A controller is someone who determines the purposes and means of the processing of personal data.[8] Under the GDPR, natural or legal persons, public authorities or other bodies may act as a controller. With far-reaching consequences, the CJEU in Holstein v. Wirtschaftsakademie held that “the concept of ‘controller’ encompasses the administrator of a fan page hosted on a social network”.[9] Accordingly, the opinion of the Article 29 Data Protection Working Party (WP29)[10] was rejected by the CJEU. WP29 had stated that “the preference should be given to consider as a controller the company or the body as such, rather than a specific person within the company or the body”.[11] In Google Spain v. AEPD, the CJEU held that “the activity of a search engine consisting in finding information published or placed on the internet by third parties, indexing it automatically, storing it temporarily and, finally, making it available to internet users according to a particular order of preference must be classified as the processing of personal data, and the operator of the search engine must be regarded as the ‘controller’ concerning that processing”.[12]
A processor is defined as a natural or legal person who processes personal data on behalf of a controller.[13]
A recipient is a legal or natural person to whom the data is disclosed, whether a third party or not. In this context, the term ‘recipient’ is wider than the term ‘third party’. The distinction is essential in deciding whether a disclosure of data is lawful. For example, a third party would not be able to use personal data processed by a controller without some legal ground, but a recipient need not fulfil any such requirement if it is an employee of that controller or processor. However, a public body receiving such data for a particular inquiry under Union or Member State law is not considered to be a recipient under the GDPR.[14]
A third party is a natural or legal person who is different from the data subject, the controller, the processor and persons under the direct authority of the controller.[15] This would cover organizations other than the controller’s, even if they belong to the same holding or group.
The GDPR does not define the data subject explicitly. An ‘identified or identifiable natural person’ under the definition of ‘personal data’ would qualify as a data subject.
2 Material and Territorial Scope
Material Scope
The GDPR applies to the processing of personal data by automated means, wholly or partly, and to processing by non-automated means where the data form part or are intended to form part of a filing system.[1]
The GDPR provides for several exemptions, all of which are to be interpreted narrowly:
Public security, national security and defence,[2] as well as common foreign policy and security policy under Chapter 2 of Title V of the Treaty on the EU.[3] Personal data collected for commercial purposes and later used for security purposes may be covered by these exemptions.[4]
Data processing by a natural person for a purely personal or household activity, such as keeping an address book, correspondence not related to a business or professional activity, and online activity and social networking for a domestic and social purpose.[5] This is a probable extension of the CJEU’s narrow interpretation in Bodil Lindqvist, where the court held that the “exception must be interpreted as relating only to activities which are carried out in the course of private or family life of individuals, which is not the case with the processing of personal data consisting in publication on the internet so that those data are made accessible to an indefinite number of people”.[6] WP29 states that the publication of information to the world, as opposed to a limited group of friends, may be a deciding factor in applying the exemption.[7] In another narrowly interpreted case, the CJEU held that where “video surveillance [...] covers, even partially, a public space and is accordingly directed outwards from the private setting of the person processing the data in that manner, it cannot be regarded as an activity which is a purely ‘personal or household’ activity for the purposes of the second indent of Article 3(2) of Directive 95/46/EC”.[8]
The GDPR exempts competent authorities,[9] i.e. police, prosecution, courts, etc., who process personal data for the matters covered by the Law Enforcement Directive (LED), such as the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including safeguarding against and the prevention of threats to public security.[10]
It also excludes personal data processing by EU institutions, bodies, offices and agencies that are subject to Regulation (EU) 2018/1725.[11] The GDPR is without prejudice to the E-Commerce Directive 2000/31/EC,[12] especially the internet service provider liability rules under Articles 12 to 15.[13]
The GDPR protects natural persons with regard to the processing of their personal data in the EU regardless of their nationality or residence.[14] The criterion of ‘personal data’ is the first important factor for the applicability of the GDPR, though it is not a high threshold.
It applies to the processing of personal data in the context of the activities of EU-established controllers and processors, irrespective of the place of processing.[15] As we can see, this extends the reach of the GDPR well beyond the territory of the EU Member States. The term ‘establishment’ is not defined explicitly, but Recital 22 states that it implies effective and real control through stable means, regardless of its legal form. Moreover, the CJEU held that “the concept of an ‘establishment’ extends to any real and effective activity, even a minimal one, exercised through stable arrangements”.[16] In Google Spain v. AEPD, the CJEU held that an “establishment on the territory of a Member State, implies the effective and real exercise of activity through stable arrangements and that the legal form of such an establishment, whether simply a branch or a subsidiary with a legal personality, is not the determining factor”.[17] As to the phrase ‘in the context of the activities of an establishment’, the CJEU has stated that it should not be interpreted restrictively.[18] It further observed that “the activities of the operator of the search engine and those of its establishment situated in the Member State concerned are inextricably linked since the activities relating to the advertising space constitute the means of rendering the search engine at issue economically profitable and that engine is, at the same time, the means enabling those activities to be performed”.[19]
WP29 in its opinion has suggested that the GDPR would cover overseas organizations with EU offices involved in promoting, marketing, selling advertising or targeting EU individuals.[20] Regardless of their place of residence, the GDPR also applies to the processing of personal data of data subjects based in the EU by non-EU-established organizations where such processing relates to the offering of goods or services to the data subjects or the monitoring of their behaviour within the EU.[21] This would include an information society service, which has been defined as “any service normally provided for remuneration, at a distance, by electronic means and at the individual request of the recipient of service”.[22] It is therefore decisive to determine whether there is an EU-relevant ‘offering of goods or services’ and to ascertain whether the controller or the processor envisages the offering of goods or services to data subjects in one or more EU Member States.[23] The CJEU, while applying Brussels I[24] in Pammer and Alpenhof, held that the question is “whether, before the conclusion of any contract with the consumer, it is apparent from those websites and the trader’s overall activity that the trader was envisaging doing business with consumers domiciled in one or more Member States, including the Member State of that consumer’s domicile, in the sense that it was minded to conclude a contract with them”.[25] The ‘monitoring of behaviour’ covers internet tracking, including the potential subsequent use of personal data processing techniques consisting of profiling natural persons in order to take decisions or to analyse or predict their personal preferences, behaviour and attitudes.[26] It brings under its ambit e-commerce companies, advertising technology networks and many more service offerings. The GDPR also applies to the processing of personal data by a controller not established in the EU but in a place where Member State law applies by virtue of public international law.[27] This would cover ships, aeroplanes, diplomatic missions and consular posts.[28]