Guidance on the obligations of very large online platforms and very large online search engines to provide access to data for the Digital Services Coordinator (DSC).
Advice on compliance of online intermediation services and online search engines with their information obligations towards business users to provide them access to their data.
The GDPR applies to the processing of personal data in the European Union related to the activities of a data controller or processor’s establishment in the Union. Even if you have no establishment in the EU, the GDPR applies to the processing of personal data of individuals for offering them goods or services. Similarly, if you observe the behavior of data subjects in the European Union, such as visitors to your website in the EU, you must ensure compliance with the GDPR.
The GDPR defines personal data as “any information relating to an identified or identifiable natural person (‘data subject’)”. It also stipulates that “an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
Under the GDPR, processing personal data is lawful only if there is a legal basis for it. At least one of the six grounds for processing set out in the GDPR must apply.
Of these grounds, consent of the data subject and the legitimate interests of the data controller are the most commonly relied on.
Generally, under the GDPR, consent is needed for processing personal data if no other legal basis applies. Consent of the data subject is required for processing special categories of data, such as health data, unless such processing is necessary for one of the limited purposes permitted by the GDPR. Consent must also be obtained for processing personal data with web tracking tools. To be valid, consent must be given freely and explicitly by the data subject for one or more specific purposes. According to the European Court of Justice, pre-ticked checkboxes that require the user to deselect them to refuse consent, as well as cookie banners that imply consent if a website visitor continues to surf the site, are not sufficient for valid consent.
A DPIA ensures that the processing of personal data complies with the GDPR. A DPIA is required if the intended processing is likely to result in a high risk to the rights and freedoms of individuals and must be carried out before their personal data is processed. This can be the case where personal data is processed using new technologies, such as artificial intelligence, to interact with data subjects, or where the processing involves creating user profiles that provide information on consumers’ shopping preferences.
Transfers of personal data to third countries require either an adequacy decision by the EU Commission confirming that the third country ensures an adequate level of protection, or other appropriate safeguards. The EU Commission maintains a website with links to all such adequacy decisions currently in force.
If no adequacy decision is available for the destination country, personal data may only be transferred if the controller or processor has provided appropriate safeguards and if enforceable rights for data subjects and effective legal remedies are available in the destination country. The standard data protection clauses adopted by the EU Commission (SCC) and the binding corporate rules (BCR) are the most common of these safeguards.
For transfers to the United States, the EU-U.S. Data Privacy Framework is a mechanism that participating organizations can use if they have self-certified their adherence and have been placed on the Data Privacy Framework List, which is maintained by the International Trade Administration (ITA) within the U.S. Department of Commerce. However, the validity of this mechanism has recently been called into question following reports of the dismissal of the chairperson and two members of the Privacy and Civil Liberties Oversight Board (PCLOB), the body meant to ensure that U.S. intelligence agencies observe the fundamental rights of data subjects. Whether the EU Commission’s SCCs can fill a potential void arising from this development remains to be seen.
Depending on the nature of the violation, supervisory authorities can impose administrative fines for GDPR infringements of up to 20 million euros or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Yes, in principle. According to the GDPR, any person who has suffered material or non-material damage as a result of a GDPR infringement has the right to receive compensation from the controller or processor for the damage suffered. Therefore, data controllers are liable for damage caused by such infringements. However, they are exempt from liability if they prove that they are not responsible for the event that caused the damage.
Additionally, the European Court of Justice held that the GDPR does not preclude national legislation of EU Member States that allows consumer protection agencies to bring legal proceedings against infringers for unfair commercial practices, even without a mandate from the affected consumer (Judgment of the Court of April 28, 2022, Case C-319/20).
First, stay calm. Don’t act on impulse; make informed decisions instead. As a rule, a data breach must be reported to the relevant supervisory authority without undue delay and, where feasible, no later than 72 hours after becoming aware of it. Failure to comply with this obligation constitutes a GDPR infringement and may result in an administrative fine or claims for damages from data subjects. Therefore, ignoring or covering up a breach is not an option.
The best way to avoid incidents and the time pressure they entail is to prevent a data breach by taking adequate technical and organizational measures. It is also prudent to have processes in place that ensure the right steps are taken if an incident does occur. When it does, your top priority should be to involve your privacy officer, if you have one, and to document the incident. Next, establish whether a personal data breach has occurred. If so, establish whether it must be reported to the supervisory authority — this is not always the case — and determine what measures, if any, can be taken to mitigate it.
If the breach must be reported, meet the deadline for your notification obligation and cooperate with your supervisory authority. If the personal data breach is likely to result in a high risk to the rights and freedoms of individuals, you must also inform those affected without undue delay.
If you have experienced a ransomware attack or other criminal incident, you should also report it to law enforcement. In addition to ensuring your compliance, you may also wish to consider hiring a specialist in crisis management who can advise you on how to avoid negative publicity, especially if the stakes are high.
Additionally, the GDPR mandates transparency about automated decision-making processes, including providing meaningful information about the logic involved.
Currently, there is no legal ownership of data in the European Union, and it is unlikely that this will change in the near future. Consequently, “data ownership” is a technical term with no legal meaning. However, an individual or organization that controls non-personal data can grant other parties access to it in a data use agreement. Since machine data collected by a service provider during predictive maintenance can contain details of new product designs and other non-disclosable information, it is advisable to clarify which data is collected during maintenance services and to enter into data use agreements that clearly define the collection and use of such data.