
General Data Protection Regulation (GDPR) Guide

Contents

1 SCOPE, TIMETABLE AND NEW CONCEPTS
  Material and territorial scope
  Key concepts for businesses to consider

2 PRINCIPLES
  Data protection principles
  Lawfulness of processing and further processing
  Legitimate interests
  Consent
  Children
  Special categories of data and lawful processing

3 INDIVIDUAL RIGHTS
  Information notices
  Subject access, rectification and portability
  Rights to object
  Right to erasure and right to restriction of processing
  Profiling and automated decision-taking

4 ACCOUNTABILITY, SECURITY AND BREACH NOTIFICATION
  Data governance obligations
  Personal data breaches and notification
  Code of conduct and certification

5 DATA TRANSFERS
  Transfers of personal data

6 REGULATORS
  Appointment of supervisory authorities
  Competence, tasks and powers
  Co-operation and consistency between supervisory authorities
  European Data Protection Board

7 ENFORCEMENT
  Remedies and liabilities
  Administrative fines

8 SPECIAL CASES
  Derogations and special conditions

9 DELEGATED ACTS AND IMPLEMENTING ACTS
  Delegated acts, implementing acts and final provisions

10 About Bird & Bird
The General Data Protection Regulation (“GDPR”) is the European Union’s cornerstone data protection law. It applies to almost all organisations doing business in or with the EU, or individuals in the EU. The “Brussels effect” means that many jurisdictions outside the European Union (“EU”) have followed GDPR concepts. So understanding the GDPR is important for businesses around the world.

This guide summarises key aspects of the GDPR and highlights the most important actions which organisations should take in seeking to comply with it.

We have divided our summary into sections which broadly follow those used by the GDPR, sub-divided into themes. Each sub-section starts with a speed-read summary and a list of suggested priority action points. We have also included a blue tab in each sub-section to guide you to where you can find relevant source material within the GDPR. We have also included details of key guidance materials published by European regulators who form the European Data Protection Board (“EDPB”) (and its predecessor the Article 29 Working Party).

We finalised the updates to this guide in December 2023 – by which date, we had seen a significant number of cases from the Court of Justice of the European Union (“CJEU”) analysing the GDPR. We have referenced these cases throughout the guide.

The European Union is also pursuing an ambitious digital agenda with multiple pieces of new legislation, which now complement the GDPR. We have indicated how the Digital Markets Act, Digital Services Act, Data Act, Data Governance Act and the NIS2 Directive need to be read alongside the GDPR. Although there is now also political agreement on the AI Act, as at the date of writing this introduction, there is no agreed text, so we have not (yet) included pointers to overlap with the AI Act. We will continue to update this guide to take account of new cases, guidance and legislation. If you would like to receive updates from us, please let us know. In the meantime, we hope that you will find this guide useful.
1. SCOPE, TIMETABLE AND NEW CONCEPTS

Material and territorial scope

At a glance

• The GDPR has extended the reach of EU data protection law:

  — An EU-based data controller or processor falls into its scope where personal data is processed “in the context of the activities” of its “establishment”. “In the context of” is a broadly-interpreted test, and the bar for what constitutes an “establishment” is low.

  — Where no EU presence exists, the GDPR will still apply whenever: (1) personal data relating to a data subject located in the EU is processed in connection with goods/services offered to him/her; or (2) the behaviour of individuals located in the EU is “monitored”.

• Despite being a Regulation, the GDPR allows Member States to legislate in many areas. This has challenged the GDPR’s aim of consistency, in areas such as employee data processing.

• The GDPR does not apply to certain activities – including processing covered by the Law Enforcement Directive¹, which was adopted as EU 2016/680 on 27 April 2016, for national security purposes and processing carried out by individuals purely for personal/household activities.

• The GDPR has been in effect since 25 May 2018.

To do list

Organisations (i) with an EU establishment or (ii) without an EU establishment but who monitor or target with goods/services EU-located individuals should:

• understand the impact of the GDPR, and relevant case law/guidance which has clarified the application of its extra-territorial scope; and

• determine an approach to compliance, and keep their compliance programmes under review.

Organisations working in areas where “special”/sectoral rules are common should assess if they are required to comply with specific additional Member State laws and establish/maintain appropriate compliance programmes accordingly.

Organisations should be aware that their processing may additionally be regulated (or soon be regulated) by the new “Big 5” EU data laws (the Digital Services Act, the Digital Markets Act, the Data Governance Act, the Data Act and the AI Act). The Big 5 may apply to personal data, but also to “data” more broadly (including non-personal data). Organisations will need to expand their digital regulation compliance programmes to cover these additional obligations.

1. Full title: EU Directive 2016/680 on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data, adopted on 27 April 2016
Territorial scope

EU “established” controllers or processors

Pursuant to Article 3(1), the GDPR applies to organisations which have EU “establishments”, where personal data is processed “in the context of the activities” of such an establishment. If this test is met, the GDPR applies irrespective of whether the actual data processing takes place in the EU or not.

“Establishment” was considered by the CJEU in the 2015 case of Weltimmo v NAIH (C-230/14). This confirmed that establishment is a “broad” and “flexible” phrase that should not depend on legal form. An organisation may be “established” where it exercises “any real and effective activity – even a minimal one” – through “stable arrangements” in the EU. The presence of a single representative may be sufficient. In that case, Weltimmo was considered to be established in Hungary notwithstanding that it was incorporated in Slovakia.

The EDPB guidelines align on territorial scope with the above case law, finding that “the threshold for ‘stable arrangement’ can be quite low when the centre of activities of a controller concerns the provision of services online”. In some cases if, “the presence of a single employee or agent acts with a sufficient degree of stability,” that will suffice. However the EDPB does clarify that the mere presence of an employee in the EU may not be sufficient; the processing must also be carried out in the context of the activities of this employee – so the fact that an organisation has EU staff will not result in unconnected personal data processing becoming subject to the GDPR.

Organisations which have EU sales offices, which promote or sell advertising or marketing targeting EU residents will likely be subject to the GDPR - since the associated processing of personal data is considered to be “inextricably linked” to and thus carried out “in the context of the activities of” those EU establishments (CJEU case Google Spain SL, Google Inc. v AEPD, Mario Costeja Gonzalez (C-131/12)). The EDPB guidelines offer the example of a Chinese e-commerce website with an office in Berlin running commercial marketing campaigns towards EU markets. Because the Berlin office helps make the e-commerce activity profitable in the EU, the EDPB states that this would be sufficient to consider the Chinese company to be processing personal data in the context of its German establishment.

By contrast, the EDPB guidelines clarify that the accessibility of a website alone is not an establishment in the EU. This also mirrors CJEU case law – VKI v Amazon – which previously found that a website is not an establishment. The EDPB provides the example of a hotel chain that targets EU consumers but has no presence in the EU. The correct analysis would be under Article 3(2) (the extraterritorial provisions), not Article 3(1). The EDPB guidelines also confirm that just because an organization may be considered “established” for one activity will not render all its activities subject to GDPR.

Non-EU “established” organisations who target or monitor EU data subjects

Pursuant to Article 3(2), non-EU established organisations will be subject to the GDPR where they process personal data about EU data subjects in connection with:

• the “offering of goods or services” (payment is not required); or

• “monitoring” their behaviour within the EU.

For offering of goods and services (but not monitoring), mere accessibility of a site from within the EU is not sufficient. It must be apparent that the organisation “envisages” that activities will be directed to EU data subjects. In other words, the relevant determining issue will be evidence of intent. As listed in the EDPB guidelines, relevant factors include:

• references to the EU or a Member State in promotional material;

• paying a search engine to facilitate access to a website in the EU or launching a marketing campaign directed at an EU audience;

• the international nature of the activity, such as tourism-related activities;

• providing local phone numbers or addresses in association with a product or service;

• using top-level domain names that refer to the EU or a Member State (e.g. “.eu” or “.de”);

• providing travel instructions from a Member State;
• mentioning international clientele or providing customer testimonials in promotional material, in particular where the customers are based in the EU;

• using an EU language or currency; and

• offering delivery services in the EU.

The EDPB guidelines do not state that any or all of these factors must be present for GDPR to apply, but rather that these are the sorts of indicators which supervisory authorities will look at when deciding if there is a sufficient intention to target individuals in the EU. It is not clear whether non-EU organisations offering goods and services to EU businesses (as opposed to individuals) will fall within the scope of the “offering goods and services” test in Article 3(2)(a).

“Monitoring”: In contrast to offering goods and services, monitoring does not specifically require any indication of intent. Nonetheless, the EDPB guidelines state that “the use of the word ‘monitoring’ implies that the controller has a specific purpose in mind for the collection and subsequent reuse of the relevant data about an individual’s behaviour within the EU”. The “key consideration” for identifying monitoring is the presence of “any subsequent behavioural analysis or profiling techniques”. Profiling, as defined by GDPR, requires automated processing and the evaluation of “personal aspects relating to a natural person”, such as predicting health, personal preferences, economic situation, work performance or location or movements.

In other words, the passive collection over time of personal data concerning an individual’s behaviour in the EU is not enough to constitute monitoring – there must be an evaluative purpose. The EDPB guidance provides a list of examples:

• behavioural advertising and geolocalisation of content (particularly for advertising);

• online tracking through cookies and device fingerprinting;

• an online personalised diet and health analytics service;

• CCTV;

• market surveys and other behavioural studies based on individual profiles; and

• monitoring or regular reporting on an individual’s health status.

While the EDPB guidelines state that monitoring need not happen online (for example wearable technologies and other smart devices are clearly called out by the EDPB), it is interesting that most of the examples they provide are examples of online tracking. Other common use cases, such as anti-money laundering checks, email monitoring in the employment context and fraud prevention are not referenced.

The concept of “monitoring” is currently being considered in regulatory decision-making around Clearview AI, which compiled a database of facial data scraped from the internet. Several European regulators have argued that the GDPR applies to Clearview because the making available of its database “relates to” the monitoring by its customers of the individuals concerned.

In respect of all three Article 3 GDPR criteria (establishment, targeting and monitoring), a ruling on Soriano v Forensic News ([2021] EWCA Civ 1952) in the UK Court of Appeal suggests that the criteria may be interpreted more broadly than previously thought. The Court held that a group of US journalists associated with the Forensic News website had a “reasonable prospect” of fulfilling any of the Article 3 criteria (which means that the case is able to be heard). The Court said a “minimal activity” of publication and subscriptions in the EU could constitute an establishment; that journalistic output could constitute “offering” services; and that the collection and sorting of journalistic data about an EU individual could constitute “monitoring”. However, following Brexit the case may have more limited impact in the EU as opposed to the UK, and has not yet been heard in full by the UK Court of Appeal.

Organisations subject to Article 3(2) of the GDPR must appoint an EU-based representative in one of the Member States where the data subjects whose data is processed are located. An equivalent obligation to appoint a UK-based representative currently exists under the UK GDPR too. The EDPB guidelines confirm that the GDPR does not establish substitutive liability for representatives: they can only be held liable for their direct obligations under the GDPR (i.e. Article 30 and Article 58(1)). Bird & Bird now assists non-EU and non-UK established organisations with this obligation and can be appointed as both UK and EU GDPR representative. Contact Bird & Bird Privacy Solutions if you would like further details about our GDPR representative services.
Where EU member state law applies by virtue of public international law

Recital 25 gives the example of a diplomatic mission or consular position. The EDPB guidelines also have the example of a cruise ship flying a German flag (because of its incorporation) in international waters. In this example, the cruise ship will be subject to the GDPR, according to the EDPB guidelines. A similar parallel could be made here with aircraft.

Exclusions

Certain activities fall entirely outside the GDPR’s scope (listed below).

In addition, the GDPR acknowledges that data protection rights are not absolute and must be balanced (proportionately) with other rights – including the “freedom to conduct a business”. (For the ability of Member States to introduce exemptions, see section on derogations and special conditions). As the GDPR creates a strict regime in many areas of data protection, with arguably more sticks than regulatory carrots, businesses may find it helpful to refer back to this statement in Recital 4 as the need arises.

The GDPR does not apply to the processing of personal data (these general exemptions are very similar in the following cases to the equivalent provisions included in the Data Protection Directive):

• in respect of activities which fall outside the scope of EU law (e.g. activities concerning national security);

• in relation to the EU’s common foreign and security policy;

• by competent authorities for the purpose of the prevention, investigation, detection or prosecution of criminal offences and associated matters (i.e. where the Law Enforcement Directive applies);

• by EU institutions, where a specific instrument, Regulation (EU) 2018/1725, which came into force on 11 December 2018, aims to bring the rules for EU institutions in line with those set out in the GDPR. The rules are not however identical;

• by a natural person or as part of a “purely personal or household activity”. This covers correspondence and the holding of address books - but it also covers the social networking and online activities undertaken for social and domestic purposes. It represents a widening of the exemption from the principles set out in Bodil Lindqvist (C-101/01), before the advent of social media. In this case, the CJEU noted that sharing data with the Internet at large “so that those data are made accessible to an indefinite number of people” could not fall within this exemption, which it stated should be limited to activities “carried out in the course of the private or family life of individuals”. Note also that the GDPR remains applicable to controllers and processors who “provide the means for processing” which falls within this exemption.

The GDPR is stated to be “without prejudice” to the rules in the E-commerce Directive (2000/31/EC), in particular to those concerning the liability of “intermediary service providers”. These liability exemptions have now been replaced by equivalent (and updated) liability exemptions in the Digital Services Act (2022/2065), which exempts mere conduit, caching and hosting service providers from liability exposure in certain scenarios though also imposes additional due diligence obligations on providers of those services. The relationship between the GDPR, the E-commerce Directive, the Digital Services Act, and other of the EU’s “Big 5” new data laws (the Digital Markets Act, the Data Governance Act, the Data Act and the AI Act) is not straightforward. The Big 5 say that they are “without prejudice” to the application of the GDPR and in places stress that protection in regard to the processing of personal data is “governed solely” by data protection legislation. However, the Big 5 also contain a number of provisions which directly
relate to data protection (for example, the Digital Services Act’s prohibition on profiling for advertising purposes based on minors’/special category data in certain scenarios) and so in practice enforcement may feasibly arise under multiple acts. In certain other areas however the split is clearer (for example, the liability of ISPs for illegal content will likely continue to be enforced under the Digital Services Act, similarly to under the E-commerce Directive).

Organisations should note that the Big 5 apply to both personal and non-personal data, and in places create rights like data subject rights under GDPR in respect of non-personal data too.

Organisations should be prepared to significantly expand their compliance programmes to deal with Big 5 compliance.

Regulation versus national law

As a Regulation, the GDPR is directly effective in Member States without the need for implementing legislation.

However, on numerous occasions, the GDPR does allow Member States to legislate on data protection matters. This includes occasions where the processing of personal data is required to comply with a legal obligation, relates to a public interest task or is carried out by a body with official authority. Numerous articles of the GDPR also state that their provisions may be further specified or restricted by Member State law. Processing of employee data is another significant area where Member States can take divergent approaches.

Organisations working in sectors where special rules often apply (e.g. health and financial services) should: (1) consider if they benefit from such “special rules” to the extent they have been introduced in relevant jurisdictions in order to particularise or liberalise the GDPR; and (2) adapt accordingly.

Where can I find this?

Material Scope, Article 2, Recitals 15-21
Territorial Scope, Article 3, Recitals 22-25
1. SCOPE, TIMETABLE AND NEW CONCEPTS

Key concepts for businesses to consider

At a glance

The following are key concepts under the GDPR which should form the basis of businesses’ compliance programme structures:

• Transparency and Consent – the GDPR’s stringent requirements regarding information to be provided and permissions required from individuals, including for consent to be unambiguous and not to be assumed from inaction, mean that many data protection notices, consent forms and “cookie consent banners” require additional disclosures or more granular levels of consent than in other jurisdictions.

• Children’s privacy – given the focus on online safety, a number of European regulators have released specific guidance around how online services can comply with the GDPR specifically in relation to processing of children’s data and there have been significant fines in this area. In addition, where online/Internet-enabled services rely on consent as a legal basis for processing, they need to check ages and ask for verifiable parental consent if the user is younger than a legally-specified age threshold (the “age of digital consent” – 16 by default, though some Member States have lowered it to 13, 14 or 15).

• Regulated data – the definitions of “personal data” and “special categories of data” are broad. In particular, regulatory guidance and case law suggests that “anonymous” data (which will not qualify as personal data) will be a very difficult standard to reach in practice, though regulatory attitudes vary by jurisdiction.

• Pseudonymisation – a privacy-enhancing technique where information which allows data to be attributed to a specific person is held separately and subject to technical and organisational measures to ensure non-attribution.

• Personal Data Breach – reporting obligations apply to all data controllers and all processors, regardless of their sector. (Telco providers are subject to breach notification obligations provided by the e-Privacy Directive).

• Data protection by design and accountability – organisations are required to adopt significant technical and organisational measures to comply and to be able to demonstrate their GDPR compliance.

• Enhanced rights – Data subjects are given substantial rights including the right to be forgotten, data portability rights and the right to not be subject to significant automated decision making.

• Supervisory authorities and the EDPB – regulatory oversight of data protection is on a national basis through a network of supervisory authorities, with the EDPB performing a co-ordination role. The EDPB also oversees the Article 65 dispute resolution process relating to enforcement around cross-border processing.

To do list

Refer to the To do list for later sections dealing with each of these topics in more detail.
The GDPR’s provisions and obligations are
extensive, but the following are particularly
key concepts which organisations should
consider in their compliance programmes.
More detailed information on each appears
elsewhere in this guide.

Consent

The conditions for obtaining consent are strict:

• The Article 29 Working Party (now EDPB) stated in its GDPR consent guidelines that at least the following information is required for valid consent: (i) the controller’s identity, (ii) the purpose of each of the processing operations for which consent is sought, (iii) what (type of) data will be collected and used, (iv) the existence of the right to withdraw consent, (v) information about the use of the data for automated decision-making in accordance with Article 22(2)(c) where relevant, and (vi) the possible risks of data transfers due to absence of an adequacy decision and of appropriate safeguards as described in Article 46.

• There is a presumption that consent will not be valid unless: (i) separate consents are obtained for different processing activities, (ii) consent is not a condition of receiving a service, and (iii) there is no “imbalance of power” between the data subject and the organisation.

Consent is not the only mechanism for justifying the processing of personal data as the other legal bases available are contractual necessity, compliance with a (Member State or EU) legal obligation, or processing necessary for legitimate interests, protecting vital interests, or processing in the public interest.

For more information on this topic, see sections on consent; children; and special categories of data and lawful processing (see the section on principles).

Transparency

Organisations need to provide extensive information to individuals about the processing of their personal data. Breach of transparency obligations by controllers has led to some of the highest fines to date under the GDPR.

The list of information that must be provided takes up several pages in the GDPR; yet data controllers are nevertheless required to provide that information in a concise, transparent, intelligible and easily accessible way. The use of “layered” notices (with links to extra information) is a common solution, although some regulators (such as the Irish Data Protection Commissioner (“IDPC”) in its decisions against Meta’s Instagram and Facebook processing) have noted that layering will not aid compliance to the extent it results in information overload for data subjects. The IDPC has also suggested (see the separate decision in respect of WhatsApp’s transparency practices, currently under appeal) that organisations will be expected to “link” together certain types of information in their privacy notices (for example, categories of data, purpose, lawful basis, and third party recipients). Many controllers have started to do this by using a table format.

Organisations are discouraged from making use of “dark patterns” to manipulate the user into making detrimental privacy choices. The EDPB issued guidelines on dark patterns which were
published in final form in 2023. There is a similar prohibition on online platforms’ use of dark patterns in the Digital Services Act, but this will not apply to practices covered by the GDPR.

The transparency information of services “likely to be accessed by children” is held to a higher standard by European data protection regulators. Where relevant, organisations are expected to implement privacy notices appropriate to the age of the children who access them, which might involve (for example) utilising video, audio, graphics, and/or simplified language.

For more information on this topic, see section on information notices.
Children

Children’s privacy guidance

The online safety of minors has become a highly debated topic both in Europe and worldwide since the implementation of the GDPR. As such, a number of European supervisory authorities have taken action in this area and have issued specific guidance around the processing of children’s data.

Examples include the UK Information Commissioner’s Children’s Code, and the Irish Data Protection Commissioner’s Fundamentals for a Child-Oriented Approach to Data Processing. Topics focus on service design and include transparency, age assurance, default settings and “nudge” techniques.

Organisations will not only have to comply with children’s privacy guidance if they directly target children with their services, but also if their services are “likely to be accessed” by children. Organisations will likely need to perform child accessibility assessments at the outset of designing their online services.

There have been substantial fines based on breaches of children’s privacy guidance to date. For example, in 2022 the IDPC fined Meta 405 million Euros for making children’s contact details public by default in breach of the GDPR.

The age of digital consent

In addition (and an overlapping but separate point to the children’s privacy design guidance) children under the age of 13 can never, themselves, give consent to the processing of their personal data in relation to online/Internet-enabled services.

Therefore, for children between the ages of 13 and 15 (inclusive), the general rule is that if an organisation seeks consent as a GDPR legal basis to process their personal data, then parental consent must be obtained, unless the relevant Member State legislates to reduce the default age threshold (16 years of age). They cannot lower it below 13. Children aged 16 or older may give consent for the processing of their personal data themselves.

It should be noted however that consent is not the only lawful basis available for the processing of children’s personal data. For example, it may still be possible for controllers of online services to rely on contract or legitimate interest where appropriate. However, it might be more difficult to reach the required threshold for other legal bases where children are concerned – for example, it might be more difficult to satisfy a legitimate interests assessment.

There are no specific rules relating to parental consent for offline data processing: usual Member State rules on capacity would apply here.

For more information on this topic, see section on children.
Personal data/sensitive data (“Special categories of data”)

The GDPR applies to data which can be related to a living individual that is identified or identifiable, whether directly or indirectly. Identifiability will be assessed taking into account “all means reasonably likely to be used”. Pre-GDPR, the CJEU’s October 2016 ruling in Patrick Breyer v Germany (C-582/14) (“Breyer”) confirmed that an individual will not be identifiable where the risk of identification “appears in reality to be insignificant”.

Regulatory guidance differs as to whether identifiability should be assessed from the perspective of anyone in the world, or solely from the perspective of the party seeking to consider the data anonymous. Breyer as well as General Court Case T‑557/20 appear to favour the latter interpretation. Whether data “relates to” a natural person will depend on whether it is linked to that person by reason of its “content, purpose or effect” (Peter Nowak v Data Protection Commissioner, C-434/16 [2017], [35]), which is a low bar and likely to be satisfied if an individual is identifiable.

The GDPR’s recitals highlight that certain categories of online data may be personal – for instance, data consisting of or associated with online identifiers, device identifiers, cookie IDs and IP addresses are given as examples. We have known since Breyer that a dynamic IP address can be personal data; Recital 30 GDPR reinforces the point.

“Special categories of data” (often referred to as sensitive data) include genetic data and biometric data used to identify data subjects. Processing of special categories of data is subject to more stringent conditions.
Pseudonymisation

Pseudonymisation refers to the technique of processing personal data in such a way that it can no longer be attributed to a specific “data subject” without the use of additional information, which must be kept separately and be subject to technical and organisational measures to ensure non-attribution.

Pseudonymised information is still a form of personal data, but the use of pseudonymisation is encouraged, for instance:

• it is a factor to be considered when determining if processing is “incompatible” with the purposes for which the personal data was originally collected and processed;

• it is included as an example of a technique which may satisfy requirements to implement “privacy by design and by default” (see section on data governance obligations);

• it may contribute to meeting the GDPR’s data security obligations (see section on personal data breaches and notification); and

• for organisations wishing to use personal data for historical or scientific research or for statistical purposes, use of pseudonymous data is emphasised.
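The definition above has two working parts: direct identifiers are replaced by a token, and the “additional information” needed to re-attribute the token is held apart from the dataset. The following Python is an added illustration (not code from the guide or from Bird & Bird) of that split; the class and function names, the HMAC-based tokenisation and the sample records are all constructed for this example.

```python
# Added example (not from the guide): pseudonymisation with the re-attribution
# material held in a separate, access-controlled store.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class SeparateStore:
    """The 'additional information' that must be kept separately under
    technical and organisational measures: the HMAC key plus a reverse
    lookup table. A party holding only the pseudonymised dataset cannot
    attribute a token to a person."""
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    reverse: dict = field(default_factory=dict)

    def token_for(self, identifier: str) -> str:
        # A keyed hash rather than a plain SHA-256 digest: without the key a
        # recipient of the dataset cannot confirm a candidate identifier by
        # hashing it themselves, so the key is a genuine separating control.
        normalised = identifier.strip().lower().encode("utf-8")
        tok = hmac.new(self.key, normalised, hashlib.sha256).hexdigest()[:24]
        self.reverse[tok] = identifier
        return tok

    def reidentify(self, token: str):
        """Re-attribution is only possible from the separate store."""
        return self.reverse.get(token)


DIRECT_IDENTIFIERS = ("name", "email")


def pseudonymise_records(records, store: SeparateStore):
    """Return copies of `records` with direct identifiers replaced by one
    subject token. Indirect attributes (year of birth, postcode area) are
    retained, which is one reason the output remains personal data: the rows
    stay linkable to each other and, in principle, to the individual."""
    out = []
    for rec in records:
        pseud = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        pseud["subject_token"] = store.token_for(rec["email"])
        out.append(pseud)
    return out


def contains_direct_identifiers(records) -> bool:
    """Sanity check before the dataset leaves the controlled environment."""
    return any(k in rec for rec in records for k in DIRECT_IDENTIFIERS)


# Constructed sample input; the people and addresses are fictitious.
SAMPLE = [
    {"name": "Alice Example", "email": "alice@example.com",
     "birth_year": 1984, "postcode_area": "SW1", "purchase": "router"},
    {"name": "Alice Example", "email": "Alice@Example.com",
     "birth_year": 1984, "postcode_area": "SW1", "purchase": "cable"},
    {"name": "Bob Example", "email": "bob@example.com",
     "birth_year": 1991, "postcode_area": "M1", "purchase": "switch"},
]


def demo():
    store = SeparateStore()                    # lives apart from the dataset
    dataset = pseudonymise_records(SAMPLE, store)
    # Same person, same token: analysis can still link Alice's two purchases.
    assert dataset[0]["subject_token"] == dataset[1]["subject_token"]
    # A different key (i.e. a different store) yields unrelated tokens.
    other = SeparateStore()
    assert other.token_for("alice@example.com") != dataset[0]["subject_token"]
    return dataset, store


if __name__ == "__main__":
    ds, st = demo()
    for row in ds:
        print(row)
    print("re-identified via separate store:", st.reidentify(ds[0]["subject_token"]))
```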

Personal data breach notification

The GDPR has a personal data breach notification framework for all data controllers (and all processors) regardless of the sector in which they operate. Some organisations (mainly telco providers) are subject to breach notification obligations provided by the e-Privacy Directive.

Notification obligations (to supervisory authorities and possibly to affected data subjects) are potentially triggered by “accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data”. For more information on this topic, see section on personal data breaches and notification.

Data protection by design and accountability

Organisations must be able to demonstrate their compliance with the GDPR’s principles, including by adopting certain “data protection by design” measures (e.g. the use of pseudonymisation techniques), staff training programmes and adopting policies and procedures.

Where “high risk” processing will take place (such as monitoring activities, systematic evaluations or processing special categories of data), a detailed data protection impact assessment (“DPIA”) must be carried out and documented. Where a DPIA results in the conclusion that there is indeed a high, and unmitigated, risk for the data subjects, controllers must notify the supervisory authority (i.e. the data protection authority or “DPA”) and obtain its view on the adequacy of the measures proposed by the DPIA to reduce the risks of processing.

Controllers and processors may decide to appoint a Data Protection Officer (“DPO”). This is obligatory for public sector bodies, those involved in certain listed sensitive processing or monitoring activities or where local law requires an appointment to be made. Group companies can jointly appoint a DPO.

For more information on these topics see section on data governance obligations.

Enhanced rights for individuals

The GDPR provides for a wide range of rights for individuals in respect of their personal data.

These include the right to be forgotten, the right to request the porting of one’s personal data to a new organisation, the right to object to certain processing activities and an individual’s right not to be subject to a decision based solely on automated processing which produces legal or other significant effects on him/her.

The Data Governance Act (“DGA”) anticipates intermediary services, which will seek to help data subjects exercise their rights and give organisations access to their data. Those providing data intermediation services must meet conditions set out in the DGA, which are designed to ensure that the services are fair and independent. They must also act in the best interests of data subjects (DGA, Article 12).

For more information on these topics see section on information notices and the immediately following sections.

Supervisory authorities and the EDPB

Data protection regulators are referred to as supervisory authorities. A single lead supervisory authority located in the Member State in which an organisation has its “main” establishment will take the lead on cross-border complaints and investigations into that organisation’s compliance with the GDPR.

The EDPB exists to (amongst many other things) issue opinions on particular issues and adjudicate on disputes arising from supervisory authority decisions under the Article 65 dispute resolution process.

For more information on this topic see Section 6: Regulators.

2. PRINCIPLES

Data protection principles

At a glance

• The data protection principles are the building blocks of the wider GDPR. The principles underpin the specific obligations on controllers that follow in later chapters. This includes an accountability principle, requiring controllers to demonstrate how these principles are met by their processing.

To do list

Identify means to “demonstrate compliance” with the data protection principles – e.g. adherence to approved codes of conduct, “trails” of decisions relating to data processing and, where appropriate, privacy impact assessments.

Commentary

The principles are the foundational building blocks of the GDPR, upon which later obligations on controllers are based. They are as follows:

Lawfulness, fairness and transparency

Personal data must be processed lawfully, fairly, and in a transparent manner in relation to the data subject.

Purpose limitation

Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes.

Further processing of personal data for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes is deemed to be compatible with the original processing purposes, if conditions in Article 89(1) (which sets out safeguards and derogations in relation to processing for such purposes) are satisfied.

Data minimisation

Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.

Accuracy

Personal data must be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that is inaccurate is erased or rectified without delay (having regard to the purposes for which the data is processed).

Storage limitation

Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. Personal data may be stored for longer periods insofar as the data will be processed solely for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes in accordance with Article 89(1), i.e. subject to use of appropriate technical and organisational measures, which some Member States have addressed in national laws.

Integrity and confidentiality

Personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Accountability

A controller is responsible for and must be able to demonstrate compliance with these principles.

Principles and enforcement

Principles are regularly referenced by supervisory authorities as part of enforcement action. Although certain obligations are subject to a lower penalty threshold under Article 83(4) GDPR, all breaches of the principles fall under the higher threshold under Article 83(5).

Where can I find this?

Article 5 and Recital 39

2. PRINCIPLES

Lawfulness of processing and further processing

At a glance

• The GDPR sets out various grounds to lawfully process personal data under Article 6. These include consent, contractual necessity, legitimate interests, and legal obligations among others.

• The requirements for valid consent are onerous, and additional rules apply to the processing of children’s data online.

• There are specific restrictions on the ability to rely on “legitimate interests” as a basis for processing, particularly in the public sector.

• There is a non-exhaustive list of factors to be taken into account when determining whether the processing of personal data for a new purpose is incompatible with the purposes for which the personal data was initially collected.

To do list

Ensure you are clear about the grounds for lawful processing relied on by your organisation under the GDPR and that these are documented in your privacy notices.

Where relying on consent, ensure the quality of that consent meets GDPR requirements (see the section on consent for further details).

Ensure that your internal governance processes will enable you to demonstrate how decisions to use personal data for further processing purposes have been reached and that relevant factors have been considered.

Commentary

In order for the processing of personal data to be valid under the GDPR, data controllers must satisfy a condition set out in Article 6(1) GDPR (an additional legal basis is required to process special categories of data, over and above a legal basis in Article 6 – see the section on special categories of data and lawful processing). The relevant legal basis for each purpose of processing must be described in notices (see our section on information notices). As explained in the sections on data subject rights, individuals may have different rights depending on the legal basis relied upon for the processing. These legal bases for processing are:

6(1)(a) – Consent of the data subject

The GDPR test for valid consent is onerous, and sets a high bar for data controllers (see the section on consent). Particular conditions are also imposed where consent of children is sought online (see the section on children).

6(1)(b) – Necessary for the performance of a contract with the data subject or to take steps preparatory to such a contract

Processing must be necessary for the entry into or performance of a contract with the data subject. This is a preferable legal basis, where available, given the additional rights available to data subjects where controllers rely on consent or legitimate interests.

In October 2019, the EDPB issued its final guidelines on the processing of personal data under Article 6(1)(b) in the context of the provision of online services to data subjects. On the scope of this condition, the EDPB states that “[m]erely referencing or mentioning data processing in a contract is not enough it is important to assess what is objectively necessary to perform the contract”.

6(1)(c) – Necessary for compliance with a legal obligation

Article 6(3) and Recitals 41 and 45 make it clear that the legal obligation in question must be:

• an obligation of Member State or EU law to which the controller is subject; and

• “clear and precise” and its application foreseeable for those subject to it.

The recitals make it clear that the relevant “legal obligation” need not be statutory (i.e. common law would be sufficient, if this meets the “clear and precise” test). A legal obligation could cover several processing operations carried out by the controller so that it may not be necessary to identify a specific legal obligation for each individual processing activity.

6(1)(d) – Necessary to protect the vital interests of a data subject or another person where the data subject is incapable of giving consent

Recital 46 suggests that this legal basis is available for processing that is necessary for humanitarian purposes (e.g. monitoring epidemics) or in connection with humanitarian emergencies (e.g. disaster response). The recital indicates that in cases where personal data is processed in the vital interests of a person other than the data subject, this legal basis for processing should be relied on by exception, and only where no other legal basis is available.

6(1)(e) – Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

Article 6(3) and Recital 45 make clear that this legal basis applies only where the task carried out, or the authority of the controller, is laid down in Union law or Member State law to which the controller is subject. This is the key alternative for public authorities, who are not able to process personal data for their public tasks on the basis of legitimate interests.

6(1)(f) – Necessary for the purposes of legitimate interests

As set out above, this legal basis can no longer be relied on by public authorities processing personal data in the exercise of their functions. Recitals 47-50 add more detail on what may be considered a “legitimate interest”. Guidance from the EDPB makes it clear that a documented balancing test (also called a legitimate interests assessment or “LIA”) is expected where relying on this legal basis, which must be made available to data subjects on request (see the section on legitimate interests for further details).

Member States are permitted to introduce specific provisions to provide a basis under Articles 6(1)(c) and 6(1)(e) (processing due to a legal obligation or performance of a task in the public interest or in the exercise of official authority). This has led to some variation across the EU. (For further details see the section on derogations and special conditions).

The lawful bases that online platforms rely on to process personal data have been considered by the CJEU and the EDPB. In the Bundeskartellamt decision (C-252/21), the CJEU suggested a narrow interpretation of contractual necessity, noting that it would cover processing which was “objectively indispensable” for the main subject matter of the contract, and of legitimate interests-based processing. However, the CJEU noted that the fact that a platform has a dominant position does not preclude it from relying on user consent.

In its Binding Decision 03/2022, the EDPB directed the IDPC to find that performance of a contract was not a suitable legal basis on which Meta could rely to process personal data of users for targeted advertising. On 7th December 2023, the EDPB adopted an urgent binding decision on this topic, relating to use of performance of a contract and legitimate interests for processing of certain data for targeted advertising.

Additional considerations on lawful basis apply under the Digital Markets Act (“DMA”). The DMA is only applicable to a small number of very large gatekeepers (listed here: Gatekeepers (europa.eu)). The European Commission designates gatekeepers in respect of specific services. Article 5 DMA prohibits gatekeepers from carrying out certain processing of personal data unless the gatekeeper has the consent of the data subject – so, for these specific processing activities, gatekeepers have less flexibility on lawful basis than other controllers. The restrictions apply to:

• processing personal data of end users for online advertising services, where the personal data relates to end-users’ interactions with third parties who use the gatekeeper’s services;

• combining personal data from a regulated service with personal data from other services;

• cross-using personal data from a regulated service with personal data from other services; and

• signing end-users in to other services of the gatekeeper in order to combine personal data.

If the processing listed above is required by (EU or member state) law, to protect vital interests, or for a task performed in the public interest, then the gatekeeper can still go ahead.

Further processing

The GDPR also sets out (at Article 6(4)) the factors a controller must take into account to assess whether a new processing purpose is compatible with the purpose for which the personal data was initially collected. Where such processing is not based on consent, or on Union or Member State law relating to matters specified in Article 23 (general article on restrictions relating to the protection of national security, criminal investigations etc.), the following factors should be taken into account in order to determine compatibility:

• any link between the original and proposed new purposes;

• the context in which personal data have been collected (in particular the relationship between data subjects and the controller);

• the nature of the personal data (particularly whether they are special categories of data or criminal offence and convictions data);

• the possible consequences of the proposed processing; and

• the existence of safeguards (including encryption or pseudonymisation).

Recital 50 and Article 5(1)(b) indicate that further processing for archiving purposes in the public interest, for scientific and historical research purposes or for statistical purposes should be considered as compatible processing (see the section on derogations and special conditions).

Impact of new EU laws

There are restrictions on the ability of
organisations who receive personal data
under the Data Act to make further use of
this data. The Data Act enhances the right
to portability, by allowing end-users better
access to data generated by connected devices
and related services. The end-user can direct
that this data should be made available to a
third party – for example, so that the third
party can provide support or after-care services
related to the connected device to the end-user.
Where third parties receive connected device
data under the Data Act, then Article 6 Data Act
imposes stricter purpose limitation restrictions
on the third party. The third party can only
use the data for the purposes and under the
conditions agreed with the user of the device.
The third party is also not allowed to share the
data with another third party unless this sharing
is also on the basis of a contract with the end-
user. This means that a third party who has
received personal (or other) data under the
Data Act is not able to make further, compatible,
use of the data; the third party can only use
the data for the original purpose for which it
was provided.

Further Reading:
• EDPB Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context
of the provision of online services to data subjects

• C‑268/21 Norra Stockholm Bygg addresses Articles 6(1)(e), 6(3) and 6(4) in the context of
civil disclosure.

• European Commission published in April 2019 a Q&A document looking into the interplay between
the EU Clinical Trial Regulation and the GDPR, addressing further processing.

• C-77/21 DIGI addresses further processing, explaining the need for a “concrete, logical and
sufficiently close link” between the initial and further processing, not deviating from the individual’s
“legitimate expectation”

• IDPC decisions against Meta which address the ability to rely on contractual necessity

Where can I find this?

Lawful basis for processing (personal data)
Articles 6-10, Recitals 40-50

2. PRINCIPLES

Legitimate interests

At a glance

• Legitimate interests is the most flexible legal basis for most data controllers.

• The legitimate interest may be that pursued by the controller or a third party, but must not be overridden by the interests or fundamental rights or freedoms of the data subject, in particular where that individual is a child.

• Public authorities are unable to rely on legitimate interests to legitimise data processing carried out in the discharge of their functions.

• Controllers that rely on legitimate interests should maintain a record of the assessment they have made (i.e. an LIA). EDPB guidance states that this assessment should be provided to data subjects on request, and that individuals should be told that they have this right. This assessment will also be necessary to help controllers show that they have given proper consideration to the rights and freedoms of data subjects.

• Controllers should be aware that personal data processed on the basis of legitimate interests is subject to a right to object – which can only be rejected where there are “compelling” reasons.

To do list

Ensure you have identified the relevant legal basis for processing your organisation’s personal data, and have documented this internally and in information notices.

If your organisation is a public authority, ensure you have identified another legal basis for the processing of personal data for your public functions (e.g. processing necessary in the public interest or in the exercise of official authority).

Where legitimate interests are relied on, ensure that the relevant legitimate interest is identified in the information that must be supplied to data subjects pursuant to Articles 13 and 14 (see the section on information notices).

Where relying on legitimate interests, ensure that decision-making in relation to the balance between the interests of the controller (or relevant third party) and the rights of data subjects is documented in an LIA and that this is available to be shared with data subjects where requested. Ensure your information notices tell people of this right.

Commentary

Article 6(1) GDPR states that personal data processing shall be lawful only where at least one of the provisions at Article 6(1) (a)-(f) applies.

Article 6(1)(f) applies where:

“processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

Article 6(1) makes clear that subsection (f) shall not apply to “processing carried out by public authorities in the performance of their tasks”. This said, legitimate interests can still be relevant to public authorities to the extent that their processing is for a purpose outside of their public task. Additionally, the need to specifically consider the interests and rights of children is also new (see the section on children).

In practice, the major considerations for organisations when they rely on legitimate interests under the GDPR relate to accountability (the need to carry out and record the balancing test via an LIA) and to the rights of data subjects attached to this condition for processing (including rights to notice and to object).

What are legitimate interests?

The recitals to the GDPR give examples of processing that could be necessary for the legitimate interest of a data controller. These include:

• Recital 47: processing for direct marketing purposes or preventing fraud;

• Recital 48: transmission of personal data within a group of undertakings for internal administrative purposes, including client and employee data (note that international transfer requirements will still apply – see the section on transfer of personal data);

• Recital 49: processing for the purposes of ensuring network and information security, including preventing access to electronic communications networks and stopping damage to computer and electronic communication systems; and

• Recital 50: reporting possible criminal acts or threats to public security to a competent authority.

Recital 47 also states that controllers should consider the expectations of data subjects when assessing whether their (i.e. the controllers’) legitimate interests are outweighed by the interests of data subjects. The interests and fundamental rights of data subjects “could in particular override” that of the controller where data subjects “do not reasonably expect further processing”.

Recital 47 also sets out that controllers are expected “at any rate” to carry out a “careful assessment” to determine whether there is a legitimate interest. In order to comply with the accountability principle, controllers should document this assessment or “balancing test” in an LIA. According to the CJEU, this is a three part test, as set out in the Valsts policijas Rigas regiona parvaldes Kartibas policijas parvalde v Rigas pašvaldibas SIA ‘Rigas satiksme’ (C-13/16) case:

• identifying the relevant interests;

• determining if the processing is necessary; and

• balancing this with the interests of the individual.

Information notices must set out legitimate interests – and potentially how to access details of balancing tests

Where legitimate interests are relied on in relation to specific processing operations, this will need to be set out in relevant information notices, by virtue of Articles 13(1)(d) and 14(2)(b).

The EDPB guidance on transparency expands on this requirement: “as a matter of best practice, the controller can also provide the data subject with the information from the balancing test which must be carried out to allow reliance on Article 6.1(f)[…] In any case, the [Article 29 Working Party] position is that information to the data subject should make it clear that they can obtain information on the balancing test upon request”.

Controllers need to ensure that they specifically name the relevant legitimate interests they rely upon in their information notices, and consider telling individuals about their right to access balancing tests at the same time. Although not specifically named as an obligation in the GDPR itself, the EDPB guidance states that doing so is considered “essential for effective transparency”.

Specific right to object

Data subjects are able to object to processing based on legitimate interests, although they must demonstrate that this is based on “grounds relating to his or her particular situation”. The burden then lies on data controllers to prove that they have compelling grounds to continue processing the data. This right to object can lead to the exercise of rights to restrict and erase data (see the section on rights to object for more information).

Check for Codes of Conduct

Article 40 requires Member States, supervisory authorities, the EDPB and the European Commission to encourage the creation of codes of conduct in relation to a wide range of subjects including the legitimate interests pursued by data controllers in specific contexts. Whilst limited progress has been made on this to date, members of trade associations or similar sector specific bodies should watch for the creation of such codes, which might impose particular additional requirements.

Data transfers – a new ground, but unlikely to ever be of use in practice

A final outing for legitimate interests comes in Article 49(1), which states that transfers can be made based on “compelling legitimate interests” where they are not repetitive, relate to only a limited number of data subjects and where the controller has assessed and ensured adequacy. However, this ground can only be used where the controller cannot rely on any other method of ensuring adequacy, including model clauses, binding corporate rules (“BCRs”), approved contracts and all derogations under Article 49(1)(a)-(f). As set out in EDPB guidance on the derogations under Article 49, “this derogation is envisaged by the law as a last resort”. The controller would then need to notify the supervisory authority that it was relying on this ground for transfer – although the EDPB guidance recognises that this is not a need to seek authorisation.

Further Reading:
• EDPB Guidelines 8/2020 on the targeting of social media users

• EDPB Guidelines expected on legitimate interests in 2024-2025 EDPB work programme

• EDPB Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679

• IDPC decisions against Meta which address legitimate interest as a lawful basis

• IDPC decision against WhatsApp on the level of information required on legitimate interests in privacy notices.

• Forthcoming CJEU case C-621/22 will investigate the ability to rely on solely commercial legitimate interests (which has been narrowly approached by the Dutch DPA).

Where can I find this?

Legitimate Interests
Articles 6(1)(f), 13(1)(d), 14(2)(b) and 49(1)
Recitals 47, 48, 49, 50

2. PRINCIPLES

Consent

At a glance

• Consent has strict validity requirements under the GDPR

• Consent must be a “freely given, specific, informed and unambiguous indication of the data subject’s agreement”. In practice this requires that consent be truly voluntary, separate from other consent requests, actively communicated, and as easily withdrawn as given. These requirements are often hard to meet in practice.

• Specific rules also apply to children in relation to information society services, where parental consent may be required

To do list

Ensure you are clear about the legal basis for lawful processing relied on by your organisation.

Consider whether rules on children online affect you, and, if so, which national rules you need to follow when obtaining consent (see section on children for further details).

Where relying on consent as the basis for lawful processing, ensure that:

• consent is active, and does not rely on silence, inactivity or pre-ticked boxes;

• consent to processing is distinguishable, clear, and is not bundled with other written agreements or declarations;

• supply of services is not made contingent on consent to processing which is not necessary for the service being supplied (outside limited permitted situations, see below);

• data subjects are informed that they have the right to withhold or withdraw consent at any time without detriment but that this will not affect the lawfulness of processing based on consent before its withdrawal;

• there are simple methods for withdrawing consent, including methods using the same medium used to obtain consent in the first place;

• separate consents are obtained for distinct processing operations; and

• consent is not relied on where there is a clear imbalance between the data subject and the controller (especially if the controller is a public authority).

If your organisation relies on consent to process personal data for the purpose of scientific research, consider offering data subjects the opportunity to consent only to certain areas of research or parts of research projects. Also consider national research derogations as an alternative (see section on derogations and special conditions).

Commentary

What is consent, what is an unambiguous indication of wishes and when is it needed?

Article 4(11) GDPR defines “the consent of the data subject” as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she by statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

Consent is one of a number of legal bases for processing permitted under Article 6 GDPR (see section on lawfulness of processing and further processing).

Recital 32 suggests that an unambiguous indication of wishes may be signified by:

“ticking a box when visiting a… website, choosing technical settings… or by any other statement or conduct which clearly indicates… the data subject’s acceptance of the proposed processing of their personal data. Silence, pre-ticked boxes or inactivity should therefore not constitute consent.”

The EDPB has produced consent guidance that additionally clarifies “the use of pre-ticked opt-in boxes is invalid under the GDPR. Silence or inactivity on the part of the data subject, as well as merely proceeding with a service cannot be regarded as an active indication of choice”.

Explicit consent is still required to justify the processing of special categories of data unless other grounds apply (on which see the section on special categories of data and lawful processing). In addition, explicit consent, in the absence of adequacy or other conditions, can be relied on under the GDPR for the transfer of personal data outside the EU (see section on transfers of personal data) and as one of the legal bases for the making of significant automated decisions relating to an individual (see section on profiling and automated decision-taking).

These are:

• Article 7(2): Consent to processing contained in a written declaration produced by the controller must be distinguishable from other matters in that declaration, intelligible, easily accessible and be in clear and plain language. Recital 42 cites the Unfair Terms in Consumer Contracts Directive (Directive 93/13/EEC) as the inspiration for these obligations. In practice, this will require consent to processing to be clearly distinguishable within broader contracts or agreements.

• Recital 42 also notes that consent will be informed only where the data subject is aware of (at least) the identity of the controller and the intended purposes of processing. This is supplemented by EDPB guidance on consent, which says that additionally individuals must know what (type of) data will be collected and used, the existence of the right to withdraw consent, information about the use of automated processing techniques which have legal or similarly significant effect and (if the consent relates to transfers of data outside the EEA) information about the possible risks of data transfers to third countries. All the above elements must appear (if relevant) in the text of the consent mechanism itself.

• Article 7(3): This provision further explains that data subjects must have the right to revoke their consent at any time, and it must be as easy to withdraw consent as it is to give it. In practice, at a minimum this is likely to require organisations to allow consent to be withdrawn through the same medium (e.g. website, email, text) as it was obtained (the EDPB in its consent guidelines stated that where obtained through a particular electronic interface, there is “no doubt a data subject must be able to withdraw consent via the same electronic interface, as switching to another interface for the sole reason of withdrawing consent would require undue effort”). The GDPR acknowledges that the
Steps to validity – specified, informed, withdrawal of consent does not retrospectively
distinguishable, revocable, granular and render processing unlawful, and processing can
otherwise freely given continue on another legal basis if appropriate
but this requires the controller to inform data
Article 7(1) GDPR requires that where consent subjects of this before consent is given. The
is relied on as a ground for lawful processing, EDPB emphasised “controllers have an obligation
controllers should be able to demonstrate that to delete data that was processed on the basis of
consent was given by the data subject to the consent once that consent is withdrawn, assuming
processing. The rest of Article 7 is dedicated to that there is no other purpose justifying the
setting out the conditions for a valid consent. continued retention”.

• Article 7(4): Where the performance of a contract, including the provision of a service, is made conditional on consent to the processing of personal data that is not necessary for the performance of that contract, this is likely to call into question the extent to which consent can be considered to be freely given. As a result, the provision of a service should not be made contingent upon the data subject’s consent to the processing of their data for purposes that are unnecessary for the provision of the service.

• The EDPB guidance on consent confirms that “the element “free” implies real choice and control for data subjects” and “any element of inappropriate pressure or influence upon the data subject (which may be manifested in many different ways) which prevents a data subject from exercising their free will, shall render the consent invalid”.

Recital 43 GDPR indicates that consent will be presumed not to be freely given if:

• despite it being appropriate in the circumstances, there is no provision for separate consent to be given to different processing operations; or

• “the performance of a contract, including the provision of a service, is dependent on the consent, despite such consent not being necessary for such performance.”

This is a requirement to ensure granularity of consent. The EDPB guidance warns that “if the controller has conflated several purposes for processing and has not attempted to seek separate consent for each purpose, there is a lack of freedom.” Controllers should take care not to combine multiple processing purposes into a single consent.

Recital 43 also notes that imbalance of power between the parties can lead to consent being considered invalid and not freely given. This Recital specifically points to this being likely in the case where the controller is a public authority.

Another example is also given by the EDPB consent guidelines in relation to employers: “given the imbalance of power between an employer and its staff members, employees can only give free consent in exceptional circumstances, when it will have no adverse consequences at all whether or not they give consent”.

Finally, Recital 42 states that “consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment”. The EDPB consent guidance discusses detriment at some length, stating that the GDPR does not “preclude all incentives” but that individuals must be able to withdraw or withhold consent without incurring cost or “clear disadvantage”. Despite the absence of opposition from the EDPB on the question of incentivisation, it should be noted that certain supervisory authorities in Member States are clearly opposed to such techniques (e.g. the CNIL in France) whereas others (e.g. in Denmark and Finland) have concluded that this may permit organisations to make competitions or loyalty scheme memberships contingent on consent to marketing (see further reading).

Children and research

Specific conditions apply to the validity of consent given by children in relation to information society services, with requirements to obtain and verify parental consent below certain age limits (see the section on children for further details).

Recital 33 GDPR addresses consent that is obtained for scientific research purposes. It acknowledges that “it is often not possible to fully identify the purpose of data processing for scientific research purposes at the time of data collection” and states that:

• data subjects should be able to consent to certain areas of scientific research, where this meets “ethical standards” for such research; and

• data subjects should be able to grant consent only to “certain areas… or parts of research projects to the extent allowed by the intended purpose”.

The EDPB guidance on consent emphasises that it is important that “consent for the use of personal data should be distinguished from other consent requirements that serve as an ethical standard or procedural obligation”. There remains much ongoing debate as to the most appropriate legal basis for research, and the potential for relying on a pre-existing legal basis for further processing (see the section on lawfulness of processing and further processing).

Language of consent

The GDPR requires that consent be intelligible, informed and unambiguous. The EDPB guidelines on consent emphasise that “when seeking consent, controllers should ensure that they use clear and plain language in all cases. This means a message should be easily understandable for the average person and not only for lawyers”. It is also unlikely that consent will meet these requirements if the consent is in a foreign language incomprehensible to the individual.

New EU laws

The DMA imposes additional restrictions on consent. Article 5 DMA provides that if the data subject refuses or withdraws consent, the gatekeeper cannot repeat its request for consent for that same purpose that same year.

Further Reading:
• EDPB Guidelines 8/2020 on the targeting of social media users

• EDPB Guidelines 5/2020 on consent

• EDPB Guidelines 3/2022 on dark patterns in social media platform interfaces

• Decisions by the Danish DPA and Finnish DPA on incentivizing consent

• CJEU case C-673/17 Planet 49 (consent must be active and cannot be sought through
pre-checked boxes)

• EDPB Cookie Banner Taskforce report

• CJEU case C-252/21 addressing whether consent can be freely given to a dominant undertaking
(Facebook/Instagram)

Where can I find this?

Articles 4(11), 6(1)(a), 7, 8 and 9(2)(a)
Recitals 32, 33, 42 and 43

2. PRINCIPLES

Children
At a glance

• There are a handful of child-specific provisions in the GDPR, particularly in relation to legal basis for processing and notices.

• Children are identified as “vulnerable individuals” and deserving of “specific protection”.

• Processing of data relating to children is noted to carry certain particular risks, and further restrictions may be imposed as a result of codes of conduct.

• Where online services are provided to a child and consent is relied on as the basis for the lawful processing of his or her data, consent must be given or authorised by a person with parental responsibility for the child. This requirement applies to children under the age of 16 (unless the Member State has made provision for a lower age limit - which may be no lower than 13).

• Many national authorities have begun to adopt child-specific guidance, and further guidance is expected from the EDPB in 2024.

To do list

• Consider whether rules and guidance on children are likely to affect you.

• If your organisation offers information society services directly to children where consent is required, assess which national rules will apply and ensure that appropriate parental consent mechanisms are implemented, including verification processes.

• Remain aware of national legislation and guidance for offline data processing relating to children’s data.

• Where processing data of children – whether targeted or not - ensure notices are drafted clearly with a child’s understanding in mind.

• Ensure any reliance on “legitimate interests” to justify processing children’s data is backed up with a careful and documented consideration of whether a child’s interests override those of your organisation.

Commentary

The importance of protecting children is mentioned several times in the GDPR, and has been highlighted in EDPB guidance. In practice, the GDPR itself provides little harmonisation, and substantive restrictions come from national laws, compliance with EDPB guidance or codes of conduct (see the section on codes of conduct and certifications for further details).

Parental consent

The main provision in relation to children is Article 8, which requires parental consent to be obtained for information society services offered directly to a child under the age of 16 – although this ceiling can be set as low as 13 by a Member State, and only applies where the processing would be based on the child’s consent. Member States have picked a wide range of ages, from Denmark, Belgium and others at the minimum of 13, Austria at 14, France and the Czech Republic at 15 and many such as the Netherlands and Ireland retaining an age of 16.

The controller is also required, under Article 8(2) GDPR, to make “reasonable efforts” to verify that consent has been given or authorised by the holder of parental responsibility in light of available technology.

This only affects certain online data – offline data will continue to remain subject to the usual Member State rules on capacity to consent. Article 8(1) is also not to be considered as affecting the general contract law of Member States regarding the validity, formation or effect of a contract with a child. Organisations will still need to consider local laws in this area.

Notices addressed to children must be child-friendly

Article 12 GDPR provides that the obligations to ensure that information provided to data subjects is concise, transparent and in plain language are to be met “in particular for any information addressed specifically to a child”. Recital 58 expands:

“Given that children merit specific protection, any information and communication, where processing is addressed to a child, should be in such a clear and plain language that the child can easily understand.”

The GDPR recognises the UN Convention definition of a child as anyone under the age of 18. Controllers should therefore be prepared to address these requirements in notices directed at teenagers. The EDPB says that controllers should “ensure that the vocabulary, tone and style of the language used is appropriate to and resonates with children.” The EDPB’s guidance does at least recognise that “with very young or pre-literate children, transparency measures may also be addressed to holders of parental responsibility given that such children will, in most cases, be unlikely to understand even the most basic written or non-written messages concerning transparency”.

Data Protection Impact Assessments – processing child data may contribute to processing being considered high risk in the circumstances

As discussed elsewhere in this guide, a DPIA must be carried out where a controller carries out high risk processing. EDPB guidance on DPIAs has noted that processing the data of vulnerable individuals – which include children - is one criterion that may, when considered with other factors, lead to a processing activity being high risk “because of the increased power imbalance between the data subjects and the data controller, meaning the individuals may be unable to easily consent to, or oppose, the processing of their data, or exercise their rights”.

Miscellaneous provisions – helplines, codes of conduct and work for supervisory authorities

Article 6(1)(f) GDPR notes that the rights and freedoms of a data subject may “in particular” override the interests of the controller or third party where the relevant data subject is a child. Controllers should ensure that clear documentation is kept demonstrating that relevant competing interests have been appropriately considered in a balancing test where relying on legitimate interests for processing data relating to children.

Recital 38 notes that the use of child data in marketing, or for profiling purposes or in connection with the supply of services to children are areas of concern requiring specific protection under the GDPR. The recital also states that parental consent should not be required in the context of preventative and/or counselling services offered directly to a child although this suggestion does not appear to be reflected in the articles of the GDPR itself.

Article 40 requires Member States, supervisory authorities, the EDPB and the European Commission to encourage the creation of codes of conduct, including in the area of the protection of children, and concerning the way in which consent can be collected from the holder of relevant parental responsibility. Organisations that process personal data relating to children should watch for the creation of such codes, which might impose particular additional requirements.

Since the UK’s Information Commissioner published the Age Appropriate Design Code in January 2020, some Member States have adopted guidance on children’s data processing, notably Ireland and France. The EDPB is also due to release Guidelines on processing of children’s data as part of its 2023-2024 work programme.

Finally, supervisory authorities, when promoting public awareness and understanding of risks, rules, safeguards and rights in relation to the processing of personal data, pursuant to the obligation imposed on them by Article 57(1)(b), are required to give “specific attention” to activities addressed to children.

Where can I find this?

Articles 6(1)(f), 8, 12(1), 40(2)(g), 57(1)(b)
Recitals 38, 58, 75

2. PRINCIPLES

Special categories of data and lawful processing

At a glance

• “Special categories of personal data” are data revealing “racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation”.

• The grounds permitting processing of special categories of data under the GDPR are narrow and specific. In a number of cases, these provisions still involve reliance on EU or Member State laws.

• There is also a broad ability for Member States to introduce new conditions (including limitations) regarding the processing of genetic, biometric or health data.

To do list

• Ensure you are clear about the grounds relied on by your organisation to process special categories of data and have considered the application of EU or Member State laws as necessary;

• Where relying on explicit consent, ensure the consent meets validity obligations (see the section on consent); and

• Ensure you have checked and continue to pay attention to national developments as Member States have a broad right to impose further conditions - including restrictions - on the grounds set out in the GDPR.

Commentary

Article 9(2) sets out the circumstances in which the processing of special categories of data, which is otherwise prohibited, may take place. These involve the following categories of data, as set out in Article 9(1):

• racial or ethnic origin;

• political opinions;

• religious or philosophical beliefs;

• trade union membership;

• data concerning health or sex life and sexual orientation;

• genetic data; and

• biometric data where processed to uniquely identify a person.

Recital 51 suggests that the processing of photographs will not automatically be considered as processing of biometric data (as had been the case in some Member States prior to GDPR); photographs or footage will be covered only to the extent they allow the unique identification or authentication of an individual (such as when used as part of an electronic passport).

In the Bundeskartellamt case (C-252/21) the CJEU concluded that if someone visits a website or app which relates to one of the special categories, and registers with the site or places an order, then that data will be special category data – including if it is automatically collected by a social network which interfaces with the site or app. The CJEU has also concluded that data about your partner (such as their name) can reveal information about an individual’s sexual orientation (C-184/20).

The grounds for processing special categories are:

9(2)(a) – Explicit consent of the data subject, unless reliance on consent is prohibited by EU or Member State law

If relying on this ground, conditions for valid consent should be carefully considered (see the section on consent).

9(2)(b) – Necessary for the carrying out of obligations under employment, social security or social protection law, or a collective agreement

9(2)(c) – Necessary to protect the vital interests of a data subject who is physically or legally incapable of giving consent

9(2)(d) – Processing carried out by a not-for-profit body with a political, philosophical, religious or trade union aim provided the processing relates only to members or former members (or those who have regular contact with it in connection with those purposes) and provided there is no disclosure to a third party without consent

9(2)(e) – Data manifestly made public by the data subject

9(2)(f) – Necessary for the establishment, exercise or defence of legal claims or where courts are acting in their judicial capacity

9(2)(g) – Necessary for reasons of substantial public interest on the basis of Union or Member State law which is proportionate to the aim pursued and which contains appropriate safeguarding measures

This enables Member States to extend by law the circumstances where special categories of data may be processed in the public interest. In many countries this has required no change, where such provisions have remained in pre-existing legislation. In others, broad substantial public interest provisions exist in sectoral laws or in data protection legislation.

9(2)(h) – Necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional

AND

9(2)(i) – Necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of healthcare and of medicinal products or medical devices

These two provisions provide a formal legal
justification for uses of healthcare data in the
health and pharmaceutical sectors by providers
of social care. It is important to remember that
the first of these provisions does still require a
basis under EU or local law, and both conditions
require obligations of confidentiality to be in
place as an additional safeguard.

9(2)(j) – Necessary for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes in accordance with Article 89(1)

This makes provision for the processing of special categories of data for the purposes of archiving, research and statistics, subject to compliance with appropriate safeguards, including safeguards to ensure respect for the principle of data minimisation (see the section on derogations and special conditions for further details).

Genetic, biometric, or health data

Member States are also entitled, under Article 9(4) GDPR, to maintain or impose further conditions (including limitations) in respect of genetic, biometric or health data.

Criminal convictions and offences

Data relating to criminal convictions and offences are not categorised as a special category of data for the purposes of the GDPR. This is consistent with previous provisions as data of this kind was not treated as a special category of data under the Data Protection Directive.

Similarly, the rules under the GDPR in relation to data concerning criminal convictions and offences mirror those which applied under the Data Protection Directive. Article 10 provides that such data may be processed only under the control of official authority or where the processing is authorised by Union law or Member State law that provides appropriate safeguards. There is notable national divergence in this area.

3. INDIVIDUAL RIGHTS

Information notices
At a glance

• Controllers must provide information notices, to ensure transparency of processing.

• Specified information must be provided, and there is also a general transparency obligation.

• There is an emphasis on clear, concise notices.

To do list

• Audit existing information notices and review and update them.

• For data which is collected indirectly, ensure that notice is given at the appropriate time.

• Work with relevant partners who may collect data on your organisation’s behalf to assign responsibility for notice review, update and approval.

Commentary

The principle of “fair and transparent” processing means that the controller must provide information to individuals about its processing of their data, unless the individual already has this information. The information to be provided is specified in the GDPR and listed below. The controller may also have to provide additional information if, in the specific circumstances and context, this is necessary for the processing to be fair and transparent.

The information must be provided in a concise, transparent, intelligible and easily accessible way, using clear and plain language (in particular where the data subject is a child).

What must a controller tell individuals?

Additional guidance from the former Article 29 Working Party (“WP29”) on transparency is included below. Notably the former WP29’s guidance goes further than the GDPR requirements on a number of fronts:

• Identity and contact details of the controller (or its representative, for a non-EU established controller); contact details of the Data Protection Officer. Guidance states the controller should also allow for different channels of communication (e.g. phone, email, postal address etc.).

• Purposes of processing and legal basis for processing – including the “legitimate interest” pursued by the controller (or third party) if this is the legal basis. Guidance states that the purposes should be set out together with the relevant lawful basis relied on. This was confirmed by the EDPB binding decisions in relation to the Irish Data Protection Commissioner’s fines against Meta relating to Facebook, Instagram and WhatsApp. It should also be made clear that the individual can obtain further information on the legitimate interest exercise on request (commonly abbreviated to LIA), where this information is not already set out in the information notice.

• Where special categories of data are processed, the lawful basis provided by Article 9 of the GDPR should be specified (and other EU or Member State law where relevant). Where criminal conviction and offence data are processed, the relevant EU or Member State law on which the processing is carried out should be noted.

• Recipients, or categories of recipients. According to the guidance, controllers must provide information on recipients which is most meaningful to the individual which will generally involve naming recipients. Recipients include controllers, joint controllers and processors. According to the guidelines, where a controller chooses to name only categories of recipients, this should be as specific as possible indicating the type of recipient, the industry, sector and sub-sector and the recipients’ location.

• Details of data transfers outside the EU:

— including how the data will be protected (e.g. the recipient is in an adequate country; Binding Corporate Rules are in place etc.); and

— how the individual can obtain a copy of the BCRs or other safeguards, or where such safeguards have been made available.

— According to the guidance, the relevant GDPR article permitting the transfer and the corresponding adequacy mechanism should be specified. Where possible, a link to the adequacy mechanism used or information on where the document may be accessed should be included. The information provided on transfers to third countries should also be as meaningful as possible to individuals; according to the guidance this will generally mean that third countries should be named.

• The retention period for the data – if not possible, then the criteria used to set this. According to the guidance it is not sufficient for the controller to generically state that data will be kept as long as necessary. Where relevant, the different storage periods should be stipulated for different categories of personal data and/or different processing purposes, including where appropriate, archiving periods.

• That the individual has a right to access and port data, to rectify, erase and restrict his or her personal data, to object to processing and, if processing is based on consent, to withdraw consent. According to the guidance, where Member State implementing legislation qualifies or restricts the data subjects’ rights, the controller must notify individuals of any qualification to their rights which the controller may rely on.

• That the individual can complain to a supervisory authority.

• Whether there is a statutory or contractual requirement to provide the data, or a requirement to provide data in order to enter into a contract, and the consequences of not providing the data.

• If there will be any automated decision taking – together with information about the logic involved and the significance and consequences of the processing for the individual.

In case of indirect data collection activities, the controller must also tell individuals the categories of information and the source(s) of the information, including if it came from publicly accessible sources. According to the guidance, details should include the nature of the sources (i.e. publicly/privately held sources; the types of organization/industry/sector; and where the information was held (EU or non-EU)).

The controller does not have to provide this information to the individual if it would be impossible or involve a disproportionate effort. In these cases, appropriate measures must be taken to protect individuals’ interests and the information notice must be made publicly available.

There is also no need to provide the information notice:

• if there is an EU or Member State law obligation for the controller to obtain/disclose the information; or

• if the information must remain confidential, because of professional or statutory secrecy obligations, regulated by EU or Member State law.

If the controller later processes personal data for a new purpose, not covered in the initial notice, then it must provide a new notice covering the new processing.

Providing all of this information is hard to reconcile with the GDPR’s own requirement of conciseness and clarity. To help better achieve this, there is an ability for the European Commission to introduce standardised icons by means of delegated acts. If introduced, these would then also need to be displayed to individuals.

When must a controller provide this information?

Controller obtains information directly from individual

• At the time the data is obtained.

The controller must also tell individuals what information is mandatory and the consequences of not providing information.

Controller does not obtain information directly from individual

• Within a reasonable period of having obtained the data (max one month); or

• If the data are used to communicate with the individual, at the latest, when the first communication takes place; or

• If disclosure to another recipient is envisaged, at the latest, before the data are disclosed.

Possible supplemental Member State disclosure requirements

In addition to the requirements provided by Articles 13 and 14 of the GDPR, certain Member States have added or maintained supplemental elements to be addressed in information notices. For instance, in France, information notices must indicate the existence of a right for data subjects to give instructions concerning the use and disclosure of their personal data after their death.

Updates to the information notice

According to the former Article 29 Working Party, controllers must take “all measures” necessary to bring specific changes to the individual’s attention (such communications should also be separate from direct marketing content). The former Article 29 Working Party provided non-exhaustive examples of changes to an information notice which should always be communicated to an individual. These include: a change in the processing purpose, a change in the controller’s identity, and changes as to how an individual can exercise their rights.

Further reading:
• Article 29 Working Party Guidelines on transparency under Regulation 2016/679, endorsed by the EDPB

• EDPB Guidelines 03/2022 on Deceptive design patterns in social media platform interfaces: how to recognise and avoid them

• Irish DPC decisions against Meta Ireland (Facebook and Instagram)

• EDPB Binding Decisions on the dispute submitted by the Irish SA on Meta Platforms, WhatsApp, Instagram and Facebook services

Where can I find this?

Articles 12-14
Recitals 58, 60, 61 and 62

3. INDIVIDUAL RIGHTS

Subject access, rectification and portability

At a glance

• Controllers must, on request:

— confirm if they process an individual’s personal data;

— provide a copy of the data (in commonly used electronic form in many cases); and

— provide supporting (and detailed) explanatory materials.

• Data subjects can also demand that their personal data be ported to them or to a new provider in machine readable format if the data in question: 1) was provided by the data subject to the controller (interpreted broadly); 2) is processed automatically; and 3) is processed based on consent or fulfilment of a contract.

• The request must be met within one month (with extensions for some cases) and any intention not to comply must be explained to the individual.

• Access rights are intended to allow individuals to check the lawfulness of processing and the right to a copy should not adversely affect the rights of others unreasonably.

To do list

• Review customer facing teams’ processes, procedures and training – are they sufficient to deal with the GDPR’s access and portability rules?

• Develop template response letters, to ensure that all elements of supporting information are provided.

• Assess your organisation’s ability to provide data in compliance with the GDPR’s format and timing obligations. It may be necessary to develop formatting capabilities to meet access requests.

• If portability applies, consider which of your records are covered by this. Check if the data (and associated meta data) can easily be exported in structured, machine-readable formats. Look out for industry initiatives to develop interoperable formats.

• If you provide an IoT/connected product, or a related service for such a product, or are a gatekeeper, check you can comply with enhanced portability requirements.

• Consider developing data subject access portals, to allow direct exercise of subject access rights.

Right of information and access

An individual has the following rights with regards to a data controller:

• to obtain confirmation whether their personal data are being processed;

• to access the data (i.e. to a copy, not the actual document); and

• to be provided with supplemental information about the processing.

As with all data subject rights, the controller must comply “without undue delay” and “at the latest within one month”, although there are some possibilities to extend this for a further two months.

Before providing any data to the requester, the controller must also use reasonable means to verify the identity of the person making the request, which should be proportionate to the sensitivity of the data being processed – but it should not keep or collect data just so as to be able to meet subject access requests. These points are particularly pertinent to online services.

Right of access to data

The controller must provide “a copy of the personal data undergoing processing”. This is not a right to the document but rather a copy of the data (Case C-487/21). This case also made a number of other points clear in relation to the right of access to data:

• the controller must give the data subject a faithful and intelligible reproduction of all personal data undergoing processing;

• the right of access must not adversely affect the rights and freedoms of others (which reiterates the necessity for controllers to carry out a balancing exercise between the data subjects’ rights and the rights and freedoms of others).

This must be provided free of charge, although the controller may charge a reasonable, administrative-cost fee if further copies are requested or where the request is manifestly unfounded or excessive, which is a high bar to satisfy.

If the request is made in electronic form, the information should be provided in a commonly used electronic form (unless the data subject requests otherwise). This could impose costs on controllers who use special formats, or who hold paper records.

Recital 63 also suggests that, where possible, the controller may provide a secure system which would grant the data subject direct access to their data. This seems to be encouraged rather than required.

Supplemental information

The controller must also provide the following information:

• the purposes of processing;

• the categories of data processed;

• the recipients, or categories of recipients (in particular, details of disclosure to recipients in third countries or to international organisations (bodies governed by public international law or set up by agreement between countries)) – note that, on request, this includes the actual identity of those recipients (CJEU C-154/21); however, internal recipients acting under the authority of the controller organisation (e.g. employees) are not generally considered ‘recipients’ for this purpose. Information about other employees who accessed the data subject’s personal data would only need to be provided if this was essential to allow the data subject to exercise their rights – and even here the rights and freedoms of those other employees should be taken into account (Case C-579/21);

• the envisaged retention period, or, if this is not possible, the criteria used to determine this period;

• the individual’s rights of rectification or erasure, to restrict processing or to object to processing and to lodge a complaint with a supervisory authority;

• information regarding the source of the data (if not collected from the data subject); and

• any regulated automated decision taking (i.e. decisions taken solely on an automated basis and having legal or similarly significant effects; also, automated decision taking involving special categories of data) – including information about the logic involved and the significance and envisaged consequences of the processing for the data subject.

If the controller does not intend to comply with the request or will not provide the response within the deadline, it must also provide reasons.

Exemptions

The GDPR recognises that subject access may adversely affect others and provides that the right to receive a copy of the data shall not adversely affect such rights. Recital 63 notes that this could extend to protection of intellectual property rights and trade secrets (for example, if release of the logic of automated decision taking would involve release of such information). However, the recital also notes that a controller cannot refuse to provide all information on the basis that access may infringe others’ rights.

Article 23 GDPR allows, under specific conditions, a national or Union legislator to restrict, by way of a legislative measure, the scope of the obligations and rights provided for in the right to access.

Recital 63 also contains two other useful limiting provisions:

• if the controller holds a large quantity of data, it may ask the data subject to specify the information or processing activities to which the request relates. (However, the recital does not go on to say that there is any exemption due to large volumes of relevant data: the limitation seems to be more to do with the specificity of the request, rather than the extent of time and effort on the controller’s part – although the two may, of course, be linked);

• the data subject’s right is “to be aware of and verify the lawfulness of the processing”. This confirms the comments made by the CJEU in YS v Minister voor Immigratie, Integratie en Asiel (Case C-141/12) that the purpose of subject access requests is to allow the individual to confirm the accuracy of data and confirm the lawfulness of processing, and to allow them to exercise rights of correction or objection if necessary. In other words, the purpose is related to the individual’s rights under data protection legislation: requests made for other, non-data protection purposes may possibly be rejected.

Further reading:
EDPB Guidelines 01/2022 on data subject rights – Right of access

Rectification
Individuals can require a controller to rectify
inaccuracies in personal data held about them.
In some circumstances, if personal data are
incomplete, an individual can require the
controller to complete the data, or to record a
supplementary statement.

Portability

The subject access right provided under the GDPR already gives individuals the right to require their data to be provided in a commonly used electronic form.

Data portability goes beyond this and requires the controller to provide information in a structured, commonly used and machine-readable form so that it may be transferred by the data subject to another data controller without hindrance.

Further, the controller can be required to transmit the data directly to another controller where it is technically feasible to do so. The GDPR encourages controllers to develop interoperable formats.

Whereas subject access is a broad right, portability is narrower. It applies:

• to personal data which is processed by automated means (no paper records);

• to personal data which the data subject has provided to the controller; and

• only where the basis for processing is consent, or that the data are being processed to fulfil a contract or steps preparatory to a contract.

Data which the individual “has provided” is interpreted widely. Pursuant to guidance from the former Article 29 Working Party, this is not limited to forms completed by an individual, but extends to information gathered by the controller in the course of its dealings with the individual or generated from observation of his or her activity. Examples of occasions when data portability will apply include: (i) data held by a music streaming service, (ii) titles of books held by an online bookstore, (iii) data from a smart meter or other connected objects, (iv) activity logs, (v) history of website usage, (vi) search activities or (vii) emails sent to the individual. However, the portability right does not extend to personal data which is inferred or derived by the data controller (for example, the results of an algorithmic analysis of an individual’s behaviour).

Whilst data portability applies only to data controllers, data processors will be under contractual obligations to assist controllers “by appropriate technical and organisational measures” with responding to portability requests. Data controllers should therefore implement specific procedures with their processors on handling such requests.

Data portability must not prejudice the rights of others. However, according to supervisory authorities, the original data controller is not responsible for the receiving data controller’s compliance. Instead, any organisation receiving the data must ensure that its use of the data is lawful.

There are exemptions from portability - for example, where this would adversely affect IPRs or trade secrets. Supervisory authorities consider that this does not excuse all compliance with the right.

Data portability requirements may also conflict with other access and portability requirements in sector-specific EU legislation (e.g. the right to access one’s bank account history under the Payment Services Directive 2) or member state legislation. Guidance from the Article 29 Working Party explains that the GDPR portability right will not apply if the individual makes clear he is exercising his rights under another law. If, however, the individual seeks to exercise his rights under the GDPR, the controller must assess the interplay between any competing rights case-by-case, but the more specific legislation will not automatically displace the GDPR right.
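The three limits described above (automated processing only, data provided or observed rather than inferred, and a lawful basis of consent or contract) are what a portability export routine has to encode. The following Python module is an added example written for this page; it is not code from the guide, from Bird & Bird or from any supervisory authority. It sorts a data subject's records into those within the portability right and those outside it, records a reason for each exclusion so the controller can explain it to the individual, and serialises the portable set as JSON (a structured, commonly used, machine-readable form). The `Record` layout, the origin and lawful-basis labels, the `select_portable` function and the sample streaming-service data are all assumptions constructed for the illustration.

```python
"""Added example: selecting records for a GDPR data-portability export.

Not code from the guide or from Bird & Bird. The record layout, the
lawful-basis labels and the sample data are assumptions constructed
for illustration.
"""
from __future__ import annotations

import json
from dataclasses import dataclass, field

# Origin classes follow the distinction the guide draws:
#   "provided"  - data the individual actively supplied (forms, uploads)
#   "observed"  - data generated from observation of the individual's
#                 activity (activity logs, search history, smart-meter data)
#   "inferred"  - data the controller derived by analysis (scores, profiles)
# Provided and observed data are portable; inferred data is not.
PORTABLE_ORIGINS = {"provided", "observed"}

# Only processing based on consent or on a contract with the data subject
# is within scope of the portability right.
PORTABLE_BASES = {"consent", "contract"}


@dataclass
class Record:
    category: str        # e.g. "profile", "listening_history", "churn_score"
    origin: str          # "provided" | "observed" | "inferred"
    lawful_basis: str    # "consent" | "contract" | "legitimate_interests" | ...
    automated: bool      # False for paper records, which are out of scope
    value: object


@dataclass
class PortabilityExport:
    subject_id: str
    included: list[Record] = field(default_factory=list)
    excluded: list[tuple[Record, str]] = field(default_factory=list)

    def to_json(self) -> str:
        """Structured, commonly used, machine-readable output (JSON)."""
        payload = {
            "subject_id": self.subject_id,
            "records": [
                {"category": r.category, "origin": r.origin, "value": r.value}
                for r in self.included
            ],
        }
        return json.dumps(payload, indent=2, sort_keys=True)


def select_portable(subject_id: str, records: list[Record]) -> PortabilityExport:
    """Split a subject's records into those covered by Article 20 and those not.

    Each exclusion carries a reason so the controller can explain to the
    individual why some data were not ported (the subject-access right may
    still cover them).
    """
    export = PortabilityExport(subject_id)
    for r in records:
        if not r.automated:
            export.excluded.append((r, "not processed by automated means"))
        elif r.origin not in PORTABLE_ORIGINS:
            export.excluded.append((r, "inferred or derived by the controller"))
        elif r.lawful_basis not in PORTABLE_BASES:
            export.excluded.append(
                (r, f"lawful basis '{r.lawful_basis}' is not consent or contract"))
        else:
            export.included.append(r)
    return export


# Constructed sample data for a hypothetical music streaming account.
SAMPLE_RECORDS = [
    Record("profile", "provided", "contract", True, {"display_name": "a.example"}),
    Record("listening_history", "observed", "contract", True, ["track-001", "track-002"]),
    Record("search_history", "observed", "consent", True, ["jazz", "ambient"]),
    Record("taste_profile", "inferred", "legitimate_interests", True, {"genre_affinity": 0.8}),
    Record("fraud_risk_score", "inferred", "contract", True, 0.12),
    Record("support_ticket_log", "observed", "legitimate_interests", True, ["ticket-9"]),
    Record("signed_paper_form", "provided", "contract", False, "scan on file"),
]


if __name__ == "__main__":
    result = select_portable("subject-42", SAMPLE_RECORDS)
    print(result.to_json())
    for rec, why in result.excluded:
        print(f"excluded {rec.category}: {why}")
```

The exclusion reasons are deliberately kept with the export rather than discarded: the guide notes that the individual must be told of any intention not to comply, and an inferred score that falls outside portability may still have to be disclosed under the broader subject access right.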

New EU laws

In practice, portability has had limited effect. This is because it only applies to some personal data (provided by the user) and when the lawful basis for processing is consent or contractual necessity - and the controller has one month to comply with requests. The Data Act and the Digital Markets Act create stronger portability rights.

The Data Act applies to manufacturers of connected products where a connected product generates data that is designed to be retrievable by the manufacturer. It also applies to data generated by related services – that is, services which allow the user to control the functionality of the connected product (for example, being able to unlock a car remotely). The Data Act provides that product data and related service data must be available to the user without delay and without charge. Where relevant and where technically feasible, there should be real time and continuous access. The user can also require that the data is provided to a third party.

Data which is generated only after additional investment by the manufacturer is excluded and there are protections for trade secrets. If someone other than the data subject to whom the data relates is the end user of the device, then the Data Act takes account of this by providing that data must only be made available to that user when there is a lawful basis for this under GDPR.

Overall, the right granted by the Data Act is stronger than portability under GDPR: it is faster, and applies to more data (it does not need to be personal; it does not need to be provided by the data subject; and it is not dependent on the lawful basis used by the manufacturer for its processing).

The Digital Markets Act also extends portability. For their regulated services, gatekeepers must ensure effective portability of data provided by the end user or generated through the end-user’s activity on the service, again, by continuous and real time access to the data, free of charge.

Where can I find this?

Subject access, Article 15, Recitals 59, 63, 64

Rectification, Article 16

Portability, Article 20 and WP 242, Recital 68

3. INDIVIDUAL RIGHTS

Rights to object

At a glance

• There are rights for individuals to object to specific types of processing:

— Direct marketing;

— Processing based on legitimate interests or performance of a task in the public interest/exercise of official authority; and

— Processing for research or statistical purposes.

• Only the right to object to direct marketing is absolute (i.e. no need to demonstrate grounds for objecting, no exemptions which allow processing to continue).

• There are obligations to notify individuals of these rights at an early stage - clearly and separately from other information.

• Online services must offer an automated method of objecting.

To do list

Audit data protection notices and policies to ensure that individuals are told about their right to object, clearly and separately, at the point of ‘first communication’.

For online services, ensure there is an automated way for this to be effected.

Review marketing suppression lists and processes (including those operated on behalf of your organisation by partners and service providers) to ensure they are capable of operating in compliance with the GDPR.

Rights to object

Three rights to object are given by the GDPR. All relate to processing carried out for specific purposes, or which is justified on a particular basis. There is no right for an individual to object to processing in general.

The rights are to object to:

Processing which is for direct marketing purposes

This is an absolute right; once the individual objects, the data must not be processed for direct marketing any further. This includes profiling to the extent it relates to direct marketing.

Processing for scientific/historical/research/statistical purposes

Less strong than the right to object to direct marketing – there must be “grounds relating to [the data subject’s] particular situation”.

There is an exception where the processing is necessary for the performance of a task carried out for reasons of public interest.

Processing based on two specific grounds

Again, this can be exercised on grounds relating to the data subject’s particular situation:

1. legitimate interest grounds (i.e. under Article 6(1)(f)); or

2. because it is necessary for a public interest task/official authority (i.e. Article 6(1)(e)).

The controller must then cease processing of the personal data unless:

• it can demonstrate compelling legitimate grounds which override the interests of the data subject; or

• the processing is for the establishment, exercise or defence of legal claims.

So, once an individual objects, based on his or her specific situation, the burden falls to the controller to establish why it should, nonetheless, be able to continue processing personal data on this basis.

Article 23 GDPR allows, under specific conditions, a national or Union legislator to restrict, by way of a legislative measure, the scope of the obligations and rights provided for in the right to object.

In December 2023 the CJEU issued its judgment in the combined Cases C-26/22 and C-64/22 dealing with the retention of insolvency data by Credit Reference Agencies (CRA) in Germany. The Court found that, in circumstances where a CRA sought to retain insolvency data beyond the period during which it was permitted in German law to be published, that retention was unlawful notwithstanding any code of conduct stating the contrary issued by the competent data protection authority. The data subjects had the right to object to the processing of their personal data beyond the statutory period for publication and, if the controller could not prove that it had legitimate grounds to continue the processing which overrode the data subjects’ interests, then the data subject could ask for the data to be erased under Article 17.

Notify individuals of their rights

In the case of processing for direct marketing and processing based on tasks in the public interest/legitimate interests, the individual’s right to object must be explicitly brought to his or her attention – at the latest at the time of first communication with the individual. This must be presented clearly and separately from other information.

This need to inform the individual does not apply to statistical/research based processing.

In the case of online services, the individual must be able to exercise his or her right by automated means.

Further reading:
EDPB Guidelines 10/2020 on restrictions under Article 23 GDPR

Where can I find this?

Recitals 69 and 70, Article 21

3. INDIVIDUAL RIGHTS

Right to erasure and right to restriction of processing

At a glance

• More extensive, and less clearly defined, rights are introduced: a right to be forgotten (now called erasure) and for processing to be restricted.

• Individuals can require data to be ‘erased’ when there is a problem with the underlying legality of the processing, or where they withdraw consent, or when the data subject has objected to the legitimate interests of the controller and there are no overriding grounds to continue processing.

• The individual can require the controller to ‘restrict’ processing of the data whilst complaints (for example, about accuracy) are resolved, or if the processing is unlawful but the individual objects to erasure.

• Controllers who have made data public or shared data with third parties which is then subject to a right to erasure request are required to notify others who are processing that data with details of the request. This is a wide-ranging and challenging obligation.

• Where personal data is automatically obtained from third parties which then becomes the subject of an erasure request, controllers must ensure that they request their data providers not to re-provide the personal data that has been erased.

To do list

Ensure that members of staff and suppliers who may receive data erasure requests recognise them and know how to deal with them.

Determine if systems are able to meet the requirements to mark data as restricted whilst complaints are resolved: undertake development work if needed.

Right to be forgotten

Individuals have the right to have their data ‘erased’ in certain specified situations - in essence where the processing fails to satisfy the requirements of the GDPR. The right can be exercised against controllers, who must respond without undue delay (and in any event within one month, although this can be extended in difficult cases).

When does the right apply?

• When data are no longer necessary for the purpose for which they were collected or processed.

• If the individual withdraws consent to processing (and if there is no other justification for processing).

— There is a further trigger relating to withdrawal of consent previously given by a child in relation to online services. However, this seems to add nothing to the general principle that consent can be revoked and, where this is done, that the individual can require the data to be erased.

• To processing based on legitimate interests - if the individual objects and the controller cannot demonstrate that there are overriding legitimate grounds for the processing. The burden of proof will be on the controller and the particular situation of the individual must be taken into account (see section on rights to object above).

• When the data are otherwise unlawfully processed (i.e. in some way which is otherwise in breach of the GDPR).

• If the data have to be erased to comply with Union or Member State law which applies to the controller.

The last condition could, for example, apply if an individual considers that a controller is retaining personal data where legislation stipulates that such data (for example an employment related check) must be deleted after a specified period of time.

The general catch-all allowing erasure requests to be made where data are ‘unlawfully’ processed is potentially onerous: there are many reasons why data could be processed unlawfully under the GDPR (they may be inaccurate; an element of an information notice may not have been provided to the individual). However, it is not obvious that this should grant a right for the data to be erased. It will therefore be important to consider how Member States apply the exemption provisions.

Data put into the public domain

If the controller has made personal data public, and where it is obliged to erase the data, the controller must also inform other controllers who are processing the data that the data subject has requested erasure of those data. The obligation is intended to strengthen individuals’ rights in an online environment.

The obligation is to take reasonable steps and account must be taken of available technology and the cost of implementation. However, the obligation is potentially wide-reaching and extremely difficult to implement: for example, as this is now public domain data, one question is how the original controller will be able to identify the controllers it needs to notify.

Other obligations to notify recipients

If the controller has to erase personal data, then the controller must notify anyone to whom it has disclosed such data, unless this would be impossible or involve disproportionate effort.

Exemptions

The obligation does not apply if processing is necessary:

• for the exercise of the right of freedom of expression and information;

• for compliance with a Union or Member State legal obligation;

• for performance of a public interest task or exercise of official authority;

• for public health reasons;

• for archival, research or statistical purposes (if any relevant conditions for this type of processing are met); or

• if required for the establishment, exercise or defence of legal claims.

See section on derogations and special conditions for other occasions when exemptions may be relevant - if provided for under Union or Member State law.

Further reading:
EDPB Guidelines 5/2019 on the criteria of the Right to be Forgotten in the search engines cases under the GDPR (part 1)

Where can I find this?

Right to erasure, Article 17 and 21, Recitals 38, 65 and 66, EDPB 5/2019

Right to restriction of processing

This replaces the provisions in the former Data Protection Directive on ‘blocking’. In some situations, this right gives an individual an alternative to requiring data to be erased; in others, it allows the individual to require data to be held in limbo whilst other challenges are resolved.

What is restriction?

If personal data are ‘restricted’, then the controller may only store the data. It may not further process the data unless:

• the individual consents; or

• the processing is necessary for the establishment, exercise or defence of legal claims; for the protection of the rights of another natural or legal person; or for reasons of important (Union or Member State) public interest.

Where the data are processed automatically, then the restriction should be effected by technical means and noted in the controller’s IT systems. This could mean moving the data to a separate system; temporarily blocking the data on a website or otherwise making the data unavailable.

If the data have been disclosed to others, then the controller must notify those recipients about the restricted processing (unless this is impossible or involves disproportionate effort).

The controller must notify the individual before lifting a restriction.

When is restriction applicable?

• When an individual disputes data accuracy, then personal data will be restricted for the period during which this is verified;

• When an individual has objected to processing (based on legitimate interests), then the individual can require the data to be restricted whilst the controller verifies the grounds for processing;

• When the processing is unlawful but the individual objects to erasure and requests restriction instead; and

• When the controller has no further need for the data but the individual requires the personal data to establish, exercise, or defend legal claims.

The last condition, for example, means that controllers are obliged to retain data storage solutions for former customers if the personal data are relevant to proceedings in which the individual is involved.

Commentary in case law on the right to erasure or restriction of processing

Case C-60/22 considered a situation where the controller had failed to conclude an arrangement determining joint responsibility for processing (Article 26) and to maintain a record of processing activities (Article 30), and where a data subject sought to assert that this triggered the right to erasure. The CJEU determined that this does not constitute unlawful processing conferring a right on the data subject of erasure or restriction of processing, where this failure does not amount to infringement of the principle of “accountability” set out in Article 5(2) GDPR.
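The section above says that, for automated processing, restriction "should be effected by technical means and noted in the controller's IT systems", that only storage and a short list of exceptions remain permitted while the flag is set, that recipients must be told, and that the individual must be notified before the flag is lifted. The following Python module is an added example written for this page (not code from the guide, from Bird & Bird or from any supervisory authority) showing one way to express those rules as a gate that every use of a record has to pass through. The `PersonalRecord` type, the `RestrictionGround` enumeration, the purpose names and the `demo` walk-through are constructed assumptions, not terms taken from the Regulation.

```python
"""Added example: marking personal data as 'restricted' and gating further
processing, as Article 18 requires.

Not code from the guide or from Bird & Bird. The purpose names, the
record store and the sample walk-through are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class RestrictionGround(Enum):
    """The four situations in which an individual can require restriction."""
    ACCURACY_DISPUTED = "accuracy disputed, pending verification"
    OBJECTION_PENDING = "objection to legitimate-interests processing, pending verification"
    UNLAWFUL_BUT_KEEP = "processing unlawful; individual prefers restriction to erasure"
    NEEDED_FOR_CLAIMS = "controller no longer needs data; individual needs it for legal claims"


# While restricted, the controller may only store the data. These purposes
# are the exceptions under which further processing remains permitted
# (consent is handled separately, per record).
PERMITTED_WHILE_RESTRICTED = {
    "storage",
    "legal_claims",              # establishment, exercise or defence of legal claims
    "protect_rights_of_other",   # protection of another natural or legal person's rights
    "important_public_interest",
}


class ProcessingBlocked(Exception):
    """Raised when a purpose is attempted on restricted data with no exception applying."""


@dataclass
class PersonalRecord:
    subject_id: str
    data: dict
    restricted: bool = False
    ground: RestrictionGround | None = None
    consented_purposes: set[str] = field(default_factory=set)
    recipients: set[str] = field(default_factory=set)   # others the data were disclosed to
    audit: list[str] = field(default_factory=list)      # the note in the IT system


def restrict(record: PersonalRecord, ground: RestrictionGround) -> list[str]:
    """Flag the record as restricted; return the recipients that must be notified."""
    record.restricted = True
    record.ground = ground
    record.audit.append(f"restricted: {ground.value}")
    return sorted(record.recipients)


def lift_restriction(record: PersonalRecord, individual_notified: bool) -> None:
    """The individual must be informed before the restriction is lifted."""
    if not individual_notified:
        raise ProcessingBlocked("restriction cannot be lifted before notifying the individual")
    record.restricted = False
    record.ground = None
    record.audit.append("restriction lifted")


def process(record: PersonalRecord, purpose: str) -> dict:
    """Gate every use of the record through the restriction check."""
    if record.restricted and purpose not in PERMITTED_WHILE_RESTRICTED:
        if purpose not in record.consented_purposes:
            record.audit.append(f"blocked '{purpose}' while restricted")
            raise ProcessingBlocked(
                f"record for {record.subject_id} is restricted ({record.ground.value}); "
                f"'{purpose}' is not permitted")
        record.audit.append(f"consent relied on for '{purpose}' while restricted")
    record.audit.append(f"processed for '{purpose}'")
    return record.data


def demo() -> dict:
    """Walk through a constructed accuracy dispute; returns a summary for checking."""
    rec = PersonalRecord("subject-7", {"address": "12 Example Street"},
                         recipients={"payments-processor", "analytics-vendor"})
    process(rec, "marketing")                        # allowed: not restricted yet
    to_notify = restrict(rec, RestrictionGround.ACCURACY_DISPUTED)
    process(rec, "storage")                          # allowed: storage only
    blocked = False
    try:
        process(rec, "marketing")                    # blocked while restricted
    except ProcessingBlocked:
        blocked = True
    process(rec, "legal_claims")                     # allowed: legal-claims exception
    premature_lift_refused = False
    try:
        lift_restriction(rec, individual_notified=False)
    except ProcessingBlocked:
        premature_lift_refused = True                # correctly refused
    lift_restriction(rec, individual_notified=True)
    return {"notify": to_notify, "marketing_blocked": blocked,
            "premature_lift_refused": premature_lift_refused,
            "restricted_now": rec.restricted, "audit": rec.audit}


if __name__ == "__main__":
    for line in demo()["audit"]:
        print(line)
```

The point of routing everything through `process` is that the restriction is enforced by the system rather than by operator discipline: a marketing job that ignores the flag fails closed, and the audit list gives the record of what was refused that a controller would need when the individual or a supervisory authority asks.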

Where can I find this?

Right to erasure, Article 17 and 19, Recitals 65, 66, 73

Right to restriction, Article 18 and 19, Recitals 67 and 73

3. INDIVIDUAL RIGHTS

Profiling and automated decision-taking

At a glance

• The automated decision-taking rules affect decisions:

— taken solely on the basis of automated processing; and

— which produce legal effects or have similarly significant effects.

• Where the decision is:

— necessary for the entry into or performance of a contract; or

— authorised by Union or Member State law applicable to the controller; or

— relies on or uses the individual’s explicit consent

then automated processing can be used. However, suitable measures to protect the individual’s interests must still be in place.

• There are additional restrictions on profiling based on special category data – which need explicit consent, or to be authorised by Union or Member State law which is necessary on substantial public interest grounds.

To do list

Check what significant automated decision-taking is used. Identify any decisions which rely on:

• Consent;

• Authorisation by law; or

• Data which relates to special category data or children.

If automated decision-taking is based on consent, ensure this is explicit.

If automated decision-taking relies on or uses special categories of data:

• Check if you can obtain explicit consent;

• If not, you can only carry out such processing where authorised by Union or Member State law.

If automated decision-taking involves children, seek advice: this is restricted.

Meaning of profiling

Profiling is “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict certain aspects concerning that natural person’s performance at work, economic situations, health, personal preferences, interests, reliability, behaviour, location or movement”.

During the original legislative process, there were attempts to introduce significant restrictions on all profiling. However, in the end, these were not included – although Recital 72 does note that the EDPB may publish guidance on profiling. In May 2018, the EDPB endorsed the former Article 29 Working Party’s Guidelines on Automated Decision Making and Profiling (WP 251 rev.01).

Restrictions on automated decision-taking with significant effects

Restrictions on decisions based solely on automated processing (which could include profiling) apply if the decisions produce legal effects or similarly significantly affect the data subject. Recital 71 gives the examples of online credit decisions and e-recruiting; it also makes clear that the objectionable element is the lack of meaningful human intervention.

According to the EDPB Guidelines, “legal effects” are those that have an impact on an individual’s legal rights such as statutory or contractual rights (for example an individual being refused entry at a border, being denied a social benefit granted at law or cancellation of a contract). “Similarly significant effects” are those that are equivalent or similarly significant to legal effects. The effect must be more than trivial and must have the potential to significantly influence the circumstances, behaviour or choices of the individuals concerned (examples could include automatic refusal of an online credit application or e-recruiting practices without meaningful human intervention). Much depends on the context, and it is difficult to provide a fixed list of what might be considered ‘significant’.

In the Schufa case (CJEU C-634/21), the CJEU held that credit reference agencies are undertaking automated individual decision making when they create a probability based credit score and where third parties, such as lenders, rely heavily on this when evaluating loan applications. The CJEU rejected arguments that the lenders were taking the decisions and that the credit reference agencies were engaging in preparatory acts.

Such significant automated processing can be used if it is:

• necessary to enter into, or to perform, a contract between a data subject and a controller;

• authorised by Union or Member State law; or

• based on the individual’s explicit consent.

Recital 71 also notes that such measures should not concern children.

Automated decisions based on explicit consent or contractual fulfilment

In the first and third cases (contract performance and consent), the controller must implement suitable measures to safeguard the data subject. At a minimum, this must include a right to obtain human intervention for the data subject to be able to express his or her point of view and to contest the decision.

The equivalent provisions in the former Data Protection Directive stated that this was not necessary if the effect of the decision was to grant the individual’s request. This was not carried across into the GDPR.

Recital 71 emphasises that appropriate statistical techniques must be used; that transparency must be ensured; that measures should be in place to correct inaccuracies and risks of errors; and that security must be ensured and discriminatory effects prevented.

According to the above Guidelines, controllers should carry out regular testing on the data sets they process to check for any bias, and measures should be taken to prevent errors, inaccuracies or discrimination on the basis of special categories of data. Audits of algorithms are also advised.

Authorisation by law

In the second case (authorisation by law) the law itself must contain suitable measures to safeguard the individual’s interests. Recital 71 mentions profiling to ensure security and reliability of services or in connection with monitoring of fraud and tax evasion as types of automated decisions which could be justified based on Union or Member State law.

Special category data

Automated decision-taking based on special category data is further restricted. Decisions based on these types of data may only take place:

• with explicit consent; or

• where the processing is necessary for substantial public interest reasons and on the basis of Union or Member State law – which must include measures to protect the interests of the data subjects.

New EU Laws

Under the Digital Services Act, extra provisions on profiling are outlined for online platforms that, at the request of the recipient of the service, store and disseminate information to the public. Specifically, these platforms are prohibited from (i) using special categories of data (e.g., racial or ethnic origin, political beliefs, and health data) for profiling for advertising (Article 26(3) DSA), and (ii) using profiling for advertising when it is known that the user is a minor (Article 28(2) DSA).

The Digital Markets Act also contains provisions on profiling. Gatekeepers are required to publish information on their use of profiling and to undergo an independent audit of their profiling. The results of the audit must be shared with the Commission which, in turn, will share this with the EDPB (Article 15 DMA).

Further reading:
Former Former Article 29 Guidelines on Automated Decision Making and Profiling (WP 251 rev.01)
(endorsed by EDPB).

EDPB Guidelines 10/2020 on restrictions under Article 23 GDPR

Judgment of the Court (First Chamber) of 7 December 2023. OQ v Land Hessen (SCHUFA Case C-634/21.

Case C-203/22 Dun & Bradstreet Austria

Where can I find this?


Article 4(4) & 22, Recitals 71 & 72

4. ACCOUNTABILITY, SECURITY AND BREACH NOTIFICATION

Data governance obligations

At a glance

• The GDPR requires all organisations to implement a wide range of measures to reduce the risk of their breaching the GDPR and to prove that they take data governance seriously.

• These include accountability measures such as: DPIAs, audits, policies, records of processing activity and (potentially) appointing a Data Protection Officer (“DPO”).

To do list

Assign responsibility and budget for data protection compliance within your organisation. Whether or not you decide to appoint a DPO (or have to), the GDPR’s long list of data governance measures necessitates ownership for their adoption being allocated.

Ensure that a full compliance programme is designed for your organisation, incorporating features such as: DPIAs, regular audits, policy reviews and training and awareness raising programmes.

Audit existing supplier arrangements and ensure template RFP and procurement contracts reflect the GDPR’s data processor obligations.

Monitor the release of supervisory authorities / EU and industry published supplier terms and codes of practice to see if they are suitable for use by your organisation.

Refine and keep up to date records of your organisation’s processing activities.

The GDPR enshrines a number of “data governance” concepts, the virtues of which law makers and supervisory authorities have extolled for some time. These concepts create significant operational obligations and costs for many public and private sector organisations.

A general obligation is imposed upon controllers to adopt appropriate technical and organisational measures to meet their GDPR obligations (and to be able to demonstrate that they have done so).

Data Protection by Design & Default (aka “Privacy by design”)

Controllers are required to put in place appropriate technical and organisational measures which:

• are designed to implement data protection principles and to integrate safeguards for the protection of data subjects’ rights; and

• ensure that, by default, only personal data that are needed for the specific purpose of the processing are used.

When considering the design of technical and organisational measures, the GDPR directs controllers to assess the state of the art, cost of implementation, and the nature, scope and reasons for use, together with the different levels of risks posed to individuals’ rights and freedoms by the given use of personal data. The GDPR states that such an assessment should be undertaken both when deciding how to process personal data and whilst processing personal data. Example measures to meet the data minimisation principle referenced in the GDPR include adopting appropriate staff policies and using pseudonymisation.

Further information about what organisations are expected to do may be found in the EDPB’s Guidelines 4/2019 on Article 25 Data Protection by Design and by Default (the “DPbyDD Guidelines”), which were adopted on 20 October 2020. The DPbyDD Guidelines focus on the interpretation of the requirements in Article 25 GDPR, exploring the legal obligations imposed and providing a number of operational examples. Other topics covered by the DPbyDD Guidelines include certification mechanisms for compliance with Article 25, how Article 25 may be enforced by supervisory authorities, and recommendations for stakeholders (which includes processors and technology providers) on how the EDPB considers that data protection by design and default may be successfully implemented.

Joint controller arrangements

Joint controllers (that is, two or more controllers who jointly determine the purpose and means of processing) are required to arrange between themselves their respective responsibilities for compliance with the GDPR – and, in particular, the exercise of data subjects’ rights and provision of transparency information to individuals. The arrangement must set out the parties’ roles and responsibilities with respect to data subjects, and the essence of the arrangement must be made available to data subjects (e.g. by way of a privacy notice).

Whilst there is no legislative requirement for an arrangement between joint controllers to be set out in a formal contract, it would be sensible to do so, e.g. for accountability reasons. The EDPB, in its Guidelines 07/2020 on the concepts of controller and processor in the GDPR (“Concepts of C&P Guidelines”) adopted on 7 July 2021, confirms that documentation of “the relevant factors and internal analysis carried out in order to allocate the different obligations” is recommended. The Concepts of C&P Guidelines focus on the assessment around how a determination of joint controllership may be found and the requirements on the parties when joint controllership is determined.

Since the coming into effect of the GDPR, the CJEU has issued a number of judgments which explored the concept of joint controllership, albeit under the provisions of the Data Protection Directive. A key takeaway from this case law is that quite a broad interpretation of joint controllership is emerging.

Key cases include:

• the “Facebook Fan Page” case (Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH (Case C-210/16));

• the “Jehovah’s Witness” case (referenced by Tietosuojavaltuutettu (Case C-25/17)); and

• the “Facebook ‘Like Button’” case (Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW eV (Case C-40/17)).

Data Protection Impact Assessments (DPIAs)

What is a DPIA and when is it required?

A Data Protection Impact Assessment, also known as a Privacy Impact Assessment, is a process for demonstrating compliance and assessing and mitigating risk. The GDPR formalises a requirement for DPIAs to be carried out in certain circumstances. Specifically, controllers must ensure that a DPIA has been completed with respect to any “high risk” processing activity before it is commenced. “High risk” here is measured by reference to the risk of infringing a natural person’s rights and freedoms.

Examples of high risk processing set out in the GDPR include:

• systematic and extensive processing activities, including profiling and where decisions have legal effects - or similarly significant effects - on individuals;

• large scale processing of special categories of data or criminal convictions or offence details; or

• large scale, systematic monitoring of public areas (e.g. CCTV).

Guidelines (WP248 rev.01) issued in 2017 and endorsed by the EDPB (the “DPIA Guidelines”) indicate that other factors may increase risk, including the presence of vulnerable data subjects (e.g. children and, notably, employees), matching or combining data sets in unexpected ways from the perspective of the affected individuals, and processing designed to deny an individual a right or access to a contract or service.

Organisations should take care to also check local requirements. Most EU countries have issued, and had approved by the EDPB, their lists of personal data processing activities which require a DPIA or (as is the case for a handful) do not, under Articles 35(4) and (5).

Is there a set form for DPIAs?

There is no mandated form for a DPIA and, as noted by the DPIA Guidelines, numerous templates already exist.

Interestingly, the DPIA Guidelines took account of two relevant ISO documents - one on risk management and one on DPIAs in an information security context.

As a minimum, the GDPR requires that a DPIA include:

• a description of the envisaged processing operations and the purposes of the processing;

• an assessment of (i) the need for and proportionality of the processing and (ii) the risks to data subjects (as viewed from the perspective of data subjects) arising; and

• a list of the measures envisaged to (i) mitigate those risks (including non-data protection risks, such as infringements on freedom of thought and movement) and (ii) ensure compliance with the GDPR.

What else are we required to do?

If a DPO has been appointed (see below), their advice on the carrying out of a DPIA must be sought.
Consulting the supervisory authority is required prior to any processing of personal data whenever risks cannot be mitigated and remain high - such as where individuals may encounter significant or even irreversible consequences as a result of the processing. The GDPR contains specific procedural directions for this process.

Controllers are directed to seek the views of data subjects “or their representatives” in conducting a DPIA, if appropriate. In the context of HR data processing this has been interpreted as an obligation to consult with employees, or their representatives, such as works councils or Trade Unions.

Data Protection Officer (DPO)

Controllers and processors are free to voluntarily appoint a DPO, but the following are obligated to do so:

• public authorities (with some minor exceptions);

• any organisation whose core activities require:

— “regular and systematic monitoring” of data subjects “on a large scale”; or

— “large scale” processing of special categories of data or criminal convictions and offences data; and

• those obliged to do so by local law (countries such as Germany are likely to fall into this category).

The DPO Guidelines (WP 243) can help organisations interpret the terms “core activities”, “regular and systematic monitoring” and “large scale”. These guidelines include the following points:

• “Core activities”: activities which are ‘an inextricable part’ of the controller’s / processor’s pursuit of its goals are cited. Reassuringly, the DPO Guidelines confirm that an organisation’s processing of its staff information (which is highly likely to include special categories of data) is ancillary to its activities, not core. Examples of core activities given include: a security company’s surveillance where it is hired to safeguard a public space; a hospital’s processing of patient health data; and an outsourced provider of occupational health services’ processing of its customer’s employee data.

• “Regular and systematic monitoring”: all forms of online tracking and profiling are called out as examples by the EDPB, including for the purpose of behavioural advertising and email retargeting. Other examples cited include: profiling and scoring (e.g. for credit scoring, fraud prevention or for the setting of insurance premiums); location tracking; fitness and health data tracking; CCTV; processing by connected devices (smart meters, smart cars etc); and data-driven marketing activities (i.e. big data).

• “Large scale”: here, the EDPB says that it is not currently keen on precise numbers being used as a benchmark for this term, but that plans are afoot to publish thresholds in the future. Instead, the DPO Guidelines (last revised in April 2017) list some fairly obvious generic factors to be considered in defining large scale (e.g. the number of individuals affected and geographic extent of processing). Examples of large scale processing cited include: a bank or insurance company processing customer data; and processing of an international fast food chain’s customer geo-location data in real time for statistical purposes by a specialist processor.

The DPO Guidelines confirm that where a DPO is appointed on a voluntary basis, the same requirements as set by the GDPR for mandatory DPOs will apply to them. Moreover, once an organisation opts to appoint a DPO, it cannot circumscribe the scope of the DPO’s review – the DPO must have the authority to review all data processing.

In response to an uncertainty in the GDPR, the DPO Guidelines confirm that nothing prevents an organisation from assigning the DPO the task of maintaining the records of processing operations.

Interestingly, the DPO Guidelines also recommend that an organisation which decides not to voluntarily appoint a DPO documents why it thinks that it is not subject to the DPO appointment criteria (as summarised above). Such assessments should be kept up to date and revisited when new activities or services are contemplated.

If a DPO is not mandatory and a DPO is not appointed voluntarily, staff or consultants can be appointed to carry out similar tasks, but the EDPB says that to avoid confusion they should not be called DPOs.

Where appointed, a DPO must be selected by reference to their professional qualities and expert knowledge (which employers are obliged to help maintain). Critically, while they may be supported by a team, there can only be one DPO per organisation and that person should preferably be located in the EU. The DPO Guidelines note that the more sensitive or complex an organisation’s data processing activities are, the higher the level of expertise that its DPO will be expected to have.

Organisations must ensure that their DPO’s primary objective is ensuring compliance with the GDPR. Their tasks should at a minimum include: advising their colleagues and monitoring their organisation’s GDPR/privacy law/policy compliance, including via training and awareness raising, running audits, advising regarding DPIAs and cooperating with supervisory authorities. The DPO Guidelines stress that DPOs will not be personally liable for their organisation’s failure to comply with the GDPR. Liability will fall upon the organisation, including if it obstructs or fails to support the DPO in meeting their primary objective.

Adequate resources must be provided to enable DPOs to meet their GDPR obligations, and they should report to the highest level of management.

Group companies can appoint a single DPO. A DPO can be a member of staff or a hired contractor. Key features of a DPO’s skillset (according to the DPO Guidelines) include that they must be knowledgeable about the organisations they represent and accessible - including that they are able to easily communicate with supervisory authorities and data subjects (e.g. customers and staff) in countries in which the organisation operates. It seems that the DPO Guidelines therefore expect DPOs to be polyglots as well as data protection experts - or at least to have easy access to good translation facilities.

Controllers and processors must ensure that their DPO is involved in all material matters regarding data protection (including, according to the DPO Guidelines on the topic, following a personal data breach), and can operate independently of instruction and will not be dismissed or penalised for performing their task. It remains to be seen how employment laws will interpret this provision. Organisations must ensure there is a secure and confidential channel by which employees can communicate with the DPO.

The DPO Guidelines also state that if an organisation’s management does not agree with and decides not to follow a DPO’s recommendation, then it should formally record this and the reasons for its decision. The DPO Guidelines also warn that instruction must not be given to the DPO regarding how to deal with a matter, what results should be achieved or whether or not to consult with a regulatory authority.

The GDPR does not restrict DPOs from holding other posts but expressly requires that organisations ensure that such other tasks do not give rise to a conflict of interest for the DPO. The DPO Guidelines go further by saying that a DPO cannot hold senior positions in management (i.e. as a CEO, COO or CFO). Other senior managers, including Head of HR, Marketing or IT, or lower level employees who make decisions about the purposes and means of processing, are also barred from the position. If an external DPO (e.g. a lawyer) provides day-to-day DPO services to controllers or processors, this may prevent this individual from representing those entities before courts in cases involving data protection issues.

The DPO’s contact details must be published and also notified to an organisation’s supervisory authority, as the DPO is to be a point of contact for questions about data protection compliance matters.

Bird & Bird assists organisations with this obligation and can be appointed as GDPR DPO. Contact Bird & Bird Privacy Solutions if you would like further details about our DPO services.

“GDPR” Representatives

Many non-EU “established” organisations which target or monitor EU data subjects are required by the GDPR to designate in writing a representative which is located in the EU. This “GDPR Representative” must be mandated by an organisation as an alternative or additional port of call to which data subjects and supervisory authorities may turn for all issues relating to the processing which is in scope of the GDPR.

A GDPR Representative need not be appointed by a public authority, or an organisation which carries out occasional, non-large scale, processing of special categories of data or criminal convictions and offences data which is “unlikely to result in a risk to the rights and freedoms of natural persons”. EDPB guidance on the territorial scope of the GDPR states that “public body” should be interpreted in accordance with national law, and that further guidance relating to “large scale” and “occasional” processing may be found in its DPO Guidance and position paper on Article 30 GDPR, respectively.

Bird & Bird now assists non-EU established organisations with this obligation and can be appointed as GDPR representative.

Do not hesitate to contact Bird & Bird Privacy Solutions if you would like further details about our GDPR representative services.

Using service providers (data processors)

Article 28 GDPR imposes a high duty of care upon controllers in selecting their personal data processing service providers, which will require procurement processes and request for tender documents to be regularly assessed.

Contracts must be implemented with service providers which include a range of information (e.g. the data processed and the duration for processing) and obligations (e.g. assistance where a personal data breach occurs, appropriate technical and organisational measures taken and audit assistance obligations, to name but a few). These obligations must also be flowed down where a service provider engages a sub-processor.

On 4 June 2021, the European Commission published a set of standard contractual clauses between controllers and processors (“Article 28 Clauses”) to cover the requirements set out under Article 28 of the GDPR. These are not mandatory clauses and are instead intended to provide an option for organisations to use as an annex to commercial agreements in order to comply with the Article 28 requirements. The Article 28 Clauses should not be confused with the standard contractual clauses discussed below in relation to international data transfers.

Record of processing activities

Organisations are obliged to keep a record of their processing activities (the type of data processed, the purposes for which it is used etc).

Data processors are also required to maintain such a record about personal data which controllers engage them to process, a requirement which is particularly challenging for many cloud and communications service providers.

Whilst an exemption from the above obligations applies to organisations employing fewer than 250 people, this exemption does not apply where data relating to criminal convictions and offences are processed, as well as where special categories of data are processed, which seems likely to nullify its usefulness, particularly in the employment context.

Where can I find this?

Privacy by Design, Article 25, Recitals 74-78

DPIAs, Articles 35-36, Recitals 89-94

DPOs, Articles 37-39, Recital 97, WP 243

Using data processors, Articles 28 and 29, Recital 81

Record of processing activities, Article 30, Recital 82

4. ACCOUNTABILITY, SECURITY AND BREACH NOTIFICATION

Personal data breaches and notification

At a glance

• Data controllers and data processors are subject to a general personal data breach notification regime.

• Data processors must report personal data breaches to data controllers.

• Data controllers must report personal data breaches to the relevant supervisory authority and, in some cases, affected data subjects, in each case following specific GDPR provisions.

• Data controllers must maintain an internal breach register.

• Non-compliance can lead to an administrative fine up to €10,000,000 or, in case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

• As things stand, the specific breach notification regime for communications service providers, set out in Commission Regulation 611/2013 on the measures applicable to the notification of personal data breaches under the e-Privacy Directive 2002/58/EC, still applies (and forms part of retained law in the UK).

To do list

In line with the accountability principle laid down by the GDPR, data controllers and data processors should ensure they have in place internal breach notification procedures, including incident identification systems and incident response plans.

Such procedures should be regularly tested and re-reviewed.

Work with your IT/IS teams to make sure they implement appropriate technical and organisational measures to render the data unintelligible in case of unauthorised access.

Insurance policies should be kept under review to assess the extent of their coverage in case of breaches.

Template MSA/data protection clauses and tender documentation should: (i) require suppliers to proactively notify breaches to them; and (ii) put a great emphasis on the duty to cooperate between the parties.

Incidents which trigger notification

The GDPR defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. On 28 March 2023, the EDPB also adopted Guidelines 9/2022 on personal data breach notification under the GDPR, which provide further guidance on notifications (“Breach Notification Guidelines”). The breach notification regime under the GDPR applies as follows:

1. Obligation for data processors to notify data controllers

Timing:

Without undue delay after becoming aware of it.

Exemption:

None.

Observations:

• All breaches have to be reported by the processor to the controller. Where there are multiple controllers affected by the processor’s breach, the processor must notify each affected controller.

• The Breach Notification Guidelines recommend that the contract between the controller and processor set out timing, which can include requirements for early notification by the processor.

• The EDPB recommends phased notification in order to help the controller meet the requirement of notifying the supervisory authority within 72 hours.

• The EDPB also acknowledges that, whilst the legal responsibility to notify remains with the controller, a processor could make a notification on the controller’s behalf where the controller has authorised the processor to do so as part of the contractual arrangements between the parties.

2. Obligation for data controllers to notify the supervisory authority

Timing:

Without undue delay and, where feasible, not later than 72 hours after becoming aware of it.

Exemption:

No reporting if the breach is unlikely to result in a risk to the rights and freedoms of natural persons (e.g. the personal data are already publicly available and a disclosure of such data does not constitute a likely risk to the individual).

Observations:

• In the Breach Notification Guidelines, the EDPB recognises that the precise moment a controller becomes aware of a breach will depend on the circumstances of the specific breach. However, the guidelines state that a controller should be regarded as having become “aware” when the controller has a reasonable degree of certainty that an incident has occurred that has led to the personal data being compromised. The EDPB goes further in stating that the controller’s technical and organisational measures should allow the controller to establish immediately whether a breach has taken place.

• In the EDPB’s view, the 72-hour period should be used by the controller to assess the likely risk to individuals in order to determine whether the requirement for notification has been triggered, as well as the action(s) to address the breach, including escalations to the appropriate level of management. Such assessments may be influenced by DPIAs previously conducted by the controller.

• The GDPR provides the possibility for phased notification in the event the controller is unable to provide all the required information to the supervisory authority. However, when the timing obligation is not met, reasons will have to be provided to the supervisory authority (e.g. request from a law enforcement authority or multiple data breaches over a short period of time).

• In the Breach Notification Guidelines, the EDPB recognises the possibility of a controller submitting a “bundled” notification where the same event results in similar but multiple breaches. However, where a series of breaches concern different types of personal data, breached in different ways, then each breach must be reported separately.

3. Obligation for data controllers to communicate a personal data breach to data subjects

The data controller must communicate a personal data breach to data subjects only where the breach is likely to result in a high risk to the rights and freedoms of natural persons.

If the data controller is yet to do so, the supervisory authority may compel the data controller to communicate a personal data breach to affected data subjects unless one of the exemptions is satisfied.

Timing:

Without undue delay: the need to mitigate an immediate risk of damage would call for a prompt communication with data subjects, whereas the need to implement appropriate measures against continuing or similar data breaches may justify more time for communication. The EDPB recognises that in exceptional circumstances, communication with data subjects may precede notification to the supervisory authority; for example, where there is an immediate threat of identity theft, or if special categories of data are disclosed online.

No reporting if:

• the breach is unlikely to result in a high risk for the rights and freedoms of data subjects;

• appropriate technical and organisational protection measures were in place at the time of the incident that rendered the personal data unintelligible (e.g. encrypted data, where the encryption key is still intact and the compromised data is still otherwise available);

• immediately following the personal data breach, the controller has taken steps to ensure that the high risk posed to individuals’ rights and freedoms is no longer likely to materialise; or

• this would trigger disproportionate efforts (instead a public information campaign or “similar measures” should be relied on so that affected individuals can be effectively informed).

Cross-border personal data breaches

Where a personal data breach affects data subjects in more than one Member State, then the data controller should notify, if it has a single or main establishment, its competent lead supervisory authority (see section on cooperation and consistency between supervisory authorities). This may not necessarily be where the affected data subjects are located or where the breach has taken place. When notifying the lead authority, the data controller should indicate whether the breach affects data subjects in other Member States.

Where an organisation established outside of the EU is subject to the GDPR and experiences a personal data breach, the EDPB recommends that notification should be made to each supervisory authority for which affected data subjects reside in their Member State. The Breach Notification Guidelines state that the mere presence of a representative in a Member State does not trigger the one-stop-shop mechanism.
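The notification steps set out above (processor to controller; controller to the supervisory authority within 72 hours of awareness unless risk is unlikely; controller to data subjects where the risk is high, subject to the four exemptions; and the lead-authority rule for cross-border breaches) can be run as a triage checklist at the start of an incident. The Python helper below is an added example written for this section, not code from Bird & Bird, the EDPB or the GDPR itself. Its field names, the three risk levels and the scenarios in demo_scenarios() are this example's own assumptions; the risk level is taken as the output of the controller's own assessment rather than computed, and the "data unintelligible" exemption is only granted when encryption, an uncompromised key and a surviving copy all hold.

```python
# Added example: turns the GDPR breach notification steps summarised above into
# a triage checklist. Field names, risk levels and the scenarios are constructed
# for illustration; the legal tests are the ones the text states.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

SA_DEADLINE = timedelta(hours=72)           # "where feasible, not later than 72 hours"
RISK_LEVELS = ("unlikely", "risk", "high")  # output of the controller's own assessment


@dataclass
class Breach:
    """Facts established in the first hours of an incident (constructed fields)."""
    aware_at: datetime                   # "reasonable degree of certainty" reached
    risk: str                            # one of RISK_LEVELS, for the individuals
    encrypted: bool = False              # data were encrypted when the incident occurred
    key_intact: bool = True              # the encryption key was not compromised
    data_still_available: bool = True    # the controller still holds an intact copy
    risk_neutralised: bool = False       # immediate steps removed the high risk
    direct_contact_disproportionate: bool = False
    affected_member_states: List[str] = field(default_factory=list)
    lead_sa: Optional[str] = None        # lead SA, if there is a main establishment


@dataclass
class NotificationPlan:
    notify_sa: bool
    sa_deadline: Optional[datetime]
    sa_recipients: List[str]
    inform_data_subjects: bool
    data_subject_channel: str            # "direct", "public-campaign" or "none"
    notes: List[str] = field(default_factory=list)


def data_unintelligible(b: Breach) -> bool:
    """Exemption (ii) applies only if the key is intact and no data were lost."""
    return b.encrypted and b.key_intact and b.data_still_available


def sa_recipients(b: Breach) -> List[str]:
    """Lead SA under the one-stop-shop; otherwise every SA with affected residents."""
    if b.lead_sa:
        return [b.lead_sa]
    return sorted(set(b.affected_member_states))


def triage(b: Breach, now: datetime) -> NotificationPlan:
    if b.risk not in RISK_LEVELS:
        raise ValueError(f"unknown risk level {b.risk!r}")
    notes: List[str] = []

    # Step 2: controller -> supervisory authority, unless risk is unlikely.
    notify_sa = b.risk != "unlikely"
    deadline = b.aware_at + SA_DEADLINE if notify_sa else None
    if notify_sa and now > deadline:
        notes.append("72h deadline missed: document reasons for the delay")
    elif notify_sa:
        notes.append("phased notification allowed if details are incomplete")
    if notify_sa and b.lead_sa and len(set(b.affected_member_states)) > 1:
        notes.append("tell the lead SA which other Member States are affected")

    # Step 3: controller -> data subjects, only for high risk and no exemption.
    inform = b.risk == "high"
    channel = "none"
    if inform and data_unintelligible(b):
        inform = False
        notes.append("exempt: data unintelligible (encrypted, key intact, copy held)")
    elif inform and b.risk_neutralised:
        inform = False
        notes.append("exempt: high risk no longer likely to materialise")
    elif inform:
        channel = "public-campaign" if b.direct_contact_disproportionate else "direct"

    return NotificationPlan(notify_sa, deadline, sa_recipients(b) if notify_sa else [],
                            inform, channel, notes)


def demo_scenarios() -> Dict[str, NotificationPlan]:
    """Constructed scenarios, one per branch; none describes a real incident."""
    t0 = datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc)
    day1, day4 = t0 + timedelta(hours=24), t0 + timedelta(hours=96)
    return {
        # Health data on a lost laptop, assessed high risk by category, but the
        # disk was encrypted, the key is safe and a backup exists.
        "lost_encrypted_laptop": triage(
            Breach(t0, "high", encrypted=True, affected_member_states=["DE"], lead_sa="DE"), day1),
        # Plaintext credential dump affecting three Member States, lead SA in FR.
        "credential_dump": triage(
            Breach(t0, "high", affected_member_states=["FR", "IT", "ES"], lead_sa="FR"), day1),
        # Non-EU controller with no lead SA, assessed four days after awareness.
        "non_eu_controller_late": triage(
            Breach(t0, "risk", affected_member_states=["NL", "BE"]), day4),
        # Data that were already public: no risk, nothing to report.
        "public_data": triage(Breach(t0, "unlikely"), day1),
    }


if __name__ == "__main__":
    for name, plan in demo_scenarios().items():
        print(name, plan)
```

The helper deliberately never downgrades the supervisory-authority decision on the strength of encryption alone: the text ties the encryption exemption to the communication with data subjects, while the supervisory-authority test is whether a risk is unlikely, which remains the controller's assessment to make and record.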

Documentation requirements

Internal breach register: obligation for the data data subjects concerned and the categories and
controller to document each incident “comprising approximate number of data records concerned,
the facts relating to the personal data breach, its etc.) and the communication to affected
effects and the remedial action taken”. It is also individuals (e.g. describe in clear and plain
advisable to have an internal personal data breach language the nature of the personal data breach
response plan that clearly sets out how such breaches and provide at least the following information:
and subsequent notifications are dealt with. The (i) the name and contact details of the DPO or
supervisory authority can be requested to assess other contact point where more information
how data controllers comply with their data can be obtained; (ii) the likely consequences of
breach notification obligations. the personal data breach; and (iii) the measures
taken or proposed to be taken by the data
There are also prescribed requirements to controller to address the personal data breach,
satisfy in the communication to the supervisory including, where appropriate, to mitigate its
authority (e.g. describing the nature of the possible adverse effects). Many supervisory
personal data breach, including, where possible, authorities have produced standard forms for
the categories and approximate number of notification of personal data breaches.

Sanctions in case of non-compliance

Failure to meet the above requirements exposes the organisation to an administrative fine of up to €10,000,000 or in case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

In addition, certain Member States are adding at country level criminal liability sanctions in case of non compliance (e.g. France).

What about other EU breach notification regimes?

As things stand, Regulation 611/2013 – which details a specific procedure for breach notification (laid out in Directive 2002/58/EC (the “e-Privacy Directive”) as amended) - still applies to providers of publicly available telecommunications services (e.g. telecommunication companies, ISPs and email providers).

At the time of writing, and seven years on from when the European Commission published its proposed text for the new e-Privacy Regulation on 10 January 2017, a final draft of the e-Privacy Regulation has yet to be approved by the European law makers.

For the UK, the substantive requirements of Regulation 611/2013 are retained in UK law notwithstanding the UK’s exit from the EU – albeit with appropriate adjustments, (e.g. to replace references to the competent supervisory authority with references to the ICO or relevant Secretary of State) (Electronic Communications (Amendment etc.) (EU Exit) Regulations 2019/919).

In addition, the breach notification requirements under cybersecurity laws, including in particular the new Directive (EU) 2022/2555 (the “NIS2 Directive”), will need to be considered. The NIS2 Directive will replace the NIS Directive from 18 October 2024, amending the rules on the security of network and information systems in 18 sectors (see our NIS2 Directive Implementation Tracker). Once implemented locally by EU Member States, the new enhanced cybersecurity and reporting requirements will apply to a wide range of companies (including, cloud computing service providers, data centres and online marketplaces) that meet certain company size thresholds and provide their services or carry out their activities within the EU.

If the NIS2 Directive, in conjunction with its local
implementation, applies to an organisation,
depending on the circumstances of an incident,
that organisation would also need to notify the
cybersecurity authorities and the recipients
of its services. In practice, this means that,
in preparation for such incident reporting,
organisations within the scope of this major
piece of cybersecurity legislation will need to:

• review current processes and procedures to assess what changes need to be made to align with the NIS2 requirements; and

• update incident response plans and processes, including those aimed at complying with the GDPR and other legislation.

Where can I find this?

Recitals 85-88, Articles 33, 34, 70, 83 & 84

4. ACCOUNTABILITY, SECURITY AND BREACH NOTIFICATION

Codes of conduct and certifications
At a glance

The GDPR makes provision for the approval of codes of conduct (“Codes”) and the accreditation of certifications, seals and marks to help controllers and processors demonstrate compliance and best practice.

Codes of conduct:

• Associations and representative bodies may prepare Codes for approval, registration and publication by a supervisory authority, or, where processing activities take place across member states, by the EDPB. The European Commission may declare Codes recommended by EDPB to have general validity within the EU.

• Codes may be approved in relation to a wide range of topics and adherence to Codes will help controllers and processors demonstrate compliance with GDPR obligations.

• Compliance with Codes will be subject to monitoring, which may be carried out by suitably qualified, accredited bodies. Controllers and processors who are found to have infringed a relevant Code may be suspended from participation in the Code and reported to the supervisory authority.

Certifications, seals and marks:

• The establishment of data protection certification mechanisms and of seals and marks is to be encouraged.

• Certificates will be issued by accredited certifying bodies.

• Certification is voluntary but certification will enable controllers and processors to demonstrate compliance with the GDPR.

• Certificates will be valid for three years and subject to renewal.

• EDPB will maintain a publicly available register of all certification mechanisms, seals and marks.

To do list

Organisations should follow developments and consider whether they will wish to apply for certification or comply with a Code that has been approved and published by the EDPB.

Once certification schemes are established, controllers should familiarise themselves with relevant schemes and take account of certifications, seals and marks when selecting their processors/service providers.

Codes of conduct

Although not yet providing a significant aspect of the data protection regime in the EU, when momentum grows in relation to Codes, it is expected that they will become an important component in broadening and adapting the tools for data protection compliance that controllers and processors can draw on, by way of a “semi-self-regulating” mechanism.

It is expected that Codes will provide authoritative guidance on certain key areas including:

• legitimate interest in specific contexts;

• pseudonymisation;

• exercise of data subjects’ rights;

• protection of minors and modes of parental consent;

• proper implementation of privacy by design and by default, and security measures;

• personal data breach notification; and

• dispute resolution between controllers and data subjects.

The development and the approval of Codes are likely to deliver a number of benefits including:

• establishing and updating best practice for compliance in specific processing contexts;

• enabling data controllers and processors to commit to compliance with recognised standards and practices and be recognised for doing so;

• adherence to Codes can demonstrate that data importers (controllers as well as processors) located outside the EU / EEA have implemented adequate safeguards in order to permit transfers under Article 46; transfers made on the basis of an approved Code together with binding and enforceable commitments of the importer to apply appropriate safeguards may take place without any specific authorisation from a supervisory authority and Codes may therefore offer an alternative mechanism for managing international transfers, standing on the same level as standard contractual clauses and BCR.

Approval of Codes

Codes proposed by associations or representative bodies in relation to data processing activities that affect only one Member State are to be submitted to the competent supervisory authority, for comment and – subject to possible modifications or extensions – approval. Some supervisory authorities are taking steps towards implementing such Codes, for example the French supervisory authority (the CNIL) has approved a Code relating to cloud infrastructure providers and has indicated that other sector-specific Codes such as for medical research are being prepared.

If a Code covers processing operations in several Member States, it should be submitted to the EDPB for an opinion. Subject to possible modifications or extensions, the Code and the EDPB opinion may then be submitted to the European Commission which, upon due examination, may declare its general validity. Codes are to be kept and made available in publicly accessible registers.

Monitoring of compliance

Monitoring of compliance with Codes will be carried out only by bodies accredited by the competent supervisory authority.

In order to become accredited such bodies will have to demonstrate:

• their independence and expertise;

• that they have established procedures to assess the ability of controllers and processors to apply the Code, and to monitor compliance, as well as periodically review the Code;

• the ability to deal with complaints about infringements; and

• that they have processes in place to avoid conflicts of interest.

Accreditations are revocable if the conditions for the accreditation are no longer met.

In June 2019, the EDPB adopted guidelines on Codes of Conduct and Monitoring Bodies under Regulation 2016/679 (the “Code of Conduct Guidelines”). The Code of Conduct Guidelines set out the criteria against which Codes will be assessed and how they will be approved.

Certifications, seals and marks

The concept of certifying data processing operations is a significant development in creating a reliable and auditable framework for data processing operations. It is likely to be particularly relevant in the context of cloud computing and other forms of multi-tenancy services, where individual audits are often not feasible in practice.

Member States, supervisory authorities, the EDPB and the Commission are all encouraged to establish data protection certification mechanisms, seals and marks, with regard to specified processing operations.

The competent supervisory authority or the EDPB will approve criteria for the certifications. The EDPB may develop criteria for a common certification, the European Data Protection Seal.

In 2018, the EDPB published guidelines on certification and identifying certification criteria in accordance with Articles 42 and 43 of the GDPR.

There are two key advantages of certificates:

• controllers and processors will be able to demonstrate compliance, in particular with regard to implementing technical and organisational measures.

• certificates can demonstrate that data importers (controllers as well as processors) located outside the EU / EEA have implemented adequate safeguards for the purpose of Article 46; transfers made on the basis of an approved certification mechanism together with binding and enforceable commitments of the importer to apply appropriate safeguards may take place without any specific authorisation from a supervisory authority and certificates therefore offer an alternative mechanism for managing international transfers, standing on the same level as standard contractual clauses and BCR.

Certificates on processing operations will be issued for a period of three years, and are subject to renewal or withdrawal where the conditions for issuing the certificate are no longer met.

The EDPB is to maintain a publicly available register with all certification mechanisms, data protection seals and marks. Certificates can be issued by – private or public – accredited certification bodies. National Accreditation Bodies and/or supervisory authorities may accredit certification bodies (so that they can issue certificates, marks and seals), that (inter alia):

• have the required expertise and are independent with regard to the subject matter of certification;

• have procedures to review and withdraw certifications, seals and marks;

• are able to deal with complaints about infringements of the certifications; and

• have rules to deal with conflicts of interest.

Criteria for accreditation will be developed by the supervisory authorities or the EDPB and will be publicly available.

Accreditations for certification bodies will be issued for a maximum of five years and are subject to renewals, as well as withdrawals in cases where conditions for the accreditation are no longer met.

The EDPB also published final guidelines on the accreditation of certification bodies. Note that the guidelines are primarily addressed to Member States, supervisory authorities and national accreditation bodies, and are not directly relevant to controllers and processors.

Where can I find this?

Codes of conduct
Articles 24, 28(5), 32, 40, 41, 57, 58, 64, 70, 83
Recitals 77, 81, 98, 99, 148, 168

Certifications, seals and marks
Articles 24, 25, 28, 32, 42, 43
Recitals 77, 81, 100, 166 & 168

5. DATA TRANSFERS

Transfers of
personal data
At a glance

• Transfers of personal data to recipients in “third countries” (i.e. outside the European Economic Area (“EEA”)) are restricted.

• The GDPR’s obligations are broadly similar to those imposed by the Data Protection Directive, with some compliance mechanism improvements available, notably the removal of the need to notify standard contract clauses to supervisory authorities, and encouragement for the development of transfer adequacy codes of practice and certification schemes.

• Data transfer compliance remains a significant issue for multinational organisations and also for anyone using supply chains which process personal data outside the EEA.

• Breach of the GDPR’s data transfer provisions is identified in the band of non-compliance issues for which the maximum level of fines can be imposed (up to 4% of worldwide annual turnover).

• Non-compliance proceedings can be brought against controllers and/or processors.

To do list

Identify all transfers of personal data; conduct transfer risk assessments and keep these under review; implement safeguards.

Review questions included in standard procurement templates and contract clauses to ensure that information about your supplier’s proposed transfer of personal data for which you are responsible is included.

Review data transfers from the EEA to the UK; this will need to be mentioned in records of processing activity (and possibly privacy notices).

If you transfer personal data outside the EEA whilst supplying goods or services, expect to be questioned by customers about your (and your supplier’s) approach to compliance.

Commentary

Transfers of personal data to “third countries” (i.e. outside of the EEA) are restricted.

The Article 29 Working Party published guidelines on the interplay between the application of Article 3 GDPR and the provisions on international transfers as per Chapter V of the GDPR. This notes that GDPR does not define what a “transfer” is. The guidelines suggest three cumulative criteria: (i) the data exporter (a controller or processor) is subject to the GDPR for the given processing; (ii) the data exporter transmits or makes available the personal data to the data importer (a separate legal person which is a controller, joint controller or processor); and (iii) the data importer is in a third country or is an international organisation. One point underlined in the guidance is that controllers and processors which are subject to the GDPR on an extra-territorial basis (pursuant to Article 3(2)) will have to comply with Chapter V when they transfer personal data to a third country or to an international organisation.

The European Commission has the power to determine that certain countries, territories, specified sectors or international organisations offer an adequate level of protection for data transfers. The list of countries which have been approved by the European Commission is: Andorra, Argentina, Canada (where PIPEDA applies), Switzerland, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, Eastern Republic of Uruguay, New Zealand, the Republic of Korea, the United Kingdom, the United States of America (commercial organisations participating in the EU-US Data Privacy Framework). Countries to be added to or taken off this list shall be published in the Official Journal. Note however that data transferred from the EEA to the UK for the purposes of UK immigration control is not included in the adequacy decision.

The GDPR provides more detail on the particular procedures and criteria that the European Commission should consider when determining adequacy, stressing the need to ensure that the third country offers levels of protection that are “essentially equivalent to that ensured within the Union”, and providing data subjects with effective and enforceable rights and means of redress. The European Commission shall consult with the EDPB when assessing levels of protection and ensure that there is on-going monitoring and review of any adequacy decisions made (at least every four years). The European Commission also has the power to repeal, amend or suspend any adequacy decisions. The EDPB issued guidelines for the European Commission and the EDPB in November 2017 for the assessment of the adequacy of data protection in third countries.

Other methods of transferring personal data: Standard contractual clauses (SCCs) (either adopted by the Commission or adopted by a supervisory authority and approved by the European Commission) and binding corporate rules (BCRs) and legally binding and enforceable instruments between public authorities, are also accepted.

Significantly, transfers are also permitted where an approved code of conduct (based on the scheme in Article 40) or an approved certification mechanism (based on the scheme in Article 42) is used, provided that binding and enforceable commitments are made by the controller or processor in the third country to apply the appropriate safeguards, including as regards the data subjects’ rights. There are also provisions for ad hoc safeguards to be agreed, subject to authorisation from the competent supervisory authority.

The EDPB issued guidance on codes of conduct as tools for transfers; as well as guidelines on accreditation of certification bodies under Article 43 of the GDPR.

Derogations (pursuant to Article 49 GDPR) permit transfers of personal data in limited circumstances, which include: explicit consent, contractual necessity, important reasons of public interest, legal claims, vital interests, and public register data. There is also a (limited) derogation for non-repetitive transfers involving a limited number of data subjects where the transfer is necessary for compelling legitimate interests of the controllers (which are not overridden by the interests or rights of the data subject) and where the controller has assessed (and documented) all the circumstances surrounding the data transfer and concluded there is adequacy. The controller must inform the supervisory authority and the data subjects when relying on this derogation. The EDPB issued guidelines on the derogations of Article 49 under the GDPR. It emphasised that this compelling legitimate interest derogation “is envisaged by the law as a last resort”.

Finally, the GDPR makes it clear that it is not
lawful to transfer personal data outside the EEA
in response to a legal requirement from a third
country, unless the requirement is based on
an international agreement or one of the other
grounds for transfer applies. The UK has opted
out of this provision.

Further reading:
EDPB Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679

EDPB Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on
international transfers as per Chapter V of the GDPR

EDPB Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance
with the EU level of protection of personal data

Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (Schrems II)

Where can I find this?

Articles 44-50, Recitals 101-116

6. REGULATORS

Appointment of supervisory
authorities
At a glance

• Supervisory authorities are established in each Member State and are responsible for monitoring the application of the GDPR.

• They must co-operate with each other and with the European Commission, and contribute to the consistent application of the GDPR throughout the EU.

• They must act independently.

• Members of supervisory authorities must be appointed in a publicly transparent way and be skilled in data protection.

• There may be more than one supervisory authority in a country (e.g. where the country is composed of federal states).

To do list

No action is required, but it is a good idea to establish or maintain a point of contact with your main supervisory authority.

Commentary

Supervisory authorities (also colloquially known as “Data Protection Authorities” or “DPAs”) are established in each Member State. They monitor the application of the GDPR to protect fundamental rights in relation to processing and to facilitate the free flow of personal data within the EU.

They have to co-operate with each other and the European Commission in order to contribute to the consistent application of the GDPR.

States such as Germany can (and do) have more than one supervisory authority, but one of them is nominated as the national representative in the EDPB.

Supervisory authorities must act with complete independence (subject to financial auditing and judicial supervision). The members of supervisory authorities remain free from external influence and must neither seek nor take instructions from anyone. Also, they must not act incompatibly with their duties nor, whilst in office, engage in an incompatible occupation, whether or not gainful.

Member States must provide their supervisory authorities with the human, technical, financial and other resources necessary to carry out all their tasks and exercise their powers effectively.

Each supervisory authority chooses its own staff and has sole direction of them. A supervisory authority’s budget must be public and separately identified, even if part of the national budget.

Member State law must establish a supervisory authority, prescribe the rules for the authority’s members, their qualifications and eligibility. The (renewable) term of office of a supervisory authority’s members must be not less than four years. Members’ duties of independence, outlined above, must be embodied in national law. Members of supervisory authorities and their staff are bound by a duty of “professional secrecy” both when in office and subsequently.

The provisions on setting up supervisory authorities are rather detailed - some points worth remarking on are: the specificity of the term of appointment, the emphasis on independence, the insistence on the provision of adequate resources for each supervisory authority, and the requirement that “each member [of supervisory authorities] shall have the qualifications, experience and skills, in particular in the area of the protection of personal data, required to perform its duties and exercise its powers.”

New EU data laws

The Data Act provides that where its provisions relate to processing of personal data, that data protection authorities will be competent for this processing and will be able to exercise the powers set out in the Data Act, as well as those under GDPR.

Where can I find this?

Recitals 117-123, Chapter VI Section 1, Articles 51-54

6. REGULATORS

Competence, tasks
and powers
At a glance

• Supervisory authorities are given specific competence to act on their own territory.

• The lead authority (where existent) has competence in cross-border cases (see section on co-operation and consistency between supervisory authorities for further details).

• Supervisory authorities are given an extensive list of specific powers and tasks.

To do list

If you carry out cross-border processing, get to understand the lead-authority system (for which see section on co-operation and consistency between supervisory authorities). Identify which authority you think is your lead supervisory authority and prepare compliance measures accordingly, for instance, incident response plans (see ‘Co-operation and consistency between supervisory authorities’).

Familiarise yourself with the comprehensive powers and tasks of supervisory authorities.

Competence

Each supervisory authority has competence “for the performance of the tasks assigned to and the exercise of the powers conferred on it” as described in the GDPR, on its national territory. Recital 122 tells us that this competence includes “processing affecting data subjects on its territory or processing carried out by a controller or processor not established in the Union when targeting data subjects residing in its territory”.

In cases where the legal basis for processing, whether by a private body or a public authority, is compliance with a legal obligation, acting in the public interest or in the exercise of official authority, the supervisory authority of the relevant Member State has competence and the cross-border lead authority system is disapplied. The language is rather obscure, but Recital 128 says that a supervisory authority has exclusive jurisdiction over the processing that is carried out in the public interest both by public authorities and private bodies which in either case are established on the territory of the Member State of that supervisory authority. It is not clear whether this contemplates multiple establishments and is a means of excluding the one-stop shop or whether it gives exclusive jurisdiction to the home supervisory authority even if the processing is elsewhere in the EU. This might have wide application to private sector bodies – e.g. financial institutions carrying out anti-money-laundering activities in relation to customers elsewhere in the EU than their home country.

Supervisory authorities cannot exercise jurisdiction over courts acting in their judicial capacity. ‘Court’ is not defined and it is not entirely clear how far down the judicial hierarchy this rule will extend.

A lead-authority system is set up to deal with cross-border processing (see section on co-operation and consistency between supervisory authorities for further information about this complex arrangement).

In the Bundeskartellamt case (C-252/21), the CJEU confirmed that a competition authority in a Member State could also reach a finding on whether an undertaking complied with data protection law, where this was relevant to a competition law query. The competition authority would have a duty of sincere co-operation with supervisory authorities for data protection.

Tasks

There is a very comprehensive list of tasks given to the supervisory authorities by Article 57 of the GDPR. There is no need to list them all, because the last on the list is “fulfil any other tasks related to the protection of personal data”. Supervisory authorities must therefore do anything that might reasonably be said to be about the “protection of personal data”.

Some tasks are worth emphasising. Supervisory authorities are to monitor and enforce the “application” of the GDPR and to promote awareness amongst the public, controllers and processors.

They are to advise their governments and parliaments on proposed new laws.

Helping data subjects, dealing with and investigating complaints lodged by individuals or representative bodies, conducting investigations and especially co-operating with other supervisory authorities are all specifically mentioned, as is monitoring the development of technical and commercial practices in information technology.

Supervisory authorities are to encourage the development of codes of conduct and certification systems and they are to “draft and publish the criteria for accreditation” of certification bodies and those which monitor codes of conduct.

Supervisory authorities cannot charge data subjects or Data Protection Officers for their services; the GDPR is however silent on whether controllers and processors could be charged fees in respect of services they receive from supervisory authorities.

Powers

Article 58 of the GDPR lists the powers of the supervisory authorities, to which Member States can add if they wish. Many of the powers correspond to the specific tasks listed in Article 57 and do not need repeating.

Worthy of mention are: ordering a controller or processor to provide information; conducting investigatory audits; obtaining access to premises and data; issuing warnings and reprimands and imposing fines; ordering controllers and processors to comply with the GDPR and data subjects’ rights; banning processing and trans-border data flows outside the EU; approving standard contractual clauses and binding corporate rules. The exercise of powers by a supervisory authority must be subject to safeguards and open to judicial challenge.

Member States must give supervisory authorities the right to bring matters to judicial notice and “where appropriate, to commence or engage otherwise in legal proceedings, in order to enforce the provisions of this Regulation”.

Finally, supervisory authorities must produce annual reports. In summary, the competence, powers and tasks of supervisory authorities are a comprehensive listing of everything a supervisory authority must or might do.

Where can I find this?

Recitals 117-123, WP 244, Chapter VI Section 2, Articles 55-59

6. REGULATORS

Co-operation and consistency between supervisory authorities
At a glance

In cases of cross-border processing in the EU, supervisory authorities have to cooperate in order to ensure a consistent application of the GDPR. In qualifying cases, there is a lead authority, which will be the supervisory authority for the sole EU or main establishment (‘one-stop-shop’). Supervisory authorities in other countries where a controller is established, or where data subjects are substantially affected, or authorities to whom a complaint has been made, can be involved in the cases, and the lead authority must co-operate with them.

To do list

If you are a non-EU based controller or processor (and are caught by the long arm jurisdiction provisions of the GDPR), the lead authority system is irrelevant to you.

If you just operate in one Member State, the supervisory authority for that Member State will be the lead authority for any cross-border processing. If you carry out activities in two or more Member States, find out if you meet the criteria to have a lead authority (taking into account the EDPB’s guidance) and engage with that authority. Consider whether those responsible for data protection compliance in your organisation have suitable language skills to communicate with your lead authority.

Commentary

Lead Authority Competence

If a controller or processor carries out ‘cross-border processing’ either through multiple establishments in the EU or even through only a single establishment (where the processing is likely to substantially affect individuals in multiple Member States), the supervisory authority for the ‘main’ or single establishment acts as lead authority in respect of that cross-border processing.

The EDPB has adopted guidelines for identifying a lead supervisory authority. Where an organisation has multiple establishments, the main establishment and therefore the lead authority is determined by where the decisions regarding the purposes and manner of the personal data processing in question take place - whilst this may be the place of central administration of the organisation, if decisions are actually taken in another establishment in the EU, the authority of that location is the lead authority. The guidelines recognise that there can be situations where more than one lead authority can be identified for different processing activities, i.e. in cases where a multinational company decides to have separate decision-making centres in different countries.

In relation to joint controllers, the guidelines have clarified that it is not possible to designate a common main establishment - and therefore, a lead authority - for both joint controllers. Each joint controller may have its own main establishment, but this cannot be considered the main establishment of the joint controllers for the processing that is carried out under their joint control.

Likewise, processors that provide services to multiple controllers do not really benefit from the one-stop-shop in cases involving their controllers, as the lead authority is the lead authority for each controller.

The guidelines also state that “the GDPR does not permit ‘forum shopping’” – there must be an effective and real exercise of management activity or decision-making over the processing in the organisation’s main establishment. Organisations should be able to demonstrate to supervisory authorities where decisions about data processing are actually taken and implemented, as they may be asked to evidence their position. The guidance notes that controllers without any establishment in the EU cannot benefit from the one-stop-shop mechanism (the mere presence of an EU representative does not trigger the one-stop-shop mechanism) – they must deal with local supervisory authorities in every Member State they are active in, through their local representative.

By derogation from the one-stop-shop, a national supervisory authority remains competent to exercise powers if a complaint is made to it or an infringement occurs on its territory and if the subject matter of the complaint or infringement relates only to an establishment on that territory or substantially affects data subjects only in that State. The EDPB guidelines contain guidance on the meaning of ‘substantially affects’.

Such ‘local’ cases have to be notified to the lead authority, which has three weeks to decide whether or not to intervene (taking into account whether there is an establishment in the other state) in accordance with the co-operation procedure. If it does so, the non-lead authority can propose a decision to the lead authority.

If the lead authority does not intervene, the local authority handles the case using, where necessary, the mutual assistance and joint investigation powers.

In January 2019, the CNIL fined Google €50 million for GDPR breaches which had a cross-border element. In light of Google’s European operations being headquartered in Ireland (and the fact that Google considered the Irish DPC to be their lead authority), this decision was an interesting insight into how supervisory authorities are interpreting the cooperation and consistency mechanisms. In the CNIL’s view, considering that the controller of the data processing at stake was Google LLC (and not Google France), Google Ireland Limited could not be considered as Google LLC’s main establishment as it could not have any real and effective decision-making power over the relevant processing activities at the relevant point in time. Consequently, in the absence of a main establishment in the EU, Google LLC could not benefit from the lead authority mechanism and the CNIL believed it was competent to act pursuant to Articles 55 and 58. The CNIL’s decision was upheld by the highest administrative court in France.
In June 2021, the CJEU ruled on a case referred
to it by the Brussels Court of Appeal, concerning
legal action brought by the Belgian DPA against
Facebook for alleged GDPR infringements.
The CJEU ruled that under certain conditions, a
national supervisory authority may bring any
alleged infringement of the GDPR before a
court of its Member State, pursuant to Article
58(5) GDPR, even though that authority is not
the lead supervisory authority. This is the case
in principle when the non-lead authority is
competent to adopt a decision finding that the
processing infringes the GDPR under Article
56 and exercises this power with due regard
to the GDPR’s co-operation and consistency
mechanism, whilst there is no pre-requisite
that the controller has a main establishment
or another establishment on the territory of
that supervisory authority’s Member State.
The Court also confirmed the direct effect of
Article 58(5) GDPR, which stipulates that EU
Member States must provide that supervisory
authorities have the power to bring GDPR
infringements before judicial authorities
and engage in legal proceedings where
appropriate. This means that a supervisory
authority can rely on this provision, even
where this has not been specifically
implemented in the legislation of the
relevant Member State.

Where can I find this?


Recitals 124-138 and Chapter VII,
Sections 1 & 2

Co-operation Procedure

The lead authority has to co-operate with other “concerned” supervisory authorities. They have to exchange information and try to reach consensus. A supervisory authority is “concerned” where the controller (or processor) has an establishment on the territory of that authority’s Member State; where data subjects on that territory are (likely to be) substantially affected by the processing; or a complaint has been lodged with that authority.

The lead authority has to provide information to the other supervisory authorities concerned and it can seek mutual assistance from them and conduct joint investigations with them on their territories. The lead authority must submit a draft decision to concerned authorities without delay and they have four weeks in which to object. There can be another round of submitting draft decisions with a two-week objection period. If the lead authority does not wish to follow the views of concerned authorities, it must submit to the consistency procedure supervised by the EDPB.

There are detailed rules about which supervisory authority should adopt the formal decision and notify the controller, but the lead authority has the duty to ensure that, pursuant to a formal decision, compliance action is taken by a controller in all its establishments. A concerned supervisory authority can exceptionally, however, take urgent temporary action without waiting to complete the consistency process.

The lead authority system has a number of apparent weaknesses and could be undermined where non-lead authorities are able to assert themselves on the grounds that data subjects in their jurisdictions are substantially affected by processing conducted by a controller whose main establishment is elsewhere.

Mutual Assistance, Joint Operations & Consistency

Supervisory authorities are required to provide assistance to each other in particular in the form of information or carrying out “prior authorisations and consultations, inspections and investigations”. The European Commission can specify forms and procedures for mutual assistance.

Supervisory authorities can conduct joint investigations and enforcement operations. A supervisory authority has a right to be included in such operations if the controller or processor has an establishment on its territory or a significant number of its data subjects are likely to be substantially affected.

If local law permits, a host supervisory authority can give formal investigatory powers to seconded staff. Supervisory authorities have conducted joint investigations pre-GDPR, so the GDPR in practice has developed and strengthened these arrangements.

Where supervisory authorities take certain formal steps or disagree or wish for action to be taken by another supervisory authority, the GDPR provides for a consistency and dispute resolution mechanism.

The EDPB has to give opinions on various supervisory authority proposals, including the approval of binding corporate rules, certification criteria and codes of conduct. If a supervisory authority fails to request the opinion of the EDPB or does not follow an EDPB opinion, then the matter goes to the dispute resolution procedure.

The dispute resolution procedure also applies to lead authority/concerned authority disputes. In all these cases, the EDPB takes a binding decision on the basis of a two-thirds majority vote. If there is no such majority, then after a delay, a simple majority will suffice. The supervisory authorities involved are bound to comply and formal decisions have to be issued in compliance with the EDPB decision.

The most notable EDPB binding decisions under the co-operation and consistency mechanism concern the Irish DPA (the DPC) in cases regarding WhatsApp (July 2021 and December 2022) and the Facebook and Instagram services of Meta Platforms (July 2022 and December 2022). Following the EDPB’s binding decision in the WhatsApp case of 2021, the DPC had to amend its draft decision regarding infringements of transparency, the calculation of the fine, and the period within which WhatsApp had to bring its processing into compliance. WhatsApp brought an action for annulment of the EDPB’s binding decision before the CJEU, which was declared inadmissible (currently under appeal).

The far-reaching results of the consistency mechanism are also apparent in the EDPB’s binding decisions of 2022 regarding the Instagram, Facebook and WhatsApp cases: in the first decision, concerning Instagram (July 2022), the EDPB instructed the DPC to amend its draft decision to include an infringement of Article 6(1) GDPR, after concluding that Instagram unlawfully processed children’s personal data; also, to reassess the envisaged administrative
fine. In the decisions concerning Facebook and Instagram (December 2022), the EDPB instructed the DPC to include in its final decision an order for Meta to bring its processing of personal data for behavioural advertising into compliance with Article 6(1) GDPR within 3 months, and a finding of infringement of the fairness principle, as well as a requirement to adopt appropriate corrective measures. Also, the EDPB’s binding decision led the DPC to significantly increase the fines in its final decisions (from a total of EUR 58 million in the draft decisions, to a total of EUR 390 million in the final decisions). The EDPB also decided that the DPC must carry out a new investigation regarding the processing of special categories of personal data. These decisions are currently being challenged in the CJEU.

A similar position was taken in the EDPB’s binding decision of December 2022 in the WhatsApp case, whereby the EDPB instructed the DPC to include in its final decision an infringement of Article 6(1) GDPR and a corresponding administrative fine, and an infringement of the fairness principle, along with an order for WhatsApp to bring its processing operations into compliance within 3 months. The EDPB also decided that the DPC must carry out an additional investigation of WhatsApp’s processing activities. This has created tension with the Irish DPA, which considered the EDPB’s direction for further investigations problematic in jurisdictional terms and stated that it would take action for annulment before the CJEU, to the extent the direction may involve an overreach on the part of the EDPB.

Under Article 66, in exceptional circumstances where a supervisory authority considers that there is an urgent need to act in order to protect the rights and freedoms of data subjects, it may, by way of derogation from the lead authority or consistency mechanism, immediately adopt provisional measures intended to produce legal decisions on its own territory which shall not exceed 3 months. This is what the Hamburg DPA relied upon when it opened administrative proceedings against Google (whose lead authority is the Irish DPC) in August 2019 in respect of Google’s Speech Assistant system; it argued that effective protection of those affected “from eavesdropping, documenting and evaluating private conversations by third parties can only be achieved by prompt execution”.

Where a supervisory authority has taken provisional measures under the urgency procedure and considers that final measures need urgently to be adopted, it may request an urgent opinion or urgent binding decision from the EDPB. The first such urgent binding decision was adopted by the EDPB in July 2021, following a request from the Hamburg DPA, which had ordered as a provisional measure the ban on processing of WhatsApp user data by Facebook for the latter’s own purposes. The EDPB concluded that the conditions to demonstrate the existence of an infringement and an urgency were not met and decided that no final measures needed to be adopted by the lead supervisory authority (the Irish DPA).

The EDPB has also looked at the cooperation and consistency mechanisms in some detail as part of its contribution to the evaluation of GDPR under Article 97 (adopted on 18 February 2020) and has issued guidelines on this topic. It highlights that the implementation of the lead authority mechanism remains challenging and its success going forward will depend on the consistent interpretation of key GDPR terms, the alignment of national administrative procedures, adequate human and financial resources of supervisory authorities, further improvement of communication tools and reasonable timeframes for case handling.

Where can I find this?


Recitals 124-138 and Chapter VII,
Sections 1 & 2

6. REGULATORS

European Data Protection Board

At a glance
• The Article 29 Working Party, whose members were the EU’s national supervisory authorities, the European Data Protection Supervisor (“EDPS”) and the European Commission, was transformed into the European Data Protection Board (“EDPB”), with similar membership but an independent Secretariat.
• The EDPB has the status of an EU body with legal personality and extensive powers to determine disputes between national supervisory authorities, to give advice and guidance and to approve EU-wide codes and certification.

To do list
No action is required.
Commentary

As of 25 May 2018, the EDPB replaced the Article 29 Working Party, which was established under the Data Protection Directive. The EDPB is an EU body which consists of the heads of national supervisory authorities (or their representatives) and the EDPS.

The European Commission representative on the EDPB is a non-voting member and in states (such as Germany) with multiple supervisory authorities, the national law must arrange for a joint representative to be appointed. In dispute resolution cases, where a binding decision is to be given, the EDPS voting powers are restricted to circumstances in which the principles of the case would be applicable to the EU institutions.

The EDPB has a much enhanced status. It is not merely an advisory committee, but an independent body of the European Union with its own legal personality.

It is formally represented by its Chair, who has the chief role in organising the work of the EDPB and particularly in administering the conciliation procedure for disputes between national supervisory authorities. The Chair and two Deputies are elected from the membership of the EDPB and serve for five years, renewable once.

The EDPB normally decides matters by a simple majority, but rules of procedure and binding decisions (in the first instance) are to be determined by a two-thirds majority.

The EDPB has adopted its own rules of procedure and organisational rules. The independence of the EDPB is emphasised. There seems to be an implicit suggestion that the Commission had exercised too great an influence over the Article 29 Working Party in the past and was seeking to consolidate this power.

The EDPB has its own Secretariat provided by the EDPS, but which acts solely under the direction of the Chair of the EDPB.

The EDPB is provided with a long and detailed list of tasks, but its primary role is to contribute to the consistent application of the GDPR throughout the Union. It advises the European Commission, in particular on the level of protection offered by third countries or international organisations, and promotes cooperation between national supervisory authorities. It issues guidelines, recommendations and statements of best practice: for example, on matters such as when a data breach is “likely to result in a high risk to the rights and freedoms” of individuals or on the requirements for Binding Corporate Rules. Note that during its first plenary meeting, the EDPB endorsed the GDPR-related Article 29 Working Party Guidelines which had been published to date.

The EDPB’s most distinctive role is to conciliate and determine disputes between national supervisory authorities. For more about that activity, see the section on competence, tasks and powers. The old Article 29 Working Party was often criticised for not consulting adequately before taking decisions. The EDPB is required to consult interested parties “where appropriate”. Notwithstanding the “get-out” qualification, this is a major benefit to those who may be affected by opinions, guidelines, advice and proposed best practice.

EDPB discussions are to be “confidential where the Board deems it necessary, as provided for in its rules of procedure”. This suggests that meetings and discussions will, in principle, be public unless otherwise determined.

Finally, the EDPB publishes Annual Reports.
Further reading:
EDPB Guidelines and reports:

EDPB Guidelines 09/2020 on relevant and reasoned objection under Regulation 2016/679

EDPB Guidelines 02/2022 on the application of Article 60 GDPR

EDPB Guidelines 8/2022 on identifying a controller or processor’s lead supervisory authority

Contribution of the EDPB to the evaluation of the GDPR under Article 97

EDPB binding decisions:

Binding decision 1/2021 on the dispute arisen on the draft decision of the Irish Supervisory Authority
regarding WhatsApp Ireland under Article 65(1)(a) GDPR

Binding Decision 2/2022 on the dispute arisen on the draft decision of the Irish Supervisory Authority
regarding Meta Platforms Ireland Limited (Instagram) under Article 65(1)(a) GDPR

Binding Decision 3/2022 on the dispute submitted by the Irish SA on Meta Platforms Ireland Limited
and its Facebook service (Article 65 GDPR)

Binding Decision 4/2022 on the dispute submitted by the Irish SA on Meta Platforms Ireland Limited
and its Instagram service (Article 65 GDPR)

Binding Decision 5/2022 on the dispute submitted by the Irish SA regarding WhatsApp Ireland Limited
(Article 65 GDPR)

Urgent Binding Decision 01/2021 on the request under Article 66(2) GDPR from the Hamburg (German)
Supervisory Authority for ordering the adoption of final measures regarding Facebook Ireland Limited

Court cases

Case C-645/19, Facebook Ireland Ltd, Facebook Inc., Facebook Belgium BVBA v Gegevensbeschermingsautoriteit

Case T-709/21, WhatsApp Ireland v European Data Protection Board

Case T-129/23, Meta Platforms Ireland v European Data Protection Board

Case C-252/21, Meta Platforms Inc., Meta Platforms Ireland Limited, Facebook Deutschland GmbH v Bundeskartellamt

CNIL v Google, Decision of 21 January 2019 (EDPB summary) and French Supreme Court decision
upholding CNIL’s decision (in French only)

Where can I find this?


Recitals 139 & 140, and Chapter VII Section 3

7. ENFORCEMENT

Remedies and liabilities

At a glance
• Individuals have the following rights (against controllers and processors):
— the right to lodge a complaint with supervisory authorities where their personal data has been processed in a way that does not comply with the GDPR;
— the right to an effective judicial remedy where a competent supervisory authority fails to deal properly with a complaint;
— the right to an effective judicial remedy against a relevant controller or processor; and
— the right to compensation from a relevant controller or processor for material or non-material damage resulting from infringement of the GDPR.
• Both natural and legal persons have the right of appeal to national courts against a legally binding decision concerning them made by a supervisory authority.
• Individuals can bring claims for non-pecuniary loss. The potential for actions to be brought by representative bodies is facilitated.
• Judicial remedies and liability for compensation extend to both data controllers and data processors who infringe the Regulation.

To do list
Controllers and their processors should ensure that data processing agreements and contract management arrangements clearly specify the scope of the processor’s responsibilities and should agree to mechanisms for resolving disputes regarding respective liabilities to settle compensation claims.

Controllers and processors should agree to report to other controllers or processors that are involved in the same processing any relevant compliance breaches and any complaints or claims received from relevant data subjects.
Complaints to supervisory authorities

The rights of data subjects to complain to supervisory authorities are slightly strengthened as compared to the Data Protection Directive. The Directive obliged supervisory authorities to hear claims lodged by data subjects to check the lawfulness of data processing and inform data subjects that a check had taken place.

Under the GDPR, data subjects whose personal data are processed in a way that does not comply with the GDPR have a specific right to lodge a complaint with supervisory authorities, and supervisory authorities must inform data subjects of the progress and outcome of the complaints.

Judicial remedies against decisions of supervisory authorities

Both data subjects and other affected parties have rights to an effective judicial remedy in relation to certain acts and decisions of supervisory authorities.

• Any person has the right to an effective judicial remedy against legally binding decisions concerning him/her, taken by a supervisory authority.
• Data subjects have the right to an effective judicial remedy where a supervisory authority fails to deal with a complaint or fails to inform the data subject within 3 months of the progress or outcome of his or her complaint.

Recital 143 of the GDPR explains that decisions and actions that may be challenged in the courts include the exercise of investigative, corrective, and authorisation powers by the supervisory authority or the dismissal or rejection of complaints. The right does not encompass other measures by supervisory authorities which are not legally binding, such as opinions issued or advice provided by supervisory authorities.

Judicial remedies against data controllers & data processors

Data subjects whose rights have been infringed have the right to an effective judicial remedy against the data controller or processor responsible for the alleged breach. This extends beyond the equivalent provision previously contained in the Data Protection Directive, which provided a judicial remedy only against data controllers but not against data processors.
Liability for compensation

Any person who has suffered damage as a result of infringement of the GDPR has the right to receive compensation from the controller or the processor. Previously, under the Data Protection Directive, liability for compensation was limited to controllers only.

The following provision is made for the allocation of liability for compensation between controllers and processors:

• controllers are liable for damage caused by processing which is not in compliance with the GDPR;
• processors are liable only for damage caused by any processing in breach of obligations specifically imposed on processors by the GDPR, or caused by processing that is outside, or contrary to, lawful instructions of the controller; and
• in order to ensure effective compensation for data subjects, controllers and processors that are involved in the same processing and are responsible for any damage caused shall each be held liable for the entire damage. However, a processor or controller that is held liable to pay compensation on this basis is entitled to recover from other relevant parties that part of the compensation corresponding to their part of the responsibility for the damage.

Whilst the Data Protection Directive referred only to the right to compensation for “damage”, the GDPR makes clear that compensation may be recovered for both pecuniary and non-pecuniary losses. This clarification is, however, consistent with current English law interpretation of the meaning of damage for the purpose of compensation claims previously made under the Data Protection Act 1998 (see Google Inc. v Vidal-Hall & Others [2015] EWCA Civ 311).

The CJEU in the Österreichische Post case (case C-300/21) determined that the right to compensation provided for by the GDPR is subject to three cumulative conditions: (i) infringement of the GDPR, (ii) material or non-material damage resulting from that infringement and (iii) a causal link between the damage and the infringement. As such, a mere infringement of the GDPR does not give rise to a right to compensation. The CJEU also held that there is no requirement for the non-material damage suffered to reach a certain threshold of seriousness in order to confer a right to compensation.

In December 2023 the CJEU further explored these issues in the case C-340/21 – Natsionalna agentsia za prihodite, involving the Bulgarian National Revenue Agency (the NAP). The Court determined that the fear of a possible misuse of personal data is capable, in itself, of constituting non-material damage. However, where a person claiming compensation on that basis relies on the fear that his or her personal data will be misused in the future owing to the existence of such an infringement, the national court dealing with the case must verify that that fear can be regarded as well founded, in the specific circumstances at issue and with regard to the data subject.

The GDPR provides that controllers and processors are exempt from liability if they are “not in any way responsible for the event giving rise to the damage”. This exemption appears to be slightly narrower than the exemption that could be claimed under the Data Protection Directive by a controller who could prove “that he is not responsible for the event giving rise to the damage”.
Representative bodies

The GDPR entitles representative bodies, acting on behalf of data subjects, to lodge complaints with supervisory authorities and seek judicial remedies against a decision of a supervisory authority or against data controllers or processors. The provision applies to any representative body that is:

• a not-for-profit body, organisation or association;
• properly constituted according to Member State law;
• with statutory objectives that are in the public interest; and
• active in the field of data protection.

Data subjects may also mandate such bodies to exercise on their behalf rights to recover compensation from controllers or processors provided this is permitted by Member State law.

Where empowered to do so by Member State law, such representative bodies may, independently of a data subject’s mandate, lodge complaints with supervisory authorities and seek judicial remedies against decisions of a supervisory authority or against data controllers or processors.

The CJEU in Meta Platforms Ireland Limited v Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V. (C-319/20) confirmed that Article 80(2) of the GDPR must be interpreted as not precluding national legislation which allows a consumer protection association to bring legal proceedings for infringements of laws protecting personal data in the absence of a mandate conferred on it for that purpose and independently of the infringement of specific rights of the data subjects.

There were no equivalent provisions in the Data Protection Directive.
Where can I find this?


Articles 77-82, Recitals 141-147

7. ENFORCEMENT

Administrative fines

At a glance
• Supervisory authorities are empowered to impose significant administrative fines on both data controllers and data processors.
• Fines may be imposed instead of, or in addition to, measures that may be ordered by supervisory authorities. They may be imposed for a wide range of contraventions, including purely procedural infringements.
• Administrative fines are discretionary rather than mandatory; they must be imposed on a case-by-case basis and must be “effective, proportionate and dissuasive”.
• There are two tiers of administrative fines:
— Some contraventions will be subject to administrative fines of up to €10,000,000 or, in the case of undertakings, 2% of global turnover, whichever is higher.
— Others will be subject to administrative fines of up to €20,000,000 or, in the case of undertakings, 4% of global turnover, whichever is higher.
• Member States may determine whether, and to what extent, public authorities should be subject to administrative fines.
General considerations

Administrative fines are not applicable automatically and are to be imposed on a case-by-case basis. Recital 148 clarifies that in the case of a minor infringement, or where a fine would impose a disproportionate burden on a natural person, a reprimand may be issued instead of a fine. In its guidelines on the application and setting of administrative fines, the EDPB says supervisory authorities must assess all the facts of the case in a manner that is consistent and objectively justified. In particular, supervisory authorities must assess what is effective, proportionate and dissuasive in each case to meet the objective pursued by the corrective measure chosen, i.e. to re-establish compliance with rules, or to punish unlawful behaviour (or both).

There used to be a high degree of variation across Member States in relation to the imposition of financial penalties by supervisory authorities. Although arrangements under the GDPR make provision for maximum penalties and allow supervisory authorities a degree of discretion in relation to their imposition, Recital 150 indicates that the consistency mechanism may be used to promote a consistent application of administrative fines. This is reinforced in the EDPB’s guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679 (3 October 2017) (WP253), which push for a harmonised approach by means of active participation and information exchange among supervisory authorities to ensure that equivalent sanctions are imposed for similar cases.

On 12 May 2022, the EDPB released its draft guidelines on the calculation of fines under the GDPR, which were subsequently finalised and adopted in June 2023. The aim of the guidelines is to harmonise the methodology supervisory authorities use when calculating the amount of the fine and to complement the aforementioned EDPB guidelines on the application and setting of administrative fines. The guidelines set out a 5-step calculation methodology: (i) DPAs have to establish whether the case at stake concerns one or more instances of sanctionable conduct and if they have led to one or multiple infringements (to clarify if all the infringements or only some of them can be fined); (ii) DPAs have to rely on a starting point for the calculation of the fine, for which the EDPB provides a harmonised method; (iii) DPAs have to consider aggravating or mitigating factors that can increase or decrease the amount of the fine, for which the EDPB provides a consistent interpretation; (iv) DPAs must determine the legal maximums of fines as set out in Article 83(4)-(6) GDPR and ensure that these amounts are not exceeded; and (v) DPAs need to analyse whether the calculated final amount meets the requirements of effectiveness, dissuasiveness and proportionality or whether further adjustments to the amount are necessary.

Maximum administrative fines

The GDPR sets out two sets of maximum thresholds for administrative fines that may be imposed for relevant infringements.

In each case, the maximum fine is expressed in € (euro) or, in the case of undertakings, as a percentage of total worldwide annual turnover of the preceding year, whichever is higher. Recital 150 confirms that in this context “an undertaking” should be understood as defined in Articles 101 and 102 of the Treaty on the Functioning of the European Union (“TFEU”) (i.e. broadly speaking, as entities engaged in economic activity).

Infringement of the following GDPR provisions is subject to administrative fines up to €20,000,000 or, in the case of undertakings, up to 4% of global turnover, whichever is higher:

• the basic principles for processing, including conditions for consent (Articles 5, 6, 7 and 9);
• data subjects’ rights (Articles 12-22);
• international transfers (Articles 44-49);
• obligations under Member State laws adopted under Chapter IX; and
1 2 3 4 5 6 7 8 9 10 89
• non-compliance with an order imposed by • on controllers and processors to co-operate
supervisory authorities (as referred to in Article with supervisory authorities (Article 31);
58(2)) or a failure to comply with a supervisory
authority’s investigation under Article 58(1). • to implement technical and organisational
measures (Article 32);
Other infringements are subject to
administrative fines up to €10,000,000 or, in • to report breaches when required by the GDPR
the case of undertakings, up to 2% of global to do so (Articles 33-34);
turnover, whichever is higher. Contraventions
subject to these maximum fines include • in relation to the conduct of privacy impact
infringement of the following obligations: assessment (Articles 35-36);

• to obtain consent to the processing of data • in relation to the appointment of Data


relating to children (Article 8); Protection Officers (Articles 37-39);

• to implement technical and organisational • imposed on certification bodies (Article 42-43 );


measures to ensure data protection by design and
and default (Article 25);
• imposed on monitoring bodies to take action for
• on joint controllers to agree to their respective infringement of codes of conduct (Article 41).
compliance obligations (Article 26);
In cases where the same or linked processing
• on controllers and processors not established in involves violation of several provisions of the
the EU to designate representatives (Article 27); GDPR, fines may not exceed the amount specified
for the most serious infringement.
• on controllers in relation to the engagement of
processors (Article 28); In December 2023 the CJEU delivered judgment
in Case C-683/21, involving the National Public
• on processors to subcontract only with the Health Centre under the Lithuanian Ministry of
prior consent of the controller and to process Health. It found as a matter of general principle
data only on the controller’s instruction that a controller can be found liable and be fined
(Articles 28-29); for the actions of a processor, performing data
processing operations on behalf of that controller,
• to maintain written records (Article 30); unless the processor was acting in a way that was
incompatible with the arrangements previously
agreed with the controller.

Factors to be taken into account

Article 83(2) lists factors to be taken into account by a supervisory authority when determining whether to impose an administrative fine and deciding on the amount of any fine to be imposed. These include:

• the nature, gravity and duration of the infringement having regard to the nature, scope or purpose of the processing concerned as well as the number of data subjects and level of damage suffered by them;

• whether the infringement is intentional or negligent;

• actions taken by the controller or processor to mitigate the damage suffered by data subjects;

• the degree of responsibility of the controller or processor;

• any relevant previous infringements;

• the degree of co-operation with the supervisory authority;

• categories of personal data affected;

• whether the infringement was notified by the controller or processor to the supervisory authority;

• any previous history of enforcement;

• adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and

• any other aggravating or mitigating factors applicable to the circumstances of the case (e.g. financial benefits gained, losses avoided, directly or indirectly, from the infringement).

Where fines are imposed on persons that are not an undertaking, the supervisory authority should also take account of a person’s economic situation.

In setting the level of administrative fines within each threshold, the EDPB’s guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679 require that supervisory authorities assess all the facts of the case in a manner that is consistent and objectively justified.
8. SPECIAL CASES

Derogations and special conditions

At a glance

Under the GDPR Member States retain the ability to introduce derogations where these are required for the purposes of national security, prevention and detection of crime and in certain other situations. In line with case law of the Court of Justice of the European Union, any such derogation must respect “the essence” of the right to data protection and be a necessary and proportionate measure.

The GDPR either requires or permits Member States to introduce supplemental laws for certain special purposes. In the case of historical and scientific research, statistical processing and archiving, this can even provide a lawful basis for processing special categories of data.

Other special topics where Member State law is foreseen by the GDPR include processing of employee data, processing in connection with freedom of expression and professional secrecy (where restrictions of supervisory authority audit rights are foreseen).

Controllers (and, in some cases, processors) need to check for and adjust to different Member State approaches in these areas.

Local variations should be considered as they are significant in many areas, e.g. HR data processing.

To do list

Assess whether any processing you carry out may be subject to derogations or special conditions under the GDPR, and check what has been implemented in Member State laws applicable to you.
Commentary

Special cases

The GDPR contains broad derogations and exemptions in two main areas: (1) in Chapter III Section 5, regarding “restrictions” to obligations and data protection rights; and (2) in Chapter IX, regarding “specific processing situations”. The EU Commission’s Directorate-General for Justice and Consumers published a report summarising Member States’ implementation of these specific provisions in January 2021.

Article 23 – Restrictions

Article 23 of the GDPR created the right for Member States to introduce derogations in certain situations. Member States are able to introduce derogations from transparency obligations and data subject rights, but only where the measure “respects the essence of … fundamental rights and freedoms and is … necessary and proportionate … in a democratic society”.

Any derogation must safeguard one of the following:

• national security;

• defence;

• public security;

• the prevention, investigation, detection or prosecution of criminal offences or breaches of ethics in regulated professions;

• other important public interests, in particular economic or financial interests (e.g. budgetary and taxation matters);

• the protection of judicial independence and proceedings;

• the exercise of official authority in monitoring, inspection or regulatory functions connected to the exercise of official authority regarding security, defence, other important public interests or crime/ethics prevention;

• the protection of the data subject, or the rights and freedoms of others; or

• the enforcement of civil law matters.

In order for a measure to be acceptable, it must (in accordance with Article 23(2)) include specific provisions setting out:

• the purposes of processing;

• the affected categories of data;

• the scope of the restrictions to the GDPR which are introduced by the measure;

• safeguards to prevent abuse, unlawful access or transfer;

• the controllers who may rely on the restrictions;

• the applicable retention periods and security measures;

• the risk to data subjects’ rights and freedoms; and

• the right of data subjects to be informed about the restriction, unless this is prejudicial to the purpose of the restriction.

Articles 85-91: “Specific Data Processing Situations”

The provisions in Chapter IX GDPR provide for a mixed set of derogations, exemptions and powers to impose additional requirements, in respect of GDPR obligations and rights, for particular types of processing.

Article 85: Freedom of expression and information

This provision requires Member States to introduce exemptions to the GDPR where necessary to “reconcile the right to the protection of personal data with the right to freedom of expression and information.” Article 85(2) makes specific provision for processing carried out for journalistic purposes, or for the purposes of academic, artistic or literary expression. Member States were required to notify the European Commission on how they implemented this requirement and of any changes to such laws.
Article 86: Public access to official documents

This provision allows personal data within official documents to be disclosed in accordance with Union or Member State laws which allow public access to official documents. This is not without limit: such laws should, according to Recital 154 GDPR, “reconcile public access to official documents…with the right to protection of personal data”.

Article 87: National identification numbers

This maintains the right of Member States to set their own conditions for processing national identification numbers, provided appropriate safeguards are in place.

Article 88: Employee data

Member States are permitted to establish (either by law or through collective agreements) more specific rules in respect of the processing of employee personal data, covering every major aspect of the employment cycle from recruitment to termination. This includes the ability to implement rules setting out when consent may be deemed valid in an employment relationship. Such rules must include specific measures to safeguard the data subject’s “dignity, legitimate interests and fundamental rights”, and the GDPR cites transparency of processing, intragroup transfers and monitoring systems as areas where specific regard for these issues is required. Member States must notify the European Commission of any laws introduced under this Article, and must also notify it of any amendments. Details on this can be found on the European Commission website.

Article 89(1) and (2): Scientific and historical research purposes or statistical purposes

Article 89(1) acknowledges that controllers may process data for these purposes where appropriate safeguards are in place (see sections on lawfulness of processing and further processing and Special categories of data and lawful processing). Where possible, controllers are required to fulfil these purposes with data which does not permit, or no longer permits, the identification of data subjects; if anonymisation is not possible, pseudonymisation should be used, unless this would also prejudice the purpose of the research or statistical process. Useful comments on pseudonymisation were published by ENISA in their January 2019 report entitled “Recommendations on shaping technology according to GDPR provisions - An overview on data pseudonymisation”, and guidelines on anonymisation feature in the EDPB’s work programme for 2023-2024.

Article 89(2) allows Member States and the EU to further legislate to provide derogations from data subject rights to access, rectification, erasure, restriction and objection (subject to safeguards as set out in Article 89(1)) where such rights “render impossible or seriously impair” the achievement of these specific purposes, and derogation is necessary to meet those requirements.

The recitals add further detail on how “scientific research”, “historical research” and “statistical purposes” should be interpreted. Recital 159 states that scientific research should be “interpreted in a broad manner” and includes privately funded research, as well as studies carried out in the public interest. In order for processing to be considered statistical in nature, Recital 162 says that the result of processing should not be “personal data, but aggregate data” and should not be used to support measures or decisions regarding a particular individual.

Article 89(1) and (3): Archiving in the public interest

The same derogations and safeguards exist for “archiving in the public interest” as are mentioned above in respect of processing for research and statistical purposes, except that derogations may also be granted for the right to data portability. Further detail is included in Recital 158, which suggests that this should only be relied upon by bodies or authorities that have an obligation to interact with records of “enduring value for general public interest” under Member State or Union law.

Article 90: Obligations of secrecy

This Article allows Member States to introduce specific rules to safeguard “professional” or “equivalent secrecy obligations” where supervisory authorities are empowered to have access to personal data or premises. These rules must “reconcile the right to protection of personal data against the obligations of secrecy”, and can only apply to data received or obtained under such obligation. Again, Member States must notify the European Commission of any laws introduced under this Article and must also notify it of any amendments. Details on this can be found on the European Commission website.
Article 91: Churches and religious associations

This Article protects “comprehensive” existing rules for churches, religious associations and communities where these are brought into line with the GDPR’s provisions. Such entities will still be required to submit to the control of an independent supervisory authority under the conditions of Chapter VI (see section on co-operation and consistency between supervisory authorities).

Where can I find this?

Derogations
Article 23, Recital 73

Special conditions
Articles 6(2), 6(3), 9(2)(a), 85-91
Recitals 50, 53, 153-165
9. DELEGATED ACTS AND IMPLEMENTING ACTS

Delegated acts, implementing acts and final provisions

At a glance

As prescribed by the final chapters of the GDPR, the GDPR took effect on 25 May 2018. The GDPR’s intended relationship with other EU data protection instruments including Directive 2002/58/EC (the “e-Privacy Directive”) is also set out in these chapters.

The European Commission will report regularly on the GDPR. These final provisions also empower the European Commission to adopt certain delegated acts under the GDPR (e.g. in respect of the use of icons and certification mechanisms).
Commentary

Chapter 10 of the GDPR grants the European Commission the power to adopt delegated acts (as referred to in Article 12(8) in respect of standardised icons and in Article 43(8) in respect of certification mechanisms). These delegated legislative powers can be revoked by the Parliament or the Council at any time. Delegated acts enter into force no earlier than 3 months after being issued, and only if neither the Parliament nor the Council objects. The European Commission will be assisted by a committee, in accordance with Regulation 182/2011. It is of particular importance that the European Commission carry out appropriate consultations when carrying out its preparatory work, including at expert level (Recital 166).

Implementing powers are also conferred on the European Commission in order to ensure uniform conditions for the implementation of the GDPR, which should also be exercised in accordance with Regulation 182/2011.

Chapter 11 of the GDPR confirms that the Data Protection Directive was repealed on 25 May 2018. References in other legislation to the repealed Data Protection Directive are now construed as references to the GDPR, and references to the Article 29 Working Party are now construed as references to the EDPB.

The European Commission will report regularly on the GDPR to the Parliament and the Council, with particular focus on the GDPR’s data transfer, co-operation and consistency provisions. The first report was published on 24 June 2020, and new reports will follow every 4 years thereafter, with the next being due in June 2024. The reports will be made public.

Article 95 makes clear that the GDPR must be interpreted so as to not impose additional obligations on providers of publicly available electronic communications services in the Union to the extent that they are subject to specific obligations under the e-Privacy Directive (2002/58/EC, as amended) that have the same objectives. A new EU Privacy Regulation was proposed by the European Commission, in early 2017, to replace the e-Privacy Directive; however, the European Parliament and Council have so far failed to reach agreement on the final text.

Recital 171 clarifies that where processing is based on a consent obtained before the GDPR came into force, it is not necessary for the individual to give their consent again if the way the consent was given is in line with the conditions of the GDPR.

Where can I find this?

Articles 92-99, Recitals 166-173
About Us

A leading data protection and technology-focussed law firm

Data protection experts

We are top ranked in legal directories and we boast one of the largest practices in Europe and Asia Pacific. We have a deep understanding of changes in technology and law. Our clients often collect large quantities of sensitive data and are high profile businesses, for whom the disclosure or misuse of data will have severe ramifications.

A number of our lawyers are former members of data protection authorities. Some of our lawyers have also spent time in-house, giving the team hands-on experience, and reinforcing a pragmatic, collaborative approach to providing legal services for our clients.

Global coverage

We have 1,400 lawyers worldwide across a global network spanning 32 offices in 23 countries.

Bird & Bird office locations: Abu Dhabi ● Amsterdam ● Beijing ● Bratislava ● Brussels ● Budapest ● Casablanca ● Copenhagen ● Dubai ● Dublin ● Dusseldorf ● Frankfurt ● The Hague ● Hamburg ● Helsinki ● Hong Kong ● London ● Luxembourg ● Lyon ● Madrid ● Milan ● Munich ● Paris ● Prague ● Rome ● San Francisco ● Shanghai ● Singapore ● Stockholm ● Sydney ● Warsaw ● Shenzhen

Bird & Bird Plus Firms: Building a collaborative network so that we can offer clients a joined-up, international legal service with affiliated law firms

Contact us

Reach out to one of our team if you have a data protection query.
twobirds.com
The information given in this document concerning technical legal or professional subject matter is for guidance only and does not constitute legal
or professional advice. Always consult a suitably qualified lawyer on any specific legal problem or matter. Bird & Bird assumes no responsibility for
such information contained in this document and disclaims all liability in respect of such information.
This document is confidential. Bird & Bird is, unless otherwise stated, the owner of copyright of this document and its contents. No part of this
document may be published, distributed, extracted, re-utilised, or reproduced in any material form.
Bird & Bird is an international legal practice comprising Bird & Bird LLP and its affiliated and associated businesses.
Bird & Bird LLP is a limited liability partnership, registered in England and Wales with registered number OC340318 and is authorised and regulated
by the Solicitors Regulation Authority (SRA) with SRA ID497264. Its registered office and principal place of business is at 12 New Fetter Lane, London
EC4A 1JP. A list of members of Bird & Bird LLP and of any non-members who are designated as partners, and of their respective professional
qualifications, is open to inspection at that address.
