GDPR Articles With Commentary & EU Case Laws
Author
Adv. Prashant Mali
[M.Sc. (Computer Science), CCFP, CISSA, LLM, Ph.D (Pursu.)]
About the Author:
The author is an international cyber law and privacy expert and a practicing High Court
lawyer based in Mumbai, India. He holds a Master's in Computer Science and a Master's
in Law, with certification in Computer Forensics and Information Systems Security
Auditing, and has prior working experience in the fields of software, networking and IT
security. He is a Chevening (UK) Cyber Security Fellow and IVLP (USA). He is the founder
president of a law firm named Cyber Law Consulting. He was awarded Cyber Security
Lawyer of the Year (Asia Pacific) in 2016 and Cyber Security Lawyer of the Year by
Financial Monthly Magazine of UK. He has been a sought-after speaker at national and
international forums and has been interviewed by BBC World, Bloomberg, Zee News,
NDTV, CNBC, Al Jazeera etc. His articles are published in various magazines across the
world and he has been quoted by leading daily newspapers. He has conducted various
workshops on GDPR in various countries and has a unique way of explaining GDPR with
examples and by comparing it to the existing laws of the country.
Note:
Every effort has been made to avoid errors or omissions in this publication. Errors may
nevertheless creep in; any mistake, error or discrepancy noted may be brought to our
notice and shall be taken care of in the next edition. Neither the publisher nor the author
nor the seller will be responsible for any damage or loss of action to anyone, of any kind,
in any manner, arising therefrom. To avoid any doubt, the reader should cross-check all
the facts, law and contents of the publication with the original Government publication
or notification.
All rights reserved. No part of this work may be copied, reproduced, adapted, abridged
or translated, stored in any retrieval system, computer system, photographic or other
system, or transmitted in any form by any means, whether electronic, mechanical, digital,
optical, photographic or otherwise, without the prior written permission of Cyber
Infomedia. Any breach will entail legal action and prosecution without further notice.
INDEX

CHAPTER 1 : GENERAL PROVISIONS
Article 1: GDPR Subject-matter and objectives
Article 2: GDPR Material scope
Article 3: GDPR Territorial scope
Article 4: GDPR Definitions

CHAPTER 2 : PRINCIPLES
Article 5: GDPR Principles relating to processing of personal data
Article 6: GDPR Lawfulness of processing
Article 7: GDPR Conditions for consent
Article 8: GDPR Conditions applicable to child's consent in relation to information society services
Article 9: GDPR Processing of special categories of personal data
Article 10: GDPR Processing of personal data relating to criminal convictions and offences
Article 11: GDPR Processing which does not require identification

CHAPTER 3 : RIGHTS OF THE DATA SUBJECT
Section 1 : Transparency and modalities
Article 12: GDPR Transparent information, communication and modalities for the exercise of the rights of the data subject
Section 2 : Information and access to personal data
Article 13: GDPR Information to be provided where personal data are collected from the data subject
Article 14: GDPR Information to be provided where personal data have not been obtained from the data subject
Article 15: GDPR Right of access by the data subject
Section 3 : Rectification and erasure
Article 16: GDPR Right to rectification
Article 17: GDPR Right to erasure (‘right to be forgotten’)
Article 18: GDPR Right to restriction of processing
Article 19: GDPR Notification obligation regarding rectification or erasure of personal data or restriction of processing
Article 20: GDPR Right to data portability
Section 4 : Right to object and automated individual decision-making
Article 21: GDPR Right to object
Article 22: GDPR Automated individual decision-making, including profiling
Section 5 : Restrictions
Article 23: GDPR Restrictions

CHAPTER 4 : CONTROLLER AND PROCESSOR
Section 1 : General obligations
Article 24: GDPR Responsibility of the controller
Article 25: GDPR Data protection by design and by default
Article 26: GDPR Joint controllers
Article 27: GDPR Representatives of controllers or processors not established in the Union
Article 28: GDPR Processor
Article 29: GDPR Processing under the authority of the controller or processor
Article 30: GDPR Records of processing activities
Article 31: GDPR Cooperation with the supervisory authority
Section 2 : Security of personal data
Article 32: GDPR Security of processing
Article 33: GDPR Notification of a personal data breach to the supervisory authority
Article 34: GDPR Communication of a personal data breach to the data subject
Section 3 : Data protection impact assessment and prior consultation
Article 35: GDPR Data protection impact assessment
Article 36: GDPR Prior consultation
Section 4 : Data protection officer
Article 37: GDPR Designation of the data protection officer
Article 38: GDPR Position of the data protection officer
Article 39: GDPR Tasks of the data protection officer
Section 5 : Codes of conduct and certification
Article 40: GDPR Codes of conduct
Article 41: GDPR Monitoring of approved codes of conduct
Article 42: GDPR Certification
Article 43: GDPR Certification bodies

CHAPTER 5 : TRANSFERS OF PERSONAL DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANISATIONS
Article 44: GDPR General principle for transfers
Article 45: GDPR Transfers on the basis of an adequacy decision
Article 46: GDPR Transfers subject to appropriate safeguards
Article 47: GDPR Binding corporate rules
Article 48: GDPR Transfers or disclosures not authorised by Union law
Article 49: GDPR Derogations for specific situations
Article 50: GDPR International cooperation for the protection of personal data

CHAPTER 6 : INDEPENDENT SUPERVISORY AUTHORITIES
Section 1 : Independent status
Article 51: GDPR Supervisory authority
Article 52: GDPR Independence
Article 53: GDPR General conditions for the members of the supervisory authority
Article 54: GDPR Rules on the establishment of the supervisory authority
Section 2 : Competence, tasks and powers
Article 55: GDPR Competence
Article 56: GDPR Competence of the lead supervisory authority
Article 57: GDPR Tasks
Article 58: GDPR Powers
Article 59: GDPR Activity reports

CHAPTER 7 : COOPERATION AND CONSISTENCY
Section 1 : Cooperation
Article 60: GDPR Cooperation between the lead supervisory authority and the other supervisory authorities concerned
Article 61: GDPR Mutual assistance
Article 62: GDPR Joint operations of supervisory authorities
Section 2 : Consistency
Article 63: GDPR Consistency mechanism
Article 64: GDPR Opinion of the Board
Article 65: GDPR Dispute resolution by the Board
Article 66: GDPR Urgency procedure
Article 67: GDPR Exchange of information
Section 3 : European data protection board
Article 68: GDPR European Data Protection Board
Article 69: GDPR Independence
Article 70: GDPR Tasks of the Board
Article 71: GDPR Reports
Article 72: GDPR Procedure
Article 73: GDPR Chair
Article 74: GDPR Tasks of the Chair
Article 75: GDPR Secretariat
Article 76: GDPR Confidentiality

CHAPTER 8 : REMEDIES, LIABILITY AND PENALTIES
Article 77: GDPR Right to lodge a complaint with a supervisory authority
Article 78: GDPR Right to an effective judicial remedy against a supervisory authority
Article 79: GDPR Right to an effective judicial remedy against a controller or processor
Article 80: GDPR Representation of data subjects
Article 81: GDPR Suspension of proceedings
Article 82: GDPR Right to compensation and liability
Article 83: GDPR General conditions for imposing administrative fines
Article 84: GDPR Penalties

CHAPTER 9 : PROVISIONS RELATING TO SPECIFIC PROCESSING SITUATIONS
Article 85: GDPR Processing and freedom of expression and information
Article 86: GDPR Processing and public access to official documents
Article 87: GDPR Processing of the national identification number
Article 88: GDPR Processing in the context of employment
Article 89: GDPR Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
Article 90: GDPR Obligations of secrecy
Article 91: GDPR Existing data protection rules of churches and religious associations

CHAPTER 10 : DELEGATED ACTS AND IMPLEMENTING ACTS
Article 92: GDPR Exercise of the delegation
Article 93: GDPR Committee procedure

CHAPTER 11 : FINAL PROVISIONS
Article 94: GDPR Repeal of Directive 95/46/EC
Article 95: GDPR Relationship with Directive 2002/58/EC
Article 96: GDPR Relationship with previously concluded Agreements
Article 97: GDPR Commission reports
Article 98: GDPR Review of other Union legal acts on data protection
Article 99: GDPR Entry into force and application

CASE LAWS
I. SUMMARY OF EU COURT DECISIONS RELATING TO DATA PROTECTION (IN NUMERICAL ORDER OF CASE NUMBER)
1 COURT OF JUSTICE DECISIONS
1.1 C-450/00, COMMISSION V. LUXEMBOURG, 4.10.2001 (“LUXEMBOURG”)
1.2 C-465/00 AND C-138/01, RECHNUNGSHOF V. OSTERREICHISCHER RUNDFUNK, 20.5.2003 (“RECHNUNGSHOF”)
1.3 C-101/01, LINDQUIST, 6.11.2003 (“LINDQUIST”)
1.4 C-317 AND 318/04, PARLIAMENT V. COUNCIL (PNR), 30.5.2006 (“PNR”)
1.5 C-275/06, PROMUSICAE, 29.1.2008 (“PROMUSICAE”)
1.6 C-301/06, IRELAND V. PARLIAMENT AND COUNCIL, 10.2.2009 (“IRELAND”)
1.7 C-524/06, HUBER V. GERMANY, 16.12.2008 (“HUBER”)
1.8 C-73/07, TIETOSUOJAVALTUUTETTU [FINNISH DATA PROTECTION OMBUDSMAN] V. SATAKUNNAN MARKKINAPORSSI OY AND SATAMEDIA OY, 16.12.2008 (“TIETOSUOJAVALTUUTETTU”)
1.9 C-518/07, COMMISSION V. GERMANY, 9.3.2010 (“GERMANY”)
1.10 C-553/07, COLLEGE VAN BURGEMEESTER EN WETHOUDERS VAN ROTTERDAM V. RIJKEBOER, 7.5.2009 (“RIJKEBOER”)
1.11 C-557/07, LSG-GESELLSCHAFT ZUR WAHRNEHMUNG VON LEISTUNGSSCHUTZRECHTEN GMBH V. TELE2 TELECOMMUNICATION GMBH, 19.2.2009 (“LSG”)
1.12 C-28/08, COMMISSION V. BAVARIAN LAGER CO., 29.6.2010 (“BAVARIAN LAGER”)
1.13 C-92/09 VOLKER UND MARKUS SCHECKE GBR V. LAND HESSEN, AND C-93/09, EIFERT V. LAND HESSEN AND BUNDESANSTALT FUR LANDWIRTSCHAFT UND ERNAHRUNG, 9.11.2010 (“SCHECKE”)
Description: The book deals with questions of the applicability of GDPR articles in various scenarios. This book is helpful to a student, an auditor, a lawyer, a DPO