European Data Protection: Understanding the GDPR and Modernised Convention 108 (lecture notes in Private Law)

An in-depth analysis of the European Union's data protection laws, focusing on the General Data Protection Regulation (GDPR) and the Modernised Convention 108. It covers topics such as personal data processing, sensitive data, consent, data subject rights, and data portability. The document also explains the concepts of anonymisation and pseudonymisation, and the importance of transparency in data processing.

Type: Lecture notes (Sbobinature)

2022/2023

Uploaded on 18/03/2024

Uploaded by: lia-cimino-1
DATA MANAGEMENT AND LEGAL ISSUES

Introduction to Private Law

Chapter 1

Law exists because a society does: ubi societas, ibi (et) ius, which means that any society is grounded on law. We can refer to the philosophy of the natural-law theorist (giusnaturalist) Thomas Hobbes, who was convinced of the sharp gap between the “state of nature” and the state after the negotiation of the social contract.

Law has two different functions: the negative function of law is that law aims at impeding the disruption of society; the positive function is that law enhances the unity of society.

Max Weber said that the historical development of law is based on two processes: the generalization and the systematization of legal concepts.

Patrick Glenn said that any legal tradition is founded upon a substrate of a religious nature. Both law and religion are techniques of societal control. In the West, the Enlightenment of the late eighteenth century marked a pervasive secularization of society and the increasing replacement of religion with the state’s legislature and judicature. This process commenced a large movement of juridification of Western societies, purported to prevent class struggle and to avoid political conflicts. Michel Foucault considered the juridification of society as the action of enforcing the social stereotype, even if law obviously has to compete with a pluralistic system of private ordering.

Chapter 2

The Western legal tradition is firmly based on the legacy of Roman law, transmitted over centuries through the Justinian compilation. The foundation of the Western legal tradition may be traced back to the renaissance of Roman law, which took place between the end of the eleventh and the beginning of the twelfth century. In the same period, the Catholic Church was reformed and organized as a political institution, thus starting to develop a law of its own: ‘Canon law’. The combination of Roman law collected in the Justinian compilation and the apparatus of its ‘scientific’ interpretations by scholars became the general law (ius commune) applicable. In the 1700s the universalism of the ius commune was increasingly challenged by the overwhelming complexity of the interplay between the sources of Roman law and the many strands of local law. In England, by contrast, it was the functioning of a royal and centralized jurisdiction that in the late twelfth century eventually created a

‘common law’ of the kingdom, which was later on flanked by ‘equity’ administered by the Chancery. The pureness of Roman law is the first step towards the secularization of law and of society overall. In the earlier stages, Roman law was confined to a number of fixed procedures and imbued with an extreme formalism. In the late Republic, jurists became a cadre of experts learned in law, whose legal decisions were at first rendered mainly on the basis of intuition and experience acquired through the administration of justice. The collections of these legal decisions constituted a specialized literature, which eventually amounted to the foundations of jurisprudentia. What characterizes Roman law is its highly specialized and autonomous field of rational knowledge (shared education, culture, mentality). Roman classical law flourished between the end of the first century and the beginning of the third century. Our knowledge of Roman classical law is partial and inaccurate because of the loss of thousands of books that did not survive the dark centuries. What remained of Roman law and was transmitted to us is contained exclusively in a compilation assembled in Constantinople during the sixth century (under the emperor Justinian I), therefore known as the Justinian compilation. Justinian mandated a commission to draw up a collection of snippets from the constitutions (Codex). In 533 AD a book was edited that was called the Digest. It consists of a huge collection of excerpts from about two thousand writings of the most important Roman jurists of the classical age. But the Justinian compilation was not always genuine, because several texts underwent a process of alteration during the post-classical period. The Digesta contained texts that afterwards appeared too difficult and far removed from contemporary problems.
The foundation of the Western legal tradition may be traced back to the renaissance of Roman law, which took place between the end of the eleventh century and the beginning of the twelfth century. A jurist called Irnerius discovered in Bologna a copy of the Digestum and began to comment on it. These comments formed a critical apparatus called glossae. In 1808 the first university of the Western world was established: the Alma Mater Studiorum, the University of Bologna. The apparatus of comments enshrined in the glossae grew over time into a work of its own. The opinions rendered by the scholars of law (communis opinio doctorum) became as authoritative as the Justinian compilation itself. During the 1300s and 1400s, the combination of Roman law collected in the Justinian compilation and the apparatus of its doctrinal interpretation became the general law (ius commune). The Holy Roman Empire (900) formally and officially adopted the ius

great representatives of natural law around the seventeenth century. Roman law started a process of modernization. This new jurisprudence claimed the abandonment of all rules of the medieval ius commune that had in the meantime become obsolete. The eighteenth century advocated for a codification of national laws. Its peak was the Code Napoleon, with the French Revolution of 1789.

Chapter 3

Until the nineteenth century, European law developed based on scholarly and judicial re-interpretation of a corpus of writings by Roman lawyers. A proper common law (ius commune) of Europe was established and flourished for centuries. The Holy Roman Empire and the Roman Church were not definable as states in a modern sense, first of all because they claimed to be universal institutions. This institutional paradigm fell to pieces after the Peace of Westphalia, in 1648, put an end to the wars of religion which had been inflaming Europe for thirty years. Jean Bodin thought that law was no longer hinged on the rationality of legal reasoning but on the state’s political will. Truth, pure and rational, was no longer paramount for the law, replaced instead by the sovereign’s will. Because of this, wars became just a negotiation between nation states. The Westphalian paradigm was characterized by a strict separation between domestic law and international law. Domestic law has the purpose of binding the citizens by enacting legal rules. Law became a product of nation states, an autonomous system with its own sources. International law produced a self-limitation of the state’s sovereignty towards other states. In other words, sometimes domestic law has to change because of the principles perpetuated by international law. Comparative law grew up because of the existence of a plurality of legal systems. It is very different from foreign law: it is the result of an intellectual and cultural operation of comparison between one national legal system and another.
The historical forerunners of comparative law go back to the Greek literature of political philosophy. From a scholarly perspective, a decisive role was played by the Italian lawyer Emerico Amari (founder of comparative law in a modern sense). Comparative law proceeds with a measurement of the similarities and differences between the laws considered. The benefits of this operation are: an aid to the legislator; a tool for the construction of national or international law; a subject to be taught and studied at universities; an incentive and a guide to making existing laws uniform. Such comparison can take place only with a common denominator between the legal systems under consideration, which constitutes the criterion of their comparison (tertium comparationis). Generally this process is characterized by an anti-dogmatic, or even anti-conceptual, approach. Methods:

  • functionalist approach: the tertium comparationis should be determined by the function through which practical problems are resolved, independently of the conceptual or dogmatic structure of such solutions.
  • historical-comparatist approach: summarized in the formula of Gino Gorla, “comparison involves history”.
  • dissociation of legal formants: this method illuminates the fate of legal transplants, which occur when, for a wide range of possible reasons, a piece of legislation of one country is implemented more or less uncritically in another.

These methods have a micro-comparison focus, namely a comparison between legal systems based on the operational solutions that they give to the individual practical problems that must be addressed and resolved by the law. There are also macro-comparison methods, which compare national laws on the basis of their different constitutional and institutional features. The existence of a plurality of autonomous jurisdictions itself brings with it the possibility of conflicts of laws. A choice of law must then be made. Each jurisdiction must provide rules purported and designed to carry out this function, i.e. to make a choice between conflicting national laws (conflict rules). These are secondary rules, because they sort out which of the several legal systems involved is competent to rule on the case. It is also possible that different elements of the same case are connected to different national laws, thus bringing these laws into co-existence. All rules of this sort are contained in a branch of the law which is traditionally called private international law. It is international in its content but not in its sources. Private international law can only be applied to cross-border conflicts. Because it is based on national private laws, there is an evident tendency to make private international law uniform through treaties between nations. Uniform law comes into existence when many states intend to have identical rules in their own legal systems and each of them enacts the same legislative provisions. This is a way of international standardization. The instruments of uniform law are either international conventions, which oblige the states applying them to change their own legal systems accordingly, or model laws.

Two of the most important international agencies are UNIDROIT and UNCITRAL. One of the most successful instances of

southern regions of France. It also pleaded for the adoption of a codification of private law, which had already been advocated by natural lawyers. Napoleon drafted the code in 1804 with a commission of four members. They wrote 4 codifications in 4 days. The code became the prototype for other civil codifications. The basic ideas of the Code were: make the law accessible to all citizens; break the particularism which had characterized the feudal regimes; uphold the principle of equal treatment; apply the law irrespective of the social class or group to which a citizen happened to belong. New values: freedom of contract and protection of private ownership. The Code is noted for its clarity and rationality, as well as for the elegance of its language. The occasion of the Code’s bicentenary, in 2004, marked the completion of a vast program of reforms of its main sections. In 1896 the German parliament enacted the code (the BGB). The code entered into force on 1 January 1900. It was really similar to Roman law. Savigny believed that the ‘popular mentality’ of the German people was enshrined in the Justinian compilation (classical Roman law). This carved out the concept of a contemporary Roman law. The conceptualism and formalism of Roman law reached their peak with the German ‘Pandectistic school’. It elaborated the theoretical basis of juridical studies that is still prevalent in civil law systems and that can be described as dogmatic. Friedrich Carl von Savigny was the founder of the Historical School of Jurisprudence. The purpose of Savigny was to present the law and its study as a proper science, comparable to the sciences of nature. The organicist conception of the law suggested a systematic classification of the contents of Roman law through their conceptual formalization in juridical institutions. Each juridical institution represents the synthesis of all the legal contents necessary to carry out a specific regulatory function.
A recognized characteristic of the BGB lies in its development of a huge system of abstract concepts, which does not mirror legal practice but rather reflects the conceptual structure built up by scholars and law professors. Jhering posed the question of how legal responses to tangible goods were to be construed. During 200, large parts of the BGB were completely revised: the modernization of the law of obligations. The Italian civil code was enacted in 1866. In 1923 Vittorio Scialoja was entrusted by the government to chair a commission for the reform of the Civil Code. The task was then continued by Filippo Vassalli. The code is the expression of the liberal culture of its drafters (a mix of the French code and the German code).

European Data Protection

Chapter 1

From 1995 until May 2018, the principal EU legal instrument on data protection was Directive 95/46/EC of the European Parliament and the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. The Data Protection Directive reflected the data protection principles already contained in national laws and in Convention 108, while often expanding them. The Data Protection Directive established a detailed data protection system in the EU. Directives do not apply directly and must be transposed into the national laws of the Member States; their purpose is to harmonize national laws. However, the result was the establishment of diverse data protection rules across the EU. The reform led to the adoption of the General Data Protection Regulation in April 2016, which modernized the legislation. It preserves and develops the principles and rights of the data subject provided for in the Data Protection Directive. In addition, it introduced new obligations requiring organizations to implement data protection by design. The scope of application was limited to the internal market and to activities of public authorities other than law enforcement. It was also important to achieve the necessary clarity and balance between data protection and other legitimate interests. This is the case for the rules governing the processing of personal data by law enforcement authorities. The first instrument to regulate this matter was Council Framework Decision 2008/977/JHA on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters (when data are exchanged just between Member States). Where a competent authority processes personal data for the purposes of the prevention, investigation, detection or prosecution of criminal offences, Directive 2016/680 applies. Other purposes fall under the General Data Protection Regulation.
The directive seeks to achieve a balance between the rights of individuals and the legitimate objectives of security-related processing. Example: decisions based solely on automated processing must be prohibited. The directive also contains rules to ensure the accountability of controllers. They must designate a data protection officer to monitor compliance with the data protection rules. The processing of data carried out by police officers is subject to the supervision of an independent supervisory authority. Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in electronic communications sets out the rules on the security of personal data in the sector of electronic communications. Confidentiality of communications is linked to the protection of the right to respect for private life enshrined in Article 7 of the Charter and to the right to personal data protection (Article 8).

Limitations on the right to personal data protection must be provided for by law. Limitations must be based on a legal basis, and it has to define the scope and manner of the exercise of the power by the competent authorities, to protect individuals against arbitrary interference. Any limitation on the fundamental rights protected under the Charter must respect the essence of those rights. If this is not respected, the limitation is unlawful. Article 52 of the Charter provides that, subject to the principle of proportionality, limitations on the exercise of the fundamental rights and freedoms recognised by the Charter may be made only if they are necessary. A limitation may be necessary if there is a need to adopt measures for the public interest objective pursued, and the measures adopted must be less intrusive compared to other options for achieving the same goal: the necessity test. Proportionality means that the advantages resulting from the limitation should outweigh the disadvantages the latter causes to the exercise of the fundamental rights at stake. Concerning the need to protect the rights and freedoms of others, the right to the protection of personal data often interacts with other fundamental rights. The CJEU and the ECtHR often refer to each other’s judgments, as part of the constant dialogue between the two courts to seek a harmonious interpretation of data protection rules. The right to personal data protection is not an absolute right; where data protection interacts with other rights, both the ECtHR and the CJEU have repeatedly stated that a balancing exercise with other rights is necessary. Because of this, states sometimes adopt legislation to reconcile the right to personal data protection with other rights. For this reason, the General Data Protection Regulation provides a number of areas of national derogation.
The GDPR requires Member States to reconcile by law “the right to the protection of personal data pursuant to this Regulation with the right to freedom of expression and information” (processing for journalistic, academic and artistic purposes). Freedom of expression is protected by Article 11 of the Charter. This right includes the “freedom to hold opinions and to receive and impart information and ideas without interference by public authority”. Freedom of information protects the right not only to impart but also to receive information. The relationship between the protection of personal data and freedom of expression is governed by Article 85 of the General Data Protection Regulation, entitled “Processing and freedom of expression and information”. It is fundamentally a reconciliation between the two rights. This balance is linked to whether the expression contributes to a debate of general interest. Concerning the right to receive information, which also forms part of freedom of expression, there is also a growing realization of the importance of government transparency for the functioning of a democratic society. Transparency is an objective of general interest that could thus justify an interference with the right to data protection, if necessary and proportionate. This right may come into conflict with the right to data protection; for this reason the best thing to do is a case-by-case analysis. Interference with the right to data protection in the context of access to documents needs a specific and justified reason. The right of access to documents cannot automatically overrule the right to data protection. The ECtHR stated that Article 10 did not confer on the individual a right of access to information held by a public authority or oblige the government to impart such information to the individual. Access to such information has to take into account: the purpose of the information request; the nature of the information sought; the role of the applicant; whether the information was ready and available. Under national law, certain communications may be subject to the obligation of professional secrecy. Professional secrecy is a special ethical duty that incurs a legal obligation inherent in certain professions and functions which are based on faith and trust. These persons are obliged not to reveal confidential information received by them in the course of performing their duties. Professional secrecy is not a fundamental right, but it is protected as a form of the right to respect for private life. Both the CJEU and the ECtHR have created particular rules to regulate this eventuality. Also in this case there is an interaction between the right to data protection and professional secrecy. Data protection rules and safeguards established in legislation help ensure professional secrecy. The EU General Data Protection Regulation enables the processing of health data, which constitute a special category of personal data, with specific measures to safeguard the rights of data subjects. This shows the importance of special controllers and of the implementation of data security methods.
The General Data Protection Regulation (GDPR) provides for the possibility of Member States adopting specific rules to safeguard professional or other equivalent secrecy. The supervisory authorities are subject to a duty of professional secrecy during and after their term of office. Freedom of religion and belief is protected under Article 9 of the ECHR and Article 10 of the EU Charter of Fundamental Rights. Religious or philosophical beliefs are considered “sensitive data” under both EU and CoE law. Any organization which processes these data must be accountable for its handling and processing of such data, especially since information processed by religious organizations often concerns children, the elderly or the most vulnerable. Article 13 protects the freedom of the arts and science. This is a form of thought and expression and is to be exercised having regard to Article 1 of the Charter.

For the applicability of European data protection law, however, there is no need for actual identification of the data subject; it is sufficient that the person concerned be identifiable. A person is considered identifiable if there are enough elements available through which the person can be directly or indirectly identified. Under CoE law, identifiability is understood in a similar way. The Explanatory Report of Modernised Convention 108 includes a similar description: the notion of ‘identifiable’ does not only refer to the individual’s civil or legal identity as such, but also to what may allow one person to be ‘individualized’ or singled out from others and potentially treated differently. This individualisation could be done by referring to him or her specifically, or to a device or a combination of devices linked to an identification number… An individual is not considered identifiable if his or her identification requires unreasonable time, effort or resources. According to the principle of storage limitation contained in the GDPR and Modernised Convention 108, data must be kept “in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed”. Consequently, data would have to be erased or anonymised if a controller wanted to store them after they were no longer needed and no longer served their initial purpose. The process of anonymising data means that all identifying elements are eliminated from a set of personal data so that the data subject is no longer identifiable. The appropriate process of anonymisation should be decided on a case-by-case basis. Anonymised data are no longer personal data, and data protection law no longer applies to them. Personal information contains attributes, such as name, sex, address or other elements, that could lead to identification. The process of pseudonymisation of personal data means that these attributes are replaced by a pseudonym.
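The three operations described in this chapter (storage limitation, anonymisation and pseudonymisation with the "additional information" kept separately) can be made concrete in a few lines of code. The following Python program is an added illustration for these notes; it is not part of the original lecture transcription and not the code of any regulator or project. The records, the secret key and the retention period are constructed sample values, and the HMAC-based pseudonym together with the PseudonymVault class are this example's own design, one of several ways of meeting the GDPR definition.

```python
"""Added example: storage limitation, pseudonymisation and anonymisation.

Everything below (people, key, dates, retention period) is constructed
sample data for illustration only.
"""
import hashlib
import hmac
from datetime import date, timedelta

# Constructed sample records about fictitious people.
RECORDS = [
    {"name": "Anna Rossi", "email": "anna@example.org", "city": "Bologna",
     "birth_year": 1988, "collected": date(2023, 1, 10), "diagnosis": "asthma"},
    {"name": "Luca Bianchi", "email": "luca@example.org", "city": "Milano",
     "birth_year": 1975, "collected": date(2024, 3, 1), "diagnosis": "none"},
]
# Attributes that directly identify the data subject.
DIRECT_IDENTIFIERS = ("name", "email")


class PseudonymVault:
    """The 'additional information' that the GDPR definition requires to be
    kept separately: the secret key plus the pseudonym -> identity table.
    Only whoever holds this object can attribute a pseudonym to a person."""

    def __init__(self, key: bytes):
        self._key = key
        self._table = {}

    def pseudonym_for(self, record: dict) -> str:
        # Keyed hash (HMAC), not a plain hash: without the key a pseudonym
        # cannot be recomputed from a guessed name and e-mail address.
        ident = "|".join(str(record[f]) for f in DIRECT_IDENTIFIERS)
        tag = hmac.new(self._key, ident.encode(), hashlib.sha256).hexdigest()[:16]
        self._table[tag] = {f: record[f] for f in DIRECT_IDENTIFIERS}
        return tag

    def reidentify(self, pseudonym: str):
        """Reverse a pseudonym; possible only with the separately kept table."""
        return self._table.get(pseudonym)


def pseudonymise(records, vault: PseudonymVault):
    """Replace direct identifiers with a pseudonym. The result is still
    personal data, because the vault can reverse the substitution."""
    out = []
    for r in records:
        row = {k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
        row["subject_id"] = vault.pseudonym_for(r)
        out.append(row)
    return out


def anonymise(records):
    """Drop identifying elements and coarsen quasi-identifiers (exact birth
    year -> decade) so that the subject is no longer identifiable. Whether
    this is sufficient is a case-by-case judgement, as the notes say."""
    return [{"city": r["city"],
             "birth_decade": r["birth_year"] // 10 * 10,
             "diagnosis": r["diagnosis"]} for r in records]


def apply_storage_limitation(pseudo_records, today: date, retention: timedelta):
    """Storage limitation: records older than the retention period may no
    longer be kept in identifiable form; here they are anonymised (erasure
    would be the other option). Returns (kept, anonymised)."""
    kept, expired = [], []
    for r in pseudo_records:
        (expired if today - r["collected"] > retention else kept).append(r)
    return kept, anonymise(expired)


def run_demo(today=date(2024, 6, 1), retention_days=365):
    """Run the whole flow and return plain values that can be checked."""
    key = b"constructed-demo-key-keep-separately"
    vault = PseudonymVault(key)
    pseudo = pseudonymise(RECORDS, vault)
    kept, anonymised = apply_storage_limitation(
        pseudo, today, timedelta(days=retention_days))
    first_id = pseudo[0]["subject_id"]
    return {
        "pseudonymised_has_identifiers":
            any(f in r for r in pseudo for f in DIRECT_IDENTIFIERS),
        "reidentified_first": vault.reidentify(first_id),
        # Same key reproduces the pseudonym; a different key does not.
        "same_key_reproduces":
            PseudonymVault(key).pseudonym_for(RECORDS[0]) == first_id,
        "other_key_reproduces":
            PseudonymVault(b"other-key").pseudonym_for(RECORDS[0]) == first_id,
        "kept_ids": [r["subject_id"] for r in kept],
        "anonymised": anonymised,
        "first_id": first_id,
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, "->", value)
```

The point the code makes is the one the notes draw: the pseudonymised table is still personal data because the vault (key plus lookup table) can reverse it, so it stays inside the scope of the law, whereas the anonymised rows carry nothing that leads back to a person. Keeping the vault on a different system with its own access controls is what the "technical and organisational measures" in the definition refer to.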
EU law defines “pseudonymisation” as “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.” Contrary to anonymised data, pseudonymised data are still personal data and are therefore subject to data protection legislation. Authentication is a procedure by which a person is able to prove that he or she possesses a certain identity and/or is authorized to do certain things, such as enter a security area. It can be achieved in different ways. Under EU law as well as CoE law, there are special categories of personal data which, by their nature, may pose a risk to the data subject when processed and need enhanced protection. Such data are subject to a prohibition principle and there are a limited number of conditions under which processing is lawful. Sensitive data are: personal data revealing

racial or ethnic origin; personal data revealing political opinions, religious or other beliefs, including philosophical beliefs; personal data revealing trade union membership; genetic data and biometric data; data concerning sexual life and health. Modernised Convention 108 includes personal data relating to offences, criminal proceedings and convictions, and related security measures, in the list of special categories of personal data. The concept of personal data processing is comprehensive under both EU and CoE law: “processing of personal data shall mean any operation such as collection, recording, organisation, structuring, storage … of personal data”. Data protection under Modernised Convention 108 and the GDPR fully applies to automated data processing. Under EU law, automated data processing concerns operations performed on “personal data wholly or partly by automated means”. Modernised Convention 108 includes a similar definition: any personal data processing through automated means with the help of any device is covered by both EU and CoE data protection rules. Data protection under EU law is in no way limited to automated data processing. A structured filing system is one which categorises a set of personal data, making them accessible according to certain criteria. This is because paper files can be structured in a way which makes finding information quick and easy; storing personal data in structured paper files would otherwise make it easy to circumvent the restrictions laid down by law for automated data processing. Under CoE law, the definition of automatic processing recognises that some stages of manual use of personal data may be required between automated operations. The most important consequence of being a controller or a processor is legal responsibility for complying with the respective obligations under data protection law. In the private sector, this is usually a natural or legal person; in the public sector, it is usually an authority.
The data controller is the one who exercises control over the processing and who has responsibility for it, including legal liability. Data processors have an obligation to comply with many of the requirements which apply to controllers. They are also required to implement appropriate technical and organisational measures to ensure the security of processing and to notify data breaches to the controller. Activities that have professional or commercial aspects cannot fall under the household exemption. Thus, where the scale and frequency of data processing suggest a professional or full-time activity, a private individual could be considered a controller. In addition to the professional or commercial character of the processing activity, another factor that must be taken into account is whether personal data are made available to a large number of persons, obviously external to the private sphere of the individual.

processor must keep records of all categories of processing activities it carries out on behalf of the controller. The GDPR says that a third party is a “natural person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data”. Recipient is a broader term than ‘third party’. A recipient means “a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not”. Consent means “any freely given, specific, informed and unambiguous indication of the data subject’s wishes”. EU law sets out several elements for consent to be valid, which aim to guarantee that the data subject truly meant to agree to a particular use of their data. Consent must be given by a clear affirmative act, establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of his or her personal data. The data subject must have the right to withdraw consent at any time. Consent must be given in a clear manner so as to leave no doubt about the intention of the data subject.

Chapter 3.1

EU and CoE data protection laws require personal data to be processed lawfully. Lawful processing requires the consent of the data subject or another legitimate ground provided in the data protection legislation. EU and CoE data protection laws require personal data to be processed fairly. The principle of fair processing governs primarily the relationship between the controller and the data subject. Controllers should notify data subjects and the general public that they will process data in a lawful and transparent manner, and must be able to demonstrate the compliance of processing operations with the GDPR. Processing operations must not be performed in secret, and data subjects should be aware of potential risks.
Furthermore, controllers must act in a way which promptly complies with the wishes of the data subject, especially where his or her consent constitutes the legal basis for the data processing. The features of the data processing systems must make it possible for data subjects to really understand what is happening with their data. In any case, the principle of fairness goes beyond transparency obligations and can also be linked to processing personal data in an ethical manner. EU and CoE data protection laws require personal data processing to be done "in a transparent manner in relation to the data subject". The principle establishes an obligation for the controller to take any appropriate measure in order to keep the data subjects (who may be users, customers or clients) informed about how their data are being used. Transparency may refer both to the information given to the individual before the processing starts and to the information that should be readily accessible to data subjects during the processing. Processing operations must be explained to the data subjects in an easily accessible way which ensures that they understand what will happen to their data. This means that the specific purpose of processing personal data must be known by the data subject at the time of the collection of the personal data. CoE law specifies that certain essential information must be provided compulsorily and proactively by the controller to the data subjects. All the information has to be presented in a way that is easily accessible, legible, understandable and adapted to the relevant data subjects. The principle of purpose limitation is one of the fundamental principles of European data protection law. It is strongly connected with transparency, predictability and user control. At the same time, a clear delineation of the purpose is important to enable data subjects to effectively exercise their rights, such as the right to object to processing. The principle requires that any processing of personal data be done for a specific, well-defined purpose and only for additional purposes that are compatible with the original purpose. The processing of personal data for undefined purposes is unlawful. The legitimacy of processing personal data will depend on the purpose of the processing, which must be explicit, specified and legitimate. Every new purpose for processing data which is not compatible with the original one must therefore have its own separate legal basis and cannot rely on the fact that the data were initially acquired for another legitimate purpose.
Modernised Convention 108 and the General Data Protection Regulation rely on the concept of compatibility: the use of data for compatible purposes is allowed on the grounds of the initial legal basis. To assess whether the further processing is to be considered compatible, the controller should take the following into account: any link between the original purposes and the purposes of the intended further processing; the context in which the personal data have been collected; the nature of the personal data; the consequences of the intended further processing for data subjects; and the existence of appropriate safeguards in both the original and the intended further processing operations. "Further processing for achieving purposes in the public interest, scientific or historical research purposes or statistical purposes" is a priori considered compatible with the initial purpose. However, appropriate safeguards such as anonymisation, encryption or

Data should be "processed lawfully, fairly and in a transparent way". For data to be processed lawfully, the processing must comply with one of the lawful grounds for making data processing legitimate. Consent: Under CoE law, consent is mentioned in Article 5 of Modernised Convention 108. Under EU law, consent as a basis for lawful data processing is established in Article 6 of the GDPR. Consent must be freely given, informed, specific and unambiguous. Consent must be a statement or clear affirmative action signifying agreement to the processing, and the person has the right to withdraw their consent at any time. Free consent: Within the CoE framework of Modernised Convention 108, the consent of the data subject must "represent the free expression of an intentional choice". Consent is only freely given if the data subject is able to exercise a real choice and faces no negative consequences if he/she does not consent. In this regard, EU law stipulates that consent is not considered freely given "if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment". Free consent could also be in doubt in situations of subordination, where there is a significant economic or other imbalance between the controller securing consent and the data subject providing consent. According to the Article 29 Working Party, employees are almost never in a position to freely give, refuse or revoke consent, given their dependency on the employer. This does not mean, however, that consent can never be valid in circumstances where not consenting would have some negative consequences. Informed consent: The data subject must have sufficient information before exercising his or her choice. Informed consent will usually comprise a precise and easily understandable description of the subject matter requiring consent.
"The individual concerned must be given, in a clear and understandable manner, accurate and full information of all relevant issues, such as the nature of the data processed, the purposes of the processing, the possible recipients and the rights of the data subject." Individuals must also be aware of the consequences of not consenting to processing. Informed consent means that the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data "are intended". The quality of the information is important. Quality of information means that the information's language should be adapted to its foreseeable recipients. Information must be given in clear, plain language that a regular user should be able to understand. Accessibility and visibility of the information are also important elements: the information must be clearly visible.

Specific consent: For consent to be valid, it must also be specific to the processing purpose, which must be described clearly and in unambiguous terms. The quality of the information given about the purpose of the processing is therefore important. In this context, the reasonable expectations of an average data subject will be relevant. The data subject must be asked again for consent if processing operations are to be added or changed in a way which could not reasonably have been foreseen when the initial consent was given. When the processing has multiple purposes, consent should be given for all of them. Unambiguous consent: All consent must be given in an unambiguous way. If consent is given in written form, "safeguards should ensure that the data subject is aware of the fact that and the extent to which consent is given". The GDPR includes a right to withdraw consent at any time. There should be no requirement to give reasons for withdrawal and no risk of negative consequences over and above the termination of any benefits which may have derived from the previously agreed data use. Withdrawing consent should be as easy as giving it. Under EU law, Article 6 of the GDPR provides another basis for legitimate processing, namely if it is "necessary for the performance of a contract to which the data subject is party" or if it is "necessary in order to take steps at the request of the data subject prior to entering into a contract". EU law sets out another ground for making data processing legitimate, namely if "it is necessary for compliance with a legal obligation to which the controller is subject". This provision refers to controllers acting in both the private and the public sector. Under EU law, Article 6 of the GDPR also provides that personal data processing is lawful if it "is necessary in order to protect the vital interests of the data subject or of another natural person". Under CoE law, the vital interests of the data subject are not mentioned in Article 8 of the ECHR.
However, the vital interests of the data subject are considered to be implied in the notion of 'legitimate basis' in Article 5 of Modernised Convention 108, which deals with the legitimacy of personal data processing. Article 6 of the GDPR provides that personal data may lawfully be processed if it "is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller". It also provides that personal data may lawfully be processed if it "is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties,