Protection of personal data under GDPR
The General Data Protection Regulation (GDPR), which came into effect on May 25, 2018, is the EU's comprehensive data protection framework, designed to safeguard the personal data and privacy rights of individuals within the European Union.
Key Principles of GDPR:
Lawfulness, fairness, and transparency
Data must be processed lawfully, fairly, and transparently to the data subject.
Purpose limitation
Personal data can only be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
Data minimization
Data collected should be adequate, relevant, and limited to what is necessary.
Accuracy
Data must be accurate and kept up to date.
Storage limitation
Data should be retained no longer than necessary for the purpose for which it was collected.
Integrity and confidentiality
Data must be processed securely, protecting against unauthorized or unlawful processing, accidental loss, destruction, or damage.
Accountability
Data controllers must be responsible and able to demonstrate compliance with these principles.
Rights under GDPR:
Right to access personal data
Right to rectification
Right to erasure (“right to be forgotten”)
Right to restrict processing
Right to data portability
Right to object
Rights related to automated decision-making and profiling
Enforcement:
Supervisory authorities (such as the ICO in the UK, CNIL in France, or the DPA in Germany) have powers to investigate breaches, issue fines, and enforce corrective actions. Fines can be very substantial, up to 20 million euros or 4% of global annual turnover, whichever is higher.
Detailed Explanation of Important GDPR Cases
Here are six important GDPR cases, illustrating how courts and regulators interpret and enforce the GDPR:
1. Google Spain SL, Google Inc. v Agencia Española de Protección de Datos (AEPD), Mario Costeja González (C-131/12) – The "Right to be Forgotten"
Background:
This landmark case was decided by the Court of Justice of the European Union (CJEU) in 2014, before the GDPR but pivotal to its principles. Mario Costeja González asked Google to remove links to an old newspaper article about his debt, arguing that it was outdated and irrelevant.
Ruling:
The CJEU held that search engines are data controllers and can be required to remove links to personal data if it is "inadequate, irrelevant or no longer relevant." This established the "Right to be Forgotten," which was later codified in Article 17 of the GDPR.
Significance:
It set a precedent that personal data held online can be erased under certain conditions.
Balanced privacy rights against freedom of expression and information.
2. Facebook Ireland Ltd v. Data Protection Commissioner (DPC) (Schrems II, C-311/18)
Background:
Max Schrems challenged Facebook’s transfer of personal data from the EU to the US, arguing that US surveillance laws did not provide adequate protection.
Ruling:
The CJEU invalidated the EU-US Privacy Shield framework, which was the main legal basis for transatlantic data transfers. The court held that US laws allow government agencies excessive access to EU personal data, violating GDPR principles.
Significance:
Emphasized strict conditions for international data transfers.
Led to increased scrutiny of data transfer mechanisms like Standard Contractual Clauses (SCCs).
Data exporters must assess the legal environment in recipient countries.
3. Google LLC v. CNIL (C-507/17) – Right to be Forgotten: Territorial Scope
Background:
Google challenged the French Data Protection Authority’s (CNIL) order to remove links globally, not just within EU country domains.
Ruling:
The CJEU ruled that the right to be forgotten requires search engines to remove links on EU country domain extensions (like google.fr) but not globally (e.g., google.com). Global delisting could interfere with freedom of expression in other jurisdictions.
Significance:
Clarified territorial limits of GDPR enforcement.
Imposed a balance between privacy and freedom of expression in different countries.
4. British Airways (BA) ICO Fine – 2020
Background:
British Airways suffered a data breach affecting 500,000 customers, in which attackers accessed personal data because of inadequate security measures.
Enforcement:
The UK's Information Commissioner's Office (ICO) fined British Airways £20 million (reduced from an initially proposed £183 million due to the impact of COVID-19).
Significance:
Highlighted the importance of robust cybersecurity under GDPR.
Demonstrated high financial penalties for failing to protect personal data.
Showed the importance of breach notification and transparency.
5. H&M Data Breach Case (Hamburg Data Protection Authority, 2020)
Background:
H&M was fined €35 million for unlawfully monitoring several hundred employees, collecting excessive data on their private lives (including family issues, religious beliefs, and similar matters).
Violation:
The company breached the GDPR principles of data minimization and transparency and lacked a lawful basis for the processing.
Significance:
Reinforced that employee data is subject to GDPR protection.
Illustrated limits on employers' monitoring of workers.
Showed heavy penalties for misuse of sensitive personal data.
6. Planet49 GmbH (C-673/17) – Cookie Consent under GDPR
Background:
The German Federal Court referred the case to the CJEU, asking whether consent obtained through pre-checked boxes for cookies is valid.
Ruling:
The CJEU held that consent must be freely given, specific, informed, and unambiguous; consent obtained through pre-ticked boxes is invalid.
Significance:
Strengthened consent requirements under GDPR.
Led to widespread changes in cookie consent banners and privacy notices.
Summary
These cases show how GDPR principles operate in practice:
The Right to be Forgotten and data erasure can compel removal of personal data online.
International data transfers must comply with strict standards, balancing privacy with practical business needs.
Enforcement actions (e.g., BA, H&M) highlight the severe penalties for breaches or misuse of data.
Employee data and consent mechanisms receive strong protection under GDPR.