Handbook on European data protection law - …

1 Handbook on European data protection lawHANDBOOK European union Agency for fundamental rights , 2014 Council of Europe, 2014 The manuscript for this Handbook was completed in April 2014. Updates will become available in future on the FRA website at: , the Council of Europe website at , and on the European Court of Human rights website under the Case-Law menu at: is authorised, except for commercial purposes, provided the source is Direct is a service to help you find answers to your questions about the European UnionFreephone number (*):00 800 6 7 8 9 10 11(*) The information given is free, as are most calls (though some operators, phone boxes or hotels may charge you).Photo credit (cover & inside): iStockphotoMore information on the European union is available on the Internet ( ).Cataloguing data can be found at the end of this : Publications Office of the European union , 2014 ISBN 978-92-871-9934-8 (CoE) ISBN 978-92-9239-461-5 (FRA) in BelgiumPrinted on process chlorine-free recycled paper (PCF)This Handbook was drafted in English.

2 The Council of Europe (CoE) and the European Court of Human rights (ECtHR) take no responsibility for the quality of the translations into other languages. The views expressed in this Handbook do not bind the CoE and the ECtHR. The Handbook refers to a selection of commentaries and manuals. The CoE and ECtHR take no responsibility for their content, nor does their inclusion on this list amount to any form of endorsement of these publications. Further publications are listed on the Internet pages of the ECtHR library at: on Europeandata protection law3 ForewordThis Handbook on European data protection law is jointly prepared by the European union Agency for fundamental rights (FRA) and the Council of Europe together with the Registry of the European Court of Human rights . It is the third in a series of legal handbooks jointly prepared by FRA and the Council of Europe.

3 In March 2011, a first Handbook was published on European non-discrimination law and, in June 2013, a second one on European law relating to asylum, borders and immigration. We have decided to continue our cooperation on a highly topical subject which affects all of us every day, namely the protection of personal data. Europe enjoys one of the most protective systems in this sphere, which is based on Council of Europe Convention 108, European union (EU) instruments, as well as the case law of the European Court of Human rights (ECtHR) and of the Court of Justice of the European union (CJEU). The aim of this Handbook is to raise awareness and improve knowledge of data pro-tection rules in European union and Council of Europe member states by serving as the main point of reference to which readers can turn. It is designed for non-special-ist legal professionals, judges, national data protection authorities and other persons working in the field of data protection .

4 With the entry into force of the Treaty of Lisbon in December 2009, the Charter of fundamental rights of the EU became legally binding, and with this the right to the protection of personal data was elevated to the status of a separate fundamental right. A better understanding of Council of Europe Convention 108 and EU instru-ments, which paved the way for data protection in Europe, as well as of the CJEU and ECtHR case law, is crucial for the protection of this fundamental right. We would like to thank the Ludwig Boltzmann Institute of Human rights for its con-tribution in drafting this Handbook . We would also like to express our gratitude to the European Data protection Supervisor s office for its feedback during the drafting phase. We thank in particular the data protection unit of the European Commission during the preparation of this BoillatDirector General of Human rights and Rule of Law Council of EuropeMorten KjaerumDirector of the European union Agency for Fundamental Rights5 ContentsFOREWORD.

5 3 ABBREVIATIONS AND ACRONYMS ..9 HOW TO USE THIS Handbook ..111. CONTEXT AND BACKGROUND OF European DATA protection LAW .. The right to data protection ..14 Key points .. The European Convention on Human rights .. Council of Europe Convention 108 .. European union data protection law .. Balancing rights ..21 Key point .. Freedom of expression .. Access to documents .. Freedom of the arts and sciences .. protection of property ..312. DATA protection TERMINOLOGY .. Personal data ..36 Key points .. Main aspects of the concept of personal data .. Special categories of personal data .. Anonymised and pseudonymised data .. Data processing ..46 Key points .. The users of personal data ..48 Key points .. Controllers and processors .. Recipients and third parties .. Consent ..55 Key points.

6 The elements of valid consent .. The right to withdraw consent at any time ..6063. THE KEY PRINCIPLES OF European DATA protection LAW .. The principle of lawful processing ..62 Key points .. The requirements for a justified interference under the ECHR .. The conditions for lawful limitations under the EU Charter .. The principle of purpose specification and limitation ..68 Key points .. Data quality principles ..70 Key points .. The data relevancy principle .. The data accuracy principle .. The limited retention of data principle .. The fair processing principle ..73 Key points .. Transparency .. Establishing trust .. The principle of accountability ..75 Key points ..754. THE RULES OF European DATA protection LAW .. Rules on lawful processing ..81 Key points .. Lawful processing of non-sensitive data.

7 Lawful processing of sensitive data .. Rules on security of processing ..90 Key points .. Elements of data security .. Confidentiality .. Rules on transparency of processing ..95 Key points .. Information .. Notification .. Rules on promoting compliance ..99 Key points .. Prior checking .. Personal data protection officials .. Codes of conduct ..1015. THE DATA SUBJECT S rights AND THEIR ENFORCEMENT .. The rights of data subjects ..1057 Key points .. Right of access .. Right to object .. Independent supervision ..114 Key points .. Remedies and sanctions ..118 Key points .. Requests to the controller .. Claims lodged with the supervisory authority .. Claim lodged with a court .. Sanctions ..1266. TRANSBORDER DATA FLOWS .. Nature of transborder data flows ..130 Key points.

8 Free data flows between Member States or between Contracting Parties ..131 Key points .. Free data flows to third countries ..133 Key points .. Free data flow because of adequate protection .. Free data flow in specific cases .. Restricted data flows to third countries ..136 Key points .. Contractual clauses .. Binding corporate rules .. Special international agreements ..1397. DATA protection IN THE CONTEXT OF POLICE AND CRIMINAL JUSTICE .. CoE law on data protection in police and criminal justice matters ..144 Key points .. The police recommendation .. The Budapest Convention on Cybercrime .. EU law on data protection in police and criminal matters ..149 Key points .. The Data protection Framework Decision .. More specific legal instruments on data protection in police and law-enforcement cross-border cooperation.

9 Data protection at Europol and Eurojust .. Data protection in the joint information systems at EU level ..15688. OTHER SPECIFIC European DATA protection LAWS .. Electronic communications ..166 Key points .. Employment data ..170 Key points .. Medical data ..173 Key point .. Data processing for statistical purposes ..175 Key points .. Financial data ..178 Key points ..178 FURTHER READING ..181 CASE LAW ..187 Selected case law of the European Court of Human rights ..187 Selected case law of the Court of Justice of the European union ..191 INDEX ..1939 Abbreviations and acronymsBCR Binding corporate ruleCCTV Closed circuit televisionCETS Council of Europe Treaty SeriesCharter Charter of fundamental rights of the European UnionCIS Customs information systemCJEU Court of Justice of the European union (prior to December 2009, it was called the European Court of Justice, ECJ)CoE Council of EuropeConvention 108 Convention for the protection of Individuals with regard to Auto-matic Processing of Personal Data (Council of Europe)

10 CRM Customer relations managementC-SIS Central Schengen Information SystemEAW European Arrest WarrantEC European CommunityECHR European Convention on Human RightsECtHR European Court of Human RightsEDPS European Data protection SupervisorEEA European Economic AreaEFTA European Free Trade AssociationENISA European Network and Information Security AgencyENU Europol National UnitESMA European Securities and Markets AuthorityeTEN Trans- European Telecommunication NetworksEU European UnionEuroPriSe European Privacy Sealeu-LISA EU Agency for Large-scale IT Systems10 FRA European union Agency for Fundamental RightsGPS Global positioning systemJSB Joint Supervisory BodyNGO Non-governmental organisationN-SIS National Schengen Information SystemOECD Organisation for Economic Co-operation and DevelopmentPIN Personal identification numberPNR Passenger name recordSEPA Single Euro Payments AreaSIS Schengen Information SystemSWIFT Society for Worldwide Interbank Financial TelecommunicationTEU Treaty on European UnionTFEU Treaty on the Functioning of the European UnionUDHR Universal Declaration of Human RightsUN United NationsVIS Visa Information System11 How to use this handbookThis Handbook provides an overview of the law applicable to data protection in rela-tion to the European union (EU) and the Council of Europe (CoE).