Elements of data security .. 90 4.2.2. Confidentiality . 93 4.3. Rules on transparency of processing . 95 Key points 95 4.3.1. Information .. 96 4.3.2. Notification .. 98 4.4. Rules on promoting compliance .. 99 Key points 99 4.4.1. Prior checking . 100 4.4.2. Personal data protection officials . 100 4.4.3. Codes of conduct .. 101 5. THE DATA SUBJECT’S RIGHTS AND THEIR ENFORCEMENT 103 5.1. The rights of data subjects .. 105 7 Key points .. 105 5.1.1. Right of access .. 105 5.1.2. Right to object 112 5.2. Independent supervision 114 Key points .. 114 5.3. Remedies and sanctions . 118 Key points .. 118 5.3.1. Requests to the controller . 119 5.3.2. Claims lodged with the supervisory authority .. 120 5.3.3. Claim lodged with a court .. 121 5.3.4. Sanctions . 126 6. TRANSBORDER DATA FLOWS . 129 6.1. Nature of transborder data flows . 130 Key points .. 130 6.2. Free data flows between Member States or between Contracting Parties 131 Key points .. 131 6.3. Free data flows to third countries 133 Key points .. 133 6.3.1. Free data flow because of adequate protection 133 6.3.2. Free data flow in specific cases .. 135 6.4. Restricted data flows to third countries .. 136 Key points .. 136 6.4.1. Contractual clauses 137 6.4.2. Binding corporate rules .. 138 6.4.3. Special international agreements . 139 7. DATA PROTECTION IN THE CONTEXT OF POLICE AND CRIMINAL JUSTICE 143 7.1. CoE law on data protection in police and criminal justice matters . 144 Key points .. 144 7.1.1. The police recommendation . 144 7.1.2. The Budapest Convention on Cybercrime . 148 7.2. EU law on data protection in police and criminal matters 149 Key points .. 149 7.2.1. The Data Protection Framework Decision . 149 7.2.2. More specific legal instruments on data protection in police and lawenforcement cross-border cooperation . 151 7.2.3. Data protection at Europol and Eurojust 153 7.2.4. Data protection in the joint information systems at EU level 156 8 8. OTHER SPECIFIC EUROPEAN DATA PROTECTION LAWS .. 165 8.1. Electronic communications . 166 Key points .. 166 8.2. Employment data ..
170 Key points .. 170 8.3. Medical data .. 173 Key point .. 173 8.4. Data processing for statistical purposes . 175 Key points .. 175 8.5. Financial data 178 Key points .. 178 FURTHER READING 181 CASE LAW .. 187 Selected case law of the European Court of Human Rights 187 Selected case law of the Court of Justice of the European Union 191 INDEX 193
CCTV Closed circuit television CETS Council of Europe Treaty Series Charter Charter of Fundamental Rights of the European Union CIS Customs information system CJEU Court of Justice of the European Union (prior to December 2009, it was called the European Court of Justice, ECJ) CoE Council of Europe Convention 108 Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Council of Europe) CRM Customer relations management C-SIS Central Schengen Information System EAW European Arrest Warrant EC European Community ECHR European Convention on Human Rights ECtHR European Court of Human Rights EDPS European Data Protection Supervisor EEA European Economic Area EFTA European Free Trade Association ENISA European Network and Information Security Agency ENU Europol National Unit ESMA European Securities and Markets Authority eTEN Trans-European Telecommunication Networks EU European Union EuroPriSe European Privacy Seal eu-LISA EU Agency for Large-scale IT Systems 10 FRA European Union Agency for Fundamental Rights GPS Global positioning system JSB Joint Supervisory Body NGO Non-governmental organisation N-SIS National Schengen Information System OECD Organisation for Economic Co-operation and Development PIN Personal identification number PNR Passenger name record SEPA Single Euro Payments Area SIS Schengen Information System SWIFT Society for Worldwide Interbank Financial Telecommunication TEU Treaty on European Union TFEU Treaty on the Functioning of the European Union UDHR Universal Declaration of Human Rights UN United Nations VIS Visa Information System 11
data protection; it is intended for lawyers, judges or other practitioners as well as those working for other bodies, including non-governmental organisations (NGOs), who may be confronted with legal questions relating to data protection.
Automatic Processing of Personal Data
the Charter of Fundamental Rights of the European Union, as interpreted in the case law of the Court of Justice of the European Union (CJEU, otherwise referred to, before 2009, as the European Court of Justice (ECJ)). The case law described or cited in this handbook provides examples of an important body of both ECtHR and CJEU case law.
• data protection terminology; • key principles of European data protection law; • rules of European data protection law; • data subjects’ rights and their enforcement; • transborder data flow; • data protection in the context of police and criminal justice; • other specific European data protection laws. 13 EU Issues covered CoE The right to data protection Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data (Data Protection Directive), OJ 1995 L 281 ECHR, Article 8 (right to respect for private and family life, home and correspondence) Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108) Balancing rights CJEU, Joined cases C-92/09 and C-93/09, Volker und Markus Schecke GbR and Hartmut Eifert v. Land Hessen, 2010 In general CJEU, C-73/07, Tietosuojavaltuutettu v. Satakunnan Markkinapörssi Oy and Satamedia Oy, 2008 Freedom of expression ECtHR, Axel Springer AG v. Germany, 2012 ECtHR, Mosley v. the United Kingdom, 2011 Freedom of arts and sciences ECtHR, Vereinigung bildender Künstler v. Austria, 2007 CJEU, C-275/06, Productores de Música de España (Promusicae) v. Telefónica de España SAU, 2008 Protection of property CJEU, C-28/08 P, European Commission v. The Bavarian Lager Co. Ltd, 2010 Access to documents ECtHR, Társaság a Szabadságjogokért v. Hungary, 2009 Context and background of European data protection law
Convention 108 applies to all data processing carried out by both the private and public sector, such as data processing by the judiciary and law enforcement authorities. It protects the individual against abuses, which may accompany the collection and processing of personal data, and seeks, at the same time, to regulate the transborder flow of personal data. As regards the collection and processing of personal data, the principles laid down in the convention concern, in particular, fair and lawful collection and automatic processing of data, stored for specified legitimate purposes and not for use for ends incompatible with these purposes nor kept for longer than is necessary.
In addition to providing guarantees on the collection and processing of personal data, it outlaws, in the absence of proper legal safeguards, the processing of ‘sensitive ’ data, such as on a person’s race, politics, health, religion, sexual life or criminal record.
The convention also enshrines the individual’s right to know that information is stored on him or her and, if necessary, to have it corrected.
Treaty on European Union (TEU) and the Treaty on the Functioning of the European Union (TFEU), have been approved by all EU Member States and are also referred to as ‘primary EU law’.
free flow of data, which could not be realised unless the Member States could rely on a uniform high level of data protection.
the EU Member States have only limited freedom to manoeuvre when implementing the directive.
Outside its scope of application are, most importantly, matters of police and criminal justice cooperation.
achieve the necessary clarity in balancing other legitimate interests.
To grant protection to individuals, it brought fundamental rights into the so-called general principles of European law.
The rights described in the Charter are divided into six sections: dignity, freedoms, equality, solidarity, citizens’ rights and justice.
In January 2012, the European Commission proposed a data protection reform package, stating that the current rules on data protection needed to be modernised in light of rapid technological developments and globalisation.
The reform package consists of a proposal for a General Data Protection Regulation, 21 meant to replace the Data Protection Directive, as well as a new General Data Protection Directive 22 which shall provide for data protection in the areas of police and judicial cooperation in criminal matters.
purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data (General Data Protection Directive),
One of the rights likely to come into conflict with the right to data protection is the right to freedom of expression.
This right includes the “freedom to hold opinions and to receive and impart information and ideas without interference by public authority and regardless of frontiers”.
Case law of the European Court of Human Rights concerning the protection of personal data, DP (2013) Case law, available at: www.coe.int/t/dghl/standardsetting/dataprotection/Judgments/DP 2013 Case Law_Eng_ FINAL.pdf.
in order to achieve a balance between the two fundamental rights, the derogations and limitations of the right to data protection must apply only insofar as is strictly necessary. In those circumstances, the Court considered that activities such as those carried out by Markkinapörssi and Satamedia concerning data from documents which are in the public domain under national legislation, may be classified as ‘journalistic activities’ if their object is the disclosure to the public of information,
European Data Protection Supervisor (EDPS)
1.2.3. Freedom of the arts and sciences Another right to balance against the right to respect for private life and to data protection is the freedom of the arts and sciences, explicitly protected under Article 13 of the Charter.
ECtHR, Vereinigung bildender Künstler v. Austria, No. 68345/01, 25 January 2007; see especially paras. 26 and 34. Context and background of European data protection law 31 section of the population. Those who created, performed, distributed or exhibited works of art contributed to the exchange of ideas and opinions and the state had the obligation not to encroach unduly on their freedom of expression. Given that the painting was a collage and used photos of only the heads of persons, and that their bodies were painted in an unrealistic and exaggerated manner, which obviously did not aim to reflect or even suggest reality, the ECtHR further stated that “the painting could hardly be understood to address details of [the depicted’s] private life, but rather related to his public standing as a politician” and that “in this capacity [the depicted] had to display a wider tolerance in respect of criticism”. Weighing the different interests at stake, the ECtHR found that the unlimited prohibition against further exhibiting the painting was disproportionate. The Court concluded that there had been a violation of Article 10 of the ECHR.
Several directives can be found in the EU legal order, aiming at the effective protection of intellectual property, in particular copyright. Intellectual property covers not only literary and artistic property but also patent, trademark and associated rights.
internet file-sharing platforms.
Directive on privacy and electronic communications (2002/58/EC), do not preclude Member States from laying down an obligation to disclose personal data in the context of civil proceedings, to ensure the effective protection of copyright.
Personal data Key points • Data are personal data if they relate to an identified or at least identifiable person, the data subject.
• A person is identifiable if additional information can be obtained without unreasonable effort, allowing the identification of the data subject.
• Data are anonymised if they no longer contain any identifiers; they are pseudonymised if the identifiers are encrypted.
Rights under the ECHR are guaranteed not only to natural persons but to everyone.
protection of natural persons; however, the contracting parties may extend data protection to legal persons, such as business companies and associations in their domestic law.
Under EU law as well as under CoE law, information contains data about a person if: • an individual is identified in this information; or • if an individual, while not identified, is described in this information in a way which makes it possible to find out who the data subject is by conducting further research.
Evidently identification requires elements which describe a person in such a way that he or she is distinguishable from all other persons and recognisable as an individual.
In exceptional cases, other identifiers can have a similar effect to a name. For instance, for public figures it may be enough to refer to the position of the person, such as President of the European Commission.
Date and place of birth are often used. In addition, personalised numbers have been introduced in some countries in order to better distinguish between citizens.
Biometric data, such as fingerprints, digital photos or iris scans, are becoming increasingly important to identifying persons in the technological age.
local authorities do not have a means of identification directly available to them, they will pass on the data to the competent authority, the police, who do have such means.
Authentication can be achieved by means of comparing biometric data, such as a photo or fingerprints in a passport, with the data of the person presenting himself or herself, for example, at immigration control; or by asking for information which should be known only to the person with a certain identity or authorisation, such as a personal identification number (PIN) or password; or by requiring the presentation of a certain token, which should be exclusively in the possession of the person with a certain identity or authorisation, such as a special chip card or key to a banking safe. Apart from passwords or chip cards, sometimes together with PINs, electronic signatures are an instrument especially capable of identifying and authenticating a person in electronic communications.
the term ‘private life’ must not be interpreted restrictively and that there is no reason of principle to justify excluding activities of a professional […] nature from the notion of private life”.
Written or spoken communications may contain personal data as well as images, 63 including closed-circuit television (CCTV) footage 64 or sound. 65 Electronically recorded information, as well as information on paper, may be personal data; even cell samples of human tissue may be personal data, as they record the DNA of a person.
On the definition of sensitive data, both Convention 108 (Article 6) and the Data Protection Directive (Article 8) name the following categories: • personal data revealing racial or ethnic origin; • personal data revealing political opinions, religious or other beliefs; and • personal data concerning health or sexual life.
‘trade union membership’ as sensitive data,
Data Protection Directive mandates EU Member States “to determine the conditions under which a national identification number or any other identifier of general application may be processed.”
Anonymised and pseudonymised data According to the principle of limited retention of data, contained in the Data Protection Directive
Data are anonymised if all identifying elements have been eliminated from a set of personal data. No element may be left in the information which could, by exercising reasonable effort, serve to re-identify the person(s) concerned.
appropriate safeguards against misuse
Pseudonymised data Personal information contains identifiers, such as a name, date of birth, sex and address. When personal information is pseudonymised, the identifiers are replaced by one pseudonym. Pseudonymisation is achieved, for instance, by encryption of the identifiers in personal data.
For everyone who is not in possession of the decryption key, pseudonymised data can be identifiable with difficulty. The link to an identity still exists in form of the pseudonym plus the decryption key.
For those who are entitled to use the decryption key re-identification is easily possible.
Use of encryption keys by unauthorised persons must be particularly guarded against.
“the act of referring, on an internet page, to various persons and identifying them by name or by other means, for instance by giving their telephone number or information regarding their working conditions or hobbies, constitutes the ‘processing of personal data wholly or partly by automatic means’
Whoever decides to process personal data of others is a ‘controller’ under data protection law; if several persons take this decision together, they may be ‘joint controllers’. • A ‘processor’ is a legally separate entity that processes personal data on behalf of a controller.
The most important consequence of being a controller or a processor is legal responsibility for complying with the respective obligations under data protection law.
Under EU law, private individuals, when processing data about others in the course of a purely personal or household activity, do not fall under the rules of the Data Protection Directive; they are not deemed to be controllers.
However, jurisprudence has found that data protection law will, nevertheless, apply when a private person, in the course of using the internet, publishes data about others.
A case involving the Society for Worldwide Interbank Financial Telecommunication (SWIFT) illustrates the Working Party’s position.
SWIFT disclosed such banking transaction data, stored in a computing service centre in the United States (US), to the US Treasury Department without being explicitly ordered to do so by the European banking institutions that employed it.