Handbook on European data protection law

HANDBOOK

Handbook on European data protection law 2018 edition

European Data Protection Supervisor

The manuscript for this handbook was completed in April 2018.

Updates will become available in future on the FRA website at fra.europa.eu, the Council of Europe website at coe.int/dataprotection, on the European Court of Human Rights website under the Case Law menu at echr.coe.int, and on the European Data Protection Supervisor website at edps.europa.eu.

Photo credit (cover & inside): © iStockphoto

© European Union Agency for Fundamental Rights and Council of Europe, 2018. Reproduction is authorised, provided the source is acknowledged. For any use or reproduction of photos or other material that is not under the European Union Agency for Fundamental Rights/Council of Europe copyright, permission must be sought directly from the copyright holders.

Neither the European Union Agency for Fundamental Rights/Council of Europe nor any person acting on behalf of the European Union Agency for Fundamental Rights/Council of Europe is responsible for the use that might be made of the following information.

Luxembourg: Publications Office of the European Union, 2018

CoE: ISBN 978-92-871-9849-5

FRA (print): ISBN 978-92-9491-903-8, doi:10.2811/58814, TK-05-17-225-EN-C

FRA (web): ISBN 978-92-9491-901-4, doi:10.2811/343461, TK-05-17-225-EN-N

Printed by Imprimerie Centrale in Luxembourg

Printed on process chlorine-free recycled paper (PCF)

This handbook was drafted in English. The Council of Europe (CoE) and the European Court of Human Rights (ECtHR) take no responsibility for the quality of the translations into other languages. The views expressed in this handbook do not bind the CoE and the ECtHR. The handbook refers to a selection of commentaries and manuals. The CoE and ECtHR take no responsibility for their content, nor does their inclusion on this list amount to any form of endorsement of these publications. Further publications are listed on the internet pages of the ECtHR library at echr.coe.int.

The content of this handbook does not present an official position of the European Data Protection Supervisor (EDPS) and does not bind the EDPS in the exercise of his competences. The EDPS takes no responsibility for the quality of the translations into languages other than English.

Foreword

Our societies are becoming ever more digitised. The pace of technological developments and how personal data are being processed affects each of us every day and in all sorts of ways in the light of these changes. Legal frameworks of the European Union (EU) and the Council of Europe that safeguard the protection of privacy and personal data have recently been reviewed.

Europe is at the forefront of data protection worldwide. The EU's data protection standards are based on Council of Europe Convention 108, EU instruments, including the General Data Protection Regulation and the Data Protection Directive for Police and Criminal Justice Authorities, as well as on the respective case law of the European Court of Human Rights and of the Court of Justice of the European Union.

The data protection reforms carried out by the EU and the Council of Europe are extensive and at times complex, with wide-ranging benefits and impact on individuals and businesses. This handbook aims to raise awareness and improve knowledge of data protection rules, especially among non-specialist legal practitioners who have to deal with data protection issues in their work.

The handbook has been prepared by the EU Agency for Fundamental Rights (FRA), with the Council of Europe (together with the Registry of the European Court of Human Rights) and the European Data Protection Supervisor. It updates a 2014 edition and is part of a series of legal handbooks co-produced by FRA and the Council of Europe.

We express our thanks to the data protection authorities of Belgium, Estonia, France, Georgia, Hungary, Ireland, Italy, Monaco, Switzerland and the United Kingdom for their helpful feedback on the draft version of the handbook. In addition, we express our appreciation to the European Commission's Data Protection Unit and its International Data Flows and Protection Unit. We thank the Court of Justice of the European Union for the documentary support provided during the preparatory works of this handbook.

Christos Giakoumopoulos
Director General of Human Rights and Rule of Law, Council of Europe

Giovanni Buttarelli
European Data Protection Supervisor

Michael O'Flaherty
Director of the European Union Agency for Fundamental Rights

Contents

FOREWORD ........ 3

ABBREVIATIONS AND ACRONYMS ........ 9

HOW TO USE THIS HANDBOOK ........ 11

1 CONTEXT AND BACKGROUND OF EUROPEAN DATA PROTECTION LAW ........ 15
  1.1. The right to personal data protection ........ 17
    Key points ........ 17
    1.1.1. The right to respect for private life and the right to personal data protection: a brief introduction ........ 18
    1.1.2. International legal framework: United Nations ........ 21
    1.1.3. The European Convention on Human Rights ........ 22
    1.1.4. Council of Europe Convention 108 ........ 24
    1.1.5. European Union data protection law ........ 27
  1.2. Limitations on the right to personal data protection ........ 35
    Key points ........ 35
    1.2.1. Requirements for justified interference under the ECHR ........ 37
    1.2.2. Conditions for lawful limitations under the EU Charter of Fundamental Rights ........ 42
  1.3. Interaction with other rights and legitimate interests ........ 52
    Key points ........ 52
    1.3.1. Freedom of expression ........ 54
    1.3.2. Professional secrecy ........ 69
    1.3.3. Freedom of religion and belief ........ 72
    1.3.4. Freedom of the arts and sciences ........ 74
    1.3.5. Protection of intellectual property ........ 75
    1.3.6. Data protection and economic interests ........ 78

2 DATA PROTECTION TERMINOLOGY ........ 81
  2.1. Personal data ........ 83
    Key points ........ 83
    2.1.1. Main aspects of the concept of personal data ........ 83
    2.1.2. Special categories of personal data ........ 96
  2.2. Data processing ........ 97
    Key points ........ 97
    2.2.1. The concept of data processing ........ 97
    2.2.2. Automated data processing ........ 99
    2.2.3. Non-automated data processing ........ 100
  2.3. Users of personal data ........ 101
    Key points ........ 101
    2.3.1. Controllers and processors ........ 101
    2.3.2. Recipients and third parties ........ 110
  2.4. Consent ........ 111
    Key points ........ 111

3 KEY PRINCIPLES OF EUROPEAN DATA PROTECTION LAW ........ 115
  3.1. The lawfulness, fairness and transparency of processing principles ........ 117
    Key points ........ 117
    3.1.1. Lawfulness of processing ........ 117
    3.1.2. Fairness of processing ........ 118
    3.1.3. Transparency of processing ........ 119
  3.2. The principle of purpose limitation ........ 122
    Key points ........ 122
  3.3. The data minimisation principle ........ 125
    Key points ........ 125
  3.4. The data accuracy principle ........ 127
    Key points ........ 127
  3.5. The storage limitation principle ........ 129
    Key points ........ 129
  3.6. The data security principle ........ 131
    Key points ........ 131
  3.7. The accountability principle ........ 134
    Key points ........ 134

4 RULES OF EUROPEAN DATA PROTECTION LAW ........ 139
  4.1. Rules on lawful processing ........ 141
    Key points ........ 141
    4.1.1. Lawful grounds for processing data ........ 142
    4.1.2. Processing special categories of data (sensitive data) ........ 159
  4.2. Rules on security of processing ........ 165
    Key points ........ 165
    4.2.1. Elements of data security ........ 165
    4.2.2. Confidentiality ........ 169
    4.2.3. Personal data breach notifications ........ 171
  4.3. Rules on accountability and promoting compliance ........ 174
    Key points ........ 174
    4.3.1. Data Protection Officers ........ 175
    4.3.2. Records of processing activities ........ 178
    4.3.3. Data protection impact assessment and prior consultation ........ 179
    4.3.4. Codes of conduct ........ 181
    4.3.5. Certification ........ 183
  4.4. Data protection by design and by default ........ 183
