GENERAL DATA PROTECTION REGULATION AND DATA PROTECTION ACT 2018


The following explanations of expressions used in GDPR are contained in guidance from the ICO, the Article 29 Working Party and the EDPB.

This page may be added to in the future.

International transfer

Transfers to third countries

Source: ICO guidance
Q1. "Are we planning to make a restricted transfer of personal data outside of the EEA? If no, you can make the transfer. If yes, go to Q2 ...
1) Are we making a restricted transfer?
You are making a restricted transfer if:
  • the GDPR applies to your processing of the personal data you are transferring. The scope of the GDPR is set out in Article 2 (what is processing of personal data) and Article 3 (where the GDPR applies). Please see the section of the guide What is personal data. We will be providing guidance on where the GDPR applies later this year. In general, the GDPR applies if you are processing personal data in the EEA, and may apply in specific circumstances if you are outside the EEA and processing personal data about individuals in the EEA;
  • you are sending personal data, or making it accessible, to a receiver to which the GDPR does not apply. Usually because they are located in a country outside the EEA and
  • the receiver is a separate organisation or individual. The receiver cannot be employed by you or by your company. It can be a company in the same group."
The establishment, exercise or defence of legal claims

Source: ICO guidance on International transfers
"The claim must have a basis in law, and a formal legally defined process, but it is not just judicial or administrative procedures. This means that you can interpret what is a legal claim quite widely, to cover, for example:
  • all judicial legal claims, in civil law (including contract law) and criminal law. The court procedure does not need to have been started, and it covers out-of-court procedures. It covers formal pre-trial discovery procedures.
  • administrative or regulatory procedures, such as to defend an investigation (or potential investigation) in anti-trust law or financial services regulation, or to seek approval for a merger.
You cannot rely on this exception if there is only the mere possibility that a legal claim or other formal proceedings may be brought in the future."
The establishment, exercise or defence of legal claims

Source: EDPB guidelines on Article 49
"Under Article 49(1)(e), transfers may take place when 'the transfer is necessary for the establishment, exercise or defense of legal claims'. Recital 111 states that a transfer can be made where it is 'occasional and necessary in relation to a contract or a legal claim, regardless of whether in a judicial procedure or whether in an administrative or any out-of-court procedure, including procedures before regulatory bodies'. This covers a range of activities for example, in the context of a criminal or administrative investigation in a third country (e.g. anti-trust law, corruption, insider trading or similar situations), where the derogation may apply to a transfer of data for the purpose of defending oneself or for obtaining a reduction or waiver of a fine legally foreseen e.g. in anti-trust investigations. As well, data transfers for the purpose of formal pre-trial discovery procedures in civil litigation may fall under this derogation. It can also cover actions by the data exporter to institute procedures in a third country for example commencing litigation or seeking approval for a merger. The derogation cannot be used to justify the transfer of personal data on the grounds of the mere possibility that legal proceedings or formal procedures may be brought in the future.
This derogation can apply to activities carried out by public authorities in the exercise of their public powers (Article 49(3)).
The combination of the terms 'legal claim' and 'procedure' implies that the relevant procedure must have a basis in law, including a formal, legally defined process, but is not necessarily limited to judicial or administrative procedures ('or any out of court procedure'). As a transfer needs to be made in a procedure, a close link is necessary between a data transfer and a specific procedure regarding the situation in question. The abstract applicability of a certain type of procedure would not be sufficient.
Data controllers and data processors need to be aware that national law may also contain so-called 'blocking statutes', prohibiting them from or restricting them in transferring personal data to foreign courts or possibly other foreign official bodies."
The establishment, exercise or defence of legal claims

Source: Recital (52)
A derogation should also allow the processing of such personal data where necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.
Explicit consent

Source: ICO guidance
"Explicit consent requires a very clear and specific statement of consent. ... Explicit consent must be expressly confirmed in words, rather than by any other positive action."
Explicit consent

Source: EDPB guidelines
"The GDPR prescribes that a 'statement or clear affirmative action' is a prerequisite for 'regular' consent. As the 'regular' consent requirement in the GDPR is already raised to a higher standard compared to the consent requirement in Directive 95/46/EC, it needs to be clarified what extra efforts a controller should undertake in order to obtain the explicit consent of a data subject in line with the GDPR.
The term explicit refers to the way consent is expressed by the data subject. It means that the data subject must give an express statement of consent. An obvious way to make sure consent is explicit would be to expressly confirm consent in a written statement. Where appropriate, the controller could make sure the written statement is signed by the data subject, in order to remove all possible doubt and potential lack of evidence in the future.
However, such a signed statement is not the only way to obtain explicit consent and it cannot be said that the GDPR prescribes written and signed statements in all circumstances that require valid explicit consent. For example, in the digital or online context, a data subject may be able to issue the required statement by filling in an electronic form, by sending an email, by uploading a scanned document carrying the signature of the data subject, or by using an electronic signature. In theory, the use of oral statements can also be sufficiently express to obtain valid explicit consent; however, it may be difficult for the controller to prove that all conditions for valid explicit consent were met when the statement was recorded.
An organisation may also obtain explicit consent through a telephone conversation, provided that the information about the choice is fair, intelligible and clear, and it asks for a specific confirmation from the data subject (e.g. pressing a button or providing oral confirmation).
[Examples 17 and 18]
Two-stage verification of consent can also be a way to make sure explicit consent is valid. For example, a data subject receives an email notifying them of the controller’s intent to process a record containing medical data. The controller explains in the email that he asks for consent for the use of a specific set of information for a specific purpose. If the data subject agrees to the use of this data, the controller asks him or her for an email reply containing the statement 'I agree'. After the reply is sent, the data subject receives a verification link that must be clicked, or an SMS message with a verification code, to confirm agreement."
Large scale

Source: ICO guidance
"When determining if processing is on a large scale, the guidelines say you should take the following factors into consideration:
  • the numbers of data subjects concerned;
  • the volume of personal data being processed;
  • the range of different data items being processed;
  • the geographical extent of the activity; and
  • the duration or permanence of the processing activity."
Large scale

Source: Article 29 Working Party guidelines on Data Protection Officers
"Article 37(1)(b) and (c) requires that the processing of personal data be carried out on a large scale in order for the designation of a DPO to be triggered. The GDPR does not define what constitutes large-scale processing, though recital 91 provides some guidance.
Indeed, it is not possible to give a precise number either with regard to the amount of data processed or the number of individuals concerned, which would be applicable in all situations. This does not exclude the possibility, however, that over time, a standard practice may develop for identifying in more specific and/or quantitative terms what constitutes 'large scale' in respect of certain types of common processing activities. The WP29 also plans to contribute to this development, by way of sharing and publicising examples of the relevant thresholds for the designation of a DPO.
In any event, the WP29 recommends that the following factors, in particular, be considered when determining whether the processing is carried out on a large scale:
  • The number of data subjects concerned - either as a specific number or as a proportion of the relevant population
  • The volume of data and/or the range of different data items being processed
  • The duration, or permanence, of the data processing activity
  • The geographical extent of the processing activity
Examples of large-scale processing include:
  • processing of patient data in the regular course of business by a hospital
  • processing of travel data of individuals using a city’s public transport system (e.g. tracking via travel cards)
  • processing of real time geo-location data of customers of an international fast food chain for statistical purposes by a processor specialised in providing these services
  • processing of customer data in the regular course of business by an insurance company or a bank
  • processing of personal data for behavioural advertising by a search engine
  • processing of data (content, traffic, location) by telephone or internet service providers
Examples that do not constitute large-scale processing include:
  • processing of patient data by an individual physician
  • processing of personal data relating to criminal convictions and offences by an individual lawyer
Footnote 14: According to the recital [91], 'large-scale processing operations which aim to process a considerable amount of personal data at regional, national or supranational level and which could affect a large number of data subjects and which are likely to result in a high risk' would be included, in particular. On the other hand, the recital specifically provides that 'the processing of personal data should not be considered to be on a large scale if the processing concerns personal data from patients or clients by an individual physician, other health care professional or lawyer'. It is important to consider that while the recital provides examples at the extremes of the scale (processing by an individual physician versus processing of data of a whole country or across Europe); there is a large grey zone in between these extremes. In addition, it should be borne in mind that this recital refers to data protection impact assessments. This implies that some elements might be specific to that context and do not necessarily apply to the designation of DPOs in the exact same way."
Regular and systematic monitoring of data subjects

Source: ICO guidance
"What does 'regular and systematic monitoring of data subjects on a large scale' mean?
There are two key elements to this condition requiring you to appoint a DPO. Although the GDPR does not define 'regular and systematic monitoring' or 'large scale', the Article 29 Working Party (WP29) provided some guidance on these terms in its guidelines on DPOs. WP29 has been replaced by the European Data Protection Board (EDPB) which has endorsed these guidelines.
'Regular and systematic' monitoring of data subjects includes all forms of tracking and profiling, both online and offline. An example of this is for the purposes of behavioural advertising."
Regular and systematic monitoring of data subjects

Source: Article 29 Working Party guidelines
"The notion of regular and systematic monitoring of data subjects is not defined in the GDPR, but the concept of 'monitoring of the behaviour of data subjects' is mentioned in recital 24 and clearly includes all forms of tracking and profiling on the internet, including for the purposes of behavioural advertising. However, the notion of monitoring is not restricted to the online environment and online tracking should only be considered as one example of monitoring the behaviour of data subjects.
WP29 interprets 'regular' as meaning one or more of the following:
  • Ongoing or occurring at particular intervals for a particular period
  • Recurring or repeated at fixed times
  • Constantly or periodically taking place
WP29 interprets 'systematic' as meaning one or more of the following:
  • Occurring according to a system
  • Pre-arranged, organised or methodical
  • Taking place as part of a general plan for data collection
  • Carried out as part of a strategy
Examples of activities that may constitute a regular and systematic monitoring of data subjects: operating a telecommunications network; providing telecommunications services; email retargeting; data-driven marketing activities; profiling and scoring for purposes of risk assessment (e.g. for purposes of credit scoring, establishment of insurance premiums, fraud prevention, detection of money-laundering); location tracking, for example, by mobile apps; loyalty programs; behavioural advertising; monitoring of wellness, fitness and health data via wearable devices; closed circuit television; connected devices e.g. smart meters, smart cars, home automation, etc.
Footnote 15: [Recital: 'In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes'.]
Footnote 16: Note that Recital 24 focuses on the extra-territorial application of the GDPR. In addition, there is also a difference between the wording 'monitoring of their behaviour' (Article 3(2)(b)) and 'regular and systematic monitoring of data subjects' (Article 37(1)(b)) which could therefore be seen as constituting a different notion."