Short considerations regarding the Controller and Processor and their legal liability pursuant to GDPR rules
In accordance with the provisions of art. 16 (2) of the Treaty on the Functioning of the European Union (TFEU), the European Parliament and the Council adopted Regulation (EU) 2016/679 (the Regulation/GDPR) in Brussels on 27 April 2016. This piece of secondary EU legislation will soon replace Directive 95/46/EC, with the objective of creating a common body of law that governs data protection throughout the territory of the European Union. Regulation (EU) 2016/679 becomes applicable on 25 May 2018.
The reasons underlying this EU law are set out in its recitals, the most important being the protection of the natural person's right to the protection of personal data concerning him or her, in light of technological developments and the need to ensure the EU's economic growth, stability and social integration.
Similar to the free movement of persons, goods, services and capital, the provisions of Regulation (EU) 2016/679 allow the free movement of personal data within the EU. However, any transfer to a third country or international organisation must comply with a series of special conditions, in addition to the general ones laid down in the Regulation (e.g. an adequacy decision[1] issued by the European Commission, standard contractual clauses, binding corporate rules, a certification mechanism, codes of conduct etc.).
Those who process personal data within the European Economic Area must comply with a series of binding rules. In what follows, I will focus on the different aspects regarding the Controller and the Processor, as these two entities are the main subjects of the provisions of Regulation (EU) 2016/679 and bear a series of responsibilities in order to process data in accordance with the GDPR.
First, I will explain what a Controller and a Processor are, based on the provisions of the Regulation, with practical examples.
According to article 4 (7) and (8) of the Regulation, "controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law, whilst a "processor" is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. It is worth noting that, according to article 4 of the Regulation, both the Controller and the Processor can be a natural or legal person, public authority, agency or other body.
For example, if a marketing firm (Company A) is commissioned by a commercial company (Company B) to expand its customer base with 500 new prospective clients, Company A will have to conduct a research and marketing campaign to fulfil Company B's demand. Since no other instruction was given to the marketing firm regarding which individuals to target, the nature of the personal data to be gathered or how to collect and store the data, the purposes and means of the processing are decided by Company A, which will therefore be a Controller under the GDPR.
By contrast, if the logistics activity of an e-commerce business (Company A') is outsourced to a specialised logistics company (Company B') which processes personal data according to the instructions given by Company A', Company B' is a Processor within the meaning of the GDPR. That is because the logistics company does not determine the purposes and the means of the processing (here, data relating to the delivery of a particular product to a person) and will only record, organise, consult or use data provided by Company A' on behalf of the vendor.
Notwithstanding the foregoing, the two roles of Controller and Processor can be held by the same company or institution. Returning to the second example above, the logistics company is a Processor in relation to the e-commerce company, but it is a Controller when it processes the data of its own clients or employees, as can be expected. To conclude, an entity is a Controller, a Processor, or both, and this is assessed separately for each particular processing operation it carries out.
Regarding the responsibilities of the Controller and the Processor, the Controller must ensure that the principles of the Regulation and the rights of the data subjects (for example the right to erasure, the "right to be forgotten", or the right to data portability) are guaranteed before and during the processing, and the Processor must assist it in doing so (art. 28 (3) e)). Moreover, both the Controller and the Processor must comply with a set of rules that impose the obligations necessary to ensure the security of the processing and its conformity with the rights laid down in the GDPR. For example, the Controller must implement appropriate technical and organisational measures to ensure that, by default, only personal data which are necessary for each specific purpose of the processing are processed (art. 25), and both must keep records containing specified information about their processing activities (art. 30).
If one or several obligations are breached by the Controller or the Processor, each of them can be held accountable by the Supervisory authority, an independent public authority established in every Member State. The liability can vary, as art. 58 (2) of Regulation (EU) 2016/679 gives each Supervisory authority the power to apply the following corrective measures:
- to issue warnings to a controller or processor that intended processing operations are likely to infringe provisions of this Regulation;
- to issue reprimands to a controller or a processor where processing operations have infringed provisions of this Regulation;
- to order the controller or the processor to comply with the data subject’s requests to exercise his or her rights pursuant to this Regulation;
- to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period;
- to order the controller to communicate a personal data breach to the data subject;
- to impose a temporary or definitive limitation including a ban on processing;
- to order the rectification or erasure of personal data or restriction of processing pursuant to Articles 16, 17 and 18 and the notification of such actions to recipients to whom the personal data have been disclosed pursuant to Article 17(2) and Article 19;
- to withdraw a certification or to order the certification body to withdraw a certification issued pursuant to Articles 42 and 43, or to order the certification body not to issue certification if the requirements for the certification are not or are no longer met;
- to impose an administrative fine pursuant to Article 83, in addition to, or instead of measures referred to in this paragraph, depending on the circumstances of each individual case;
- to order the suspension of data flows to a recipient in a third country or to an international organisation.
Each Supervisory authority therefore has a wide range of powers it may use if a Controller or Processor does not implement and comply with the rules and measures laid down by the GDPR. Probably the most severe sanction in the GDPR is the one in art. 58 (2), read together with art. 83 of Regulation (EU) 2016/679: the power of the Supervisory authorities to impose administrative fines. Depending on the infringement, those fines range from up to 10 000 000 EUR or, in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, to up to 20 000 000 EUR or, in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher in each case. Putting this into perspective, a leading technology company with an annual global revenue of approximately 250 billion euros could be fined by a Member State's Supervisory authority up to 10 billion euros. This is equivalent to about 5 % of Greece's GDP or 82 % of Bulgaria's national debt. Needless to say, the figures are significant for anyone concerned. The exact amount of the fine is decided by the Supervisory authority on the basis of the criteria listed in art. 83 (2) of the GDPR, among them the intentional or negligent character of the infringement, the action taken by the controller or processor to mitigate the damage suffered by data subjects, and any relevant previous infringements by the controller or processor.
An important point is that each Member State may decide whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State, according to art. 83 (7) of the GDPR. Thus, public authorities may be exempted from such costs.
So what kinds of infringements give rise to such significant penalties?
The answer is found in art. 83 (4), (5) and (6) of the Regulation, which state the following:
(4) Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:
- the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43
- the obligations of the certification body pursuant to Articles 42 and 43;
- the obligations of the monitoring body pursuant to Article 41(4).
(5) Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:
- the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9;
- the data subjects’ rights pursuant to Articles 12 to 22;
- the transfers of personal data to a recipient in a third country or an international organisation pursuant to Articles 44 to 49;
- any obligations pursuant to Member State law adopted under Chapter IX;
- non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 58(2) or failure to provide access in violation of Article 58(1).
(6) Non-compliance with an order by the supervisory authority as referred to in Article 58(2) shall, in accordance with paragraph 2 of this Article, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
In what follows, I will briefly examine some of the cases in which a Supervisory authority may fine a Controller or Processor under the GDPR.
According to Article 83 (4) a) of the Regulation, infringement of Articles 8, 11, 25 to 39, 42 and 43 allows a Supervisory authority to impose a fine of up to 10 000 000 EUR or, in the case of an undertaking, up to 2 % of the total worldwide annual turnover, whichever is higher.
Article 8 – Conditions applicable to child’s consent in relation to information society services
Article 8 of the GDPR regulates the conditions applicable to a child's consent in relation to information society services. Where the processing relies on consent (Article 6 (1) a)) and information society services are offered directly to a child, the processing is lawful only if the child is at least 16 years old; below that age, consent must be given or authorised by the holder of parental responsibility over the child, and the controller must make reasonable efforts to verify this, taking available technology into account. Each Member State may provide for a lower age, as long as it is not below 13 years.
Article 11 – Processing which does not require identification
Article 11 of Regulation (EU) 2016/679 sets out how a Controller should act where the purposes for which it processes personal data do not, or no longer, require the identification of a data subject. In that case the Controller is not obliged to maintain, acquire or process additional information that would identify the data subject for the sole purpose of complying with the Regulation. This is an expression of the broader necessity principle, or "data minimisation" principle, found in Article 5 (1) c) of the Regulation. Where the Controller can demonstrate that it is not in a position to identify the data subject, Articles 15 to 20, which regulate a series of data subject rights, do not apply. Among those rights are the right of access, by which data subjects can obtain their personal data and information about the processing; the right to rectification, which allows data subjects to obtain the rectification of inaccurate personal data concerning them; and the right to erasure ("right to be forgotten"), which allows data subjects to demand that the Controller erase personal data concerning them. Two caveats apply: the Controller must, where possible, inform the data subject that it cannot identify him or her, and the exemption ceases to apply where the data subject, in order to exercise those rights, provides additional information enabling his or her identification.
A fine under this heading could be imagined where the Controller refuses to comply with Articles 15 to 20 of the GDPR on the basis of Article 11 but is unable to demonstrate that it cannot identify the data subjects. A Controller that continues to collect identifying data although the purposes of the processing do not require identification infringes the data minimisation principle itself, which falls under the higher tier of Article 83 (5) a). Note also that pseudonymisation does not by itself allow a Controller to rely on Article 11, because pseudonymised data can still be attributed to a data subject by using additional information, even if that information is held separately.
Article 25 – Data protection by design and by default
Article 25 of the Regulation describes the data protection measures that Controllers must build into their processing. According to Article 25 paragraphs 1 and 2 of the GDPR:
- Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.
- The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.
Disregarding Article 25 of the Regulation, by implementing no measures or inadequate ones to ensure that the processing respects the rights and freedoms of natural persons and the principles of Article 5, exposes the Controller to a fine of up to 10 000 000 EUR or, in the case of an undertaking, up to 2 % of the total worldwide annual turnover, whichever is higher.
Article 26 – Joint controllers
Article 26 of Regulation (EU) 2016/679 governs how Joint Controllers operate. According to Article 26, Joint Controllers are two or more Controllers who jointly determine the purposes and means of processing. They must determine, in a transparent manner, their respective responsibilities for compliance with the GDPR, in particular as regards the exercise of the rights of the data subject and their respective duties to provide the information referred to in Article 13 (information to be provided where personal data are collected from the data subject) and Article 14 (information to be provided where personal data have not been obtained from the data subject). This is done by means of an arrangement that must duly reflect the respective roles and relationships of the joint controllers vis-à-vis the data subjects, and the essence of which must be made available to the data subject. The joint controllers are not obliged to conclude such an arrangement where their respective responsibilities are determined by Union or Member State law to which they are subject. Irrespective of the terms of the arrangement, the data subject may exercise his or her rights against each of the controllers.
Article 27 – Representatives of controllers or processors not established in the Union
Article 27 of the GDPR regulates the case in which data are processed by a Controller or a Processor not established in the Union, where the processing activities relate to:
- the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
- the monitoring of their behaviour as far as their behaviour takes place within the Union.
In such cases, according to Article 27 of the Regulation, the Controller or Processor must designate in writing a Representative in the Union. The Representative must be established in one of the Member States where the data subjects whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, are located. The Representative is mandated by the Controller or Processor to be addressed, in addition to or instead of the Controller or Processor, by Supervisory authorities and data subjects on all issues related to the processing. The obligation does not apply where the processing is occasional, does not include large-scale processing of special categories of data or of data relating to criminal convictions and offences, and is unlikely to result in a risk to the rights and freedoms of natural persons, nor does it apply to public authorities or bodies (Article 27 (2)). Failure to designate a Representative in accordance with Article 27 may be sanctioned under Article 83 (4) a) of Regulation (EU) 2016/679.
Article 28 – Processor
Article 28 of the Regulation lays down a series of conditions that must be met for a Processor to act in accordance with the GDPR. The most notable are that the Controller must use only Processors providing sufficient guarantees to implement appropriate technical and organisational measures, that a Processor may not engage another Processor without the prior specific or general written authorisation of the Controller, and that processing by a Processor must be governed by a contract or other legal act under Union or Member State law. The conditions to be included in that contract or legal act are listed in Paragraph 3 of Article 28 of the GDPR. According to them, the Processor shall:
- process the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
- ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- take all measures required pursuant to Article 32;
- respect the conditions referred to in paragraphs 2 and 4 for engaging another processor;
- take into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III;
- assist the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to the processor;
- at the choice of the controller, delete or return all the personal data to the controller after the end of the provision of services relating to processing, and delete existing copies unless Union or Member State law requires storage of the personal data;
- make available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
According to Paragraph 10 of Article 28, without prejudice to Articles 82, 83 and 84, if a processor infringes the Regulation by determining the purposes and means of processing, it shall be considered a controller in respect of that processing. In other words, if a Processor exceeds its mandate by determining the purposes and means of processing, contrary to the GDPR, it is deemed a Controller for that particular processing and is liable for any infringement of the data subjects' rights, even though responsibility for the violated rights would normally have rested with the Controller.
Article 29 – Processing under the authority of the controller or processor
Pursuant to Article 29 of the Regulation, the Processor and any person acting under the authority of the Controller or of the Processor who has access to personal data shall not process those data except on instructions from the Controller, unless required to do so by Union or Member State law. Processing data without the Controller's instructions allows the Supervisory authority to impose on the Processor a fine of up to 10 000 000 EUR or 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Article 30 – Records of processing activities
Article 30 of the GDPR establishes the duty of each Controller and, where applicable, the Controller's Representative to keep a record of the processing activities under its responsibility. The record must contain:
- the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;
- the purposes of the processing;
- a description of the categories of data subjects and of the categories of personal data;
- the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
- where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
- where possible, the envisaged time limits for erasure of the different categories of data;
- where possible, a general description of the technical and organisational security measures referred to in Article 32(1).
Similarly, according to the second paragraph of Article 30 of the GDPR, each Processor and, where applicable, the Processor's representative shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing:
- the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller’s or the processor’s representative, and the data protection officer;
- the categories of processing carried out on behalf of each controller;
- where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
- where possible, a general description of the technical and organisational security measures referred to in Article 32(1).
The records shall be in writing, including in electronic form, and must be made available to the Supervisory authority on request. The purpose of these records is to give the Supervisory authority ready access to the general information it needs. According to Paragraph 5 of Article 30, enterprises and organisations employing fewer than 250 persons are not obliged to keep such records, unless the processing they carry out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9 (1) or personal data relating to criminal convictions and offences referred to in Article 10. Failure to maintain such records exposes the Controller, the Processor or their representative to a fine of up to 10 000 000 EUR or 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher, according to Article 83 (4) a) of Regulation (EU) 2016/679.
Article 31 – Cooperation with the supervisory authority
Article 31 of the Regulation establishes the obligation of the Controller, the Processor and, where applicable, their representatives to cooperate, on request, with the Supervisory authority in the performance of its tasks. Failure to comply with Article 31 gives rise to liability under Article 83 (4) a) of Regulation (EU) 2016/679.
Security of personal data
Article 32 – Security of processing
Articles 32 to 34 of the GDPR regulate the security measures that Controllers and Processors must implement. According to Article 32 (1), taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risk to the rights and freedoms of natural persons, the Controller and the Processor shall implement appropriate technical and organisational measures, including, as appropriate:
- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
Each Controller or Processor must assess the security measures needed to ensure a level of security appropriate to the risk. According to paragraph 2 of Article 32, that assessment shall take account in particular of the risks presented by the processing, notably from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed. Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with these requirements. Finally, under paragraph 4, the Controller and the Processor must ensure that any natural person acting under their authority who has access to personal data does not process them except on instructions from the Controller, unless required to do so by Union or Member State law.
Article 33 – Notification of a personal data breach to the supervisory authority
According to Article 33 of the GDPR, in the case of a personal data breach the Controller must notify the competent Supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification is not made within 72 hours, it shall be accompanied by the reasons for the delay.
The data breach notification shall at least:
- describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
- describe the likely consequences of the personal data breach;
- describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach. Thus, the Supervisory authority is always notified by the Controller, regardless of whether the breach occurred while the data were being processed by the Controller or by the Processor. Where it is not possible to provide all the information at the same time, it may be provided in phases without undue further delay, and the Controller must document every breach, including its facts, its effects and the remedial action taken, so that the Supervisory authority can verify compliance. Failure to notify the Supervisory authority is punishable by a fine of up to 10 000 000 EUR or 2 % of the total worldwide annual turnover, whichever is higher.
Article 34 – Communication of a personal data breach to the data subject
Under Article 34, the Controller must communicate a personal data breach to the data subjects without undue delay when the breach is likely to result in a high risk to the rights and freedoms of natural persons. The communication shall describe in clear and plain language the nature of the breach and shall at least:
- communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
- describe the likely consequences of the personal data breach;
- describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
According to Paragraph 3 of Article 34 of the Regulation, such communication won`t be necessary if:
- the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
- the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialise;
- it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
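The remark above on pseudonymisation (in the Article 11 discussion) and the encryption clause in Article 34 (3) a) both turn on who holds the "additional information": a key or a lookup table kept apart from the records. The following Python script is an added illustration and is not part of the original article. It pseudonymises a constructed set of customer records with a keyed hash (HMAC-SHA256), shows that an unkeyed hash of an e-mail address can be reversed by guessing, that the keyed pseudonym cannot be reversed by a party without the key, and that the key holder can still single out a data subject, which is why the data remain personal data for it. All names, sample records and the split between a "processor store" and a "controller key" are assumptions made for the example.

```python
"""Added example (not part of the original article): keyed pseudonymisation.

Demonstrates why pseudonymised data remain personal data for whoever holds
the 'additional information' (here a secret key kept in a separate store),
and why an unkeyed hash of a low-entropy identifier such as an e-mail address
renders nothing unintelligible. All records and names are constructed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed sample records of the kind a logistics processor might hold.
CUSTOMERS = [
    {"email": "anna@example.org", "city": "Cluj-Napoca", "order": "shoes"},
    {"email": "ben@example.org", "city": "Brussels", "order": "kettle"},
]


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256: deterministic and reversible by brute force over a
    small identifier space, so it is not a safeguard in the Art. 34 sense."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key: without the key the pseudonym cannot be
    recomputed, so a party holding only the pseudonymised records cannot
    re-identify subjects by guessing identifiers."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


@dataclass
class PseudonymisedStore:
    """Records as held by the processor: pseudonym plus non-identifying fields.
    The key (the 'additional information') stays with the controller."""
    records: list


def pseudonymise(records, key: bytes) -> PseudonymisedStore:
    """Replace the direct identifier with its keyed pseudonym."""
    out = []
    for r in records:
        out.append({"subject": keyed_pseudonym(r["email"], key),
                    "city": r["city"], "order": r["order"]})
    return PseudonymisedStore(out)


def dictionary_attack(pseudonym: str, candidates, fn):
    """Try to recover an identifier by recomputing pseudonyms for guesses."""
    for c in candidates:
        if hmac.compare_digest(fn(c), pseudonym):
            return c
    return None


def reidentify(store: PseudonymisedStore, identifier: str, key: bytes):
    """The key holder can still single out a subject's records, so for it the
    Art. 11(2) exemption does not apply."""
    p = keyed_pseudonym(identifier, key)
    return [r for r in store.records if r["subject"] == p]


def demo() -> dict:
    """Run the three scenarios and return their outcomes."""
    key = secrets.token_bytes(32)            # controller-side secret
    store = pseudonymise(CUSTOMERS, key)      # what the processor receives
    guesses = ["anna@example.org", "ben@example.org", "carl@example.org"]

    # 1. Unkeyed hash: a guessed e-mail list recovers the identity at once.
    recovered_naive = dictionary_attack(
        naive_pseudonym("anna@example.org"), guesses, naive_pseudonym)

    # 2. Keyed hash, attacker without the key: guesses never match.
    wrong_key = secrets.token_bytes(32)
    recovered_keyed = dictionary_attack(
        store.records[0]["subject"], guesses,
        lambda c: keyed_pseudonym(c, wrong_key))

    # 3. Key holder: singles out exactly the subject's record.
    hits = reidentify(store, "anna@example.org", key)

    return {"naive_recovered": recovered_naive,
            "keyed_recovered_without_key": recovered_keyed,
            "keyholder_can_single_out": len(hits)}


if __name__ == "__main__":
    print(demo())
```

The design point is the separation: the processor store carries no key and can therefore argue that, for it, the records are unintelligible to anyone who obtains them; the controller, which holds the key, cannot make that argument and remains fully subject to the data subject rights in Articles 15 to 20.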
Data protection impact assessment and prior consultation
Article 35 – Data protection impact assessment
Articles 35 and 36 of Regulation (EU) 2016/679 determine the obligations of Controllers to assess the impact of envisaged processing on the protection of personal data and, where that assessment indicates a high risk, to consult the Supervisory authority before the processing begins.
Such an assessment is required where a type of processing, in particular one using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons, taking into account the nature, scope, context and purposes of the processing; the Controller shall seek the advice of the data protection officer, where designated, when carrying it out. According to Paragraph 3 of Article 35, such an assessment is needed in particular in the case of:
- a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
- processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or
- a systematic monitoring of a publicly accessible area on a large scale.
The Supervisory authority must establish and publish a list of the kinds of processing operations for which a data protection impact assessment is required. Each Supervisory authority may also establish and publish a list of the kinds of processing operations for which no assessment is required. Both lists are communicated by the Supervisory authority to the European Data Protection Board.
Pursuant to Paragraph 7 of Article 35 of the GDPR, the assessment shall contain at least:
- a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
- an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
- an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and
- the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.
Article 36 – Prior consultation
Article 36 of the GDPR regulates the obligation of Controllers and Member States to consult the Supervisory authority. The Controller must consult the Supervisory authority prior to processing where a data protection impact assessment indicates that the processing would result in a high risk to the rights and freedoms of data subjects in the absence of measures taken by the Controller to mitigate that risk. In such cases the Supervisory authority provides written advice within eight weeks of receipt of the request (a period that may be extended by six weeks for complex processing), and may use any of its powers referred to in Article 58 (e.g. order the controller and the processor to provide any information it requires for the performance of its tasks, or carry out investigations in the form of data protection audits).
When consulting the Supervisory authority, the Controller must provide the following information:
- where applicable, the respective responsibilities of the controller, joint controllers and processors involved in the processing, in particular for processing within a group of undertakings;
- the purposes and means of the intended processing;
- the measures and safeguards provided to protect the rights and freedoms of data subjects pursuant to this Regulation;
- where applicable, the contact details of the data protection officer;
- the data protection impact assessment provided for in Article 35; and
- any other information requested by the supervisory authority.
Member States shall consult the Supervisory authority during the preparation of a proposal for a legislative measure to be adopted by a national parliament, or of a regulatory measure based on such a legislative measure, which relates to processing. Such consultation is not binding on the national parliament, but if the resulting law breaches EU law, the Supervisory authority or the European Data Protection Board could inform the European Commission, which in turn could open an infringement procedure under Article 258 of the Treaty on the Functioning of the European Union.
Data protection officer
Article 37 – Designation of the data protection officer
The provisions of Articles 37 to 39 of Regulation (EU) 2016/679 pertain to the data protection officer. According to Article 37, the Controller and the Processor shall designate a data protection officer in any case where:
- the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
- the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
- the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.
Pursuant to Paragraph 4 of the article, in cases other than those referred to in Paragraph 1, the controller or processor or associations and other bodies representing categories of controllers or processors may, or, where required by Union or Member State law, shall designate a data protection officer. Article 37, Paragraph 4 is therefore both a "jus dispositivum" (a suppletive norm) and a "jus cogens" (a peremptory norm), under which the Controller and Processor may adopt different conduct depending on the circumstances. Under the first limb, if none of the three cases of Paragraph 1 applies and Union or Member State law does not require it, the Controller and Processor are free to designate a data protection officer or not; to that extent Paragraph 4 is a suppletive norm. If Union or Member State law requires a designated data protection officer regardless of the processing operations of the Controller or Processor, or lays down further cases in which one is needed, the Controller and Processor must act accordingly. Under the second limb they have no choice of conduct, since it obliges them to designate a data protection officer whenever Union or Member State law so requires. Article 37 is thus a hybrid text containing both suppletive and peremptory norms.
The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39, as Paragraph 5 of the article states. According to the last two paragraphs of Article 37, the data protection officer may be a staff member of the Controller or Processor or may fulfil the tasks on the basis of a service contract, and the Controller or Processor shall publish the contact details of the data protection officer and communicate them to the Supervisory authority.
Article 38 – Position of the data protection officer
Article 38 concerns the position of the data protection officer in relation to the Controller and the Processor. The most important aspects are that the Controller and the Processor must ensure that the data protection officer is involved, properly and in a timely manner, in all issues relating to the protection of personal data, and that the officer is provided with the resources necessary to carry out the tasks set out in Article 39. The data protection officer is bound by secrecy or confidentiality and must not receive any instructions regarding the exercise of those tasks; the Controller or Processor therefore cannot interfere with the officer's work. Moreover, the data protection officer cannot be dismissed or penalised by the Controller or the Processor for performing those tasks, and reports directly to the highest management level of the Controller or Processor. According to Paragraph 4 of the article, data subjects may contact the data protection officer with regard to all issues related to the processing of their personal data and to the exercise of their rights under the Regulation.
Article 39 – Tasks of the data protection officer
In accordance with Article 39 of the GDPR, the data protection officer will have at least the following responsibilities:
- to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
- to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
- to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
- to cooperate with the supervisory authority;
- to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.
Since Article 39 sets out obligations that are incumbent upon the data protection officer personally, one could presume that Article 83, Paragraph 4, which makes the Controller and Processor liable for infringements of the obligations provided in Article 39, is in this regard devoid of object. A better reading is that the Controller and Processor are held liable for the activity of their data protection officer: the officer is independent in performing the tasks and cannot be held responsible under the Regulation for that work. The Controller and Processor will therefore have the utmost interest in providing the tools needed for the officer's tasks to be duly accomplished. The employment or service contract under which the data protection officer acts is a veritable intuitu personae agreement, so the Controller or Processor must be highly diligent when entrusting such a mandate to a particular person; credentials and data protection knowledge should be the most important criteria for the nomination.
According to Article 83, Paragraph 5, letters (a) and (b) of the Regulation, infringement of Articles 5, 6, 7 and 9 and of Articles 12 to 22 may be punished by the Supervisory authority with a fine of up to 20.000.000 EUR or, in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher. In the next part of this article I give a concise summary of these provisions.
Articles 5, 6 and 9 of the GDPR set out the basic principles of data processing, and Article 7 lays down the conditions for a data subject's consent.
Principles of Regulation (EU) 2016/679
- Principles relating to processing of personal data;
- Lawfulness of processing;
- Principles relating to processing of special categories of personal data.
Article 5 – Principles relating to processing of personal data
According to Article 5 of the Regulation, personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
Article 6 – Lawfulness of processing
Article 6 of Regulation (EU) 2016/679 lays down the lawfulness principle, according to which processing is lawful only if and to the extent that at least one of the following applies:
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Article 9 – Processing of special categories of personal data
According to Article 9 of the Regulation, the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation, is prohibited. The second paragraph provides the following exceptions to this prohibition:
- the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;
- processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
- processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
- processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;
- processing relates to personal data which are manifestly made public by the data subject;
- processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
- processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;
- processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;
- processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;
- processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
Under Article 83(5)(a) of Regulation (EU) 2016/679, a violation of any of the principles set out above can be penalised by the Supervisory authority with a fine of up to 20.000.000 EUR or, in the case of an undertaking, up to 4 % of the total worldwide annual turnover, whichever is higher.
Article 7 – Conditions for consent
Article 7 of the GDPR lays down the conditions under which a data subject's consent is valid, where processing is based on such consent.
According to Article 7, where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to the processing of his or her personal data. If consent is given in a written declaration that also concerns other matters, the request for consent must be presented in a manner clearly distinguishable from those other matters, in an intelligible and easily accessible form, using clear and plain language. The data subject has the right to withdraw consent at any time; withdrawal does not affect the lawfulness of processing carried out before it, and it shall be as easy to withdraw consent as to give it. Infringement of the conditions for consent is punishable with a fine of up to 20.000.000 EUR or, in the case of an undertaking, up to 4 % of the total worldwide annual turnover, under Article 83(5)(a) of the GDPR.
Data subjects` rights
The data subjects' rights are governed by Articles 12 to 22 of the GDPR. Those rights and the related obligations are:
- Article 12 of the Regulation – transparent information, communication and modalities for the exercise of the rights of the data subject;
- Article 13 of the Regulation – information to be provided where personal data are collected from the data subject;
- Article 14 of the Regulation – information to be provided where personal data have not been obtained from the data subject;
- Article 15 of the Regulation – right of access by the data subject;
- Article 16 of the Regulation – right to rectification;
- Article 17 of the Regulation – right to erasure ("the right to be forgotten");
- Article 18 of the Regulation – right to restriction of processing;
- Article 19 of the Regulation – the controller's obligation to notify each recipient of the data of any rectification or erasure of personal data or restriction of processing;
- Article 20 of the Regulation – right to data portability;
- Article 21 of the Regulation – right to object;
- Article 22 of the Regulation – the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning the data subject or similarly significantly affects him or her.
Any infringement of the data subjects' rights listed above will be sanctioned by the Supervisory authority with a fine of up to 20.000.000 EUR or, in the case of an undertaking, up to 4 % of the total worldwide annual turnover, under Article 83(5)(b) of the GDPR.
Summing up, in the context of new technologies, mass data processing and complex algorithms that can be used to predict behaviour and thus to influence the masses, we can observe that the European Union chose to regulate data protection strongly, not only to guarantee individuals their fundamental rights but also to ensure economic and political stability. Moreover, it is obvious that the sanctions of Regulation (EU) 2016/679 will have a deterrent effect on any entity that might be regarded as a Controller or Processor. Such entities will have to comply with the GDPR in order to avoid burdensome fines that, for the more economically vulnerable among them, could lead to bankruptcy.
Lastly, I apologize for the length of this article and I am greatly thankful to those who had the patience and curiosity to follow through all of its content. In my defence, I must say there is plenty of room for more writing, and a thorough analysis would probably take dozens of pages. The article's objective was not to closely examine all the cases pertaining to the sanctions of the GDPR, but to present some of the rights and sanctions stipulated in Regulation (EU) 2016/679, so that one could get an overview of the sanction mechanism foreseen in the GDPR. I hope I have reached this purpose and that the article will prove useful to some of you interested in the GDPR's rules.
References:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016;
- Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
- Personal data protection – Personal data protection impact on the business environment, Assessments of Romanian experiences and the new challenges set by Regulation (EU) 2016/679. Academic's Editor, Bucharest 2017. Authors: Irina Alexe, Daniel-Mihail Șandru, Dragoș Alin Călin, Constantin Mihai Banu, Nicolae Dragoș Ploeșteanu, Andrei Mariș, Simona Șandru, Andreea Lisevici, Valerius M. Ciucă, Silviu-Dorin Șchiopu, Cornelia Bucin, Bogdan-Petru Mihai, Marius Eftimie, Adina Rus, Alexandru Georgescu, Bianca Luntraru, Vlad Bărbat, Mihai Bârloiu, Dan Dragomirescu, Andrei Săvescu, Daniel Mihail Șandru.
- https://ec.europa.eu
[1] So far, the EU Commission recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the US (limited to the Privacy Shield framework) as providing adequate protection.