Art 25 Para 2 Gdpr in Conjunction With Reason 39

← Commodity v: Principles →
Chapter i: General provisions Article 1: Subject-matter and objectives Article 2: Material scope Article three: Territorial scope Article four: Definitions Chapter 2: Principles Commodity 5: Principles relating to processing of personal data Commodity 6: Lawfulness of processing Article 7: Atmospheric condition for consent Commodity eight: Atmospheric condition applicable to child's consent in relation to data order services Article 9: Processing of special categories of personal data Commodity ten: Processing of personal data relating to criminal convictions and offences Commodity 11: Processing which does not require identification Chapter 3: Rights of the information subject Article 12: Transparent information, communication and modalities for the practise of the rights of the data subject Article xiii: Information to be provided where personal data are collected from the data subject Article fourteen: Data to be provided where personal data have not been obtained from the information subject area Commodity fifteen: Right of access past the data subject field Article sixteen: Correct to rectification Article 17: Right to erasure ('correct to be forgotten') Article 18: Right to brake of processing Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing Commodity twenty: Right to data portability Commodity 21: Right to object Commodity 22: Automatic individual controlling, including profiling Article 23: Restrictions Chapter 4: Controller and processor Article 24: Responsibility of the controller Commodity 25: Data protection past design and by default Article 26: Joint controllers Article 27: Representatives of controllers or processors not established in the Spousal relationship Article 28: Processor Article 29: Processing under the authorisation of the controller or processor Article 30: Records of processing activities Commodity 31: Cooperation with the supervisory authority Article 32: Security of processing Commodity 33: Notification of a personal information breach to the supervisory authority Article 34: Communication of a personal data breach to the data subject field Commodity 35: Data protection bear upon assessment Article 36: Prior consultation Article 37: Designation of the data protection officer Article 38: Position of the information protection officer Article 39: Tasks of the data protection officer Article 40: Codes of acquit Article 41: Monitoring of approved codes of conduct Article 42: Certification Article 43: Certification bodies Chapter v: Transfers of personal data Article 44: Full general principle for transfers Article 45: Transfers on the basis of an adequacy determination Article 46: Transfers subject to appropriate safeguards Article 47: Binding corporate rules Article 48: Transfers or disclosures not authorised by Union police Article 49: Derogations for specific situations Commodity l: International cooperation for the protection of personal data Chapter 6: Supervisory authorities Article 51: Supervisory dominance Commodity 52: Independence Article 53: Full general conditions for the members of the supervisory authority Article 54: Rules on the establishment of the supervisory dominance Article 55: Competence Commodity 56: Competence of the lead supervisory authority Article 57: Tasks Article 58: Powers Article 59: Activity reports Chapter 7: Cooperation and consistency Article sixty: Cooperation betwixt the lead supervisory authority and the other supervisory authorities concerned Article 61: Mutual assistance Article 62: Articulation operations of supervisory authorities Article 63: Consistency machinery Commodity 64: Opinion of the Lath Article 65: Dispute resolution by the Lath Article 66: Urgency procedure Article 67: Substitution of information Article 68: European Data Protection Board Commodity 69: Independence Article seventy: Tasks of the Board Article 71: Reports Article 72: Process Article 73: Chair Article 74: Tasks of the Chair Commodity 75: Secretariat Article 76: Confidentiality Chapter 8: Remedies, liability and penalties Article 77: Correct to gild a complaint with a supervisory authority Article 78: Right to an effective judicial remedy confronting a supervisory dominance Article 79: Right to an effective judicial remedy confronting a controller or processor Article 80: Representation of data subjects Commodity 81: Suspension of proceedings Article 82: Right to bounty and liability Commodity 83: General atmospheric condition for imposing administrative fines Article 84: Penalties Chapter 9: Specific processing situations Article 85: Processing and freedom of expression and information Article 86: Processing and public access to official documents Commodity 87: Processing of the national identification number Article 88: Processing in the context of employment Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes Commodity 90: Obligations of secrecy Article 91: Existing data protection rules of churches and religious associations Chapter 10: Delegated and implementing acts Article 92: Practice of the delegation Commodity 93: Committee procedure Chapter xi: Concluding provisions Commodity 94: Repeal of Directive 95: /46: /EC Article 95: Relationship with Directive 20: 02: /58: /EC Commodity 96: Human relationship with previously ended Agreements Article 97: Commission reports Article 98: Review of other Union legal acts on data protection Article 99: Entry into force and awarding

Legal Text [edit | edit source]

Article 5 - Principles relating to processing of personal data

1. Personal information shall be:

(a) processed lawfully, fairly and in a transparent manner in relation to the data field of study ('lawfulness, fairness and transparency');

(b) nerveless for specified, explicit and legitimate purposes and not farther processed in a manner that is incompatible with those purposes; farther processing for archiving purposes in the public involvement, scientific or historical enquiry purposes or statistical purposes shall, in accordance with Article 89(ane), not be considered to be incompatible with the initial purposes ('purpose limitation');

(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ('data minimisation');

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without filibuster ('accuracy');

(e) kept in a form which permits identification of information subjects for no longer than is necessary for the purposes for which the personal data are candy; personal data may exist stored for longer periods insofar every bit the personal data will be processed solely for archiving purposes in the public interest, scientific or historical enquiry purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required past this Regulation in order to safeguard the rights and freedoms of the data subject ('storage limitation');

(f) processed in a manner that ensures appropriate security of the personal information, including protection confronting unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality').;

ii. The controller shall be responsible for, and exist able to demonstrate compliance with, paragraph 1 ('accountability').

Relevant Recitals [edit | edit source]

Recital 39: Principles of Data Processing

Whatever processing of personal data should be lawful and fair. It should be transparent to natural persons that personal information apropos them are collected, used, consulted or otherwise candy and to what extent the personal data are or will exist processed. The principle of transparency requires that any information and advice relating to the processing of those personal data exist hands accessible and like shooting fish in a barrel to sympathize, and that clear and plain language be used. That principle concerns, in particular, data to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed. Natural persons should exist fabricated enlightened of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing. In item, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the drove of the personal data. The personal data should exist adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in item, ensuring that the menstruum for which the personal information are stored is express to a strict minimum. Personal information should be processed simply if the purpose of the processing could not reasonably be fulfilled by other means. In order to ensure that the personal information are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review. Every reasonable stride should be taken to ensure that personal data which are inaccurate are rectified or deleted. Personal data should exist processed in a manner that ensures advisable security and confidentiality of the personal data, including for preventing unauthorised admission to or use of personal data and the equipment used for the processing.

Recital 74: Controller Responsibility and Liability

The responsibleness and liability of the controller for whatsoever processing of personal information carried out by the controller or on the controller'southward behalf should be established. In particular, the controller should be obliged to implement appropriate and effective measures and be able to demonstrate the compliance of processing activities with this Regulation, including the effectiveness of the measures. Those measures should take into account the nature, scope, context and purposes of the processing and the run a risk to the rights and freedoms of natural persons.

[edit | edit source]

Commodity 5 GDPR sets out all the guiding principles to be observed when processing personal data: lawfulness, fairness and transparency; purpose limitation; information minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability. Other principles are further articulated and affirmed in unlike parts of the Regulation. For example, the transparency principle underlies Article 13 on which information to provide before the processing. The integrity and confidentiality principles are confirmed and estalished by Commodity 32 on security. The accountability principle finds its roots in Articles 24 and 25 GDPR.

(1) Principles [edit | edit source]

The principles specified by Article 5 GDPR are the main "bottleneck" for the legality of any processing operation - together with the requirement to have a legal basis under Commodity six to 10 GDPR. Any controller or processor must comply with all elements of Article 5 GDPR.[However, the information processing principles can exist restricted by Union or Member State law under the atmospheric condition set along in Article 23 GDPR.]

(a) Lawfulness, Fairness and Transparency [edit | edit source]

Lawful [edit | edit source]

In lodge to be "lawful", processing should comply with Commodity half-dozen to ten GDPR (Article six is headed "Lawfulness of processing") and its requirement to base of operations whatsoever processing operation on at least one of the six legal bases it exhaustively lists.^[i] All the same, lawfulness is not limited to compliance with Article 6. Indeed, the European Wedlock Agency for Fundamental Rights has affirmed that "the principle of lawful processing is likewise to be understood by reference to weather condition for lawful limitations of the right to data protection or of the right to respect for individual life in low-cal of Article 52(1) of the Charter of Fundamental Rights of the European union ('CPR') and of Article viii(2) ECHR".^[2] Thus, any processing that violates either the GDPR or any national provision would render the processing of data illegal.^[3]

Fair [edit | edit source]

Fairness, is an overall requirement of the GDPR., Concepts like "Fairness" are  inherently vague, merely may serve every bit an interpretive tool for situation that may not be in violation of the letter of the constabulary, merely clearly non "fair". Indeed, it is a highly contextual question whether a certain processing operation can be considered as "off-white". Information technology is for these reasons that the recent EDPB Guidelines on data protection past design and past default are particularly welcome.^[4] As de Terwangne and Bygrave have correctly pointed out, the "guidelines […]cast low-cal on how the core principles of Article five shall exist understood and applied in various hypothetical scenarios. Especially noteworthy is the guidelines' explanation of the criterion of 'fairness' in Article 5(1)(a)".^[v]

In these guidelines, the EDPB provides a non-exhaustive list of certain elements of fairness which should ever be respected while processing personal data. The listing is especially detailed and examples range from providing the data bailiwick with a loftier level of autonomy in controlling the processing to the right to fair algorithms and human intervention. Other important elements of fairness are officially recognised, such as the information subjects' expectations to a reasonable use of their data, the right not exist discriminated or exploited equally a result of certain psychological weaknesses. The imbalance of power betwixt the controller and data subject field often existing in certain intrusive profiling and processing operations seems connected to these principles.^[6]

Fairness can be especially relevant in problematic business practices, when controllers try to dispense information subjects. This happens, for example, when a controller implements tools, such every bit a cookie banner, which does non provide the users with effective privacy choices ("Accept all cookies" button with no possibility to decline them) or otherwise adopts subtle psychological tricks to obtain the user consent (for instance, if the "Accept" button is displayed in a brilliant greenish and the "Reject" i is placed in a lite grey colour at the bottom of the banner). The EDPB clarifies that, in club for the processing to be "fair", no charade is allowed in data processing and that all options should be provided in an objective and neutral way, avoiding any deceptive or manipulative language or design.^[seven]

Further, sure guidance on fairness may also be drawn from Recital 42 which highlights that "[i]n accordance with Council Directive 93/13/EEC a declaration of consent pre-formulated by the controller should be provided in an intelligible and easily accessible form, using articulate and plainly language and it should not contain unfair terms". The Unfair Contract Terms Directive aims to protect consumers against unfair clauses included in pre-formulated contracts. The Directive applies to "all contracts concluded between sellers or suppliers and consumers"^[8] and declares that a contractual clause "shall be regarded as unfair if, reverse to the requirement of expert religion, it causes a significant imbalance in the parties' rights and obligations arising nether the contract, to the detriment of the consumer."

From this bending, not simply the terms and conditions betwixt controller and data subject, but too the privacy policies pursuant to Manufactures 13 and 14 GDPR, specially if the processing is based on the legal basis of the contract pursuant to Article half dozen(1)(b) GDPR, as well equally, more generally, all communications between controller and information subject field (Recital 42), must be inspired past criteria of good contractual faith and must not generate an imbalance between the parties to the human relationship.

Transparent [edit | edit source]

In general terms, the transparency principle requires that the data subject is fully enlightened of the processing of whatsoever personal information. Recital 39 GDPR contains a number of explanatory statements regarding the transparency principle. In detail, "it should be transparent to natural persons that personal information concerning them are nerveless, used, consulted or otherwise processed and to what extent the personal data are or volition exist candy." Data subjects should be "made aware of risks, rules, safeguards, and rights in relation to the processing [...] and how to practise their rights." All information communicated should be "accessible and easy to sympathize" and in "articulate and plain language". The transparency principle is closely linked, among the others, to Articles 12(1), 13, fourteen, 15 nineteen and 22(3) GDPR. These articles clarify that the information provided to the data subject field must be timely, articulate and detailed (Article 12 GDPR), provided both before the processing takes place (Articles 13 and 14 GDPR) and later the operations have begun (Commodity 15 GDPR).

The information in question has substantially two purposes. On the one hand, in awarding of the principle of foreseeability provided for past EU police, allows the data subject to direct its choices. For example, on the basis of the privacy policy ex Article 13 GDPR, the data bailiwick tin decide non to employ a certain service.^[nine] On the other paw, it allows the data subject to verify the fairness of the processing and possibly exercise further rights under the GDPR. For example, following a request for access nether Commodity 15 GDPR, the data bailiwick may make up one's mind to exercise its right of rectification or objection to processing for a sure purpose. [S4]

(b) Purpose Limitation [edit | edit source]

While the controller is free to achieve whatsoever legitimate purpose, Article five(ane)(b) sets out the principle of purpose limitation in the processing of personal data. It requires that personal data be collected for specified, explicit and legitimate purposes and ensures that, after collection, information are not used for purposes that are incompatible with the original ones. Many other provisions of the GDPR refer back to the purpose of the processing activity. Just to name a few, Article 4(7) defines the controller every bit the natural and legal person which, alone or jointly with others, determines the "purpose" of the processing. Article v(1)(b) GDPR itself stipulates that personal data shall be collected just for specified, explicit and legitimate "purposes". Article five(1)(d) determines the time information may be kept by referring to the purpose, Commodity 6(i)(a) GDPR allows consent for one or more than "specific purposes". This makes the proper definition of purposes a crucial footstep for compliance with the GDPR. Instance: A data subject area may share highly personal data in a medical context to get the best treatment, but may non agree that the same information is shared for the purpose of medical advertisement.

Specific [edit | edit source]

Considering the purpose of processing operations is meant to limit them to a specific, pre-defined, aim, information technology cannot exist overly broad. Purposes that are likewise wide would undermine the protections that the purpose limitation principle tries to establish. Broad descriptions like "improving the user feel", "marketing", "research" or "Information technology security" are not sufficiently defined.^[10] For instance, in its Guidelines on video surveillance, the EDPB clarified that monitoring purposes demand to be specified for every surveillance camera in use and "[v]ideo surveillance based on the mere purpose of "safety" or "for your rubber" is not sufficiently specific".^[eleven] While a purpose may not be too wide, at that place is no limitation every bit to how specific a purpose may be. The exact level of specificity is not considerately defined in the GDPR. In many cases it is possible to split broad purposes into multiple, more specific purposes.

Explicit [edit | edit source]

The purpose may not only exist divers internally, just must exist explicitly stated. This requirement is inextricably linked to the principle of transparency analysed in the previous paragraph. Indeed, a processing purpose that is made explicit (i.e. in a transparent fashion) seems to be the only mode to allow the information subject both a prior command (whether to have a sure processing) and a subsequent one (hypothetically, following a request for access nether Article 15 GDPR).

Legitimate [edit | edit source]

The employ of personal data for the stated purpose must exist legal[MS5]. This qualification includes laws beyond the GDPR and national data protection laws (like consumer or worker protection laws).

Farther processing [edit | edit source]

The principle of purpose limitation shall ensure that controllers practice non engage in "secondary utilize" ("further processing") of personal data when such processing is incompatible with the original purpose(s). For this reason, "[p]urposes for processing personal data should be determined from the very beginning, at the time of the collection of the personal information".^[12] According to the WP29 opinion, the compatibility of the further processing must exist assessed taking into account various parameters such equally the relationship betwixt the original and the further purposes, the context of the information drove, the reasonable expectation of the data subject with regard to futurity processing, also considering the human relationship between the data subject and the controller, the impact of further processing, the necessity of further processing and the being of acceptable safeguards for the data discipline.^[thirteen] Failure to comply with the compatibility requirement set along in Article 5(1)(b) of the GDPR renders the processing unlawful.

Example: a doctor may not suddenly use their patient'due south wellness data for marketing purposes (secondary utilise).

The above is true except for three types of cases. Indeed, the compatibility requirement does not need to be met if the further processing is (i) authorized by the data subject by giving consent (Commodity half dozen(four) GDPR), (ii) based on a Matrimony or Fellow member Country law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1) GDPR or, finally, is meant for (iii) archiving purposes in the public interest, scientific or historical enquiry purposes or statistical purposes (Commodity 5(1)(b) GDPR). The purpose limitation principle extends to all recipients to whom the personal information have been disclosed. This is reflected in the notification obligation outlined in Article 19 GDPR.^[fourteen]

(c) Data Minimisation [edit | edit source]

Dissimilar the previous Directive 95/46/EC, under which data processing did not have to be "excessive", the GDPR specifies that it must exist "limited to what is necessary" to achieve the purpose. This principle is therefore closely related to the principle of purpose limitation and just makes sense if the latter is well defined past the controller. In one case the ii parameters are defined (processing and purpose), then it is possible to assess whether the processing is limited to what is necessary to achieve the purpose. If the outcome is negative (i.e. processing is excessive), the the operations are per se illegal. A controller must then review each pace of a processing performance and also each data chemical element towards the necessity to achieve the purpose. For case, an online shop may non ask for more personal details than what is necessary to deliver the product.

In a recent decision, the CJEU had to provide some guidance on how to assess whether a certain processing (in that case, a video surveillance organization) could exist considered 'necessary' for the purposes of the legitimate interests pursued past the controller. The Court held that the the necessity of a processing functioning must be examined in conjunction with the information minimisation principle which restricts the controller's options to those "adequate, relevant and non excessive in relation to the purposes for which they are nerveless". In conclusion, the Courtroom clarified that the controller must, among other things, examine "whether information technology is sufficient that the video surveillance operates only at night or outside normal working hours, and cake or obscure the images taken in areas where surveillance is unnecessary".^[15]

Example: 30

(d) Accuracy [edit | edit source]

Article 5(ane)(d) requires that data be authentic and, where necessary, kept up to engagement, and that all reasonable steps be taken to delete or rectify inaccurate data promptly (Recital 39).

Accurateness of data expresses a more than general principle of the correct representation of the person at the well-nigh diverse levels and in the most various contexts and is i of the essential prerequisites of the right to informational self-decision.^[xvi] The WP29 points out that the principle of accurateness applies not only to facts that are processed about a person, but likewise to value judgments, in particular forecasts and correlations.^[17] This is particularly relevant for modern forms of automated profiling, artificial intelligence-powered processing and machine-learning systems. Indeed, value judgements can too be incorrect if they are based on an erroneous factual basis, presume wrong premises or are the result of incorrect conclusions (east.m. that there is a correlation betwixt a date and a person's solvency).^[18] Which way to ensure that the data is accurate depends greatly on the circumstances of the case and the type of processing being done.

Example: A public protocol is meant to record an incident of a sure 24-hour interval. If elements of the protocol are inaccurate, they must exist corrected. At the same time, the historic period of the persons may non exist changed every time a person turns a twelvemonth older.

Some provisions of the Regulation provide precise indications on which types of intervention are possible. For example, Article 16 GDPR establishes the correct of the data subject to obtain the integration of incomplete data. Commodity 17 allows the erasure of the data if certain conditions are met, including, for example, where the processing of that personal data is no longer necessary, or in example of revocation of consent or even if the data has been collected in an unlawful fashion. All the same, in these cases Article 19 GDPR provides that the do of rights is also communicated (with similar consequences) to all those who have received the information previously.

(east) Storage Limitation [edit | edit source]

The principle of storage limitation imposes a time limit on whatever processing operation. It follows that once all purposes of a processing operation are fulfilled, the functioning must cease. The controller must inform the data subject about the storage flow (or the criteria to define information technology, Article 13(two)(a) and Article 14(2)(a) GDPR) every bit well every bit ensure and demonstrate compliance with this principle (Article 5(2) GDPR). Storage periods should therefore be defined internally before the processing begins.^[19]

Instance: 30

Deletion or Anonymisation [edit | edit source]

Data can be deleted or anonymised by controllers. The latter means that any link between the data and the relevant person must be removed. Controllers have complied with Article 5(i)(e) once the data does not chronicle to an identifiable person. The GDPR imposes an active duty on the controller^[20] to delete data. The controller may non wait for an activity by the data subject (e.g. nether Article 17 GDPR) but must proactively delete information. In do, the principle requires that the controller implements deletion practices or automatic deletion systems. The fourth dimension by which any deletion has to be executed depends on the purpose. In many cases there are stock-still legal deadlines, like record keeping duties or the statute of limitations that determine the need to retain data. In other cases, the deadline depends on other factual elements (e.grand. when a customer cancels a contract) that brand continuous processing irrelevant for the purpose.

Exception [edit | edit source]

An exception to the principle of storage limitation is independent in the concluding role of Article five(ane)(d) in favour of processing for archiving, statistical, scientific and historical research purposes. In these cases, the GDPR allows "longer periods" of storage, and in and so doing takes into account the social interest in inquiry and the preservation of the collective retentiveness. However, in order for the exception to utilize,  technical and organizational measures must be put in place, as set out in Article 89(1).

(f) Integrity and Confidentiality [edit | edit source]

The GDPR requires technical and organisational measures to ensure that data is neither lost nor destroyed.

Integrity [edit | edit source]

A data subject may not merely be harmed by the illegitimate processing of their personal data merely also equally a result of the loss of data. For example, if a infirmary loses the personal data of a patient, they may get an incorrect handling. The controller must too ensure that data is not falsely deleted or contradistinct. Threats to the integrity of personal data may come up from the controller, 3rd parties or from an blow.

Confidentiality [edit | edit source]

Confidentiality aims to protect data against unauthorised access and thus against unauthorised processing. The controller must therefore also implement technical and organisational measures to ensure that personal data is not falsely disclosed, hacked or lost. This includes that unauthorised persons neither have access to the data nor to the devices on which they are processed (Recital 39). The requirements for data security are further defined in Article 32 GDPR.

(2) Accountability [edit | edit source]

The start part of Article 5(two) highlights that the controller is responsible for complying with Commodity 5(1) GDPR as well as with all other relevant provisions of the GDPR. More than detailed provisions about the responsibilities of the controller can be found throughout the GDPR, e.k. Article 24 GDPR. In addition to being responsible, the controller also has to be able to demonstrate compliance with the law. Nevertheless, the provision does non farther specify how a controller has to demonstrate compliance, as this is highly dependent on the processing performance and the type of system conveying information technology out. In nearly cases, written documentation volition be used to demonstrate compliance. If applicative, a tape of processing actives (see Article 30 GDPR) is as well typically sufficient.

Decisions [edit | edit source]

→ You can find all related decisions in Category:Commodity 5 GDPR

References [edit | edit source]

1. ↑ Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 5 GDPR, margin number 8 (C.H. Brook 2020, 3rd Edition).
2. ↑ de Terwangne, in Kuner, Bygrave, Docksey, The European union Full general Data Protection Regulation (GDPR): A Commentary, Commodity v GDPR, p. 314 (Oxford University Press 2020).
3. ↑ Herbst, in Kühling, Buchner, DS-GVO BDSG, Article v GDPR, margin number 9 (C.H. Beck 2020, third Edition).
4. ↑ EDPB, 'Guidelines four/2019 on Article 25 Information Protection past Design and by Default', 20 October 2020 (Version 2.0) (available here).
5. ↑ de Terwangne, Bygrave, in Kuner et al., The EU General Data Protection Regulation (GDPR) [Update of Selected Manufactures - May 2021] Article 5 GDPR, p. 68 (Oxford University Press 2020).
6. ↑ EDPB, 'Guidelines 4/2019 on Commodity 25 Data Protection by Blueprint and by Default', xx Oct 2020 (Version 2.0), p. 18 (available here). See also CJEU, Case C-201/14, Bara, ane Oct 2015, margin numbers 32, 34 (available here).
7. ↑ EDPB, 'Guidelines 4/2019 on Article 25 Data Protection past Design and by Default', 20 Oct 2020 (Version 2.0), p. 18 (available here).
8. ↑ This control mechanism "is not limited to specific types of contracts such as sales or services contracts. The Directive applies to contracts ended by electronic means, for the provision of digital content and services and irrespective of the counter-performance. The Directive potentially applies to a broad range of online transactions, such as downloading a "free" app from the iStore, buying a newspaper article at Blendle, and subscribing to an online advertising-funded music streaming service." Borgesius, Helberger, Reyna, The perfect friction match? A closer wait at the relationship between EU Consumer Law and Data Protection Law, in Common Market Police Review, Volume 54, Outcome 5 (2017) pp. 1427 – 1465
9. ↑ The fact that citizens are unable to foresee the consequences of the act is incompatible with fundamental principles of Eu law, such as the principles of legal certainty and the protection of legitimate expectations. The principle of legal certainty means, in essence, that the individuals concerned must be able to ascertain the scope of their rights and to foresee the consequences of their actions. See, to that upshot, CJEU judgments C 313/99 § 47, and of C 480/00, C 482/00, C 484/00, C 489/00 to C 491/00 and C 497/00 to C 499/00, § 85.
10. ↑ WP29, 'Opinion 03/2013 on purpose limitation', 00569/xiii/EN WP 203, 2 April 2013, p. xvi (available here).
11. ↑ EDPB, 'Guidelines three/2019 on processing of personal information through video devices', 29 January 2020 (Version 2.0), p. 9 (bachelor here).
12. ↑ de Terwangne, in Kuner, Bygrave, Docksey, The EU General Information Protection Regulation (GDPR): A Commentary, Commodity 5 GDPR, p. 315 (Oxford University Press 2020).
13. ↑ WP29, 'Opinion 03/2013 on purpose limitation', 00569/13/EN WP 203, two Apr 2013, p. 21 (available here).
14. ↑ Frenzel, in Paal, Pauly, DS-GVO BDSG, Article five GDPR, margin numbers 29 (C.H. Beck 2018, 3rd Edition).
15. ↑ CJEU, Case C-708/18, TK five Asociaţia de Proprietari bloc M5A-ScaraA, 11 December 2019 (rectified 13 February 2020), margin number 51 (available here).
16. ↑ Resta, in Riccio, Scorza, Belisario, GDPR e Normativa Privacy - Commentario, Article five GDPR (Wolters Kluwer 2018), p. 59.
17. ↑ WP29, 'Guidelines on Automated individual determination-making and Profiling for the purposes of Regulation 2016/679', 17/EN WP251rev.01, 3 October 2017  (available here).
18. ↑ Schantz, in Wolff, Brink, BeckOK Datenschutzrecht, Article 5 GDPR, margin number 27 (C.H. Beck 2020, 36th Edition).
19. ↑ Schantz, in Wolff, Brink, BeckOK Datenschutzrecht, Commodity five GDPR, margin number 32 (C.H. Beck 2020, 38th Edition); Herbst in Kühling, Buchner, DS-GVO BDSG, Article 5 GDPR, margin number 66 (C. H. Beck 2021, tertiary ed.).
20. ↑ Schantz, in Wolff, Brink, BeckOK Datenschutzrecht, Article 5 GDPR, margin number 34 (C.H. Brook 2020, 36th Edition).

grequodwilliams.blogspot.com

Source: https://gdprhub.eu/Article_5_GDPR