Handbook on European Data Protection
HANDBOOK
Handbook on European data protection law

© European Union Agency for Fundamental Rights, 2014
Council of Europe, 2014

The manuscript for this Handbook was completed in April 2014. Updates will become available in future on the FRA website at: fra.europa.eu, the Council of Europe website at coe.int/dataprotection, and on the European Court of Human Rights website under the Case-Law menu at: echr.coe.int.

Reproduction is authorised, except for commercial purposes, provided the source is acknowledged.

Europe Direct is a service to help you find answers to your questions about the European Union
Freephone number (*): 00 800 6 7 8 9 10 11
(*) The information given is free, as are most calls (though some operators, phone boxes or hotels may charge you).

Photo credit (cover & inside): © iStockphoto

More information on the European Union is available on the Internet (http://europa.eu).

Cataloguing data can be found at the end of this publication.

Luxembourg: Publications Office of the European Union, 2014
ISBN 978-92-871-9934-8 (CoE)
ISBN 978-92-9239-461-5 (FRA)
doi:10.2811/69915
Printed in Belgium
Printed on process chlorine-free recycled paper (PCF)

This handbook was drafted in English. The Council of Europe (CoE) and the European Court of Human Rights (ECtHR) take no responsibility for the quality of the translations into other languages. The views expressed in this handbook do not bind the CoE and the ECtHR. The handbook refers to a selection of commentaries and manuals. The CoE and ECtHR take no responsibility for their content, nor does their inclusion on this list amount to any form of endorsement of these publications. Further publications are listed on the Internet pages of the ECtHR library at: echr.coe.int.
Foreword

This handbook on European data protection law is jointly prepared by the European Union Agency for Fundamental Rights (FRA) and the Council of Europe together with the Registry of the European Court of Human Rights. It is the third in a series of legal handbooks jointly prepared by FRA and the Council of Europe. In March 2011, a first handbook was published on European non-discrimination law and, in June 2013, a second one on European law relating to asylum, borders and immigration.

We have decided to continue our cooperation on a highly topical subject which affects all of us every day, namely the protection of personal data. Europe enjoys one of the most protective systems in this sphere, which is based on Council of Europe Convention 108, European Union (EU) instruments, as well as the case law of the European Court of Human Rights (ECtHR) and of the Court of Justice of the European Union (CJEU).

The aim of this handbook is to raise awareness and improve knowledge of data protection rules in European Union and Council of Europe member states by serving as the main point of reference to which readers can turn. It is designed for non-specialist legal professionals, judges, national data protection authorities and other persons working in the field of data protection.

With the entry into force of the Treaty of Lisbon in December 2009, the Charter of Fundamental Rights of the EU became legally binding, and with this the right to the protection of personal data was elevated to the status of a separate fundamental right. A better understanding of Council of Europe Convention 108 and EU instruments, which paved the way for data protection in Europe, as well as of the CJEU and ECtHR case law, is crucial for the protection of this fundamental right.

We would like to thank the Ludwig Boltzmann Institute of Human Rights for its contribution in drafting this handbook.
We would also like to express our gratitude to the European Data Protection Supervisor’s office for its feedback during the drafting phase. We thank in particular the data protection unit of the European Commission during the preparation of this handbook.

Philippe Boillat
Director General of Human Rights and Rule of Law
Council of Europe

Morten Kjaerum
Director of the European Union Agency for Fundamental Rights

Contents

FOREWORD
ABBREVIATIONS AND ACRONYMS
HOW TO USE THIS HANDBOOK
1. CONTEXT AND BACKGROUND OF EUROPEAN DATA PROTECTION LAW
    1.1. The right to data protection
        Key points
        1.1.1. The European Convention on Human Rights
        1.1.2. Council of Europe Convention 108
        1.1.3. European Union data protection law
    1.2. Balancing rights
        Key point
        1.2.1. Freedom of expression
        1.2.2. Access to documents
        1.2.3. Freedom of the arts and sciences
        1.2.4. Protection of property
2. DATA PROTECTION TERMINOLOGY
    2.1. Personal data
        Key points
        2.1.1. Main aspects of the concept of personal data
        2.1.2. Special categories of personal data
        2.1.3. Anonymised and pseudonymised data
    2.2. Data processing
        Key points
    2.3. The users of personal data
        Key points
        2.3.1. Controllers and processors
        2.3.2. Recipients and third parties
    2.4. Consent
        Key points
        2.4.1. The elements of valid consent
        2.4.2. The right to withdraw consent at any time