
DATA PROTECTION LAW IN CHARTS
A VISUAL GUIDE TO THE GENERAL DATA PROTECTION REGULATION

FEDERICO MARENGO
CONTENTS

1.- Context of European data protection law


1.1.- Outline of the unit

1.2.- The right to data protection. International legal framework

1.3.- The right to data protection. Data protection in the EU

1.4.- Similarities and differences between the right to personal data protection and the right to
respect for private life

1.5.- Limitations on the right to data protection: General conditions for lawful limitations of
rights under Art 52 CFR

1.6.- Limitations on the right to data protection: Conditions for justified interference of the
right to privacy and family life under Art. 8 ECHR

1.7.- Interaction with other rights: freedom of expression

1.8.- Interaction with other rights: intellectual property, general economic interests and
professional secrecy

2.- General aspects of data protection law


2.1.- Outline of the unit

2.2.- GDPR subject matter and objectives

2.3.- GDPR material scope of application: general rule

2.4.- GDPR material scope of application: exceptions

2.5.- GDPR territorial scope of application: establishment criterion

2.6.- GDPR territorial scope of application: targeting criterion

2.7.- GDPR personal scope of application: controllers, processors, recipients and third
parties

3.- Data protection concepts


3.3.- Personal data

3.4.- Personal data (cont.)

3.5.- Processing

6.10.- Restriction of processing

3.6.- Profiling

3.7.- Pseudonymisation

3.5.- Filing system

3.8.- Users of personal data: controller

3.9.- Users of personal data: controller (cont.)

3.10.- Users of personal data: joint controller

3.11.- Users of personal data: processor

3.12.- Users of personal data: recipient and third party

5.3.- Consent

3.13.- Personal data breach

3.14.- Special types of data: genetic data

3.15.- Special types of data: biometric data

3.16.- Special types of data: data concerning health

3.17.- Main establishment

7.4.- Representative

3.18.- Enterprise and group of undertakings

3.19.- Binding corporate rules

3.20.- Supervisory authority and supervisory authority concerned

3.21.- Cross-border processing

3.22.- Relevant and reasoned decision

4.- Data protection principles


4.1.- Outline of the unit

4.2.- Introduction to data protection principles

4.3.- Lawful and fair processing

4.4.- Transparent processing

4.5.- Purpose limitation

4.6.- Data minimisation

4.7.- Data accuracy

4.8.- Storage limitation

4.9.- Data security

4.10.- Accountability principle

4.11.- Mapping data flows and protection targets

5.- Rules of data protection law


5.1.- Outline of the unit

5.2.- Lawfulness of processing

5.3.- Consent

5.4.- Consent (cont.)

5.5.- Child’s consent

5.6.- Contractual necessity

5.7.- Contractual necessity (cont.)

5.8.- Legal duties of the controller

5.9.- Vital interests of the data subject

5.10.- Public interest and exercise of official authority

5.11.- Legitimate interests of the controller

5.12.- Legitimate interests of the controller (cont.)

5.13.- Legitimate interests of the controller. Balancing of interests

5.14.- Processing special categories of data

5.15.- Processing special categories of data. Exceptions

5.16.- Processing personal data relating to criminal convictions and offences

5.17.- Processing which does not require identification

6.- Rights of the data subject


6.1.- Outline of the unit

6.2.- General transparency obligations of controllers

6.3.- Right to be informed

6.4.- Right to be informed (cont.)

6.5.- Right of access to personal data

6.6.- Right of access to personal data (cont.)

6.7.- Right to rectification

6.8.- Right to erasure (right to be forgotten)

6.9.- Right to erasure (right to be forgotten) (cont.)

6.10.- Right to restriction of processing

6.11.- Right to data portability

6.12.- Right to object to processing

6.13.- Right to object to processing (cont.)

6.14.- Right not to be subject to a decision based solely on automated processing,
including profiling

6.15.- Right not to be subject to a decision based solely on automated processing,
including profiling (cont.)

6.16.- Summary of data subject’s rights

6.17.- Restrictions in the exercise of data subject’s rights

7.- Controller and processor's duties and obligations


7.1.- Outline of the unit

7.2.- Accountability

7.3.- General obligations of controllers

7.4.- General obligations of controllers: representatives

7.5.- General obligations of controllers: representatives (cont.)

7.6.- Processors

7.7.- Processors (cont.)

7.8.- Recipients and third parties

7.9.- Data protection by design and default

7.10.- Records of processing activities

7.11.- Security of processing

7.12.- Personal data breach

7.13.- Personal data breach: notification to the DPA

7.14.- Personal data breach: communication to data subjects

7.15.- Data protection impact assessment

7.16.- Data protection impact assessment (cont.)

7.17.- Data protection impact assessment. Prior consultation with the DPA

7.18.- Data protection officer

7.19.- Data protection officer (cont.)

7.20.- Data protection officer: tasks of the DPO

7.21.- Codes of conduct

7.22.- Monitoring codes of conduct

7.23.- Certification mechanism

7.24.- Certification bodies

8.- International data transfers and flows of personal data


8.1.- Outline of the unit

8.2.- Nature of personal data transfers. Free movement of personal data between member
states

8.3.- Personal data transfers to third countries or to international organisations

8.4.- Transfers on the basis of an adequacy decision

8.5.- Transfers on the basis of an adequacy decision (cont.)

8.6.- Safe Harbour and Schrems I

8.7.- Passenger Name Records agreement and CJEU Opinion 1/2015

8.8.- Transfers subject to appropriate safeguards

8.9.- Transfers subject to appropriate safeguards (cont.)

8.10.- Transfers subject to contractual clauses

8.11.- Contractual clauses and Schrems II

8.12.- Contractual clauses and Schrems II (cont.)

8.13.- Schrems II implications

8.14.- Transfers subject to binding corporate rules

8.15.- Transfers based on international agreements

8.16.- Transfers or disclosures not authorised by EU law

8.17.- Derogations for specific situations. Explicit consent, contract, public interest

8.18.- Derogations for specific situations. Legal claims, vital interests, public registers

8.19.- Derogations for specific situations. Compelling legitimate interests

8.20.- International cooperation for the protection of personal data

9.- Supervisory authority

9.1.- Outline of the unit

9.2.- Establishment of supervisory authorities

9.3.- Independence of data protection authorities

9.4.- Independence of data protection authorities (cont.)

9.5.- Competence of data protection authorities

9.6.- Competence (one-stop-shop mechanism)

9.7.- Competence (one-stop-shop mechanism) (cont.)

9.8.- Tasks of data protection authorities

9.9.- Powers of data protection authorities

9.10.- Powers of data protection authorities (cont.)

9.11.- Cooperation between the lead DPA and the other DPAs concerned

9.12.- Cooperation between the lead DPA and the other DPAs concerned (cont.)

9.13.- Mutual assistance between data protection authorities

9.14.- Joint operations of data protection authorities

9.15.- Consistency mechanism

9.16.- Consistency mechanism (cont.)

9.17.- The European Data Protection Board

10.- Remedies, liabilities and penalties


10.1.- Outline of the unit

10.2.- Right to lodge a complaint with a supervisory authority

10.3.- Right to an effective judicial remedy against a supervisory authority

10.4.- Right to an effective judicial remedy against a controller or processor

10.5.- Data subjects' procedural options

10.6.- Representation of data subjects

10.7.- Suspension of proceedings

10.8.- Right to compensation and liability

10.9.- General conditions for imposing administrative fines. Competence

10.10.- General conditions for imposing administrative fines. Conditions

10.11.- General conditions for imposing administrative fines. Punishable actions and
maximum limits

11.- Specific processing situations

11.1.- Outline of the unit

11.2.- Processing and freedom of expression and information

11.3.- Processing and public access to official documents

11.4.- Processing of the national identification number

11.5.- Processing in the context of employment

11.6.- Processing in the context of employment (cont.)

11.7.- Processing for archiving purposes in the public interest, scientific or historical
research or statistical purposes

11.8.- Processing for archiving purposes in the public interest, scientific or historical
research or statistical purposes (cont.)

11.9.- Obligation of secrecy

11.10.- Existing data protection rules of churches and religious associations

Federico Marengo All rights reserved

1.- The right to data protection


1.2.- The right to data protection. International legal framework
Summary: The protection of personal data and of private life is ensured by several international instruments

The right to data protection

International legal framework

Right to private life

Universal Declaration of Human Rights (1948)

- It establishes that no one may be subjected to arbitrary interference with their privacy
(art. 12)
- The UN General Assembly has since adopted two Resolutions on the right to privacy in the
digital age (A/RES/68/167 and A/C.3/69/L.26/Rev.1) in 2013 and 2014

European Convention on Human Rights (1950)

- Art. 8 ECHR provides for everyone's right to respect for their
- private and family life
- home and correspondence
- The right to data protection forms part of the rights protected under art. 8: ECtHR,
Rotaru v. Romania (2000)
- Contracting States have an obligation to refrain from taking actions that might violate
the right to private life, but they must also take steps to actively secure respect for
it (ECtHR, I v. Finland (2008) and K.U. v. Finland (2008))

Art. 7 CFR
Everyone has the right to respect for his or her private and family life, home and
communications.

Right to personal data protection

Convention for the Protection of Individuals with regard to Automatic Processing
of Personal Data (Convention 108)

- Adopted in 1981 by the Council of Europe
- The only legally binding international agreement on data protection
- The ECtHR has drawn on the principles enshrined in this instrument when
determining whether or not there has been an interference with the right to private life:
Z. v. Finland (1997)
- It aims to set a global standard for data protection and is open for accession by
States that are not members of the Council of Europe
- It was modernised in 2018 to update its provisions to the digital environment
and to align it with the provisions of the GDPR in the EU

Data protection in the EU


- Primary legislation
- Art. 16 TFEU, art. 39 TEU and art. 8 CFR
- Secondary legislation
- General Data Protection Regulation (Regulation 2016/679)
- Law Enforcement Directive (LED) (Directive 2016/680)
- ePrivacy Directive (Directive 2002/58/EC)
- EU Institutions Data Protection Regulation (Regulation 2018/1725)


3.- Data protection concepts


3.3.- Personal data
Summary: This chart explains the concept of personal data in the GDPR

Personal data (art. 4(1) GDPR)

Personal data
Any information relating to an identified or identifiable natural person (art. 4(1) GDPR)

Mixed datasets
- In the case of a data set composed of both personal and non-personal data, Regulation 2018/1807 applies to
the non-personal data part of the data set. Where personal and non-personal data in a data set are inextricably
linked, the GDPR must also be applied (art. 2(2) Reg. 2018/1807 on the free flow of non-personal data)

Definition of personal data

Elements of the definition
- (1) Any information
- (2) Relating to
- (3) An identified or identifiable
- (4) Natural person

1) Any information
- Broad concept of information. It encompasses all kinds of data insofar as they are related to the DS:
Nowak (2017)
- Personal data covers information regarding the private life of an individual, their professional
activities and their public life. It is irrelevant that the data concerns activities of a professional
nature: Schecke (2010)
- It may cover an identifier such as a name, an ID number, location data, an online identifier, or one or
more factors specific to the physical, physiological, genetic, mental, economic, cultural or social
identity of that natural person (art. 4(1) GDPR)


9.- Supervisory authority


9.11.- Cooperation between the lead DPA and the other DPAs concerned
Summary: This chart outlines the decision-making procedure in the context of the one-stop-shop mechanism

Cooperation between the lead DPA and the other DPAs concerned (art. 60 GDPR)

One-stop-shop mechanism
Enforcement procedure to ensure uniform monitoring of controllers and processors that perform intra-EU
cross-border processing of personal data

Procedure to adopt decisions with the one-stop-shop mechanism

Initial phase
Having identified the lead DPA (art. 56 GDPR), the lead DPA:
- must cooperate and exchange information with the other DPAs concerned in an endeavour to reach
consensus (art. 60(1) GDPR)
- may request at any time other DPAs concerned to provide mutual assistance and may conduct joint
operations, in particular for carrying out investigations or for monitoring the implementation of a
measure concerning a controller or processor established in another MS (art. 60(2) GDPR)
- must communicate the relevant information to the other DPAs concerned (art. 60(3) GDPR)
- must submit a draft decision to the other DPAs concerned for their opinion and take due account of
their views (art. 60(3) GDPR)

DPA concerned expressing objections
Where any DPA concerned expresses a relevant and reasoned objection to the draft decision
(art. 60(4) GDPR), the lead DPA either:
- rejects the objection: it must submit the matter to the consistency mechanism (art. 60(4) GDPR), or
- follows the objection: it must submit to the other DPAs concerned a revised draft decision for their
opinion (art. 60(5) GDPR)

Relevant and reasoned objection (art. 4(24) GDPR)
Disagreement with a draft decision as to whether:
- there is an infringement of the GDPR, or
- the envisaged action in relation to the controller or processor complies with the GDPR
It must clearly demonstrate the significance of the risks posed by the draft decision as regards the
fundamental rights and freedoms of DS and, where applicable, the free flow of personal data within the EU

Agreement with the draft decision
Where none of the other DPAs concerned has objected to the draft decision submitted by the lead DPA
within the relevant period, they are deemed to be in agreement with it and are bound by it (art. 60(6) GDPR)


9.- Supervisory authority


9.17.- European Data Protection Board (EDPB)
Summary: The EDPB is an independent body in charge of promoting an effective and consistent application of the GDPR

European Data Protection Board (arts. 68-76 GDPR)

EU body with legal personality (art. 68 GDPR) that promotes an effective and consistent
application of the GDPR

Successor of the Article 29 Working Party established under Directive 95/46/EC

Composition
- The head of one DPA of each MS and the European Data Protection Supervisor (EDPS) form
part of the EDPB (art. 68(3) GDPR)

Voting
- Members have equal voting rights, except the EDPS in cases of dispute resolution, where it
may vote only on decisions concerning principles and rules applicable to EU institutions
which correspond in substance to those of the GDPR (art. 68(6) GDPR)

Tasks (art. 70 GDPR)

Consistency
- The EDPB's main responsibility is to ensure that the GDPR is consistently applied in the EU
- The EDPB issues legally binding decisions where:
- a DPA has raised a relevant and reasoned objection in a one-stop-shop case,
- there are conflicting views on which of the DPAs is the lead DPA,
- the competent DPA does not request or does not follow the EDPB's opinion (art. 65 GDPR)

Consultation
The EDPB is also in charge of:
- advising the Commission on any issue related to the protection of personal data in the EU,
such as GDPR amendments and revisions to EU legislation

Guidance
The EDPB also:
- issues guidelines, recommendations and best practices to encourage the consistent
application of the GDPR,
- promotes cooperation and knowledge exchange between DPAs,
- encourages associations of controllers or processors to draw up codes of conduct and to
establish certification mechanisms and seals


11.- Specific processing situations


11.10.- Existing data protection rules of churches and religious associations
Summary: Existing data protection rules of churches and religious associations may continue to apply where they are brought in line with
the provisions of the GDPR

Existing data protection rules of churches and religious associations (art. 91 GDPR)

The GDPR respects the status of churches and religious associations under MS law, as recognised in
Article 17 TFEU (rec. 165 GDPR)

Objective
It attempts to strike a balance between the freedom of religion and respect for the autonomy of
religious communities on the one hand, and the protection of personal data on the other (rec. 4 GDPR)

Striking a balance. Strict interpretation of derogations
The CJEU did not consider the following as processing carried out in the course of a purely personal or
household activity:
- Setting up a webpage to provide information to parishioners, which included their personal data:
Lindqvist (2003)
- Collecting personal data in the context of door-to-door preaching: Jehovah's Witnesses (2018)

Special category of personal data
- Processing of personal data revealing religious or philosophical beliefs constitutes a special category
of personal data (art. 9(1) GDPR)
- Includes data concerning membership of a religious community
- Protected by art. 10 CFR and art. 9 ECHR
- Under art. 9(2)(d) GDPR, these sensitive data may be processed where:
- the processing is carried out by a foundation, association or any other not-for-profit body with a
political, philosophical, religious or trade union aim
- it is carried out in the course of the body's legitimate activities
- it is subject to appropriate safeguards
- the processing relates solely to the members (or former members) of the body or to persons who have
regular contact with it in connection with its purposes
- the personal data are not disclosed outside that body without the consent of the DS

Limited derogation from the general regime of the GDPR
The derogation applies only where all of the following are met:
- It concerns churches and religious associations or communities
- They applied special and comprehensive data protection rules prior to the entry into force of the GDPR
- The pre-existing data protection rules are brought in line with the provisions of the GDPR

- In these cases religious organisations can continue to apply their special data protection rules in
certain and limited circumstances (art. 91(1) GDPR)
- They remain subject to the supervision of an independent supervisory authority, which may be a specific
one, provided it fulfils the conditions laid down in Chapter VI GDPR (art. 91(2) GDPR)
