EU General Data Protection Regulation

INTRODUCTION

The General Data Protection Regulation (GDPR) creates a harmonised set of rules for personal data processing in the European Union (EU), to ensure a high level of protection for personal data. While it is an EU law, it imposes obligations on organisations anywhere in the world, provided certain criteria are met. As such, Victorian public sector (VPS) organisations must consider whether they have obligations under the GDPR in addition to any privacy obligations under the Privacy and Data Protection Act 2014 (Vic) (PDP Act).

This resource provides general guidance to VPS organisations on when the GDPR may apply, key themes in the GDPR, and how the GDPR compares with the Information Privacy Principles (IPPs) under the PDP Act.

SCOPE OF THE GDPR: CONSIDERATIONS FOR VICTORIA

VPS organisations already have obligations under the PDP Act to protect personal information they hold. However, VPS organisations may also have obligations under the GDPR to the extent that they:

• have an establishment in the EU and process personal data in the context of the activities of that establishment;¹ or
• do not have an establishment in the EU, but process the personal data of data subjects² who are in the EU, and the processing activities relate to:
  • offering goods or services to data subjects in the EU (regardless of whether payment is required);³ or
  • monitoring the behaviour of data subjects in the EU, in so far as the behaviour takes place within the EU.⁴

VPS organisations should consider the geographical reach of their activities and seek independent legal advice regarding their data processing activities. The extent to which the GDPR may apply to them will depend on the particular circumstances of each organisation and their activities.

Establishment in the EU

Under Article 3(1), the GDPR will apply where a data controller⁵ or data processor⁶ has an establishment in the EU and the personal data processing is carried out in the context of the activities of that establishment. The GDPR will apply regardless of whether the processing takes place in the EU or not.

Targeting data subjects in the EU

Under Article 3(2), the GDPR will apply where a controller or processor does not have an establishment in the EU, but their processing activities relate to data subjects who are in the EU, and those activities either relate to offering goods or services to data subjects in the EU, or to monitoring data subjects’ behaviour where that behaviour takes place in the EU.

The key factors to consider here are who the data relates to and what the activity relates to. Entities should assess their activities on a case-by-case basis as they may be subject to the GDPR for some but not others.

Offering goods or services to data subjects in the EU

Article 3(2)(a) captures processing activities of controllers or processors without an establishment in the EU related to offering goods or services which intentionally target data subjects in the EU.⁷ Some factors to consider when assessing whether the GDPR applies to a processing activity in this context may include:

• whether the EU or a Member State is designated by name with reference to the good or service;
• whether dedicated addresses or phone numbers is used for an EU country;
• whether top-level domain names (e.g. ‘.de’) or neutral top-level domain names (e.g. ‘.eu’) are used;
• whether the organisation has marketing and advertisement campaigns directed at an EU country;
• the international nature of the activity in question; and
• the use of language or currency other than that generally used in the organisation’s country.⁸

However, simply being able to access an entity’s website or contact details in the EU is not enough by itself to demonstrate an intention to provide goods or services to a data subject in the EU.⁹ Factors more likely to demonstrate the requisite intention may include using an EU language or currency with the possibility of ordering goods or services in the other language, or mentioning customers or users in the EU.¹⁰

Monitoring the behaviour of data subjects in the EU

Article 3(2)(b) captures processing activities of controllers or processors without an establishment in the EU that monitor the behaviour of a data subject in the EU. For the GDPR to apply in this context, both the data subject and the behaviour being monitored must be in the EU.¹¹

A factor to consider when assessing whether an activity involves monitoring behaviour is whether a natural person is being tracked on the internet, including the potential subsequent use of profiling techniques, particularly in order to analyse or predict the person’s personal preferences, behaviours and attitudes.¹²

Examples of when a controller or processor may be monitoring data subjects’ behaviour in the EU include:

• behavioural advertisements;
• geo-localisation activities, particularly for marketing purposes;
• online tracking through cookies or other tracking techniques;
• CCTV; and
• market surveys and other behavioural studies based on individual profiles.¹³

KEY THEMES IN THE GDPR

Emphasis on clear, plain language drafting

The GDPR places obligations on data controllers and processors to ensure information or communications relating to the processing of personal data be easily accessible and drafted in clear, plain, language.¹⁴

Demonstrated compliance

Data controllers are expressly required to demonstrate compliance with the principles relating to the processing of personal data, including implementing appropriate measures to comply.¹⁵ This includes integrating a ‘data protection by design’ approach and ensuring that, by default, only personal data which is necessary for a specific purpose is processed.¹⁶ Similarly, controllers must only engage processors that guarantee compliance with the GDPR.¹⁷

Under Article 35, controllers are required to undertake a data protection impact assessment for any processing activities likely to result in high risks to individuals’ rights and freedoms. Controllers must seek advice from their Data Protection Officer (DPO), where designated, when conducting the assessment.

Mandatory appointment of a data protection officer

Article 37 requires that controllers and processors appoint a DPO, where:

• the processing is carried out by a public authority;¹⁸
• an activity may require the monitoring of data subjects on a large scale;¹⁹ or
• the core activities of the controller or the processor consist of processing special categories of personal data (sensitive data) on a large scale under Articles 9 and 10.²⁰

Like a Privacy Officer, the DPO is the main point of contact for individuals for privacy enquiries²¹ and is responsible for conducting staff privacy awareness training activities. The DPO reports to the highest level of management within the entity.

Enhanced individual rights

Data subjects are granted enhanced, actionable, individual rights under Chapter 3 of the GDPR, including:

• the right to be forgotten;
• the right to restrict processing;
• the right to data portability;
• the right to object to processing in limited circumstances, including where personal data is processed for direct marketing purposes; and
• the right not to be subject to automated decision making and profiling.

The rights under Chapter 3 may be restricted in limited circumstances under Union or Member State law.²²

Cross-border transfers of data

Under Article 45, a transfer of personal data to a third country or international organisation can only take place where the European Commission has decided that the receiving country or organisation has an adequate level of protection.²³ If the protection level is inadequate upon review,²⁴ the Commission may repeal the country’s status without retroactive effect.²⁵ Currently, Australia has not been recognised as providing adequate protection for the purposes of Article 45.²⁶

In the absence of the Commission granting ‘adequacy’ status to a country under Article 45, cross-border transfers may take place with public authorities on the basis of a legally binding and enforceable instrument that provides for appropriate safeguards.²⁷ Transfers made between organisations within a corporate group are governed by binding corporate rules under Article 47.

Joint responsibility for compliance

Where two or more controllers are acting together (as joint controllers),²⁸ they must form an arrangement between them to clearly assign compliance responsibilities in a transparent manner.²⁹ A summary of this arrangement must be made available to the data subject.³⁰

Mandatory data breach notification requirements

Under Article 33, data controllers are obligated to report data breaches to the supervisory authority³¹within 72 hours of the breach occurring. Data controllers must also advise data subjects of personal data breaches that pose a high risk to their rights and freedoms.³²

Consent

Entities captured by the GDPR are expressly required to draft terms of use in clear and plain language. Provisions seeking consent must be clearly distinguished from other provisions.³³ This means entities cannot bundle provisions seeking consent amongst other terms and conditions. For consent to be informed and meaningful it must be specific, freely given, and the data subject’s agreement must be clear and unambiguous. Consent should cover all processing activities carried out for the same purpose.³⁴

The controller should be able to demonstrate that the data subject has given informed consent to the processing operation. Where the consent declaration is pre-drafted for the individual, this document should be intelligible and easily accessible with clear, plain language.³⁵

CASE STUDY

A Victorian university offering goods and services to students in the EU

A Victorian university may demonstrate an intention to offer goods and services to students in the EU by:

• allowing payment for services in Euros;
• specifically targeting students in the EU via a website drafted in a European language;
• advertising the goods and services to specific EU universities; and
• mentioning students or users in the EU.

If these processing activities do fall within the scope of the GDPR, some steps the Victorian university may take to ensure compliance with the GDPR could include:

• Reviewing any privacy communications, including Privacy Policies and Collection Notices to ensure they are drafted in plain, accessible, language.
• Where the processing of personal information will be based on consent, ensuring that all Collection Notices seeking individuals’ consent allow consent to be freely given (for example, on a positive, opt-in, basis), specific to an identified purpose, clearly distinct from other matters and in clear, accessible, language.
• Ensuring the university has appointed a Privacy Officer, who is responsible for the university’s privacy compliance activities. For the purposes of the GDPR, the university’s Privacy Officer may be their DPO too.
• The university needs to ensure the DPO is supported, well-resourced, and independent enough to carry out the tasks of the DPO, including the delivery of advice on, and monitoring of, GDPR compliance. Like a Privacy Officer, the DPO is the main point of contact for individuals for privacy enquiries and is responsible for conducting all staff privacy awareness training activities. The DPO shall report to the highest level of management of the university.
• Adopting a Privacy by Design approach to any new program or initiative, through undertaking regular privacy impact assessments under the guidance of the DPO.
• Ensuring the procedures in place to allow individuals to access and correct their personal information account for the enhanced rights for individuals under the GDPR, including the right to receive a copy of their data in a machine-readable format and the right to be forgotten (amongst others).
• Implementing appropriate technical and organisational measures to ensure a level of security appropriate to the risk to the personal information.
• Ensuring that any data breach response plans account for the mandatory breach notification requirements under the GDPR.

This is an example of general steps a VPS organisation may take to ensure compliance with the GDPR should it apply to their data processing activities relating to offering goods and services to students in the EU, having regard to their existing obligations under the PDP Act. These steps are not a checklist and VPS organisations should carefully assess whether their data processing activities fall within the scope of the GDPR.

COMPARING THE GDPR AND THE IPPS UNDER THE PDP ACT

The below is designed to help VPS organisations understand where the protections under the PDP Act may be equivalent to or different to those under the GDPR. This table does not outline all GDPR requirements.

The privacy protections under the PDP Act are principle-based, allowing a degree of flexibility for VPS organisations to comply with their obligations. In contrast, the GDPR combines a principle-based and prescriptive approach to the protections afforded for data subjects, introducing strict, mandatory obligations for data controllers and processors.

IPP 1 – Collection

An organisation may only collect personal information if it is necessary to fulfil its functions. It must collect personal information only by a lawful and fair means and provide notice of collection, for both direct and indirect collection activities.

Relevant GDPR Provisions

Article 5 contains a number of principles for processing personal data under the GDPR, including a requirement that data is collected for a specified, explicit and legitimate purpose and limited to what is necessary for the identified purpose.

Articles 12, 13 and 14 outline the rights of data subjects to be notified where their personal data is collected, directly or indirectly.

Article 21 provides data subjects the right to object to the processing of personal data in limited circumstances, including where personal data is processed for direct marketing purposes. Data subjects need to be made aware of these rights at the time of the first communication with the data subject.

Comparison notes

IPP 1.1 contains a similar requirement to Article 5, providing that organisations must only collect personal information that is necessary for one or more of its functions.

The notice requirements under Articles 12, 13 and 14 are generally more prescriptive than IPPs 1.3 to 1.5. In particular, Article 12 requires the information notifying data subjects of the collection of their personal data be drafted in a concise, transparent, intelligible and easily accessible form (especially if the information is addressed to a child).

Article 12 also provides for the use of visual aids to assist data subjects understand information provided in a notice of collection.³⁶

IPP 2 – Use and Disclosure

Personal information may only be used and disclosed for the primary purpose for which it was collected, or for a reasonably expected secondary purpose (amongst other limited circumstances).

Relevant GDPR Provisions

Article 5 restricts the processing of personal data beyond the specified purpose for collection, however Article 6 outlines a number of lawful bases for the processing of personal data, including where the data subject has provided informed consent or where processing is deemed necessary for compliance with legal obligations to which the controller is subject.

Comparison notes

The GDPR requires stricter conditions around relying on consent as a lawful basis for processing.³⁷

Article 7 requires controllers to demonstrate the data subject’s consent to processing and that any requests for consent are clearly distinguishable from other matters, using clear and plain language.

Article 8 outlines procedures for gaining consent (in relation to information society services)³⁸ where the data subject is a child. It outlines consent may form the lawful basis of processing where the child is at least 16 years old. Processing on the basis of consent is only permitted for a child under 16 years upon parental consent. In comparison, the PDP Act does not set clear age brackets for the consent requirements of children, under s 28. Instead, the consent of minors is primarily addressed as a matter of policy supported by relevant case law in Victoria.³⁹

IPP 3 – Data Quality

Organisations must take reasonable steps to ensure that personal information collected, used or disclosed is accurate, complete and up to date.

Relevant GDPR Provisions

Article 5 requires personal data to be accurate and kept up to date. Where personal data is shown to be inaccurate, organisations must take every reasonable step to erase or rectify the data without delay.

Article 18 also provides a right to restrict a controller processing their personal data where the data subject has contested the accuracy of the personal data (amongst other grounds).

Comparison notes

In addition to data quality requirements when information is collected, organisations bound by the IPPs have ongoing obligations to ensure personal information used and disclosed is accurate, complete and up to date.

Article 18 is more prescriptive than IPP 6 where a person contests the accuracy of their personal information. Under IPP 6, an individual may request an organisation to correct their personal information. However, if a data subject contests the accuracy of their personal data under Article 18, then that data can only be processed with the data subject’s consent (amongst other limited circumstances).

IPP 4 – Data Security

Organisations must take reasonable steps to protect personal information it holds from misuse, loss, unauthorised access, modification or disclosure. An organisation must take reasonable steps to destroy or permanently de-identify personal information when it is no longer needed.

Relevant GDPR Provisions

Article 5 outlines that personal data shall be processed in a manner that ensures appropriate security, protection against unauthorised or unlawful processing, accidental loss, destruction or damage, using inappropriate technical or organisational measures.

Article 32 requires data controllers and processors to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (to the personal data).

Articles 33 and 34 introduce mandatory data breach notification requirements, within 72 hours to the relevant supervisory authority. Where the data breach is likely to result in a high risk to the rights and freedoms of natural persons, controllers must notify the data subject of the personal data breach without undue delay.

The GDPR also provides for the pseudonymisation of personal data as a way to reduce risks to data subjects and help controllers and processors to meet data protection obligations.⁴⁰

Comparison notes

The Office of the Victorian Information Commissioner’s (OVIC) view is that compliance with the Victorian Protective Data Security Framework (VPDSF), established under Part 4 of the PDP Act, amounts to reasonable steps for the purposes of IPP 4.1.

Under the VPDSF, OVIC developed an information security incident notification scheme.⁴¹ It requires organisations to notify OVIC of incidents that compromise the confidentiality, integrity or availability of public sector information with a ‘limited’ business impact or higher on government operations, organisations or individuals.

VPS organisations should also consider data breach notification requirements under any enabling legislation, contractual agreements and the Commonwealth Notifiable Data Breaches (NDB) scheme, in relation to Tax File Number information.⁴²

In relation to de-identifying personal information, IPP 4.2 requires VPS organisations to take reasonable steps to destroy or permanently de-identify personal information when it is no longer needed. However, organisations should consider the ongoing risk of re-identifying personal information.⁴³

The GDPR provides for the ‘pseudonymisation’ of personal data, which refers to the processing of personal data in a way that can no longer be attributed to a specific data subject without the use of additional information.⁴⁴ To address the risk of re-identification, Recital 26 notes that any personal data that has undergone pseudonymisation which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable person.

IPP 5 – Openness

Organisations must have clearly expressed policies on the way they manage personal information and make that these policies generally available.

Relevant GDPR Provisions

Article 5 requires that personal data must be processed lawfully, fairly and in a transparent manner.⁴⁵

Article 13 gives a data subject the right to be made aware of the existence of automated decision-making processes⁴⁶ and to be provided meaningful information about the logic involved as well as the envisaged consequences for such processing for the data subject.

Article 30 also requires controllers and processors to keep a record of any processing activities and make this record available to the supervisory authority (independent public authority responsible for monitoring compliance with the GDPR) upon request.

Comparison notes

IPP 5 requires organisations to be transparent about their information handling practices, usually through a current and publicly available privacy policy. VPS organisations should draft privacy policies in clear and accessible language, consistent with the GDPR requirements.

IPP 5 does not place strict algorithmic transparency obligations on VPS organisations the way that Article 13 does for data controllers.

IPP 6 – Access and Correction

Organisations must provide individuals with a right of access to their personal information, as well as a right to make corrections, if required. An organisation may only refuse a request for access or correction in limited circumstances.

Relevant GDPR Provisions

Article 15 provides a right of access for a data subject, including the right to access their personal data and confirmation that personal data concerning the data subject is being processed. Article 15 also provides the right for a data subject to access information about the processing of their personal data, including the purpose for processing, how long the data will be stored and, where personal data is transferred to a third country or international organisation, the safeguards in place for the transfer under Article 46.

Article 16 provides data subjects with the right to rectify inaccurate personal data, and to complete any incomplete personal data.

Article 17 provides the right to erasure, or the right to be forgotten. This requires controllers to erase a data subject’s personal data in certain circumstances, including where the personal data is no longer necessary for the specified purpose of collection, or where the data subject withdraws consent for the processing.

Article 19 requires controllers to communicate any rectification, erasure or processing restriction carried out where a data subject has exercised their right to rectification, right to be forgotten or right to restrict processing to each recipient of the personal data,⁴⁷ and inform the data subject who those recipients are upon request.

Article 20 also provides data subjects a right to data portability, that is, a right to receive their personal data in a structured, commonly used and machine-readable format. The data subject has the right to have their personal data transmitted to another controller.

Comparison notes

Article 15 is much broader than the rights provided for under IPP 6. IPP 6 provides individuals with the right to access their personal information. However, IPP 6 does not give the individual the right to request the same kind of information as in Article 15 (like the purpose for process, how long the data will be stored for etc.).⁴⁸

Similarly, notification obligations for controllers under Article 19 to alert recipients of any rectification, erasure or restriction of processing are not expressly contemplated under IPP 6.

The scope of the right to be forgotten under Article 17 is greater than IPP 4.2, which requires organisations to take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose.

Article 17(2) outlines where the controller has made the personal data public and the data subject has exercised their right to be forgotten, the controller shall take reasonable steps (taking into account the available technology and cost of implementation) to inform controllers processing the personal data that the data subject has requested erasure.

IPP 7 – Unique Identifiers

The use of unique identifiers (usually a number) is only allowed where an organisation can demonstrate that the assignment is necessary to carry out its functions efficiently by organisations.

Relevant GDPR Provisions

Article 87 provides that EU Member States are free to determine the conditions for processing national identification numbers⁴⁹ or any other identifier of general application, subject to the appropriate safeguards for the rights and freedoms of data subjects under the GDPR.

Comparison notes

Unique identifiers are defined under the PDP Act to expressly exclude an identifier that consists only of the individual’s name, whereas the definition of personal data under Article 4 of the GDPR encompasses identifiers such as a name, an identification number, location data, an online identifier etc.

IPP 7 limits the circumstances in which an organisation may assign, adopt, use or disclose unique identifiers.

IPP 8 – Anonymity

Where lawful and practicable, individuals must have the option of transacting with an organisation anonymously.

Relevant GDPR Provisions

Recital 26 defines anonymous information as information which does not relate to an identified or identifiable natural person, or personal data rendered anonymous in such a manner that the data subject is no longer identifiable.

Recital 26 also notes that the data protection principles under the GDPR are not intended to apply to anonymous information.

Comparison notes

Where an individual’s identity is not reasonably ascertainable from the information held by a VPS organisation, the information will not be considered personal information for the purposes of the PDP Act.

Where individuals are able to transact with VPS organisations anonymously, in accordance with IPP 8, the organisation may not attract obligations to protect the information under the PDP Act.

IPP 9 – Transborder Data Flows

Personal information can travel outside of Victoria only in certain limited circumstances, outlined under IPP 9.

Relevant GDPR Provisions

Chapter 5 contains a number of protections for international transfers of personal data. Article 45 provides for international transfers of personal data based on an adequacy decision, where the Commission has decided the recipient (including a third country or international organisation) offers an adequate level of protection.

In the absence of an adequacy decision, international transfers of personal data can be made (in accordance with Article 46) where there are appropriate safeguards in place, such as a legally binding agreement between public authorities and bodies, binding corporate rules (Article 47) or standard data protection clauses adopted by the Commission (amongst others).⁵⁰

Article 49 provides that derogations from Articles 45 and 46 may be made in very specific circumstances, such as where the data subject has explicitly consented to the proposed transfer.

Comparison notes

Under IPP 9, VPS organisations can only transfer data outside of Victoria in a number of limited circumstances, including where the organisation reasonably believes the recipient is subject to a law, binding scheme, or contract which is substantially similar to the IPPs, or where the individual has consented to the transfer.

The GDPR offers more prescriptive protections for international data transfers, limiting when controllers and processors may transfer personal data to a third country or international organisation.

IPP 10 – Sensitive Information

Special restrictions are placed on organisations collecting sensitive information, as defined in Schedule 1 of the PDP Act.

Relevant GDPR Provisions

Article 9 prohibits the processing of “special categories of personal data” (sensitive data) including racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. Further, the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation is prohibited (except in certain, limited circumstances, outlined in Article 9(2)).

Article 10 applies to the processing of personal data relating to criminal convictions and offences based on Article 6(1).

Comparison notes

Both the GDPR and IPP 10 recognise that higher protections are required for sensitive information. They outline that sensitive information must not be handled (or processed, under the GDPR), unless an individual has provided explicit consent (or some other limited circumstance applies).

The definition of sensitive information under the PDP Act includes an individual’s criminal record, whereas personal data relating to criminal convictions and offences are defined separately from sensitive data, under Article 10. The PDP Act also does not apply to health information (whereas Article 9 applies to data concerning health).

REFERENCES

1. Article 3(1).
2. Data subject means an identified or identifiable natural person; Article 4(1).
3. Article 3(2)(a).
4. Article 3(2)(b).
5. Data controller means a natural or legal person, public authority, agency or other body, which alone or jointly with others, determines the purposes and means of the processing of personal data; Article 4(7).
6. Data processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of a data controller; Article 4(8).
7. Recital 23; European Data Protection Board, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), 12 November 2019, 17 (https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-32018-territorial-scope-gdpr-article-3-version_en).
8. European Data Protection Board, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), 12 November 2019, 17-18 (https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-32018-territorial-scope-gdpr-article-3-version_en).
9. Recital 23.
10. Recital 23.
11. European Data Protection Board, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), 12 November 2019, 19 (https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-32018-territorial-scope-gdpr-article-3-version_en).
12. Recital 24.
13. European Data Protection Board, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), 12 November 2019, 20 [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-32018-territorial-scope-gdpr-article-3-version_en).
14. Recital 39.
15. Article 5(2); Article 24.
16. Article 25(2).
17. Article 28; in the form of a binding written agreement or other legal act of Union or Member State law which must include conditions as outlined in Article 28(3). Further detail about the contents of such agreements or legal acts is under Recital 81.
18. Except for courts acting in their judicial capacity, Article 37(1)(a).
19. Article 37(1)(b).
20. Article 37(1)(c).
21. As well as the supervisory authority in relevant Member States of the EU. Chapter 6 of the GDPR sets out the procedure for the establishment, role and parliamentary oversight requirements of independent supervisory authorities in each EU Member State.
22. Article 23.
23. Under Article 45(1). Adequate protection takes into account the legislative framework and respect for fundamental rights, effective oversight and safeguarding mechanisms and international commitments that the receiving country is party to (see Article 45(2)).
24. A mechanism for periodic review may be implemented by the Commission (by way of an implementing act) to take place at least every four years (see Article 45(3)).
25. Article 45(5).
26. See the factsheet Adequacy of the protection of personal data in non-EU countries for a list of current adequacy decisions.
27. Article 46(2)(a), and on the condition that enforceable data subject rights and effective legal remedies for data subjects are available (Article 46(1)). Article 46(2) lists appropriate safeguards that may be implemented to allow for cross-border transfers in compliance with the GDPR.
28. Where two or more controllers jointly determine the purposes and means of processing they will be joint controllers; Article 26.
29. Article 26(1) and Recital 79.
30. Article 26(2).
31. Each Member State of the EU is required to appoint a supervisory authority. A supervisory authority is one or more independent public authorities responsible for monitoring compliance with the GDPR (https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-are-data-protection-authorities-dpas_en).
32. Article 34.
33. Article 7.
34. Recital 32; consent is an active action to enter into an agreement; inactivity (such as pre-ticked boxes) is not sufficient.
35. Recital 42.
36. Recital 58; Recital 58 also notes the need for clear communications where the “technological complexity of the practice make it difficult for the data subject to…understand” the purpose of collection.
37. Articles 7 and 8; Recital 43 also notes consent should not form the legal basis for processing where there is a clear imbalance between the data subject and controller, for example, where the controller is a public authority.
38. ‘Information society service’ is defined under Article 4(25) to mean “any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services” (pursuant to point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council).
39. The test for determining the competence of a minor to consent comes from the English case of Gillick v West Norfolk AHA [1986] AC 112. For more information on consent, capacity, and minors, see OVIC’s Guidelines to the IPPS at https://ovic.vic.gov.au/privacy/privacy-guidance-for-organisations/.
40. Recital 28.
41. OVIC’s Information Security Incident Notification Scheme available at https://ovic.vic.gov.au/data-protection/agency-reporting-obligations/incident-notification/.
42. The Office of the Australian Commissioner has resources for organisations captured by the NDB scheme https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme.
43. OVIC’s De-identification and privacy resource, available https://ovic.vic.gov.au/privacy/privacy-guidance-for-organisations/.
44. Article 4(5) provides that any additional information needs to be kept separately and be subject to technical and organisational measures to ensure that the data no longer relates to an identified or identifiable natural person.
45. Recital 39 further explains the principle of transparency, requiring that any information and communication relating to the processing of personal data be easily accessible and easy to understand and drafted in clear and plain language.
46. As referred to in Article 22, which provides data subjects with the right not to be subject to a decision based solely on automated processing except in certain situations.
47. Unless it is impossible or involves disproportionate effort, under Article 19.
48. This information may be provided to individuals at the time of collection, via a collection notice under IPP 1.3.
49. ‘Identification number’ forms part of the definition of personal data under Article 4.
50. Article 50 requires the Commission and supervisory authorities to take steps to develop cooperation mechanisms to facilitate effective enforcement of relevant legislation, provide mutual assistance in the enforcement of legislation, including through notification, complaint referral and investigate assistance (amongst other measures) and engage relevant stakeholders to further international cooperation in enforcement.