This is a collection of information I collected for taking the IAPP CIPP/E Privacy certification based on GDPR. At the time of writing this (beginning of 2017) the textbooks were not yet updated to reflect the changes due to GDPR. Fortunately, almost everything can be found online.
The structure of the document is the CIPP/E Body of Knowledge version 1.1.0 as outline by IAPP. Bold text is my own emphasis. Italic text are my own personal words, interpretations and opinions. I'm not a lawyer so your mileage may vary. For me, writing and studying it was enough to let me pass the CIPP/E exam and most of the knowledge required to pass can be found in this document. I would recommend to also read the additional Web based privacy resources and GDPR resources as mentioned on the IAPP web site, as some of the questions require knowledge of how to apply the law in case based situations. Also, some of the guidelines and reports from those resources contain information that may be subject of the certification. 

This information is shared under a Creative Commons Attribution-NonCommercial-ShareAlike license. If you find good additional information, feel free to contribute on https://github.com/jhammink/CIPP_E. Last update: 23 April 2017. A copy of this document can be retrieved as eBook here.

Have fun with it and good luck with your exam!

Jasper Hammink

Table of contents:

1. I. Introduction to European Data Protection
   1. A. Origins and Historical Context
      1. 1. Rationale for data protection
      2. 2. Human rights laws
      3. 3. Early laws and regulations
      4. 4. The need for a harmonised European approach
      5. 5. The Treaty of Lisbon
      6. 6. A modernised framework
   2. B. European Institutions
      1. 1. Council of Europe
      2. 2. European Court of Human Rights
      3. 3. European Parliament
      4. 4. European Commission
      5. 5. European Council
      6. 6. European Court of Justice
   3. C. Legislative Framework
      1. 1. The Council of Europe Convention for the Protection of Individuals with Regard to the Automatic Processing of Personal Data of 1981 (The CoE Convention)
      2. 2. The EU Data Protection Directive (95/46/EC)
      3. 3. The EU Directive on Privacy and Electronic Communications (2002/58/EC) – as amended
         1. Data retention and other issues
         2. Unsolicited e-mail and other messages
         3. Cookies
         4. Amendments
      4. 4. The EU Directive on Electronic Commerce (2000/31/EC)
         1. "Mere conduit"
         2. "Caching"
         3. Hosting
      5. 5. European data retention regimes
      6. 6. The General Data Protection Regulation (GDPR) and related legislation
2. II. European Data Protection Law and Regulation
   1. A. Data Protection Concepts
      1. 1. Personal data
      2. 2. Sensitive personal data
      3. 3. Pseudonymous and anonymous data
      4. 4. Processing
      5. 5. Controller
      6. 6. Processor
      7. 7. Data subject
   2. B. Application of the Law
      1. 1. Establishment in the EU
      2. 2. Non-establishment in the EU
   3. C. Data Protection Principles
      1. 1. Fairness and lawfulness
      2. 2. Purpose limitation
      3. 3. Proportionality
      4. 4. Accuracy
      5. 5. Storage limitation
      6. 6. Integrity and confidentiality
   4. D. Legitimate Processing Criteria
      1. 1. Consent
      2. 2. Contractual necessity
      3. 3. Legal obligation, vital interests and public interest
      4. 4. Legitimate interests
      5. 5. Special categories of processing
   5. E. Information Provision Obligations
      1. 1. Transparency principle
      2. 2. Privacy notices
      3. 3. Layered notices
   6. F. Data Subjects Rights
      1. 1. Access
      2. 2. Rectification
      3. 3. Erasure and the right to be forgotten (RTFBF)
      4. 4. Restriction and objection
      5. 5. Automated decision making, including profiling
      6. 6. Data portability
      7. 7. Restrictions
   7. G. Confidentiality and Security
      1. 1. Appropriate technical and organisational measures
      2. 2. Breach notification
      3. 3. Vendor Management
   8. H. Accountability Requirements
      1. 1. Responsibility of controllers and processors
      2. 2. Data protection by design and by default
      3. 3. Documentation and cooperation with regulators
      4. 4. Data protection impact assessment
      5. 5. Mandatory data protection officers
   9. I. Cross-Border Data Transfers
      1. 1. Rationale for prohibition
      2. 2. Safe jurisdictions
      3. 3. Safe Harbor and Privacy Shield
         1. Safe Harbor
         2. The EU-U.S. Privacy Shield
      4. 4. Model contracts
      5. 5. Binding Corporate Rules (BCRs)
      6. 6. Codes of Conduct and Certifications
      7. 7. Derogations
   10. J. Supervision and enforcement
       1. 1. Supervisory authorities and their powers
       2. 2. The European Data Protection Board
       3. 3. Role of the European Data Protection Supervisor (EDPS)
   11. K. Consequences for GDPR violations
       1. 1. Process and procedures
       2. 2. Infringements and fines
       3. 3. Data subject compensation
3. III.Compliance with European Data Protection Law and Regulation
   1. A. Employment Relationship
      1. 1. Legal basis for processing of employee data
      2. 2. Storage of personnel records
      3. 3. Workplace monitoring and data loss prevention
         1. Legal instruments
         2. Surveillance And Monitoring Of Electronic Communications In The Work Place Under Directive 95/46/EC: Principles
         3. E-mail monitoring
         4. Monitoring of Internet access
         5. Data Loss Prevention
      4. 4. EU Works councils
      5. 5. Whistleblowing systems
      6. 6. 'Bring your own device' (BYOD) programs
         1. Security
         2. Privacy
         3. Ethics / legal questions
   2. B. Surveillance Activities
      1. 1. Surveillance by public authorities
      2. 2. Interception of communications
      3. 3. Closed-circuit television (CCTV)
      4. 4. Geolocation
   3. C. Marketing Activities
      1. 1. Telemarketing
      2. 2. Direct marketing
      3. 3. Online behavioural targeting
   4. D. Internet Technology and Communications
      1. 1. Cloud computing
         1. Code of conduct
      2. 2. Web cookies
      3. 3. Search engine marketing (SEM)
      4. 4. Social networking services

I. Introduction to European Data Protection

A. Origins and Historical Context

1. Rationale for data protection

Could not find any information on this

2. Human rights laws

Universal Declaration of Human Rights 1948 , Article 12

No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks. (source: http://www.un.org/en/universal-declaration-human-rights/index.html)

European Convention on Human Rights 1950 Article 8 – Right to respect for private and family life
1. Everyone has the right to respect for his private and family life, his home and his correspondence.
2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others. Source: https://en.wikipedia.org/wiki/Article_8_of_the_European_Convention_on_Human_Rights

3. Early laws and regulations

A right to protection of an individual’s private sphere against intrusion from others, especially from the state, was laid down in an international legal instrument for the first time in Article 12 of the United Nations (UN) Universal Declaration of Human Rights (UDHR) of 1948 on respect for private and family life.1 The UDHR influenced the development of other human rights instruments in Europe. (source: handbook data protection law 2nd ed)

The Council of Europe was formed in the aftermath of the Second World War to bring together the states of Europe to promote the rule of law, democracy, human rights and social development. For this purpose, it adopted the European Convention on Human Rights (ECHR) in 1950, which entered into force in 1953. States have an international obligation to comply with the ECHR. All CoE member states have now incorporated or given effect to the ECHR in their national law, which requires them to act in accordance with the provisions of the Convention. To ensure that the Contracting Parties observe their obligations under the ECHR, the European Court of Human Rights (ECtHR), was set up in Strasbourg, France, in 1959. The ECtHR ensures that states observe their obligations under the Convention by considering complaints from individuals, groups of individuals, NGOs or legal persons alleging violations of the Convention.(source: handbook data protection law 2nd ed)

1957: Treaty of Rome, established European Economic Area (EEA), renamed in 2009 to Treaty of Functioning of European Union (TFEU)

1980: OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data

1981: Convention 108
With of the emergence of information technology in the 1960s, a growing need developed for more detailed rules to safeguard individuals by protecting their (personal) data. By the mid-1970s, the Committee of Ministers of the Council of Europe adopted various resolutions on the protection of personal data, referring to Article 8 of the ECHR.7 In 1981, a Convention for the protection of individuals with regard to the automatic processing of personal data (Convention 108) was opened for signature.(source: handbook data protection law 2nd ed) Convention 108 was, and still remains, the only legally binding international instrument in the data protection field.

All EU Member States have ratified Convention 108. In 1999, Convention 108 was amended to enable the EU to become a Party.9 In 2001, an Additional Protocol to Convention 108 was adopted, introducing provisions on transborder data flows to non-parties, so-called third countries, and on the mandatory establishment of national data protection supervisory authorities. (source: handbook data protection law 2nd ed)

• Convention 108 applies to all data processing carried out by both the private and public sector, such as data processing by the judiciary and law enforcement authorities.
• It protects the individual against abuses, which may accompany the collection and processing of personal data, and seeks, at the same time, to regulate the transborder flow of personal data. As regards the collection and processing of personal data, the principles laid down in the convention concern, in particular, fair and lawful collection and automatic processing of data, stored for specified legitimate purposes and not for use for ends incompatible with these purposes nor kept for longer than is necessary.
• They also concern the quality of the data, in particular that they must be adequate, relevant and not excessive (proportionality) as well as accurate.
• In addition to providing guarantees on the collection and processing of personal data, it outlaws, in the absence of proper legal safeguards, the processing of ‘sensitive’ data, such as on a person’s race, politics, health, religion, sexual life or criminal record.
• The convention also enshrines the individual’s right to know that information is stored on him or her and, if necessary, to have it corrected. Restrictions on the rights laid down in the convention are possible only when overriding interests, such as state security or defence, are at stake.

1992: Treaty of Maastricht: Establishment of the EU 

1995: The EU Data Protection Directive (95/46/EC)

2000: Charter of Fundamental Rights of the European Union
The original treaties of the European Communities did not contain any reference to human rights or their protection. As cases came before the then European Court of Justice (ECJ) alleging human rights violations in areas within the scope of EU law, however, it developed a new approach. To grant protection to individuals, it brought fundamental rights into the so-called general principles of European law. According to the CJEU, these general principles reflect the content of human rights protection found in national constitutions and human rights treaties, in particular the ECHR. The CJEU stated that it would ensure the compliance of EU law with these principles. In recognising that its policies could have an impact on human rights and in an effort to make citizens feel ‘closer’ to the EU, the EU in 2000 proclaimed the Charter of Fundamental Rights of the European Union (Charter). This Charter incorporates the whole range of civil, political, economic and social rights of European citizens, by synthesising the constitutional traditions and international obligations common to the Member States. The rights described in the Charter are divided into six sections: dignity, freedoms, equality, solidarity, citizens’ rights and justice.
Although originally only a political document, the Charter became legally binding as EU primary law (see Article 6 (1) of the TEU) with the coming into force of the Lisbon Treaty on 1 December 2009.
The Charter not only guarantees the respect for private and family life (Article 7), but also establishes the right to data protection (Article 8), explicitly raising the level of this protection to that of a fundamental right in EU law. EU institutions as well as Member States must observe and guarantee this right, which also applies to Member States when implementing Union law (Article 51 of the Charter). Formulated several years after the Data Protection Directive, Article 8 of the Charter must be understood as embodying pre-existing EU data protection law. The Charter, therefore, not only explicitly mentions a right to data protection in Article 8 (1), but also refers to key data protection principles in Article 8 (2). Finally, Article 8 (3) of the Charter ensures that an independent authority will control the implementation of these principles.(source: handbook data protection law 2nd ed)

4. The need for a harmonised European approach

Every day within the EU, businesses, public authorities and individuals transfer vast amounts of personal data across borders. Conflicting data protection rules in different countries would disrupt international exchanges. Individuals might also be unwilling to transfer personal data abroad if they were uncertain about the level of protection in other countries.
Therefore, common EU rules have been established to ensure that your personal data enjoys a high standard of protection everywhere in the EU. You have the right to complain and obtain redress if your data is misused anywhere within the EU. (source: http://ec.europa.eu/justice/data-protection/)

5. The Treaty of Lisbon

With the entry into force of the Treaty of Lisbon in December 2009, the Charter of Fundamental Rights of the EU became legally binding, and with this the right to the protection of personal data was elevated to the status of a separate fundamental right. (source: handbook data protection law 2nd ed)

Most important articles with regard to privacy::

Article 7

Respect for private and family life

Everyone has the right to respect for his or her private and family life, home and communications.

Article 8

Protection of personal data

1.Everyone has the right to the protection of personal data concerning him or her.

2.Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.

3.Compliance with these rules shall be subject to control by an independent authority.

(source: http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:C:2007:303:FULL&from=EN)

It establishes 7 EU institutions:

1. European Parliament (> 700 members) - Legislative
2. European Council (28 heads of member states in 2014)
3. Council of the EU / "The Council" (groups of 28 ministers by theme) - Legislative
4. European Commission / "The Commission" (28 commissioners and +23000 useless and overpaid civil servants)
5. The Court of Justice of the EU
6. European Central Bank
7. Court of Auditors

6. A modernised framework

Couldn't find any information on this

B. European Institutions

1. Council of Europe

(Not to be confused with European Council or Council of the European Union.) 

This is not an EU institution. The Council of Europe (CoE; French: Conseil de l'Europe) is an international organisation focused on protecting human rights, democracy, rule of law in Europe[2]and promoting European culture.[3] Founded in 1949, it has 47 member states, covers approximately 820 million people and operates with an annual budget of approximately half a billion euros.[4]
The organisation is distinct from the 28-nation European Union (EU), although it is sometimes confused with it, partly because the EU has adopted the original European Flag which was created by the Council of Europe in 1955,[5] as well as the European Anthem.[6] No country has ever joined the EU without first belonging to the Council of Europe.[7]

2. European Court of Human Rights

The best known body of the Council of Europe is the European Court of Human Rights, which enforces the European Convention on Human Rights.

3. European Parliament

The European Parliament (EP) is the directly elected parliamentary institution of the European Union (EU). Together with the Council of the European Union (the Council) and the European Commission, it exercises the legislative function of the EU. The Parliament is composed of 751 (previously 766) members. Source: https://en.wikipedia.org/wiki/European_Parliament

4. European Commission

The European Commission (EC) is an institution of the European Union, responsible for proposing legislation, implementing decisions, upholding the EU treaties and managing the day-to-day business of the EU.[2] Commissioners swear an oath at the European Court of Justice in Luxembourg, pledging to respect the treaties and to be completely independent in carrying out their duties during their mandate.[3]. The Commission operates as a cabinet government, with 28 members of the Commission (informally known as "commissioners"). Source: https://en.wikipedia.org/wiki/European_Commission

What does the Commission do?
Proposes new laws: The Commission is the sole EU institution tabling laws for adoption by the Parliament and the Council that:

• protect the interests of the EU and its citizens on issues that can't be dealt with effectively at national level;
• get technical details right by consulting experts and the public.

Manages EU policies & allocates EU funding

• Sets EU spending priorities, together with the Council and Parliament.
• Draws up annual budgets for approval by the Parliament and Council.
• Supervises how the money is spent, under scrutiny by the Court of Auditors.

Enforces EU law. Together with the Court of Justice, ensures that EU law is properly applied in all the member countries.

• Represents the EU internationally
• Speaks on behalf of all EU countries in international bodies, in particular in areas of trade policy and humanitarian aid.
• Negotiates international agreements for the EU. 

Source: https://europa.eu/european-union/about-eu/institutions-bodies/european-commission_en

5. European Council

The European Council (French: Conseil européen), charged with defining the EU's overall political direction and priorities, is the institution of the European Union (EU) that comprises the heads of state or government of the member states, along with the President of the European Council and the President of the European Commission. Source: https://en.wikipedia.org/wiki/European_Council

6. European Court of Justice

The European Court of Justice (ECJ), officially just the Court of Justice (French: Cour de Justice), is the highest court in the European Union in matters of European Union law. As a part of the Court of Justice of the European Union it is tasked with interpreting EU law and ensuring its equal application across all EU member states.[1] The Court was established in 1952 and is based in Luxembourg. It is composed of one judge per member state – currently 28 – although it normally hears cases in panels of three, five or 15[2] judges. Source: https://en.wikipedia.org/wiki/European_Court_of_Justice 

Council of the European Union

AKA The Council. Apparantly IAPP find them not important as they are not in the list of  European Institutions required to know for certification. However, they can adopt EU laws together with the Parliament on proposal of the Commission. They consist of Government ministers from each EU country, according to the policy area to be discussed

C. Legislative Framework

1. The Council of Europe Convention for the Protection of Individuals with Regard to the Automatic Processing of Personal Data of 1981 (The CoE Convention)

CoE Convention 108 is the first international legally binding instrument dealing explicitly with data protection. Convention 108 was, and still remains, the only legally binding international instrument in the data protection field.

Convention 108 applies to all data processing carried out by both the private and public sector, such as data processing by the judiciary and law enforcement authorities. It protects the individual against abuses, which may accompany the collection and processing of personal data, and seeks, at the same time, to regulate the transborder flow of personal data. As regards the collection and processing of personal data, the principles laid down in the convention concern, in particular, fair and lawful collection and automatic processing of data, stored for specified legitimate purposes and not for use for ends incompatible with these purposes nor kept for longer than is necessary. They also concern the quality of the data, in particular that they must be adequate, relevant and not excessive (proportionality) as well as accurate. In addition to providing guarantees on the collection and processing of personal data, it outlaws, in the absence of proper legal safeguards, the processing of ‘sensitive’ data, such as on a person’s race, politics, health, religion, sexual life or criminal record. The convention also enshrines the individual’s right to know that information is stored on him or her and, if necessary, to have it corrected. Restrictions on the rights laid down in the convention are possible only when overriding interests, such as state security or defence, are at stake. Although the convention provides for free flow of personal data between State Parties to the convention, it also imposes some restrictions on those flows to states where legal regulation does not provide equivalent protection.

Treaty No.181: The text will increase the protection of personal data and privacy by improving the original Convention of 1981 (ETS No. 108) in two areas. Firstly, it provides for the setting up of national supervisory authorities responsible for ensuring compliance with laws or regulations adopted in pursuance of the convention, concerning personal data protection and transborder data flows. The second improvement concerns transborder data flows to third countries. Data may only be transferred if the recipient State or international organisation is able to afford an adequate level of protection.  Source: http://fra.europa.eu/en/publication/2014/handbook-european-data-protection-law

2. The EU Data Protection Directive (95/46/EC)

The principal EU legal instrument on data protection is Directive 95/46/EC of the European Parliament and the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (Data Protection Directive).11 It was adopted in 1995, at a time when several Member States had already adopted national data protection laws. Free movement of goods, capital, services and people within the internal market required the free flow of data, which could not be realised unless the Member States could rely on a uniform high level of data protection.

As the aim of adopting the Data Protection Directive was harmonisation12 of data protection law at the national level, the directive affords a degree of specificity comparable to that of the (then) existing national data protection laws. For the CJEU, “Directive 95/46 is intended […] to ensure that the level of protection of the rights and freedoms of individuals with regard to the processing of personal data is equivalent in all Member States. […] The approximation of the national laws applicable in this area must not result in any lessening of the protection they afford but must, on the contrary, seek to ensure a high level of protection in the EU. Accordingly, […] the harmonisation of those national laws is not limited to minimal harmonisation but amounts to harmonisation which is generally complete.”13 Consequently, the EU Member States have only limited freedom to manoeuvre when implementing the directive.

The Data Protection Directive is designed to give substance to the principles of the right to privacy already contained in Convention 108, and to expand them. The fact that all 15 EU Member States in 1995 were also Contracting Parties to Convention 108 rules out the adoption of contradictory rules in these two legal instruments. The Data Protection Directive, however, draws on the possibility, provided for in Article 11 of Convention 108, of adding on instruments of protection. In particular, the introduction of independent supervision as an instrument for improving compliance with data protection rules proved to be an important contribution to the effective functioning of European data protection law. (Consequently, this feature was taken over into CoE law in 2001 by the Additional Protocol to Convention 108.)

The territorial application of the Data Protection Directive extends beyond the 28 EU Member States, including also the non-EU Member States that are part of the European Economic Area (EEA)14 – namely Iceland, Liechtenstein and Norway.

The CJEU in Luxembourg has jurisdiction to determine whether a Member State has fulfilled its obligations under the Data Protection Directive and to give preliminary rulings concerning the validity and interpretation of the directive, in order to ensure its effective and uniform application in the Member States. An important exemption from the applicability of the Data Protection Directive is the so-called household exemption, namely the processing of personal data by private individuals for merely personal or household purposes.15 Such processing is generally seen as part of the freedoms of the private individual.

Corresponding to EU primary law in force at the time of the adoption of the Data Protection Directive, the material scope of the directive is limited to matters of the internal market. Outside its scope of application are, most importantly, matters of police and criminal justice cooperation. (source: handbook data protection law 2nd ed)

3. The EU Directive on Privacy and Electronic Communications (2002/58/EC) – as amended

E-Privacy Directive
The Electronic Privacy Directive has been drafted specifically to address the requirements of new digital technologies and ease the advance of electronic communications services.^[1]The Directive complements theData Protection Directiveand applies to all matters which are not specifically covered by that Directive. ^[2]In particular, the subject of the Directive is the “right to privacy in the electronic communication sector” and free movement of data, communication equipment and services.

The first general obligation in the Directive is to provide security of services. ^[4]The addressees are providers of electronic communications services. This obligation also includes the duty to inform the subscribers whenever there is a particular risk, such as a virus or other malware attack.^[5]
The second general obligation is for the confidentiality of information to be maintained.^[6]The addressees are Member States, who should prohibit listening, tapping, storage or other kinds of interception or surveillance of communication and “related traffic”, unless the users have given their consent or conditions of Article 15(1) have been fulfilled.

Data retention and other issues

The directive obliges the providers of services to erase or anonymize the traffic data processed when no longer needed, unless the conditions from Article 15 have been fulfilled.^[7]Retention is allowed for billing purposes but only as long as thestatute of limitationsallows the payment to be lawfully pursued. Data may be retained upon a user’s consent for marketing and value-added services. For both previous uses, the data subject must be informed why and for how long the data is being processed.
Subscribers have the right to non-itemised billing.^[8]Likewise, the users must be able to opt out of calling-line identification.^[9]
Where data relating to location of users or other traffic can be processed, Article 9 provides that this will only be permitted if such data is anonymized, where users have given consent, or for provision of value-added services. Like in the previous case, users must be informed beforehand of the character of information collected and have the option to opt out.^[10]

Unsolicited e-mail and other messages

Article 13 prohibits the use of email addresses for marketing purposes. The Directive establishes theopt-inregime, where unsolicited emails may be sent only with prior agreement of the recipient. A natural or legal person who initially collects address data in the context of the sale of a product or service, has the right to use it for commercial purposes provided the customers have a prior opportunity to reject such communication where it was initially collected and subsequently. Member States have the obligation to ensure that unsolicited communication will be prohibited, except in circumstances given in Article 13.
Two categories of emails (or communication in general) will also be excluded from the scope of the prohibition. The first is the exception for existing customer relationships and the second for marketing of similar products and services.^[11]The sending of unsolicited text messages, either in the form of SMS messages, push mail messages or any similar format designed for consumer portable devices (mobile phones, PDAs) also falls under the prohibition of Article 13.^[12]

Cookies

The Directive provision applicable tocookiesis Article 5(3). Recital 25 of the Preamble recognizes the importance and usefulness of cookies for the functioning of modern Internet and directly relates Article 5(3) to them but Recital 24 also warns of the danger that such instruments may present to privacy. The change in the law does not affect all types of cookies; those that are deemed to be "strictly necessary for the delivery of a service requested by the user", such as for example, cookies that track the content's of a user's shopping cart on anonline shoppingservice, are exempted.
The article is technology neutral, not naming any specific technological means which may be used to store data, but applies to any information that a website causes to be stored in a user's browser. This reflects the EU legislator’s desire to leave the regime of the directive open to future technological developments.
The addressees of the obligation are Member States, who must ensure that the use of electronic communications networks to store information in a visitor's browser is only allowed if the user is provided with “clear and comprehensive information”, in accordance with theData Protection Directive, about the purposes of the storage of, or access to, that information; and has given his or her consent.
The regime so set-up can be described asopt-in, effectively meaning that the consumer must give his or her consent before cookies or any other form of data is stored in their browser. The UK Regulations allow for consent to be signified by future browser settings, which have yet to be introduced but which must be capable of presenting enough information so that a user can give their informed consent and indicating to a target website that consent has been obtained. Initial consent can be carried over into repeated content requests to a website. The Directive does not give any guidelines as to what may constitute an opt-out, but requires that cookies, other than those "strictly necessary for the delivery of a service requested by the user" are not to be placed without user consent.
(source: https://en.wikipedia.org/wiki/Directive_on_Privacy_and_Electronic_Communications)

Amendments

The Data Retention Directive 2006/24/EC: According to the directive, member states will have to store citizens' telecommunications data for a minimum of 6 months and at most 24 months. On 8 April 2014, the Court of Justice of the European Union declared the Directive invalid Source: https://en.wikipedia.org/wiki/Data_Retention_Directive

Directive 2009/136/EC The 2009 Directive (Cookie law) introduced in the European Union legal framework an obligation for electronic communications providers to report, without undue delay, personal data breaches to the relevant national authority, and to individuals affected when there is a risk to their personal data or privacy.

4. The EU Directive on Electronic Commerce (2000/31/EC)

he E-Commerce Directive makes several provisions on the liability of intermediaries.

"Mere conduit"

Who an information society service is provided that consists of the transmission in a communication network of information provided by a recipient of the service, or the provision of access to a communication network, Member States shall ensure that the service provider is not liable for the information transmitted, on condition that the provider: (a) does not initiate the transmission; (b) does not select the receiver of the transmission; and (c) does not select or modify the information contained in the transmission. The acts of transmission and of provision of access include the automatic, intermediate and transient storage of the information transmitted in so far as this takes place for the sole purpose of carrying out the transmission in the communication network, and provided that the information is not stored for any period longer than is reasonably necessary for the transmission.

"Caching"

Where an information society service is provided that consists of the transmission in a communication network of information provided by a recipient of the service, Member States shall ensure that the service provider is not liable for the automatic, intermediate and temporary storage of that information, performed for the sole purpose of making more efficient the information's onward transmission to other recipients of the service upon their request, on condition that: (a) the provider does not modify the information; (b) the provider complies with conditions on access to the information; (c) the provider complies with rules regarding the updating of the information, specified in a manner widely recognized and used by industry; (d) the provider does not interfere with the lawful use of technology, widely recognized and used by industry, to obtain data on the use of the information; and (e) the provider acts expeditiously to remove or to disable access to the information it has stored upon obtaining actual knowledge of the fact that the information at the initial source of the transmission has been removed from the network, or access to it has been disabled, or that a court or an administrative authority has ordered such removal or disablement.

Hosting

Where an information society service is provided that consists of the storage of information provided by a recipient of the service, Member States shall ensure that the service provider is not liable for the information stored at the request of a recipient of the service, on condition that: (a) the provider does not have actual knowledge of illegal activity or information and, as regards claims for damages, is not aware of facts or circumstances from which the illegal activity or information is apparent; or (b) the provider, upon obtaining such knowledge or awareness, acts expeditiously to remove or to disable access to the information.

Source: https://en.wikipedia.org/wiki/Electronic_Commerce_Directive

5. European data retention regimes

The Data Retention Directive 2006/24/EC: According to the directive, member states will have to store citizens' telecommunications data for a minimum of 6 months and at most 24 months. On 8 April 2014, the Court of Justice of the European Union declared the Directive invalid (source: https://en.wikipedia.org/wiki/Data_Retention_Directive)

In 2014, the CJEU invalidated the Data Retention Directive, holding that it provided insufficient safeguards against interferences with the rights to privacy and data protection. This decision triggered considerable activity at both judicial and legislative levels in 2015.

In the absence of a valid Data Retention Directive, Member States may still provide for a data retention scheme. However, such schemes must also comply with the rules regarding the rights to privacy and personal data protection set out in Article 15 of the ePrivacy Directive, the EU Charter of Fundamental Rights and the CJEU ruling. (source: http://fra.europa.eu/en/theme/information-society-privacy-and-data-protection/data-retention)

6. The General Data Protection Regulation (GDPR) and related legislation

Well, see chapter II.

II. European Data Protection Law and Regulation

A. Data Protection Concepts

Source: http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN

1. Personal data

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

2. Sensitive personal data

Also called Special information: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited, except....

3. Pseudonymous and anonymous data

‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
Anonymous data: information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.

4. Processing

‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

5. Controller

‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

6. Processor

‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller

7. Data subject

an identified or identifiable natural person

B. Application of the Law

1. Establishment in the EU

1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
The GDPR will apply directly in all Member States of the European Union and in Iceland, Liechtenstein and Norway, which are part of the European Economic Area (EEA). source: https://www.mwe.com/en/thought-leadership/publications/2016/06/european-general-data-protection-regulation

2. Non-establishment in the EU

2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
3.This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
So residency is not important

C. Data Protection Principles

All principles apply:

1. Fairness and lawfulness

processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
*fairly *: open term for normal, decent behavior

2. Purpose limitation

collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
* legitimate *: There has to be a reason justifying the limitation to the right to privacy.

3. Proportionality

adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
* limited *: both in terms of scope and time (data retention)
*adequate *: Collecting too little information may lead to incorrect or incomplete information on a data subject

4. Accuracy

accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);

5. Storage limitation

kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’)
13 2 (a) the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing:: the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
So the controller must determine explicit retention periods or criteria

6. Integrity and confidentiality

processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)

D. Legitimate Processing Criteria

Any one of these criteria is sufficient
Regarding processing of data for other purposes:
Where the processing for a purpose other than that for which the personal data have been collected is not based on the data subject's consent or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1), the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected, take into account, inter alia:
(a) any link between the purposes for which the personal data have been collected and the purposes of the intended further processing;
(b) the context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller;
(c) the nature of the personal data, in particular whether special categories of personal data are processed, pursuant to Article 9, or whether personal data related to criminal convictions and offences are processed, pursuant to Article 10;
(d) the possible consequences of the intended further processing for data subjects;
(e) the existence of appropriate safeguards, which may include encryption or pseudonymisation.

1. Consent

4: ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her
Article 7::

1.Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.

2.If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.

3.The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.

4.When assessing whether consent is freely given, utmost account shall be taken of whether,inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

2. Contractual necessity

processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract

3. Legal obligation, vital interests and public interest

processing is necessary for compliance with a legal obligation to which the controller is subject*;
processing is necessary in order to protect the vital interests of the data subject or of another natural person;
Vital interests: concerning the health of people
processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller*
Public interest: not limited to official government authorities
* The basis for the processing referred to in point 1 and 3 shall be laid down by: (a) Union law; or (b) Member State law to which the controller is subject.

4. Legitimate interests

processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child
This shall not apply to processing carried out by public authorities in the performance of their tasks.

Recital 47: At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing.

5. Special categories of processing

Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.

Paragraph 1 shall not apply if one of the following applies:
(a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;
(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
(c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;
(e) processing relates to personal data which are manifestly made public by the data subject;
(f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
(g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;
(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;
(i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;
(j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
3.Personal data referred to in paragraph 1 may be processed for the purposes referred to in point (h) of paragraph 2 when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.
4.Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health.

Processing of personal data relating to criminal convictions and offences

Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of official authority.

E. Information Provision Obligations

1. Transparency principle

Article 12

Transparent information, communication and modalities for the exercise of the rights of the data subject

1.The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.
2.The controller shall facilitate the exercise of data subject rights under Articles 15 to 22. In the cases referred to in Article 11(2), the controller shall not refuse to act on the request of the data subject for exercising his or her rights under Articles 15 to 22, unless the controller demonstrates that it is not in a position to identify the data subject.
3.The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.
4.If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
5.Information provided under Articles 13 and 14 and any communication and any actions taken under Articles 15 to 22 and 34 shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:
(a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or
(b) refuse to act on the request.
The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.
6.Without prejudice to Article 11, where the controller has reasonable doubts concerning the identity of the natural person making the request referred to in Articles 15 to 21, the controller may request the provision of additional information necessary to confirm the identity of the data subject.
7.The information to be provided to data subjects pursuant to Articles 13 and 14 may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner a meaningful overview of the intended processing. Where the icons are presented electronically they shall be machine-readable.
8.The Commission shall be empowered to adopt delegated acts in accordance with Article 92 for the purpose of determining the information to be presented by the icons and the procedures for providing standardised icons.

2. Privacy notices

Source: ICO privacy notice code of practice
Best practice on why a privacy notice may be important, what to include, how to present it and how to let people choose (opt-in).

3. Layered notices

Source: ICO privacy notice code of practice
It usually consists of a short notice containing the key information, such as the identity of the organisation and the way you will use the personal information. It may contain links that expand each section to its full version, or a single link to a second, longer notice which provides more detailed information. This can, in turn, contain links to further material that explains specific issues, such as the circumstances in which information may be disclosed to the police.

F. Data Subjects Rights

1. Access

1.The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
(a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
(d)where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
(e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
(f) the right to lodge a complaint with a supervisory authority;
(g) where the personal data are not collected from the data subject, any available information as to their source;
(h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
2.Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.
3.The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
4.The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.

2. Rectification

The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

3. Erasure and the right to be forgotten (RTFBF)

1.The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
(c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
(d) the personal data have been unlawfully processed;
(e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
(f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).
2.Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
3.Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:
(a) for exercising the right of freedom of expression and information;
(b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(c) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);
(d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
(e) for the establishment, exercise or defence of legal claims.

4. Restriction and objection

Right to restriction of processing
1.The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
(a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
(b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
(c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
(d) the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.
2.Where processing has been restricted under paragraph 1, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
3.A data subject who has obtained restriction of processing pursuant to paragraph 1 shall be informed by the controller before the restriction of processing is lifted.

Right to object
1.The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
2.Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
3.Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
4.At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.
5.In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.
6.Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

5. Automated decision making, including profiling

1.The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
2.Paragraph 1 shall not apply if the decision:
(a) is necessary for entering into, or performance of, a contract between the data subject and a data controller;
(b) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or
(c) is based on the data subject's explicit consent.
3.In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
4.Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject's rights and freedoms and legitimate interests are in place.

6. Data portability

1.The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
(a) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and
(b) the processing is carried out by automated means.
2.In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
3.The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
4.The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.

7. Restrictions

1.Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:
(a) national security;
(b) defence;
(c) public security;
(d) the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;
(e) other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation a matters, public health and social security;
(f) the protection of judicial independence and judicial proceedings;
(g) the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;
(h) a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in points (a) to (e) and (g);
(i) the protection of the data subject or the rights and freedoms of others;
(j) the enforcement of civil law claims.
2.In particular, any legislative measure referred to in paragraph 1 shall contain specific provisions at least, where relevant, as to:
(a) the purposes of the processing or categories of processing;
(b) the categories of personal data;
(c) the scope of the restrictions introduced;
(d) the safeguards to prevent abuse or unlawful access or transfer;
(e) the specification of the controller or categories of controllers;
(f) the storage periods and the applicable safeguards taking into account the nature, scope and purposes of the processing or categories of processing;
(g) the risks to the rights and freedoms of data subjects; and
(h) the right of data subjects to be informed about the restriction, unless that may be prejudicial to the purpose of the restriction.

G. Confidentiality and Security

1. Appropriate technical and organisational measures

Article 32.
1.Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
2.In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
3.Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article.
4.The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law.

2. Breach notification

Article 33: Notification of a personal data breach to the supervisory authority
1.In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
2.The processor shall notify the controller without undue delay after becoming aware of a personal data breach.
3.The notification referred to in paragraph 1 shall at least:
(a) describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
(b) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
(c) describe the likely consequences of the personal data breach;
(d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
4.Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
5.The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with this Article.

Article 34: Communication of a personal data breach to the data subject
1.When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
2.The communication to the data subject referred to in paragraph 1 of this Article shall describe in clear and plain language the nature of the personal data breach and contain at least the information and measures referred to in points (b), (c) and (d) of Article 33(3).
3.The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions are met:
(a) the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
(b) the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialise;
(c) it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
4.If the controller has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so or may decide that any of the conditions referred to in paragraph 3 are met.

3. Vendor Management

Article 26:Joint controllers
1.Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, by means of an arrangement between them unless, and in so far as, the respective responsibilities of the controllers are determined by Union or Member State law to which the controllers are subject. The arrangement may designate a contact point for data subjects.
2.The arrangement referred to in paragraph 1 shall duly reflect the respective roles and relationships of the joint controllers vis-�-vis the data subjects. The essence of the arrangement shall be made available to the data subject.
3.Irrespective of the terms of the arrangement referred to in paragraph 1, the data subject may exercise his or her rights under this Regulation in respect of and against each of the controllers.

H. Accountability Requirements

1. Responsibility of controllers and processors

5.2: The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).
This implies that if the controller cannot demonstrate compliance, he can be fined just for that

11: If the purposes for which a controller processes personal data do not or do no longer require the identification of a data subject by the controller, the controller shall not be obliged to maintain, acquire or process additional information in order to identify the data subject for the sole purpose of complying with this Regulation.

Where, in cases referred to in paragraph 1 of this Article, the controller is able to demonstrate that it is not in a position to identify the data subject, the controller shall inform the data subject accordingly, if possible. In such cases, Articles 15 to 20 shall not apply except where the data subject, for the purpose of exercising his or her rights under those articles, provides additional information enabling his or her identification.

Article 24: Responsibility of the controller
1.Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.
2. Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller.
3.Adherence to approved codes of conduct as referred to in Article 40 or approved certification mechanisms as referred to in Article 42 may be used as an element by which to demonstrate compliance with the obligations of the controller.
Article 28: Processor
1.Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.
2.The processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.
3.Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. That contract or other legal act shall stipulate, in particular, that the processor:
(a) processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
(b) ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
(c) takes all measures required pursuant to Article 32;
(d) respects the conditions referred to in paragraphs 2 and 4 for engaging another processor;
(e) taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III;
(f) assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to the processor;
(g) at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data;
(h) makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
With regard to point (h) of the first subparagraph, the processor shall immediately inform the controller if, in its opinion, an instruction infringes this Regulation or other Union or Member State data protection provisions.
4.Where a processor engages another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and the processor as referred to in paragraph 3 shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of this Regulation. Where that other processor fails to fulfil its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor's obligations.
5.Adherence of a processor to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate sufficient guarantees as referred to in paragraphs 1 and 4 of this Article.
6.Without prejudice to an individual contract between the controller and the processor, the contract or the other legal act referred to in paragraphs 3 and 4 of this Article may be based, in whole or in part, on standard contractual clauses referred to in paragraphs 7 and 8 of this Article, including when they are part of a certification granted to the controller or processor pursuant to Articles 42 and 43.
7.The Commission may lay down standard contractual clauses for the matters referred to in paragraph 3 and 4 of this Article and in accordance with the examination procedure referred to in Article 93(2).
8.A supervisory authority may adopt standard contractual clauses for the matters referred to in paragraph 3 and 4 of this Article and in accordance with the consistency mechanism referred to in Article 63.
9.The contract or the other legal act referred to in paragraphs 3 and 4 shall be in writing, including in electronic form.
10.Without prejudice to Articles 82, 83 and 84, if a processor infringes this Regulation by determining the purposes and means of processing, the processor shall be considered to be a controller in respect of that processing.

Article 29: Processing under the authority of the controller or processor
The processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by Union or Member State law.

2. Data protection by design and by default

Article 25:Data protection by design and by default
1.Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.
2.The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.
3.An approved certification mechanism pursuant to Article 42 may be used as an element to demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this Article.

3. Documentation and cooperation with regulators

Article 30: Records of processing activities
1. Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:
(a) the name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer;
(b) the purposes of the processing;
(c) a description of the categories of data subjects and of the categories of personal data;
(d) the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
(e) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
(f) where possible, the envisaged time limits for erasure of the different categories of data;
(g) where possible, a general description of the technical and organisational security measures referred to in Article 32(1).
2. Each processor and, where applicable, the processor's representative shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing:
(a) the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller's or the processor's representative, and the data protection officer;
(b) the categories of processing carried out on behalf of each controller;
(c) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
(d) where possible, a general description of the technical and organisational security measures referred to in Article 32(1).
3.The records referred to in paragraphs 1 and 2 shall be in writing, including in electronic form.
4.The controller or the processor and, where applicable, the controller's or the processor's representative, shall make the record available to the supervisory authority on request.
5.The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.

Article 31: Cooperation with the supervisory authority
The controller and the processor and, where applicable, their representatives, shall cooperate, on request, with the supervisory authority in the performance of its tasks.

4. Data protection impact assessment

Article 35: Data protection impact assessment
1.Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.
2.The controller shall seek the advice of the data protection officer, where designated, when carrying out a data protection impact assessment.
3.A data protection impact assessment referred to in paragraph 1 shall in particular be required in the case of:
(a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
(b) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or
(c) a systematic monitoring of a publicly accessible area on a large scale.
4.The supervisory authority shall establish and make public a list of the kind of processing operations which are subject to the requirement for a data protection impact assessment pursuant to paragraph 1. The supervisory authority shall communicate those lists to the Board referred to in Article 68.
5.The supervisory authority may also establish and make public a list of the kind of processing operations for which no data protection impact assessment is required. The supervisory authority shall communicate those lists to the Board.
6.Prior to the adoption of the lists referred to in paragraphs 4 and 5, the competent supervisory authority shall apply the consistency mechanism referred to in Article 63 where such lists involve processing activities which are related to the offering of goods or services to data subjects or to the monitoring of their behaviour in several Member States, or may substantially affect the free movement of personal data within the Union.
7.The assessment shall contain at least:
(a) a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
(b) an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
(c) an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and
(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.
8. Compliance with approved codes of conduct referred to in Article 40 by the relevant controllers or processors shall be taken into due account in assessing the impact of the processing operations performed by such controllers or processors, in particular for the purposes of a data protection impact assessment.
9.Where appropriate, the controller shall seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of processing operations.
10.Where processing pursuant to point (c) or (e) of Article 6(1) has a legal basis in Union law or in the law of the Member State to which the controller is subject, that law regulates the specific processing operation or set of operations in question, and a data protection impact assessment has already been carried out as part of a general impact assessment in the context of the adoption of that legal basis, paragraphs 1 to 7 shall not apply unless Member States deem it to be necessary to carry out such an assessment prior to processing activities.
11. Where necessary, the controller shall carry out a review to assess if processing is performed in accordance with the data protection impact assessment at least when there is a change of the risk represented by processing operations.

Article 36: Prior consultation
1. The controller shall consult the supervisory authority prior to processing where a data protection impact assessment under Article 35 indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk.
2.Where the supervisory authority is of the opinion that the intended processing referred to in paragraph 1 would infringe this Regulation, in particular where the controller has insufficiently identified or mitigated the risk, the supervisory authority shall, within period of up to eight weeks of receipt of the request for consultation, provide written advice to the controller and, where applicable to the processor, and may use any of its powers referred to in Article 58. That period may be extended by six weeks, taking into account the complexity of the intended processing. The supervisory authority shall inform the controller and, where applicable, the processor, of any such extension within one month of receipt of the request for consultation together with the reasons for the delay. Those periods may be suspended until the supervisory authority has obtained information it has requested for the purposes of the consultation.
3.When consulting the supervisory authority pursuant to paragraph 1, the controller shall provide the supervisory authority with:
(a) where applicable, the respective responsibilities of the controller, joint controllers and processors involved in the processing, in particular for processing within a group of undertakings;
(b) the purposes and means of the intended processing;
(c) the measures and safeguards provided to protect the rights and freedoms of data subjects pursuant to this Regulation;
(d) where applicable, the contact details of the data protection officer;
(e) the data protection impact assessment provided for in Article 35; and
(f) any other information requested by the supervisory authority.
4.Member States shall consult the supervisory authority during the preparation of a proposal for a legislative measure to be adopted by a national parliament, or of a regulatory measure based on such a legislative measure, which relates to processing.
5.Notwithstanding paragraph 1, Member State law may require controllers to consult with, and obtain prior authorisation from, the supervisory authority in relation to processing by a controller for the performance of a task carried out by the controller in the public interest, including processing in relation to social protection and public health.

5. Mandatory data protection officers

Article 37: Designation of the data protection officer
1.The controller and the processor shall designate a data protection officer in any case where:
(a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
(b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
(c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.
2.A group of undertakings may appoint a single data protection officer provided that a data protection officer is easily accessible from each establishment.
3.Where the controller or the processor is a public authority or body, a single data protection officer may be designated for several such authorities or bodies, taking account of their organisational structure and size.
4.In cases other than those referred to in paragraph 1, the controller or processor or associations and other bodies representing categories of controllers or processors may or, where required by Union or Member State law shall, designate a data protection officer. The data protection officer may act for such associations and other bodies representing controllers or processors.
5.The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.
6.The data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract.
7.The controller or the processor shall publish the contact details of the data protection officer and communicate them to the supervisory authority.

Article 38: Position of the data protection officer
1.The controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.
2.The controller and processor shall support the data protection officer in performing the tasks referred to in Article 39 by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her expert knowledge.
3.The controller and processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks. He or she shall not be dismissed or penalised by the controller or the processor for performing his tasks. The data protection officer shall directly report to the highest management level of the controller or the processor.
4. Data subjects may contact the data protection officer with regard to all issues related to processing of their personal data and to the exercise of their rights under this Regulation.
5.The data protection officer shall be bound by secrecy or confidentiality concerning the performance of his or her tasks, in accordance with Union or Member State law.
6.The data protection officer may fulfil other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests.

Article 39: Tasks of the data protection officer
1.The data protection officer shall have at least the following tasks:
(a) to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
(b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
(c) to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
(d) to cooperate with the supervisory authority;
(e) to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.
2.The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.

I. Cross-Border Data Transfers

1. Rationale for prohibition

Recital 101: Flows of personal data to and from countries outside the Union and international organisations are necessary for the expansion of international trade and international cooperation. The increase in such flows has raised new challenges and concerns with regard to the protection of personal data. However, when personal data are transferred from the Union to controllers, processors or other recipients in third countries or to international organisations, the level of protection of natural persons ensured in the Union by this Regulation should not be undermined, including in cases of onward transfers of personal data from the third country or international organisation to controllers, processors in the same or another third country or international organisation. In any event, transfers to third countries and international organisations may only be carried out in full compliance with this Regulation. A transfer could take place only if, subject to the other provisions of this Regulation, the conditions laid down in the provisions of this Regulation relating to the transfer of personal data to third countries or international organisations are complied with by the controller or processor.

45: A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection.

46: In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.
2.The appropriate safeguards referred to in paragraph 1 may be provided for, without requiring any specific authorisation from a supervisory authority, by:
(a) a legally binding and enforceable instrument between public authorities or bodies;
(b) binding corporate rules in accordance with Article 47;
(c) standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93(2);
(d) standard data protection clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure referred to in Article 93(2);
(e) an approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights; or
(f) an approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights.
The basis for this principle is that such jurisdictions provide sufficient protection for the rights and freedoms of data subjects without the need for further safeguards. Source: https://www.whitecase.com/publications/article/chapter-13-cross-border-data-transfers-unlocking-eu-general-data-protection

2. Safe jurisdictions

The Commission has so far recognized Andorra, Argentina, Canada (commercial organisations), Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay as providing adequate protection. (source: http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm)

3. Safe Harbor and Privacy Shield

Safe Harbor

The Safe Harbour Privacy Principles were developed between 1998-2000. They were designed to prevent private organizations within the European Union or United States which store customer data from accidentally disclosing or losing personal information. US companies could opt into a program and be certified if they adhered to seven principles and 15 frequently asked questions and answers per the Directive. In July 2000, the European Commission (EC) decided that US companies complying with the principles and registering their certification that they met the EU requirements, the so-called "safe harbour scheme", were allowed to transfer data from the EU to the US. This is referred to as the Safe Harbour Decision.
The seven principles from 2000 are:

1. Notice - Individuals must be informed that their data is being collected and how it will be used.The organization must provide information about how individuals can contact the organization with any inquiries or complaints.
2. Choice - Individuals must have the option to opt out of the collection and forward transfer of the data to third parties.
3. Onward Transfer - Transfers of data to third parties may only occur to other organizations that follow adequate data protection principles.
4. Security - Reasonable efforts must be made to prevent loss of collected information.
5. Data Integrity - Data must be relevant and reliable for the purpose it was collected.
6. Access - Individuals must be able to access information held about them, and correct or delete it, if it is inaccurate.
7. Enforcement - There must be effective means of enforcing these rules.

The EU-US Safe Harbour Principles 'self certification scheme' has been criticised in regard to their compliance and enforcement in three external EU evaluations
source: https://en.wikipedia.org/wiki/International_Safe_Harbor_Privacy_Principles
'Safe Harbor' is now defunct because the European Court of Justice found the following:
(a) There is no general privacy law or other measures enacted in the US that shows the US offers "an adequate level of protection" for personal data relating to European data subjects;
(b) Public law enforcement authorities which obtain personal data from organisations in Safe Harbor are not obliged to follow the 'Safe Harbor' rules after disclosure;
(c) Some US law enforcement agencies can gain access to personal data in 'Safe Harbor' without having any law that legitimises their access; and
(d) The European Commission knew all the above and knew that personal data was possibly being used for incompatible and disproportionate purposes by law enforcement agencies.
If you read Article 8(2) of the Human Rights Convention, you will get the ECJ Judgment immediately.

As Snowden's leaks showed, there is no law legitimising the interference by the National Security Agencies, so one does not know whether any interference on their part is necessary. Source: http://www.theregister.co.uk/2015/10/08/understand_safe_harbor_ischrems_v_facebooki_in_under_300_words/

'Safe Harbor' is unsafe because such agencies in the USA can access personal data without due process, and because the US has no law that limits the use of personal data by them.

On 6 October 2015, the Court of Justice of the European Union declared the Commission’s 2000 Decision on EU-US Safe Harbour invalid.
On 6 November 2015 the European Commission adopted a Communication on the Transfer of Personal Data from the EU to the United States of America under Directive 95/46/EC following the Judgment by the Court of Justice in Case C-362/14 (Schrems). The aim was to provide an overview of the alternative tools for transatlantic data transfers in the absence of an adequacy decision.
On 29 February 2016, the Commission published a draft adequacy decision and the relevant commitments by U.S. authorities.
On 13 April 2016, the Article 29 Working Party issued its opinion: Opinion 01/2016 of the Article 29 Working Party on the EU – U.S. Privacy Shield draft adequacy decisionpdf(613 kB) Choose translations of the previous link.
On 8 July 2016, the Article 31 (comitology) Committee approved the revised draft decision.
On 12 July 2016, the Commission adopted Decision 2016/1250 on the adequacy of protection of the EU-U.S. Privacy Shield.
(source: http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm)

The EU-U.S. Privacy Shield

The Commission adopted on 12 July 2016 its decision on the EU-U.S. Privacy Shield.
This new framework protects the fundamental rights of anyone in the EU whose personal data is transferred to the United States as well as bringing legal clarity for businesses relying on transatlantic data transfers. The new arrangement includes:

• strong data protection obligations on companies receiving personal data from the EU
• safeguards on U.S. government access to data;
• effective protection and redress for individuals;
• annual joint review to monitor the implementation.

The Privacy Shield allows your personal data to be transferred from the EU to a company in the United States, provided that the company there processes (e.g. uses, stores and further transfers) your personal data according to a strong set of data protection rules and safeguards. The protection given to your data applies regardless of whether you are an EU citizen or not.

To transfer personal data from the EU to the U.S. different tools are available such as contractual clauses, binding corporate rules and the Privacy Shield. If the Privacy Shield is used, U.S. companies must first sign up to this framework with the U.S. Department of Commerce. The obligation applying to companies under the Privacy Shield are contained in the “Privacy Principles”. This Department is responsible for managing and administering the Privacy Shield and ensuring that companies live up to their commitments. In order to be able to certify, companies must have a privacy policy in line with the Privacy Principles. They must renew their “membership” to the Privacy Shield on an annual basis. If they do not, they can no longer receive and use personal data from the EU under that framework.

If you want to know if a company in the U.S. is part of the Privacy Shield, you can check the Privacy Shield List on the website of the Department of Commerce (https://www.privacyshield.gov/welcome). This list will give you details of all the companies taking part in the Privacy Shield, the kind of personal data they use, and the kind of services they offer. You can also find a list of companies that are no longer part of the Privacy Shield. This means they are no longer allowed to receive your personal data under the Privacy Shield. Also, these companies may only keep your personal data if they commit to the Department of Commerce that they will continue to apply the Privacy Principles.

The Privacy Shield provides you with a number of rights and companies are obliged to protect your personal data in line with the “Privacy Principles”.
1. Your right to be informed
2. Limitations on the use of your data for different purposes
3. Data minimisation and obligation to keep your data only for the time needed
4. Obligation to secure your data
5. Obligation to protect your data if transferred to another company
6. Your right to access and correct your data
7. Your right to lodge a complaint and obtain a remedy
8. Redress in case of access by U.S. public authorities

as an individual you have several possibilities to lodge a complaint, namely with the:
1. U.S. Privacy Shield company itself;
2. Independent recourse mechanism, such as ADR or DPA;
3. U.S. Department of Commerce, only through a DPA;
4. U.S. Federal Trade Commission (or the U.S. Department of Transportation if complaint relates to an airline or ticket agent);
5. Privacy Shield Panel, only once certain other redress options have failed.

While existing U.S. law provides you with protections and remedies in the law enforcement area, the Privacy Shield framework for the first time creates a special instrument to address national security access, the so-called Ombudsperson mechanism. The Privacy Shield Ombudsperson is a senior official within the U.S. Department of State who is independent from U.S. intelligence agencies. Assisted by a number of staff, the Ombudsperson will ensure that complaints are properly investigated and addressed in a timely manner, and that you receive confirmation that the relevant U.S. laws have been complied with or, if the laws have been violated, the situation has been remedied. In carrying out its duties, and following up on the complaints received, the Ombudsperson will work closely with and obtain all the information from other independent oversight and investigatory bodies necessary for its response when it concerns the compatibility of surveillance with U.S. law. These bodies are the ones responsible to oversee the various U.S. intelligence agencies.
Source: http://ec.europa.eu/justice/data-protection/files/eu-us_privacy_shield_guide_en.pdf
Some of the differences with Safe Harbor:

• Safeguards related to intelligence activities will extend to all data transferred to the U.S., regardless of the transfer mechanism used.
• The Shield’s dispute resolution framework provides multiple avenues for individuals to lodge complaints, more than those available under the Safe Harbor and alternative transfer mechanisms such as Standard Contractual Clauses or Binding Corporate Rules.
• An organization’s compliance with the Privacy Shield will be directly and indirectly monitored by a wider array of authorities in the U.S. and the EU, possibly increasing regulatory risks and compliance costs for participating organizations.
• The Department of Commerce will significantly expand its role in monitoring and supervising compliance, including by carrying out ex officio compliance reviews and investigations of participating organizations.
• Participating organizations will be subjected to additional compliance and reporting obligations, some of which will continue even after they withdraw from the Privacy Shield.

Source: https://www.mofo.com/resources/publications/privacy-shield-vs-safe-harbor-a-different-name-for-an-improved-agreement.html

4. Model contracts

These are the standard data protection clauses mentioned in article 46.
At the EU level, the European Commission with the assistance of the Article 29 Working Party developed standard contractual clauses which were officially certified by a Commission Decision as proof of adequate data protection.
The most important features of the standard contractual clauses are:

• a third-party beneficiary clause which enables data subjects to exercise contractual rights even though they are not a party to the contract;
• the data recipient or importer agreeing to be subject to the procedure of the data-exporting controller’s national supervisory authority and/or courts in case of dispute.

There are now two sets of standard clauses for controller-to-controller transfers available, from which the data-exporting controller can choose.For controller-to processor transfers, there is only one set of standard contractual clauses
Source: handbook data protection law 2nd ed

5. Binding Corporate Rules (BCRs)

Multilateral binding corporate rules (BCRs) very often involve several European data protection authorities at the same time.235 In order for BCRs to be approved, the draft of the BCRs must be sent together with the standardised application forms to the lead authority.236 The lead authority is identifiable from the standardised application form. This authority then informs all of the supervisory authorities in EEA member countries where affiliates of the group are established, although their participation in the evaluation process of the BCRs is voluntary.
Source: handbook data protection law 2nd ed
Article 47: Binding corporate rules

1.The competent supervisory authority shall approve binding corporate rules in accordance with the consistency mechanism set out in Article 63, provided that they:
(a) are legally binding and apply to and are enforced by every member concerned of the group of undertakings, or group of enterprises engaged in a joint economic activity, including their employees;
(b) expressly confer enforceable rights on data subjects with regard to the processing of their personal data; and
(c) fulfil the requirements laid down in paragraph 2.
2.The binding corporate rules referred to in paragraph 1 shall specify at least:
(a) the structure and contact details of the group of undertakings, or group of enterprises engaged in a joint economic activity and of each of its members;
(b) the data transfers or set of transfers, including the categories of personal data, the type of processing and its purposes, the type of data subjects affected and the identification of the third country or countries in question;
(c) their legally binding nature, both internally and externally;
(d) the application of the general data protection principles, in particular purpose limitation, data minimisation, limited storage periods, data quality, data protection by design and by default, legal basis for processing, processing of special categories of personal data, measures to ensure data security, and the requirements in respect of onward transfers to bodies not bound by the binding corporate rules;
(e) the rights of data subjects in regard to processing and the means to exercise those rights, including the right not to be subject to decisions based solely on automated processing, including profiling in accordance with Article 22, the right to lodge a complaint with the competent supervisory authority and before the competent courts of the Member States in accordance with Article 79, and to obtain redress and, where appropriate, compensation for a breach of the binding corporate rules;
(f) the acceptance by the controller or processor established on the territory of a Member State of liability for any breaches of the binding corporate rules by any member concerned not established in the Union; the controller or the processor shall be exempt from that liability, in whole or in part, only if it proves that that member is not responsible for the event giving rise to the damage;
(g) how the information on the binding corporate rules, in particular on the provisions referred to in points (d), (e) and (f) of this paragraph is provided to the data subjects in addition to Articles 13 and 14;
(h) the tasks of any data protection officer designated in accordance with Article 37 or any other person or entity in charge of the monitoring compliance with the binding corporate rules within the group of undertakings, or group of enterprises engaged in a joint economic activity, as well as monitoring training and complaint-handling;
(i) the complaint procedures;
(j) the mechanisms within the group of undertakings, or group of enterprises engaged in a joint economic activity for ensuring the verification of compliance with the binding corporate rules. Such mechanisms shall include data protection audits and methods for ensuring corrective actions to protect the rights of the data subject. Results of such verification should be communicated to the person or entity referred to in point (h) and to the board of the controlling undertaking of a group of undertakings, or of the group of enterprises engaged in a joint economic activity, and should be available upon request to the competent supervisory authority;
(k) the mechanisms for reporting and recording changes to the rules and reporting those changes to the supervisory authority;
(l) the cooperation mechanism with the supervisory authority to ensure compliance by any member of the group of undertakings, or group of enterprises engaged in a joint economic activity, in particular by making available to the supervisory authority the results of verifications of the measures referred to in point (j);
(m) the mechanisms for reporting to the competent supervisory authority any legal requirements to which a member of the group of undertakings, or group of enterprises engaged in a joint economic activity is subject in a third country which are likely to have a substantial adverse effect on the guarantees provided by the binding corporate rules; and
(n) the appropriate data protection training to personnel having permanent or regular access to personal data.
3.The Commission may specify the format and procedures for the exchange of information between controllers, processors and supervisory authorities for binding corporate rules within the meaning of this Article. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 93(2).

6. Codes of Conduct and Certifications

Code of conduct: intended to specify standards for specific categories of controllers: May become binding
Certification: To demonstrate a controller or a product satisfies a certain level of protection
Article 40: Codes of conduct
1.The Member States, the supervisory authorities, the Board and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of this Regulation, taking account of the specific features of the various processing sectors and the specific needs of micro, small and medium-sized enterprises.
2.Associations and other bodies representing categories of controllers or processors may prepare codes of conduct, or amend or extend such codes, for the purpose of specifying the application of this Regulation, such as with regard to:
(a) fair and transparent processing;
(b) the legitimate interests pursued by controllers in specific contexts;
(c) the collection of personal data;
(d) the pseudonymisation of personal data;
(e) the information provided to the public and to data subjects;
(f) the exercise of the rights of data subjects;
(g) the information provided to, and the protection of, children, and the manner in which the consent of the holders of parental responsibility over children is to be obtained;
(h) the measures and procedures referred to in Articles 24 and 25 and the measures to ensure security of processing referred to in Article 32;
(i) the notification of personal data breaches to supervisory authorities and the communication of such personal data breaches to data subjects;
(j) the transfer of personal data to third countries or international organisations; or
(k) out-of-court proceedings and other dispute resolution procedures for resolving disputes between controllers and data subjects with regard to processing, without prejudice to the rights of data subjects pursuant to Articles 77 and 79.
3.In addition to adherence by controllers or processors subject to this Regulation, codes of conduct approved pursuant to paragraph 5 of this Article and having general validity pursuant to paragraph 9 of this Article may also be adhered to by controllers or processors that are not subject to this Regulation pursuant to Article 3 in order to provide appropriate safeguards within the framework of personal data transfers to third countries or international organisations under the terms referred to in point (e) of Article 46(2). Such controllers or processors shall make binding and enforceable commitments, via contractual or other legally binding instruments, to apply those appropriate safeguards including with regard to the rights of data subjects.
4.A code of conduct referred to in paragraph 2 of this Article shall contain mechanisms which enable the body referred to in Article 41(1) to carry out the mandatory monitoring of compliance with its provisions by the controllers or processors which undertake to apply it, without prejudice to the tasks and powers of supervisory authorities competent pursuant to Article 55 or 56.
5.Associations and other bodies referred to in paragraph 2 of this Article which intend to prepare a code of conduct or to amend or extend an existing code shall submit the draft code, amendment or extension to the supervisory authority which is competent pursuant to Article 55. The supervisory authority shall provide an opinion on whether the draft code, amendment or extension complies with this Regulation and shall approve that draft code, amendment or extension if it finds that it provides sufficient appropriate safeguards.
6.Where the draft code, or amendment or extension is approved in accordance with paragraph 5, and where the code of conduct concerned does not relate to processing activities in several Member States, the supervisory authority shall register and publish the code.
7.Where a draft code of conduct relates to processing activities in several Member States, the supervisory authority which is competent pursuant to Article 55 shall, before approving the draft code, amendment or extension, submit it in the procedure referred to in Article 63 to the Board which shall provide an opinion on whether the draft code, amendment or extension complies with this Regulation or, in the situation referred to in paragraph 3 of this Article, provides appropriate safeguards.
8.Where the opinion referred to in paragraph 7 confirms that the draft code, amendment or extension complies with this Regulation, or, in the situation referred to in paragraph 3, provides appropriate safeguards, the Board shall submit its opinion to the Commission.
9.The Commission may, by way of implementing acts, decide that the approved code of conduct, amendment or extension submitted to it pursuant to paragraph 8 of this Article have general validity within the Union. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 93(2).
10.The Commission shall ensure appropriate publicity for the approved codes which have been decided as having general validity in accordance with paragraph 9.
11.The Board shall collate all approved codes of conduct, amendments and extensions in a register and shall make them publicly available by way of appropriate means.

Article 41: Monitoring of approved codes of conduct
1.Without prejudice to the tasks and powers of the competent supervisory authority under Articles 57 and 58, the monitoring of compliance with a code of conduct pursuant to Article 40 may be carried out by a body which has an appropriate level of expertise in relation to the subject-matter of the code and is accredited for that purpose by the competent supervisory authority.
2.A body as referred to in paragraph 1 may be accredited to monitor compliance with a code of conduct where that body has:
(a) demonstrated its independence and expertise in relation to the subject-matter of the code to the satisfaction of the competent supervisory authority;
(b) established procedures which allow it to assess the eligibility of controllers and processors concerned to apply the code, to monitor their compliance with its provisions and to periodically review its operation;
(c) established procedures and structures to handle complaints about infringements of the code or the manner in which the code has been, or is being, implemented by a controller or processor, and to make those procedures and structures transparent to data subjects and the public; and
(d) demonstrated to the satisfaction of the competent supervisory authority that its tasks and duties do not result in a conflict of interests.
3.The competent supervisory authority shall submit the draft criteria for accreditation of a body as referred to in paragraph 1 of this Article to the Board pursuant to the consistency mechanism referred to in Article 63.
4.Without prejudice to the tasks and powers of the competent supervisory authority and the provisions of Chapter VIII, a body as referred to in paragraph 1 of this Article shall, subject to appropriate safeguards, take appropriate action in cases of infringement of the code by a controller or processor, including suspension or exclusion of the controller or processor concerned from the code. It shall inform the competent supervisory authority of such actions and the reasons for taking them.
5.The competent supervisory authority shall revoke the accreditation of a body as referred to in paragraph 1 if the conditions for accreditation are not, or are no longer, met or where actions taken by the body infringe this Regulation.
6.This Article shall not apply to processing carried out by public authorities and bodies.

Article 42: Certification
1.The Member States, the supervisory authorities, the Board and the Commission shall encourage, in particular at Union level, the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors. The specific needs of micro, small and medium-sized enterprises shall be taken into account.
2.In addition to adherence by controllers or processors subject to this Regulation, data protection certification mechanisms, seals or marks approved pursuant to paragraph 5 of this Article may be established for the purpose of demonstrating the existence of appropriate safeguards provided by controllers or processors that are not subject to this Regulation pursuant to Article 3 within the framework of personal data transfers to third countries or international organisations under the terms referred to in point (f) of Article 46(2). Such controllers or processors shall make binding and enforceable commitments, via contractual or other legally binding instruments, to apply those appropriate safeguards, including with regard to the rights of data subjects.
3.The certification shall be voluntary and available via a process that is transparent.
4.A certification pursuant to this Article does not reduce the responsibility of the controller or the processor for compliance with this Regulation and is without prejudice to the tasks and powers of the supervisory authorities which are competent pursuant to Article 55 or 56.
5.A certification pursuant to this Article shall be issued by the certification bodies referred to in Article 43 or by the competent supervisory authority, on the basis of criteria approved by that competent supervisory authority pursuant to Article 58(3) or by the Board pursuant to Article 63. Where the criteria are approved by the Board, this may result in a common certification, the European Data Protection Seal.
6.The controller or processor which submits its processing to the certification mechanism shall provide the certification body referred to in Article 43, or where applicable, the competent supervisory authority, with all information and access to its processing activities which are necessary to conduct the certification procedure.
7. Certification shall be issued to a controller or processor for a maximum period of three years and may be renewed, under the same conditions, provided that the relevant requirements continue to be met. Certification shall be withdrawn, as applicable, by the certification bodies referred to in Article 43 or by the competent supervisory authority where the requirements for the certification are not or are no longer met.
8.The Board shall collate all certification mechanisms and data protection seals and marks in a register and shall make them publicly available by any appropriate means.

Article 43: Certification bodies
Certification bodies may be appointed to handle certification, provided they have demonstated sufficient expertise

7. Derogations

Article 49: Derogations for specific situations
1. In the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, including binding corporate rules, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only on one of the following conditions:
(a) the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;
(b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request;
(c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
(d) the transfer is necessary for important reasons of public interest;
(e) the transfer is necessary for the establishment, exercise or defence of legal claims;
(f) the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;
(g) the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case.
Where a transfer could not be based on a provision in Article 45 or 46, including the provisions on binding corporate rules, and none of the derogations for a specific situation referred to in the first subparagraph of this paragraph is applicable, a transfer to a third country or an international organisation may take place only if the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data. The controller shall inform the supervisory authority of the transfer. The controller shall, in addition to providing the information referred to in Articles 13 and 14, inform the data subject of the transfer and on the compelling legitimate interests pursued.
2.A transfer pursuant to point (g) of the first subparagraph of paragraph 1 shall not involve the entirety of the personal data or entire categories of the personal data contained in the register. Where the register is intended for consultation by persons having a legitimate interest, the transfer shall be made only at the request of those persons or if they are to be the recipients.
3.Points (a), (b) and (c) of the first subparagraph of paragraph 1 and the second subparagraph thereof shall not apply to activities carried out by public authorities in the exercise of their public powers.
4.The public interest referred to in point (d) of the first subparagraph of paragraph 1 shall be recognised in Union law or in the law of the Member State to which the controller is subject.
5. In the absence of an adequacy decision, Union or Member State law may, for important reasons of public interest, expressly set limits to the transfer of specific categories of personal data to a third country or an international organisation. Member States shall notify such provisions to the Commission.
6.The controller or processor shall document the assessment as well as the suitable safeguards referred to in the second subparagraph of paragraph 1 of this Article in the records referred to in Article 30.

J. Supervision and enforcement

1. Supervisory authorities and their powers

Article 51: Each Member State shall provide for one or more independent public authorities
Article 52: Each supervisory authority shall act with complete independence (free from external influance, own budget, own staff,
Article 53: General conditions for the members of the supervisory authority (qualifications, experience and skills, may not be fired)
Article 54: Rules on the establishment of the supervisory authority (member states will include this in local law, members of DPA will be bound to professional secrecy)
Article 55: Competence (on the territory of its own Member State, not competent to supervise processing operations of courts)
Article 56: Competence of the lead supervisory authority (for international organizations, the supervisory authority of the main establishment of the controller or processor shall be competent. Complaints may be lodged with any supervisory authority, who will relay this to the lead supervisory authority, who will decide whether to handle it themselves or let the local authority decide. )
Article 57: Tasks (Long list; monitor and enforce the application of this Regulation, promote it and advice local government. Handle complaints for free, unless excessive.)

Article 58: Powers
1.Each supervisory authority shall have all of the following investigative powers:
(a) to order the controller and the processor, and, where applicable, the controller's or the processor's representative to provide any information it requires for the performance of its tasks;
(b) to carry out investigations in the form of data protection audits;
(c) to carry out a review on certifications issued pursuant to Article 42(7);
(d) to notify the controller or the processor of an alleged infringement of this Regulation;
(e) to obtain, from the controller and the processor, access to all personal data and to all information necessary for the performance of its tasks;
(f) to obtain access to any premises of the controller and the processor, including to any data processing equipment and means, in accordance with Union or Member State procedural law.
2.Each supervisory authority shall have all of the following corrective powers:
(a) to issue warnings to a controller or processor that intended processing operations are likely to infringe provisions of this Regulation;
(b) to issue reprimands to a controller or a processor where processing operations have infringed provisions of this Regulation;
(c) to order the controller or the processor to comply with the data subject's requests to exercise his or her rights pursuant to this Regulation;
(d) to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period;
(e) to order the controller to communicate a personal data breach to the data subject;
(f) to impose a temporary or definitive limitation including a ban on processing;
(g) to order the rectification or erasure of personal data or restriction of processing pursuant to Articles 16, 17 and 18 and the notification of such actions to recipients to whom the personal data have been disclosed pursuant to Article 17(2) and Article 19;
(h) to withdraw a certification or to order the certification body to withdraw a certification issued pursuant to Articles 42 and 43, or to order the certification body not to issue certification if the requirements for the certification are not or are no longer met;
(i) to impose an administrative fine pursuant to Article 83, in addition to, or instead of measures referred to in this paragraph, depending on the circumstances of each individual case;
(j) to order the suspension of data flows to a recipient in a third country or to an international organisation.
3.Each supervisory authority shall have all of the following authorisation and advisory powers:
(a) to advise the controller in accordance with the prior consultation procedure referred to in Article 36;
(b) to issue, on its own initiative or on request, opinions to the national parliament, the Member State government or, in accordance with Member State law, to other institutions and bodies as well as to the public on any issue related to the protection of personal data;
(c) to authorise processing referred to in Article 36(5), if the law of the Member State requires such prior authorisation;
(d) to issue an opinion and approve draft codes of conduct pursuant to Article 40(5);
(e) to accredit certification bodies pursuant to Article 43;
(f) to issue certifications and approve criteria of certification in accordance with Article 42(5);
(g) to adopt standard data protection clauses referred to in Article 28(8) and in point (d) of Article 46(2);
(h) to authorise contractual clauses referred to in point (a) of Article 46(3);
(i) to authorise administrative arrangements referred to in point (b) of Article 46(3);
(j) to approve binding corporate rules pursuant to Article 47.
4.The exercise of the powers conferred on the supervisory authority pursuant to this Article shall be subject to appropriate safeguards, including effective judicial remedy and due process, set out in Union and Member State law in accordance with the Charter.
5.Each Member State shall provide by law that its supervisory authority shall have the power to bring infringements of this Regulation to the attention of the judicial authorities and where appropriate, to commence or engage otherwise in legal proceedings, in order to enforce the provisions of this Regulation.
6.Each Member State may provide by law that its supervisory authority shall have additional powers to those referred to in paragraphs 1, 2 and 3. The exercise of those powers shall not impair the effective operation of Chapter VII.

2. The European Data Protection Board

Article 60: Cooperation between the lead supervisory authority and the other supervisory authorities concerned
Article 61: Supervisory authorities shall provide each other with relevant information and mutual assistance
Article 62: Joint operations of supervisory authorities, borrow each others staff
Article 63: consistent application of this Regulation
Article 64: The board shall issue an opinion when a supervisory authority intends to adoptcriteria for PIA, code of conduct, accreditation, standard clauses and BCR. Also, a supervisory authority may request an opinion on issues of general application or producing effects in more than one Member State
Article 65: Dispute resolution. The board may take a binding decision when two DPA's disagree, cannot establish who has the lead or a DPA does not request the boards opinion or ignores it. It requires two-thirds majority of the members of the Board (or majority of that is not reached)
Article 66: Urgency procedure: temporary decision may be taken for no more than 3 months in case of urgent need to act in order to protect the rights and freedoms of data subjects. An urgent opinion or an urgent binding decision shall be adopted within two weeks by simple majority of the members of the Board.
Article 68: The Board shall be composed of the head of one supervisory authority of each Member State and of the European Data Protection Supervisor
European Data Protection Supervisor: a completely separate body which is tasked with supervision on handling personal data by EU insitutions, and advisory powers with regard to EU policy and law.
Article 70: Tasks of the Board (supervisor of the supervisors. issue guidelines, recommendations and best practices. advise the Commission on any issue related to the protection of personal data in the Union)

3. Role of the European Data Protection Supervisor (EDPS)

Established by Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data.

The EDPS and its tasks are not formally described in the GDPR. The EDPS is however mentioned because it takes part in the European Data Protection Board and it provides the secretariat for it.

Scope
1. This Regulation shall apply to the processing of personal data by all Community institutions and bodies insofar as such processing is carried out in the exercise of activities all or part of which fall within the scope of Community law.
2. This Regulation shall apply to the processing of personal data wholly or partly by automatic means, and to the processing otherwise than by automatic means of personal data which form part of a filing system or are intended to form part of a filing system.
Source: http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32001R0045&qid=1488831333871&from=NL

The EDPS' general objective is to ensure that the European institutions and bodies respect the right to privacy when they process personal data and develop new policies. A number of specific duties of the EDPS are laid down in Regulation (EC) No 45/2001. The three main fields of work are:

• Supervision : the EDPS monitors the processing of personal data in the EU administration and ensures compliance with the data protection rules. The supervisory tasks  range from prior checking processing operations likely to present specific risks, to handling complaints and conducting enquiries.
• Consultation : the EDPS advises the European Commission, the European Parliament and the Council on proposals for new legislation and a wide range of other issues having an impact on data protection.
• Cooperation : the EDPS cooperates with other data protection authorities in order to promote consistent data protection throughout Europe. The central platform for cooperation with national data protection authorities is the Article 29 Working Party.

SUPERVISION AND ENFORCEMENT

One of the EDPS' main tasks is to supervise personal data processing by the  European institutions and bodies . This supervision work takes various forms.

• The bulk of it is based on notifications of processing operations presenting specific risks. These need to be prior checked by the EDPS. Based on the facts submitted to him, the EDPS will examine the processing of personal data in relation to the Data Protection Regulation ( Regulation (EC) No 45/2001 ). In most cases, this exercise leads to a set of recommendations that the institution or body need to implement so as to ensure compliance with data protection rules.
• The EDPS receives complaints from EU staff members as well as from other people who feel that their personal data have been mishandled by a European institution or body. If a complaint is admissible, the EDPS usually carries out an inquiry. The findings are communicated to the complainant, and necessary measures are adopted.
• The EDPS may adopt opinions on administrative measures related to data protection adopted by European institutions and bodies.
• The EDPS may carry out inquiries on his own initiative. Inquiries and inspections are essential for a supervisory authority to have the means for fact-finding, following up of cases and monitoring of compliance in general.
• In order to monitor compliance with Regulation (EC) No 45/2001, the EDPS largely relies on the Data Protection Officers (DPOs) who are to be appointed in each institution/body. Apart from bilateral meetings and contacts with the DPOs, the EDPS also takes part in the regular meetings of the DPO network.
• Since January 2004, the EDPS has ensured the supervision of the central unit of Eurodac. An essential aspect of this supervision is the cooperation with national supervisory authorities and the drawing up recommendations for common solutions to existing problems.

The EDPS publishes thematic guidelines on critical issues to serve as reference documents for the European administration.In December 2010 the EDPS adopted a policy paper entitled: "Monitoring and Ensuring Compliance with Regulation (EC) 45/2001".

CONSULTATION

• The EDPS advises the EU institutions and bodies on data protection issues in a range of policy areas. His consultative role relates to proposals for new legislation, as well as soft law instruments (e.g. communications) that affect personal data protection in the EU. He also monitors new technologies that may have an impact on data protection. The objective is to ensure that the EU citizens' fundamental rights to protection of privacy and personal data are maintained, while society evolves.
• One of the primary tasks of the EDPS is to examine the data protection and privacy impact of proposed new legislation. The EDPS Policy paper of 2014 elaborates on how this role is interpreted in terms of limitations in scope, working methods and main orientations. The EDPS uses different instruments in order to exercise this role.
• The first instrument is a planning tool. Each year in December, the EDPS publishes an inventory of his priorities for the coming year. It lists the most relevant Commission proposals, which may require a formal reaction by the EDPS. Those proposals that are expected to have a strong impact on data protection are given high priority. This may also apply to research projects.
• The second and most important instrument is the formal public opinion . By issuing opinions on a regular basis, the EDPS establishes a consistent policy on data protection issues. The opinions are addressed to those involved in the legislative negotiations, but also published on the website as well as in the Official Journal of the EU.
• A third instrument of intervention is the EDPS comments , which address data protection issues for instance in Commission communications.
• A final instrument is the possibility to intervene in cases before the Court of Justice, the Court of First Instance and the Civil Service Tribunal.

COOPERATION


The third leg of EDPS' activities can best be described as cooperation. It covers work on specific issues, such as the interpretation of the EU Data Protection Directive, as well as more structural collaboration together with other data protection authorities. The overriding aim of the EDPS is to promote consistency in the protection of personal data throughout the EU.

• The central forum for cooperation in the EU is the Article 29 Working Party . This is where the national data protection authorities meet to exchange views on current issues, to discuss a common interpretation of data protection legislation and to give expert advice to the European Commission. 
• The EDPS also participates in the work to ensure good data protection in the EU's third pillar, which covers police and judicial cooperation (formerly "EU's third pillar"). This includes attending a number of meetings of the Joint Supervisory Bodies with deal with information systems in the area of police and justice. He is also a member of the Working Party on Police and Justice set up by the European Conference to provide advice in the area of law enforcement.
• One of the most important cooperative tasks relates to the large scale IT system Eurodac , where the responsibilities for data protection supervision are shared. The system consists of national units (subject to national law), and a central unit (subject to the EU Data Protection Regulation). It therefore requires a coordinated approach that is developed through biannual coordination meetings organised by the EDPS. 
• Two major data protection conferences are organised each year. Every spring, a European Conference gathers data protection officials from authorities in the Member States of the EU and the Council of Europe. And every autumn, a wide range of data protection experts, from the public as well as the private sector, meets for the International Conference . 
• International organisations which are exempted from national law, often find themselves without a legal framework for data protection. Because all of them process personal data, the EDPS took the initiative in 2005 of organising a workshop on 'data protection as part of good governance in international organisations' with representatives from some 20 organisations. Two follow-up workshops have been organised since then.

Source: https://secure.edps.europa.eu/EDPSWEB/edps/cache/offonce/EDPS

K. Consequences for GDPR violations

1. Process and procedures

Article 77: [Data subject has a] Right to lodge a complaint with a supervisory authority. Any supervisory authority, really
Article 78: [Data subject has a] Right to an effective judicial remedy against a supervisory authority (go to Member court where supervisory authority is established)
Article 79: [Data subject has a] Right to an effective judicial remedy against a controller or processor (go to Member court where the controller or processor has an establishment or where data subject lives)
Article 80: Representation of data subjects by a not-for-profit body, organisation or association which has statutory objectives which are in the public interest, and is active in the field of the protection of data subjects' rights and freedoms with regard to the protection of their personal data, in order to lodge the complaint on his or her behalf
Article 81: Suspension of proceedings. If a case against the same controller or processor regarding the same subject matter are pending in a court in another Member State, any competent court other than the court first seized may suspend its proceedings.

2. Infringements and fines

Article 83: General conditions for imposing administrative fines

1.Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive.
2.Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in points (a) to (h) and (j) of Article 58(2). When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following:
(a) the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
(b) the intentional or negligent character of the infringement;
(c) any action taken by the controller or processor to mitigate the damage suffered by data subjects;
(d) the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32;
(e) any relevant previous infringements by the controller or processor;
(f) the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
(g) the categories of personal data affected by the infringement;
(h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;
(i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;
(j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and
(k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.
3.If a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement.
4.Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:
(a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43;
(b) the obligations of the certification body pursuant to Articles 42 and 43;
(c) the obligations of the monitoring body pursuant to Article 41(4).
These are the more administrative obligations: how data should be handled
5.Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:
(a) the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9;
(b) the data subjects' rights pursuant to Articles 12 to 22;
(c) the transfers of personal data to a recipient in a third country or an international organisation pursuant to Articles 44 to 49;
(d) any obligations pursuant to Member State law adopted under Chapter IX;
(e) non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 58(2) or failure to provide access in violation of Article 58(1).
These are violations against the principles of the regulation: where data should not have been processed at all
6.Non-compliance with an order by the supervisory authority as referred to in Article 58(2) shall, in accordance with paragraph 2 of this Article, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
7.Without prejudice to the corrective powers of supervisory authorities pursuant to Article 58(2), each Member State may lay down the rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State.
8.The exercise by the supervisory authority of its powers under this Article shall be subject to appropriate procedural safeguards in accordance with Union and Member State law, including effective judicial remedy and due process.
9.Where the legal system of the Member State does not provide for administrative fines, this Article may be applied in such a manner that the fine is initiated by the competent supervisory authority and imposed by competent national courts, while ensuring that those legal remedies are effective and have an equivalent effect to the administrative fines imposed by supervisory authorities. In any event, the fines imposed shall be effective, proportionate and dissuasive. Those Member States shall notify to the Commission the provisions of their laws which they adopt pursuant to this paragraph by 25 May 2018 and, without delay, any subsequent amendment law or amendment affecting them.

Article 84:Penalties
1.Member States shall lay down the rules on other penalties applicable to infringements of this Regulation in particular for infringements which are not subject to administrative fines pursuant to Article 83, and shall take all measures necessary to ensure that they are implemented. Such penalties shall be effective, proportionate and dissuasive.
2.Each Member State shall notify to the Commission the provisions of its law which it adopts pursuant to paragraph 1, by 25 May 2018 and, without delay, any subsequent amendment affecting them.
This includes handling of personal data relating to criminal convictions and offences (article 10) and the obligation to demonstrate accordance with the regulation (article24)

3. Data subject compensation

Article 82: Right to compensation and liability
Controller is liable for the damage caused by infringement. Processor is only responsible when not complying with Regulation or instructions of Processor. When more than 1 party is involved, each may be held liable for entire damage; they may claim back part of it with other controllers or processors that are responsible.
1.Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.
2.Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.
3.A controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage.
4.Where more than one controller or processor, or both a controller and a processor, are involved in the same processing and where they are, under paragraphs 2 and 3, responsible for any damage caused by processing, each controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject.
5.Where a controller or processor has, in accordance with paragraph 4, paid full compensation for the damage suffered, that controller or processor shall be entitled to claim back from the other controllers or processors involved in the same processing that part of the compensation corresponding to their part of responsibility for the damage, in accordance with the conditions set out in paragraph 2.
6.Court proceedings for exercising the right to receive compensation shall be brought before the courts competent under the law of the Member State referred to in Article 79(2).

III.Compliance with European Data Protection Law and Regulation

Most of the information in this chapter comes from the Working Party 29 opinions. Almost every one of them was published before acceptance of the GDPR and relate to the Data Protection Directive. For the purpose of understanding the consequences of privacy law on practical situations the essence of the opinions still seems valid to me. In some cases the opinions argue if, why and when Data Protection Directive applies in case of the offering of electronic services to EU residents (for instance, because a cookie is stored on equipment located in the EU). With the GDPR it is clear thatthese services should comply with the European privacy laws as they offer services to EU residents.

A. Employment Relationship

1. Legal basis for processing of employee data

Context: Data Protection Regulation

• PROCESSING IS NECESSARY FOR THE PERFORMANCE OF A CONTRACT TO WHICH THE DATA SUBJECT IS PARTY… Employment relationships are very often based on a contract of employment between the employer and worker. To meet its obligations under the contract to, for example, pay the worker, the employer must process some personal data.
• PROCESSING IS NECESSARY FOR COMPLIANCE WITH A LEGAL OBLIGATION… (ARTICLE 7.1.C) The employer may be under a legal obligation to make certain disclosures of personal data, for example, to the tax authorities or to process data or in connection with social security payments.
• PROCESSING IS NECESSARY FOR THE PURPOSES OF THE LEGITIMATE INTERESTS PURSUED BY THE CONTROLLER OR BY THE THIRD PARTY OR PARTIES TO WHOM THE DATA ARE DISCLOSED, EXCEPT WHERE SUCH INTERESTS ARE OVERRIDDEN BY THE INTERESTS FOR FUNDAMENTAL RIGHTS AND FREEDOMS OF THE DATA SUBJECT … (Article 7.1.F). This criterion requires a balance to be struck between the interests of the employer and the interests of workers. Some supervisory authorities have issued guidance on how the balance between the interests of the data controller and the interests of the data subject should be struck. It is important to remember that if this criterion is relied on the worker retains the right to object to the processing on compelling legitimate grounds (Article 14).
• PROCESSING IS NECESSARY IN ORDER TO PROTECT THE VITAL INTERESTS OF THE DATA SUBJECT. (Article 7.1.D) This may be relevant in the context of the protection of safety.
• PROCESSING IS NECESSARY FOR THE PERFORMANCE OF A TASK CARRIED OUT IN THE PUBLIC INTEREST…. 16 (Article 7.1.E). The circumstances, in which this criterion is relevant in the employment context, are likely to be very limited.

If none of the criteria are applicable to the processing of a worker’s data by an employer, the employer can, alternatively, obtain the worker’s unambiguous consent to the processing.. However:

THE ARTICLE 29 WORKING PARTY TAKES THE VIEW THAT WHERE AS A NECESSARY AND UNAVOIDABLE CONSEQUENCE OF THE EMPLOYMENT RELATIONSHIP AN EMPLOYER HAS TO PROCESS PERSONAL DATA IT IS MISLEADING IF IT SEEKS TO LEGITIMISE THIS PROCESSING THROUGH CONSENT. RELIANCE ON CONSENT SHOULD BE CONFINED TO CASES WHERE THE WORKER HAS A GENUINE FREE CHOICE AND IS SUBSEQUENTLY ABLE TO WITHDRAW THE CONSENT WITHOUT DETRIMENT.

The problem here is the worker - employer relationship, which is not balanced. The Article 29 Working Party takes the view that where consent is required from a worker, and there is a real or potential relevant prejudice that arises from not consenting, the consent is not valid in terms of satisfying either Article 7 or Article 8 as it is not freely given. If it is not possible for the worker to refuse it is not consent. Consent must at all times be freely given. Thus a worker must be able to withdraw consent without prejudice.

Not all manual records necessarily fall within the Directive’s scope. They only do so if they form part of a ‘personal data filing system’. This is defined as any structured set of personal data, which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.

Source: WP 29 opinion 15: (source http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2011/wp187_en.pdf)

There is no uniform European law governing the use of personal data by employers. Each member state has different national laws. Many countries have embedded the right to privacy in their constitution (not the UK), but how it should apply to employer-employee relationships is not determined by it. Many countries have adapted additional (labour) laws that are specificly describing what is or isn't allowed, and DPA's have issued guidelines and opinions about it.

Relevancy
Throughout the Member States, the main labour law principle to be found is the principle of relevancy. It implies that the employer’s right to investigate is not absolute. It is designed to strike a balance between the respective legitimate interests that exist in the context of employment privacy. The relevancy-test is made, implying that the employer’s may only exercise his right to information – or his right to investigate and collect information – in so far as these collections or investigations are relevant for the employment.

Proportionality
The principle of relevancy may also give rise to a proportionality test in various cases.

‘tendency companies’, are companies which are biased or show a certain social, ideological, political, religious, … affinity. Religious organisations are a clear example, like political parties, or various non-profit organisations. For such organisations, the employer’s interest in collecting specific personal and sensitive information may increase in relation to the specific biased (but legitimate) business purposes. The ban on investigations would be lifted only for employees performing tasks that are directly linked to the employer’s ideological stance. For employees performing non-ideological functions, employer’s investigations would continue to be illegal.

Source: 1_dataprotection_hendrickx_combinedstudies_en.pdf

2. Storage of personnel records

The employer must implement appropriate technical and organisational measures at the workplace to guarantee that the personal data of his workers is kept secured. Particular protection should be granted as regards unauthorised disclosure or access. Personal data must remain safe from the curiosity of other workers or third parties. Nowadays, the technology offers reasonable means for preventing such unauthorised access or disclosure, allowing in any case the identification of the staff accessing the files. Where a data processor is used, there must be a contract between the employer and the third party providing security guarantees and ensuring that the processor acts only on the employer’s instructions.

Also, the usual yada yada applies: finality, transparency, legitimacy, proportionality, accuracy and retention of the data, security, awareness of the staff

Source: WP 29 opinion 15: (source http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2011/wp187_en.pdf)

3. Workplace monitoring and data loss prevention

Contect: In considering the question of surveillance, it must always be borne in mind that while workers have a right to a certain degree of privacy in the workplace, this right must be balanced against the right of the employer to control the functioning of his business and defend himself against workers' action likely to harm employers' legitimate interests, for example the employer’s liability for the action of their workers.

It must be emphasised moreover that the conditions of work have evolved in the way that it becomes more difficult today to clearly separate work hours from private life. In particular, as “home office” is developing, many workers continue their work at home using computer infrastructure provided by the employer for that purpose or not.

Legal instruments

Article 8 and 10 of the European Convention For The Protection Of Human Rights And Fundamental Freedoms (right to respect for his private and family life, his home and correspondence, and freedom of expression

In the judgements given to date, the Court has made it clear that the protection of "private life" enshrined in Article 8 does not exclude the professional life as a worker and is not limited to life within home. The case Niemitz v. Germany concerned the search by a government authority of the complainant's office.[...] The court stated "There appears, furthermore, to be no reason of principle why this understanding of the notion of "private life" should be taken to exclude activities of a professional or business nature"

More precisely in the case of Halford v. the United Kingdom the Court decided that interception of workers' phone calls at work constituted a violation of Article 8 of the Convention. In the Court's view "it is clear from its case-law that telephone calls made from business premises as well as from the home may be covered by the notions of "private life" and "correspondence" within the meaning of Article 8 paragraph 1 (…). There is no evidence of any warning having been given to Ms Halford, as a user of the internal telecommunications system that calls made on that system would be liable to interception. She would, the Court considers, have had a reasonable expectation of privacy for such calls…"

More generally, three principles can be extracted from the case law on Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms:

• a) Workers have a legitimate expectation of privacy at the workplace, which is not overridden by the fact that workers use communication devices or any other business facilities of the employer. However the provision of proper information by the employer to the worker may reduce the workers legitimate expectation of privacy.
• b) The general principle of secrecy of correspondence covers communications at the workplace. This is likely to include electronic e-mail and related files attached thereto.
• c) Respect for private life also includes to a certain degree the right to establish and develop relationships with other human beings. The fact that such relationships, to a great extent, take place at the workplace puts limits to employer's legitimate need for surveillance measures

Surveillance And Monitoring Of Electronic Communications In The Work Place Under Directive 95/46/EC: Principles

• NECESSITY This principle means that the employer must check if any form of monitoring is absolutely necessary for a specified purpose before proceeding to engage in any such activity. Traditional methods of supervision, less intrusive for the privacy of individuals, should be carefully considered and where appropriate implemented before engaging in any monitoring of electronic communications. It would only be in exceptional circumstances that the monitoring of a workers mail or Internet use would be considered necessary. For instance, monitoring of a worker’s e-mail may become necessary in order to obtain confirmation or proof of certain actions on his 14 http://europa.eu.int/comm/internal_market/en/dataprot/wpdocs/wp48en.pdf 14 part. Such actions would include criminal activity on the part of the worker insofar as it is necessary for the employer to defend his own interests, for example, where he is vicariously liable for the actions of the worker.
• FINALITY. This principle means that data must be collected for a specified, explicit and legitimate purpose and not further processed in a way incompatible with those purposes.
• TRANSPARENCY This principle means that an employer must be clear and open about his activities. It means that no covert e-mail monitoring is allowed by employers except in those cases where a law in the Member State under Article 13 of the Directive allows for that. This is most likely to be the case where specific criminal activity has been identified. This principle can be divided into two (well, three actually) aspects:
  • THE OBLIGATION TO PROVIDE INFORMATION TO THE DATA SUBJECT It means that the employer has to provide his workers with a readily accessible, clear and accurate statement of his policy with regard to e-mail and Internet monitoring
  • THE OBLIGATION TO NOTIFY SUPERVISORY AUTHORITIES BEFORE CARRYING OUT ANY WHOLLY OR PARTLY AUTOMATIC PROCESSING OPERATION OR SET OF SUCH PROCESSING OPERATIONS. This is another way of providing transparency as workers can always check in the Data Protection registers, for instance, what categories of data, for what purposes and for what recipients is the employer supposed to process the personal data of their employees.
  • RIGHT OF ACCESS A Worker, as any other individuals under the Directive17, has a right of access to the personal data related to him processed by his employer and where appropriate, request its rectification or erasure or blocking which does not comply with the provisions of the Directive, in particular because of the incomplete or inaccurate nature of the data.
• LEGITIMACY This principle means that any data processing operation can only take place if it has a legitimate purpose as provided for in Article 7 of the Directive and the national legislation transposing it. [...] The processing of sensitive data connected to monitoring activities and surveillance is a difficult issue, which is not only relevant for the employment context. Indeed is a general issue on which the Working Party may provide some guidance in the future. As a matter of fact, unless specifically authorised by national law providing for adequate safeguards, monitoring activities directly aimed at the processing of sensitive data of workers would not find a legitimisation under the provisions of Directive 95/46/EC and would not be acceptable. However, preventing or making very difficult any monitoring activities (which in many cases are not only lawful but even also desirable such as those directly aimed at guaranteeing the security of the system), by the simple fact that the processing of certain sensitive data might be unavoidable involved, does not seem acceptable either.
• PROPORTIONALITY This principle requires that personal data including those involved in monitoring must be adequate, relevant and not excessive with regard to achieving the purpose specified. The proportionality principle therefore rules out blanket monitoring of individual e-mails and Internet use of all staff other than where necessary for the purpose of ensuring the security of the system. The monitoring of e-mails should, if possible, be limited to traffic data on the participants and time of a communication rather than the contents of communications if this would suffice to allay the employers concerns. If access to the e-mail’s content is absolutely necessary, account should be taken of the privacy of those outside the organisation receiving them as well as those inside. The employer, for instance, cannot obtain the consent of those outside the organisation sending e-mails to his workers. The employer should make reasonable efforts to inform those outside the organisation of the existence of monitoring activities to the extent that people outside the organisation could be affected by them. A practical example could be the insertion of warning notices regarding 18 the existence of the monitoring systems, which may be added to all outbound messages from the organisation.
• ACCURACY AND RETENTION OF DATA It is hard to see that a retention period longer of three months would be normally justified.
• SECURITY It also encompasses the right of the employer to protect his system against viruses and may involve the automated scanning of e-mails and network traffic data. The Working Party is of the opinion that, in view of the importance of maintaining a secure system, such automated opening of e-mails should not be considered as violating the worker’s right to privacy, provided that appropriate safeguards are put in place.

The Article 29 Working Party draws attention to the role of the system administrator, a worker who holds important responsibilities from the data protection point of view. It is of great importance that the system administrator and anyone else who has access to personal data about workers in the course of monitoring, is placed under a strict duty of professional secrecy with regard to confidential information, to which they have access.

E-mail monitoring

The Article 29 Working Party is of the view that electronic communications made from business premises may be covered by the notions of "private life" and "correspondence" within the meaning of Article 8 paragraph 1 of the European Convention. There is little margin for interpretation as this respect as this issue has been clearly settled by the Court in the case Halford v. the United Kingdom mentioned above.

The most likely legitimisation for e-mail monitoring can be found in Article 7 (f) of the Directive, that is, where processing is necessary for the purposes of the legitimate interest pursued by the controller or by the third party or parties to whom the data are disclosed

WP29 advises to use a separate email account for personal use, so that the distinction between private and professional correspondence is more clear.

Monitoring of Internet access

Wherever possible prevention should be more important than detection.

The delivering of prompt information to the worker on the detection of a suspicious use of the Internet is important in order to minimise problems Even if a necessary measure, any monitoring must be a proportionate response to the risk faced by the employer. In most cases Internet misuse can be detected without the necessity of analysing the content of the sites visited. For example, a check on the time spent, or a check on the sites most frequently visited by a department may suffice to reassure an employer that their facilities are not being misused.

When assessing Internet use by workers employers should try to exercise caution in coming to conclusions, taking into account the ease with which websites can be visited unwittingly through unintended responses of search engines, unclear hypertext links, misleading banner advertising and miskeying. In any case, workers must have the facts presented to them and be given full opportunity to contest the misuse alleged by the employer.

Source: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2002/wp55_en.pdf

Data Loss Prevention

Couldn't find much about this subject, just:

• Risk: Data leakage may be a result of a variety of attacks (e.g. physical theft, data transfers across the network).
• Implementation: Network monitoring should examine outbound traffic. Laptops with sensitive data should have encrypted hard drives.
• Measurement: Test data should be moved across network boundaries in a variety of scenarios.

Source: https://www.cippguide.org/2010/11/09/continuous-monitoring-security-controls/

4. EU Works councils

This is organized per country, as each country has specific laws regarding works councils. A work council is a body of people representing the personnel of a company. The Works council represents the personnel when decisions are made that concern the personnel. In different countries, different rules apply to the rights and duties of an employer and a works council. In the Netherlands,changes regarding the processing and protection of personal data of personnel and monitoring or inspection of the attendance, behaviour or performance of personnel must be approved by the works council.

Source: http://www.preslmayr.at/tl_files/Publikationen/2010/10_things_you_need_to_know_about_works_councils_and_privacy_in_europe.pdf

5. Whistleblowing systems

Source: WP 29 Opinion 117 (http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2006/wp117_en.pdf)

When blowing the whistle, the whistleblower processes personal data of the accused. When doing so, the whistleblower is vulnerable and needs to be protected, and this also goes for his personal data. At the same time, the accused has his data subject rights, but they may conflict with the interest of the company to investigate the accusations. The opinion makes a couple of observations:

• There must be a legal basis for whistleblowing schemes. For certain industries such as banking, there is a legal obligation to establish a whistleblower scheme. In case there is no such obligation, there may still be a legitimate interest, but in this case "Such a reason would only be acceptable on condition that such legitimate interests are not overridden by the interests for fundamental rights and freedoms of the data subject”.
• Application of the principles of data quality and proportionality
  • Possible limit on the number of persons entitled to report. Processed data must be adequate, relevant and not excessive. This might mean a company may restrict who has the right to file a whistleblower report to prevent accusations of issues that are not serious enough to justify invasion of the privacy of the accused
  • Possible limit on the number of persons who may be incriminated. This is to prevent that people may be incriminated for things that are not serious enough to justify invasion of the privacy of the accused
  • Anonymous reporting may lead to problems (more difficult to investigate, malevolent reporting, people may still guess who the whistleblower is). Also, anonymous reports raise a specific problem with regard to the essential requirement that personal data should only be collected fairly. Therefore, the rule should be that whistleblowing reports should not as a rule be submitted anonymously. Anonymous reporting may still happen because of various reasons. The Working Party considers that whistleblowing schemes should be built in such a way that they do not encourage anonymous reporting as the usual way to make a complaint. The processing of anonymous reports must be subject to special caution.
  • Companies setting up these systems should clearly define the type of information to be disclosed through the system, by limiting the type of information to [the purpose of the whistleblower scheme]
  • Personal data processed by a whistleblowing scheme should be deleted, promptly, and usually within two months of completion of the investigation of the facts alleged in the report.
• Provision of clear and complete information about the scheme (Article 10): The requirement of clear and complete information on the system obliges the controller to inform data subjects about the existence, purpose and functioning of the scheme, the recipients of the reports and the right of access, rectification and erasure for reported persons. Data controllers should also provide information on the fact that the identity of the whistleblower shall be kept confidential throughout the whole process and that abuse of the system may result in action against the perpetrator of the abuse.
• Rights of the incriminated person:
  • Information rights: the reported employee must be informed about: [1] the entity responsible for the whistleblowing scheme, [2] the facts he is accused of, [3] the departments or services which might receive the report within his own company or in other entities or companies of the group of which the company is part, and [4] how to exercise his rights of access and rectification. However, where there is substantial risk that such notification would jeopardise the ability of the company to effectively investigate the allegation or gather the necessary evidence, notification to the incriminated individual may be delayed as long as such risk exists.
  • Rights of access, rectification and erasure: Under no circumstances can the person accused in a whistleblower’s report obtain information about the identity of the whistleblower from the scheme on the basis of the accused person’s right of access, except where the whistleblower maliciously makes a false statement.
• Security of processing operations: security measures must be proportionate to the purposes, confidentiality of reports is an essential requirement
• A specific organisational must be set up within the company or the group dedicated to handling whistleblowers’ reports and leading the investigation. External service providers for reporting or investigation may be used, if the comply with the principles of the privacy law Principle of investigation in the EU for EU companies, unless the nature and seriousness of the alleged offence calls for communication outside the EU, for example if the report incriminates a partner of another legal entity within the group, a high level member or a management official of the company concerned.
• Transfers to third countries: usual restrictions apply
• the processing operations might be subject to prior checking by the national data protection authority

6. 'Bring your own device' (BYOD) programs

Generally speaking, there are three high-level means of implementing a BYOD program:

• Virtualization: Provide remote access to computing resources so that no data or corporate application processing is stored or conducted on the personal device;
• Walled garden: Contain data or corporate application processing within a secure application on the personal device so that it is segregated from personal data;
• Limited separation: Allow comingled corporate and personal data and/or application processing on the personal device with policies enacted to ensure minimum security controls are still satisfied.

Security

• Assess and document risks in:
  • Information security (operating system compromise due to malware, device misuse, and information spillover risks)
  • Operations security (personal devices may divulge information about a user when conducting specific activities in certain environments)
  • Transmission security (protections to mitigate transmission interception)
• Ensure consistency with government-wide standards for processing and storing Federal information
• Assess data security with BYOD versus the devices being replaced
• Securely architect systems for interoperability (government data vs. personal data)

Privacy

• Identify the right balance between personal privacy and organizational security
• Document process for employee to safeguard personal data if / when government wipes the device

Ethics / legal questions

• Define “acceptable use” from both government and individual perspective
• Address legal discovery (including confiscation rights) and liability issues (e.g., through pre-defined opt-in requirements in terms of service)
• Consider implications for equal rights employment (e.g., disparity in quality of personal devices)

Source: https://cio.gov/wp-content/uploads/downloads/2012/09/byod-toolkit.pdf

B. Surveillance Activities

1. Surveillance by public authorities

WP29 has issued an opinion stating "The European Essential Guarantees":

• Guarantee A - Processing should be based on clear, precise and accessible rules. [The] legal basis should in any case be set out in statute law including the nature of the offences which may give rise to an interception or surveillance order, a definition of the categories of people that might be subject to surveillance, a limit on the duration of the measure, the procedure to be followed for examining, using and storing the data obtained, and the precautions to be taken when communicating the data to other parties.
• Guarantee B - Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated. The Courts do not seem to have taken a final position on the legality of the massive and indiscriminate collection of personal data (i.e. non-targeted bulk collection) and their subsequent use, including the question under what circumstances such collection and use of personal data could take place. As regards the content of communications data, the CJEU is clearer. It has stated in the Schrems judgment that public authorities should not be allowed to have access to the content of electronic communications on a generalised basis.However, the court does not define what it understands ‘on a generalised basis’ to mean.
• Guarantee C - An independent oversight mechanism should exist. Since the 1970s, the ECtHR has held that any interference with the right to privacy and data protection should be subject to an effective, independent and impartial oversight system that must be provided for either by a judge or by another independent body. Given the special nature of data processing for intelligence purposes, it is accepted that the processing takes place without the data subject being informed, in any case at the start and during the surveillance operation.
• Guarantee D - Effective remedies need to be available to the individual. For the ECtHR, the question of an effective remedy is inextricably linked to the notification of a surveillance measure to the individual once the surveillance is over.

Source: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2016/wp237_en.pdf

Legal basis

Surveillance programmes run by the EU Member States will in general not be subject to EU law, following the national security exemption written into the European treaties, as well as – following this decision of the contracting Member States – several EU regulations and directives, including the EU data protection directive 95/46/EC. That does not mean however such programmes are only subject to national law. The analysis of the WP29 shows, that even though EU law in general and the data protection directive in particular do not apply, the data protection principles following the European Convention on Human Rights and Council of Europe Convention 108 on the protection of personal data will for the most part still need to be respected by the intelligence services in order to lawfully perform their duties.

It becomes clear from assessing the relevant national legislation that the GDPL in many countries does not apply to the activities of intelligence services and the data protection authority has a limited or in some cases non-existent supervisory role.

They make a couple of recommendations to improve the situation but basically this is out of their jurisdiction.

Source: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp215_en.pdf

The Snowden revelations and those emerging in parallel to the Snowden case are not limited to US surveillance activities but also concern surveillance by intelligence services of EU Member States, be it on European territory or abroad. These are particularly relevant, since several Europe-based intelligence services are now confirmed as having a close working relationship with their US counterparts11. The closer the relationship with the United States, the more information is shared on the basis of reciprocity. This goes to show that national security is less ‘national’ than the word would suggest: data, including personal data, are shared and exchanged by intelligence services on a large scale.

Any limitations to these fundamental rights can only be accepted when they meet the conditions established by the ECtHR and are thus restricted to specific, well described and foreseeable situations. The Working Party therefore points out that if compliance with the Council of Europe instruments is to be considered effective, then no massive, indiscriminate and secret collection of data relating to individuals subject to EU jurisdiction can be tolerated by States party to the ECHR.

In summary, neither the relevant provisions of EU law nor the CJEUs case law offer a clear definition of what ‘national security’ is. Moreover, the EU and its Member States use various rather similar notions related to security without defining them: internal security, national security, State security, public security and defense should all be distinguished, but are in the view of the Working Party inextricably linked.

The Snowden revelations and those emerging in parallel to the Snowden case are not limited to US surveillance activities but also concern surveillance by intelligence services of EU Member States, be it on European territory or abroad. These are particularly relevant, since several Europe-based intelligence services are now confirmed as having a close working relationship with their US counterparts. The closer the relationship with the United States, the more information is shared on the basis of reciprocity. This goes to show that national security is less ‘national’ than the word would suggest: data, including personal data, are shared and exchanged by intelligence services on a large scale.

[...] the Working Party points out that the national security exemption has to be interpreted to reflect the competence of the EU vis-à-vis the Member States and not as a general exemption from EU data protection requirements of all activities requested by third countries in the name of national security. [...] Additionally, the Working Party takes the view that it is important to critically assess whether surveillance is actually conducted for the purpose of national security.[...] The Working Party is concerned that EU (data protection) law may be circumvented in practice with a mere reference to the data processing being needed for national security purposes.

Basic concern: although out of scope of Data protection directive (and GDPR), many conventions still put restrictions on how and what a government may do in terms of surveillance activities for the sake of national security. They emphasise the obligation of member states to incorporate restrictions in their national law guaranteeing surveillance is necessary and proportional, offers suffiecient oversight and is respecting freedom and rights of individuals.

Source: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp228_en.pdf

2. Interception of communications

5.1 Member States shall ensure the confidentiality of communications and the related traffic data by means of a public communications network and publicly available electronic communications services, through national legislation. In particular, they shall prohibit listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data by persons other than users, without the consent of the users concerned, except when legally authorised to do so in accordance with Article 15(1):

15.1 Member States may adopt legislative measures to restrict the scope of the rights and obligations provided for in Article 5, Article 6, Article 8(1), (2), (3) and (4), and Article 9 of this Directive when such restriction constitutes a necessary, appropriate and proportionate measure within a democratic society to safeguard national security (i.e. State security), defence, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system, as referred to in Article 13(1) of Directive 95/46/EC.

Source: E-privacy directive 2002/58/EC

Also, see III A 3 and III B 1.

3. Closed-circuit television (CCTV)

Purposes:

1) protection of individuals, 

2) protection of property, 

3) public interest, 

4) detection, prevention and control of offences, 

5) making available of evidence, 

6) other legitimate interests.

A considerable portion of the information collected by means of video surveillance concerns identified and/or identifiable persons, who have been filmed as they moved in public and/or publicly accessible premises. Such an individual in transit may well expect a lesser degree of privacy, but not expect to be deprived in full of his rights and freedoms as also related to his own private sphere and image. Consideration is also to be given here to the right to free movement of individuals who are lawfully within a State’s territory, which is safeguarded by Article 2 of Additional Protocol No. 4 to the European Convention for the Protection of Human Rights and Fundamental Freedoms. -6- This freedom of movement may only be subject to such restrictions as are necessary in a democratic society and proportionate to the achievement of specific purposes. 

In a few countries there are also specific provisions applying irrespective of the circumstance that video surveillance may entail the processing of personal data. Under these regulations, installation and deployment of CCTV and similar surveillance equipment are to be authorised in advance by an administrative authority.

The Directive does not apply to the processing of sound and image data for purposes concerning public security, defence, State security and the activities of the State in areas of criminal law and/or in the course of any other activity which falls outside the scope of Community law. Secondly, the Directive does not apply to processing operations performed by a natural person in the course of a purely personal or household activity.

OBLIGATIONS AND APPROPRIATE PRECAUTIONS APPLYING TO THE DATA CONTROLLER 

A) Lawfulness of the Processing

B) Specificity, Specification and Lawfulness of Purposes

C) Criteria Making the Processing Legitimate

D) Proportionality of the Recourse to Video Surveillance (does the purpose justify deployment of such a invasive measure, especially in non-public places)

E) Proportionality in Carrying Out Video Surveillance Activities (video angle, zoom, location, retention of images, identification facilitated by other means such as records, sharing of images with third parties)

F) Information to Data Subjects

G) Additional Requirements (limited number of people who have access to images, their training, erasure of images after retention period, protection of the images)

H) Data Subjects’ Rights 

I) Additional Safeguards in connection with Specific Processing Operations 

[...] the need to pay greater attention [...] to the following cases [...]

a) permanent interconnection of video surveillance systems as managed by different data controllers, 

b) possible association of image and biometric data such as fingerprints (e.g. at the entrance of banks), 

c) use of voice identification systems, 

d) implementation, in line with proportionality principles and based on specific provisions, of indexing systems applying to recorded images and/or systems for their simultaneous automatic retrieval, especially via identification data, 25 Except where otherwise provided by national legislation -22- 

e) use of facial recognition systems that are not limited to identifying camouflages of persons in transit, such as fake beards and wigs, but are based on the targeting of suspected offenders – i.e. on the ability of the system to automatically identify certain individuals on the basis of templates and/or standard identity-kits resulting from certain outward features (such as colour of a person’s skin, eyes, protruding cheekbones, etc.), or else on the basis of pre-defined abnormal behaviour (sudden movements, repeated transit even at given intervals, way of parking a vehicle, etc.). In this connection, human intervention is appropriate also in the light of mistakes possibly occurring in these cases as also mentioned with regard to point f) below, 

f) possibility to automatically trace routes and trails and/or reconstruct or foresee a person’s behaviour, 

g) taking of automated decisions based either on a person’s profile or on intelligent analysis and intervention systems unrelated to standard alerts - such as the fact of accessing a place without the required identification or else a fire alert.

Source: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2002/wp67_en.pdf

An updated document can be found here: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2004/wp89_en.pdf but frankly I can't find many differences.

CCTV for guarding your house: If it captures public space, it may not be legal.  Unless images are only used to report crimes.The directive has an exception in the case of data processing carried out “by a natural person in the course of a purely personal or household activity”, but the court found that the exception would not always apply if a camera is recording images of a public space such as a footpath.

Source: https://www.theguardian.com/law/2014/dec/11/home-surveillance-cctv-images-may-breach-data-protection-rules-european-court-judgment-says

4. Geolocation

Source: http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2011/wp185_en.pdf

Privacy risks: A smart mobile device is very intimately linked to a specific individual. This allows the providers of geolocation based services to gain an intimate overview of habits and patterns of the owner of such a device and build extensive profiles. From a pattern of inactivity at night, the sleeping place can be deduced, and from a regular travel pattern in the morning, the location of an employer may be deduced. The pattern may also include data derived from the movement patterns of friends, based on the so-called social graph. 6 A behavioural pattern may also include special categories of data, if it for example reveal visits to hospitals and religious places, presence at political demonstrations or presence at other specific locations revealing data about for example sex life. These profiles can be used to take decisions that significantly affect the owner.

Even when people intentionally make their geolocation data available on the Internet, through whereabout and geotagging services, the unlimited global access creates new risks ranging from data theft to burglary, to even physical aggression and stalking. As with other new technology, a major risk with the use of location data is function creep, the fact that based on the availability of a new type of data, new purposes are being developed that were not anticipated at the time of the original collection of the data.

Legal base depends on Location source:

• Base station data processed by telecom operators: The e-privacy directive (2002/58/EC, as revised by 2009/136/EC) applies to the processing of base station data by public electronic communication services and networks (telecom operators). Since location data derived from base stations relate to an identified or identifiable natural person, they are subject to the provisions on the protection of personal data (inform the data subject, consent).
• A combination of base station, GPS and WiFi data: these are information society services, as such they are explicitly excluded from the e-Privacy directive. directive 95/46/EC [GDPR] applies.

Personal data: Smart mobile devices are inextricably linked to natural persons. There is usually direct and indirect identifyability. The combination of a MAC address of a WiFi access point with its calculated location, should be treated as personal data.

3 types of controllers:

• Owners of databases with mapped WiFi access points are controllers.
• The provider of an application that is capable of processing geolocation data is the controller for the processing of personal data resulting from the installation and use of the application.
• The developer of the operating system of the smart mobile device can be a controller for the processing of geolocation data when it processes personal data independently from the application provider.

Legitimate ground:

Prior informed consent is also the main applicable ground for making data processing legitimate when it comes to the processing of the locations of a smart mobile device (more dificult in case of employees and children). By default, location services must be switched off.

Given the semi-static nature of WiFi access points, the mapping of WiFi access points in principle constitutes a lesser threat to the privacy of the owners of these access points than the real-time tracking of the locations of smart mobile devices. In order for controllers to successfully let their legitimate interests prevail over time over the interests of the data subjects, they must develop and implement guarantees, such as the right to easily and permanently opt-out from the database, without needing to provide additional personal data to the controller of such a database. Additionally, for the purpose of offering geolocation services, the collection and processing of SSIDs is not necessary. Therefore the collection and processing of SSIDs is excessive.

Controllers must respect data subjects rigthts such as a right to access possible profiles based on these location data. If location information is stored, users should be allowed to update, rectify or erase this information. Also, retention may be no longer than is necessary for the purposes for which the data were collected or for which they are further processed.

C. Marketing Activities

1. Telemarketing

Not sure, couldn't find any information regarding telemarketing in the contect of European laws, besides the rules that also apply to direct marketing (see below).

2. Direct marketing

Unsolicited communications

1. The use of automated calling and communication systems without human intervention (automatic calling machines), facsimile machines (fax) or electronic mail for the purposes of direct marketing may be allowed only in respect of subscribers or users who have given their prior consent.

2. Notwithstanding paragraph 1, where a natural or legal person obtains from its customers their electronic contact details for electronic mail, in the context of the sale of a product or a service, in accordance with Directive 95/46/EC, the same natural or legal person may use these electronic contact details for direct marketing of its own similar products or services provided that customers clearly and distinctly are given the opportunity to object, free of charge and in an easy manner, to such use of electronic contact details at the time of their collection and on the occasion of each message in case the customer has not initially refused such use.

3. Member States shall take appropriate measures to ensure that unsolicited communications for the purposes of direct marketing, in cases other than those referred to in paragraphs 1 and 2, are not allowed either without the consent of the subscribers or users concerned or in respect of subscribers or users who do not wish to receive these communications, the choice between these options to be determined by national legislation, taking into account that both options must be free of charge for the subscriber or user.

4. In any event, the practice of sending electronic mail for the purposes of direct marketing which disguise or conceal the identity of the sender on whose behalf the communication is made, which contravene Article 6 of Directive 2000/31/EC, which do not have a valid address to which the recipient may send a request that such communications cease or which encourage recipients to visit websites that contravene that Article shall be prohibited.

5. Paragraphs 1 and 3 shall apply to subscribers who are natural persons. Member States shall also ensure, in the framework of Community law and applicable national legislation, that the legitimate interests of subscribers other than natural persons with regard to unsolicited communications are sufficiently protected.

6. Without prejudice to any administrative remedy for which provision may be made, inter alia, under Article 15a(2), Member States shall ensure that any natural or legal person adversely affected by infringements of national provisions adopted pursuant to this Article and therefore having a legitimate interest in the cessation or prohibition of such infringements, including an electronic communications service provider protecting its legitimate business interests, may bring legal proceedings in respect of such infringements. Member States may also lay down specific rules on penalties applicable to providers of electronic communications services which by their negligence contribute to infringements of national provisions adopted pursuant to this Article.’;

Source: Amended Directive 2002/58 ("amended ePrivacy Directive")

DIRECT MARKETING: The communication by whatever means (including but not limited to mail, fax, telephone, on-line services etc…) of any advertising or marketing material, which is carried out by the Direct Marketer itself or on its behalf and which is directed to particular individuals.

DIRECT MARKETER Any natural or legal person (including charities and political parties) who communicates by whatever means (including but not limited to mail, fax, telephone, on-line services etc…) any advertising or marketing material which is directed to particular individuals.

Direct Marketer may be a different entity than controller and processor. For security measures, the country of establishment of the controller defines applicable law, for laws regarding the processing it is the location of the processor.

When Data Controllers receive requests, in writing or in any other durable medium, from Data Subjects enquiring about the source of their Data Controllers should, where it is lawful and where the source can be identified by reasonable efforts, communicate the information to the enquirer. If data has been compiled from different sources, Data Controllers are encouraged to keep a list of sources from which Personal Data have been obtained.

If Data Controllers receive a request not to approach a Data Subject by whatever means, they should as soon as possible and at least in no more than 4 weeks of receiving that request, have blocked that Data Subject's name in their databases.

The rest pretty much follows the directive for consent, information to be provided at time of collection and rights of the data subject.

Source: FEDMA Direct Marketing Code of Conduct as approved by WP29

Source: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2003/wp77_en.pdf

3. Online behavioural targeting

Legal framework

Amended Directive 2002/58 ("amended ePrivacy Directive") and Data Protection Directive voth apply; the doctrine [that] states that a law governing a specific subject matter (lex specialis) overrides a law which only governs a general matter (lex generalis) In line with the above, Article 5(3) of the ePrivacy Directive which deals with informed consent will be directly applicable. Directive 95/46 will be fully applicable except for the provisions that are specifically addressed in the ePrivacy Directive, which mainly correspond to Article 7 of Directive 95/46/EC on the legal grounds for data processing

Conclusions:

Roles and responsibilities

• Ad network providers are bound by the obligations of Article 5(3) of the ePrivacy Directive insofar as they place cookies and/or retrieve information from cookies already stored in the data subjects' terminal equipment. They are also data controllers insofar as they determine the purposes and the essential means of the processing of data.
• Publishers have certain data controller related responsibilities regarding the processing that takes place in the first phase of the processing, i.e., when by virtue of the way they set up their web sites they trigger the transfer of the IP address to ad network providers (which enable the further processing). Such responsibility entails some, limited data protection obligations (see below). In addition, when/if publishers transfer directly identifiable personal data to ad network providers themselves, they will be deemed joint controllers.

Obligations and rights (some stuff left out which is pretty self-evident)

• Article 5(3) of the ePrivacy Directive which sets up an obligation to obtain prior informed consent applies to ad network providers. In practical terms, they should ensure that individuals are told, at a minimum, who (i.e. which entity) is responsible for serving the cookie and collecting the related information. In addition, they should be informed in simple ways that
  • (a) the cookie will be used to create profiles;
  • (b) what type of information will be collected to build such profiles;
  • (c) the fact that the profiles will be used to deliver targeted advertising and
  • (d) the fact that the cookie will enable the user's identification across multiple web sites. Network providers/ publishers should provide the information directly on the screen, interactively, if needed, through layered notices. In any event it should be easily accessible and highly visible
• Cookie-based opt-out mechanisms in general do not constitute an adequate mechanism to obtain informed user consent. In most cases user's consent is implied if they do not opt out. However, in practice, very few people exercise the opt-out option, not because they have made an informed decision to accept behavioural advertising, but rather because they do not realise that the processing is taking place, much less how to exercise the opt out.
• In addition, the ad network providers should enable individuals to exercise their rights of access and rectification and erasure.
• Ad network providers should implement retention policies which ensure that information collected each time that a cookie is read is automatically deleted after a justified period of time (necessary for the purposes of the processing).
• Providing highly visible information is a precondition for consent to be valid. Mentioning the practice of behavioural advertising in general terms and conditions and/or privacy policies can never suffice.

Source: http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp171_en.pdf

Opinion 16/2011 on EASA/IAB Best Practice Recommendation on Online Behavioural Advertising

In April 2011 the relevant actors engaged in online behavioural advertising, represented by both the European Advertising Standards Alliance (EASA) and the Internet Advertising Bureau Europe (IAB), adopted a self-regulatory Best Practice Recommendation on online behavioural advertising (hereinafter "EASA/IAB Code")

In August 2011, the Article 29 WP sent an open letter to EASA and IAB outlining the data protection concerns surrounding the opt-out approach suggested within the EASA/IAB Code. In a subsequent meeting with the Article 29 WP, representatives of EASA and IAB stated that “the Code was primarily intended to create a level playing field" and that its purpose was not to achieve compliance with the revised e-Privacy Directive.

The proposed "information notice for behavioural advertising icon" is not sufficient to provide the required information because it is not widely recognized, not complete and displayed after setting the cookie.Also, the icon provides an opt-out choice instead of opt-in.

The first practical implementation of the EASA/IAB Code is the www.youronlinechoices.eu website, where the method selected to express “choice” is based on the use of different "opt-out" cookies. The website contains a list with different names of advertising networks. Users may indicate their preference if they do not wish to receive targeted advertising from one, more or all of the networks. Selecting one or more advertising networks results in the installation of one or more opt-out cookies from these networks. This implementation, apart from the fact that it follows an opt-out approach and thus is not consistent with the requirement for prior informed consent as set out in article 5(3) of the revised e-Privacy Directive, has the following additional problems:

• a) Although the opt-out cookie prevents the further reception of personalised advertising, it does not stop the advertising network from accessing and storing information in the user's terminal. On the contrary, it has been demonstrated that an ongoing technical exchange of information between the user’s terminal equipment and the advertising network is still in place after the installation of the opt-out cookie.
• b) The user is not informed on whether or not the tracking cookie remains stored in his/her computer and for what purpose5 .
• c) The installation of the opt-out cookie does not offer the possibility to manage and delete previously installed tracking cookies, whereas at the same time it creates the mistaken presumption that opting out disables the tracking of internet behaviour.

Adherence to the EASA/IAB Code on online behavioural advertising and participation in the website www.youronlinechoices.eu does not result in compliance with the current e-Privacy Directive. Moreover, the Code and the website create the wrong presumption that it is possible to choose not be tracked while surfing the Web. This wrong presumption can be damaging to users but also to the industry if they believe that by applying the Code they meet the requirements of the Directive.

So yeah, nice try but this won't fly

Source: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2011/wp188_en.pdf

D. Internet Technology and Communications

1. Cloud computing

WP29 has released opinion 196 about this:

• Data protection risks of cloud computing: As this Opinion focuses on personal data processing operations deploying cloud computing services, only the specific risks related to this context are considered. The majority of these risks fall within two broad categories namely lack of control over the data, and insufficient information regarding the processing operation itself (absence of transparency).
• The cloud provider is the entity that provides the cloud computing services in the various forms discussed above. When the cloud provider supplies the means and the platform, acting on behalf of the cloud client, the cloud provider is considered as a data processor
• Article 17(2) of Directive 95/46/EC puts full responsibility on cloud clients (acting as data controllers) to choose cloud providers that implement adequate technical and organisational security measures to protect personal data and to be able to demonstrate accountability.
• In addition to the core security objectives of availability, confidentiality and integrity, attention must also be drawn to the complementary data protection goals of transparency[…], isolation , intervenability, accountability and portability.
• Special emphasis must be placed on the features of the applicable contracts – these must include a set of standardised data protection safeguards including those outlined by the WP in paragraph 3.4.3 (Technical and Organisational Measures) and in paragraph 3.5 (cross-border data flows) – as well as on additional mechanisms that can prove suitable for facilitating due diligence and accountability (such as independent third-party audits and certifications of a provider’s services – see paragraph 4.2).
• To ensure legal certainty the contract should also set forth the following issues: [a list of issues that must be specified follows]
• Encryption of personal data should be used in all cases when “in transit” and when available to data “at rest”.

(source: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2012/wp196_en.pdf)

Additional analysis of the opinion can be found on the IAPP website: https://iapp.org/news/a/gdpr-killing-cloud-quickly/

Basically, cloud providers are considered processers. Because the relationship with a cloud provider is so much different than the classic concept of a third party organization doing some some work on behalf of you, this leads to many different problems. There is usually a big distance between the business of the processor and the cloud provider; the cloud provider may not even know what is being processed, how it is being processed and for whom. Nor do they need to know to carry out their work. But because even storage of data is considered processing, a contract must exist with the cloud provider stating all the requirements from article 28. That means

• taking security measures tailored to the customers data (article 32),
• right to audit (impracticle where data may be on instances that are shared with other companies or where data may change location on-the-fly),
• receiving written instructions on how to process the data, where usually the controller proceses the data itself on the cloud providers systems
• getting consent from every cloud user if services are sub-contracted, like hosting on AWS

Code of conduct

In January 2015 a Code of conduct for cloud providers (CSPs) was submitted for review to WP29. It was addressing several of the issues mentioned in the IAPP comment. I could not locate the original version; a later version from 2016 is available on http://ec.europa.eu/newsroom/dae/document.cfm?doc_id=11194

WP29 did not approve the code yet. In an opinion they stated points for improvement

Main issues:

Some issues were raised regarding the governance and enforcement and transition to compliance. Some parts of the code were not specific enough:

• handling of cases involving sensitive data,
• lack of information for the customer on where data is located,
• lack of anonymisation and pseudonimisation as a security measure,
• missing a clause that a processor shall communicate any legally binding request for disclosure of the personal data by a law enforcement authority to the controller unless otherwise prohibited , and in any case, transfers of personal data by a processor to any public authority cannot be massive, disproportionate and indiscriminate in a manner that it would go beyond what is necessary in a democratic society.
• The Code does not elaborate sufficiently on the liability regime applicable to the parties in case of breach of their data protection obligations. The Code must prevent the adoption of terms of services that are to the disadvantage of the clients by unduly limiting cloud providers’ obligations and liability and restricting clients’ rights.
• WP29 recommends expanding this section of the Code, with a specific care of the handling of data subjects’ complaints/requests (5.8) and the need for CSP to cooperate with customers to that effect.
• the Code would benefit from the addition of a clause that would clearly remind CSP that they should, depending on the context, either provide adequate information to the data subject or cooperate in good faith with their customer to enable him to properly inform data subjects.
• a reference to portability would contribute to the Code’s sustainability
• The right to audit was limiting the right as outlined by GDPR

Regarding security measures taken by the CSP:

• To this purpose, it is indeed fundamental that the CSP provides the customer with “a sufficient level of detail on the security measures implemented by the CSP”. This, though, should also be complemented by a sufficient level of information on the threats on and vulnerabilities of the CSP service and infrastructure and on the risk management decisions taken by the CSP. If it is not the case, the background for the customer to perform its own data protection risk management would not be adequate.
• The Code imposes also on the CSP a duty to perform a risk assessment “to ensure that the right of personal data protection is guaranteed to the data subject”. The CSP should consider establishing different levels of protection depending on the “processing and the nature of the data to be protected” and to advertise them publicly when offering their services.

So basically, the code does not yet sufficiently demand a risk management process based on the specific type of data a CSP processes.

But: WP29 is encouraged by the progress made by C-SIG in developing the Code and supports the group in their efforts to finalise the Code by taking into account comments made in this opinion and previous correspondence. WP29 recognises the value that such a Code can provide to the cloud computing industry and it does assist data controllers in assessing a CSP and a particular cloud computing product or service. However, in its current form there are still a number of significant gaps which should be addressed before the Code is finalised.

Source http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2015/wp232_en.pdf

2. Web cookies

Article 5.3: Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service

Source: Amendment (directive) 2009/136/EC

There is a new proposal to withdraw the complete e-privacy directive and replace it with a Regulation: http://ec.europa.eu/newsroom/dae/document.cfm?doc_id=41241

I had an extensive description here taken fro the two WP29 opinions, but unfortunately it got lost a crash of my system. The short version:

Consent has to be asked for setting a cookie unless it is stricly necessary to deliver the service explicitly requested by the user.

Article 5.3 allows cookies to be exempted from the requirement of informed consent, if they satisfy one of the following criteria:

• CRITERION A: the cookie is used “for the sole purpose of carrying out the transmission of a communication over an electronic communications network”.
• CRITERION B: the cookie is “strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service”

Two factors play an imprtant role in determining whether a cookie setisfies these criteria:

• Whether it is a session or a persistent cookie
• Whether it is a third party cookie. Third party here does not mean from a diffeent domain, but if it is from a different processor

Criterion A may be satified by a session cookie that is used for load balancing across multiple web servers, so that the user interacts with the same server in order to preserve statefulness. The type of cookie has to fit with the purpose of the cookie to fall under criterion A or B. Storing language preferences in s session cookie is OK under criterion B if it is a session cookie. Only if a user actively selects "remember me" is it acceptable to store it in a persistent cookie.Additionally, following the previous definitions, “third party” cookies are usually not “strictly necessary” to the user visiting a website since these cookies are usually related to a service that is distinct from the one that has been “explicitly requested” by the user.

Source: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf

Conditions for consent:

Specific information must be given about the purpose of the processing. It has to be consented to before setting the cookie. It must be an active choice. Assuming the user is OK with it by using the website is not OK. Choice must be freely given. It is thus recommended to refrain from the use of consent mechanisms that only provide an option for the user to consent, but do not offer any choice regarding all or some cookies. If certain cookies are therefore not needed in relation to the purpose of provision of the website service, but only provide for additional benefits of the website operator, the user should be given a real choice regarding those cookies. Websites should not make conditional “general access” to the site on acceptance of all cookies but can only limit certain content if the user does not consent to cookies (e.g.: for e-commerce websites, whose main purpose is to sell products, not accepting (non-functional) cookies should not prevent a user from buying products on this website).

Users should also be offered a real choice regarding tracking cookies. Such tracking cookies are generally used to follow individual behaviour across websites, create profiles based on that behaviour, infer interests, and take decisions affecting people individually. When tracking cookies are being used to single out people in this way, they are likely to be personal data. For the processing of the personal data that goes together with the reading and setting of tracking cookies the data controller needs to obtain the unambiguous consent of the user.

Source: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2013/wp208_en.pdf

3. Search engine marketing (SEM)

This seems to concern advertising networks and tracking cookies.

From a user’s point of view, major privacy and security concerns are as follows:

• Certain advertisements contain external applications, which can often affect users’ browser settings, or show pop-ups in non-affiliated pages. Such applications might also be spyware.
• Third-party cookies can seriously compromise the user’s privacy or anonymity. Such cookies can enable advertisers to trace the address of the browser.

In June 2010, a controversy arose around new additions to Google Analytics and the privacy issues that it touched upon. With these new additions, it became possible for website operations to use the search engine optimization suite to sift through Facebook profiles and Twitter posts. The software allowed individuals to conduct search engine marketing campaigns to find Facebook and Twitter profiles of individuals who have visited their websites, including a certain amount of personal information about these individuals.

Source: https://www.cippguide.org/2011/12/27/search-engine-marketing-privacy-concerns/

Opinion regarding data protection issues related to search engines:

two different roles are played by search engine providers with regard to personal data:

• First, in their role as service providers to the users, search engines collect and process vast amounts of user data, including data gathered by technical means, such as cookies. Data collected can range from the IP address of individual users to extensive histories of past searching behaviour or data provided by users themselves when signing up to use personalised services. The profitability of such search engines generally relies on the effectiveness of the advertising that accompanies the search results. They process IP addresses, log files containing searh queries, cookies.
• Second, in their role as content providers, search engines help to make publications on the internet easily accessible to a worldwide audience. By retrieving and grouping widespread information of various types about a single person, search engines can create a new picture, with a much higher risk to the data subject than if each item of data posted on the internet remained separate. [...] The Data Protection Directive does not contain a special reference to the processing of personal data by information society services that act as selection intermediaries. The principle of proportionality requires that to the extent that a search engine provider acts purely as an intermediary, it should not be considered to be the principal controller with regard to the content related processing of personal data that is taking place. In this case the principal controllers of personal data are the information providers. Website owners may opt out a priori of both the search engine and the caching by using the robots.txt file or the Noindex/NoArchive tag. Some search engines republish data in a so-called ‘cache’. Any caching period of personal data contained in indexed websites beyond this necessity of technical availability, should be considered an independent republication. The right to correct or delete information also applies to some specific cache data held by search engine providers,

But also more sophisticated technology exists and is increasingly being employed by search engine providers, such as facial recognition technology in the context of image processing and image search. Thus search engine providers may perform value-added operations linked to characteristics or types of personal data on the information they process.

The Working Party finds that the correlation of personal data across services and platforms for authenticated users can only be legitimately done based on consent, after the users have been adequately informed. Correlation can also be done for non-authenticated users, based on IP address or on a unique cookie that can be recognised by all the different services offered by a search engine provider. Usually this is done in an automatic way, without the user being aware of such a correlation. Covert surveillance of people's behaviour, certainly private behaviour such as visiting websites, is not in accordance with the principles of fair and legitimate processing of the Data Protection Directive. Search engine providers should be very clear about the extent of correlation of data across services and only proceed on the basis of consent.

Obligations on search engine providers:

• Search engines may only process personal data for legitimate purposes and the amount of data has to be relevant and not excessive in respect of the various purposes to be achieved.
• Search engine providers must delete or anonymise (in an irreversible and efficient way) personal data once they are no longer necessary for the purpose for which they were collected. The Working Party calls for the development of appropriate anonymisation schemes by search engine providers.
• Retention periods should be minimised and be proportionate to each purpose put forward by search engine providers. In view of the initial explanations given by search engine providers on the possible purposes for collecting personal data, the Working Party does not see a basis for a retention period beyond 6 months. However, national legislation may require earlier deletion of personal data. In case search engine providers retain personal data longer than 6 months, they must demonstrate comprehensively that it is strictly necessary for the service. In any case, the information about the data retention period chosen by search engine providers should be easily accessible from their homepage.
  
• While search engine providers inevitably collect some personal data about the users of their services, such as their IP address, resulting from standard HTTP traffic, it is not necessary to collect additional personal data from individual users in order to be able to perform the service of delivering search results and advertisements.
  
• If search engine providers use cookies, their lifetime should be no longer than demonstrably necessary. Similarly to web cookies, flash cookies should only be installed if transparent information is provided about the purpose for which they are installed and how to access, edit and delete this information.
  
• Search engine providers must give users clear and intelligible information about their identity and location and about the data they intend to collect, store or transmit, as well as the purpose for which they are collected2
  
• Enrichment of user profiles with data not provided by the users themselves is to be based on the consent of the users.
  
• If search engine providers provide means to retain the individual search history, they should make sure they have the consent of the user.
  
• Search engines should respect website editor opt-outs indicating that the website should not be crawled and indexed or included in the search engines’ caches.
  
• When search engine providers provide a cache, in which personal data are being made available for longer than the original publication, they must respect the right of data subjects to have excessive and inaccurate data removed from their cache.
• Search engine providers that specialise in the creation of value added operations, such as profiles of natural persons (so called ‘people search engines’) and facial recognition software on images must have a legitimate ground for processing, such as consent, and meet all other requirements of the Data Protection Directive, such as the obligation to guarantee the quality of data and fairness of processing.

Source: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2008/wp148_en.pdf

4. Social networking services

Personal data published on social network sites can be used by third parties for a wide variety of purposes, including commercial purposes, and may pose major risks such as identity theft, financial loss, loss of business or employment opportunities and physical harm. 

SNS providers are data controllers under the Data Protection Directive. They provide the means for the processing of user data and provide all the “basic” services related to user management (e.g. registration and deletion of accounts). SNS providers also determine the use that may be made of user data for advertising and marketing purposes - including advertising provided by third parties. 

Application providers: Application providers may also be data controllers, if they develop applications which run in addition to the ones from the SNS and users decide to use such an application. 

Users: In most cases, users are considered to be data subjects. The Directive does not impose the duties of a data controller on an individual who processes personal data "in the course of a purely personal or household activity" - the so-called "household exemption". 

In some instances, the activities of a user of an SNS may not be covered by the household exemption and the user might be considered to have taken on some of the responsibilities of a data controller:

• If an SNS user acts on behalf of a company or association, or uses the SNS mainly as a platform to advance commercial, political or charitable goals, the [household] exception does not apply.
• When access to profile information extends beyond self-selected contacts, such as when access to a profile is provided to all members within the SNS8 or the data is indexable by search engines, access goes beyond the personal or household sphere. Equally, if a user takes an informed decision to extend access beyond self-selected ‘friends’ data controller responsibilities come into force. It should be kept in mind that, even if the household exemption does not apply, the SNS user may benefit from other exemptions such as the exemption for journalistic purposes, artistic or literary expression. In those cases, a balance needs to be struck between freedom of expression and the right to privacy.
• The application of the household exemption is also constrained by the need to guarantee the rights of third parties, particularly with regard to sensitive data. In addition, it must be noted that even if the household exemption applies, a user might be liable according to general provisions of national civil or criminal laws in question (e.g. defamation, liability in tort for violation of personality, penal liability).

SNS should offer privacy-friendly default settings which allow users to freely and specifically consent to any access to their profile's content that is beyond their self-selected contacts in order to reduce the risk of unlawful processing by third parties. Restricted access profiles should not be discoverable by internal search engines, including the facility to search by parameters such as age or location. Decisions to extend access may not be implicit, for example with an "opt-out" provided by the controller of the SNS.

Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership or data concerning health or sex life is considered sensitive. Sensitive personal data may only be published on the Internet with the explicit consent from the data subject or if the data subject has made the data manifestly public himself. In some EU Member States, images of data subjects are considered a special category of personal data since they may be used to distinguish between racial/ethnic origins or may be used to deduce religious beliefs or health data. The Working Party in general does not consider images on the Internet to be sensitive data, unless the images are clearly used to reveal sensitive data about individuals.

The creation of pre-built profiles of non-members through the aggregation of data that is independently contributed by SNS users, including relationship data inferred from uploaded address books, lacks a legal basis.

SNS-mediated access: In addition to the core SNS service, most SNS offer users additional applications provided by third party developers which also process personal data. SNS should have the means to ensure that third party applications comply with the Data Protection and ePrivacy Directives.

User-mediated third party access: When offering an API that enables access to contacts' data, SNS should provide for a level of granularity that lets the user choose an access level for the third party that is only just sufficient to perform a certain task.. When accessing personal data via third party’s API on behalf of a user, third party services should: 

• process and store data no longer than necessary to perform a specific task; 
• perform no operations on imported user contacts' data other than personal usage by the contributing user.

Some SNS allow their users to send invitations to third parties. The prohibition on the use of electronic mail for the purposes of direct marketing does not apply to personal communications (certain restrictions apply).

When a user does not use the service for a defined period of time, the profile should be set to inactive, i.e. no longer visible to other users or the outside world, and after another period of time the data in the abandoned account should be deleted. SNS should notify users before taking these steps with whatever means they have at their disposal.

[...] it can be observed that SNS may need to register some identifying data about members but does not need to publish the real name of members on the Internet. Therefore, SNS should consider carefully if they can justify forcing their users to act under their real identity rather than under a pseudonym. There are strong arguments in favor of giving users choice in this respect and in at least one Member State, this is a legal requirement. The arguments are particularly strong in the case of SNS with wide membership. Users should, in general, be allowed to adopt a pseudonym.

Source: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2009/wp163_en.pdf