ONLINE SERVICES AND GDPR

At the end of its ninth plenary session, held on April 9 and 10, 2019, the European Data Protection Board (EDPB) released draft guidelines on the contractual necessity legal basis for processing personal data in the context of the provision of online services to data subjects (Guidelines 2/2019 on “the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects”).

The guidelines highlight the narrow scope of the contractual necessity legal basis. In particular, they are concerned with the applicability of Article 6(1)(b) GDPR to the processing of personal data in the context of contracts for online services. Their purpose is to outline the elements of lawful processing under Article 6(1)(b) and, in particular, to clarify the concept of “necessity”, since Article 6(1)(b) GDPR provides a lawful basis for processing where “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”.

Article 6(1)(b) GDPR applies where either of two conditions is met: the processing is objectively necessary for the performance of a contract with a data subject, or the processing is objectively necessary in order to take pre-contractual steps at the request of a data subject. The EDPB specifies that “assessing what is ‘necessary’ involves a combined, fact-based assessment of the processing ‘for the objective pursued and of whether it is less intrusive compared to other options for achieving the same goal’. If there are realistic, less intrusive alternatives, the processing is not ‘necessary’”.
Therefore, Article 6(1)(b) GDPR will not be an appropriate legal basis for processing which is useful but not objectively necessary for performing the contractual service or for taking relevant pre-contractual steps at the request of the data subject, even if it is necessary for the data controller’s other business purposes.

With respect to the first of the two alternative conditions mentioned above, namely that the processing is necessary for the performance of a contract with the data subject, the EDPB underlines that a data controller can rely on the legal basis of Article 6(1)(b) GDPR only if he can establish that the processing takes place in the context of a valid contract with the data subject and, above all, that the processing is necessary in order for the specific contract with the data subject to be performed. Where a data controller cannot demonstrate such necessity, he needs to consider another legal basis for processing personal data. As clearly pointed out in the EDPB guidelines, merely referencing or mentioning data processing in a contract is not enough to bring the processing in question within the scope of Article 6(1)(b). In order to establish that the processing is based on the performance of a contract with the data subject, it is essential to assess what is objectively necessary to perform the contract. For Article 6(1)(b) to apply, the processing must be objectively necessary for a purpose that is integral to the delivery of the contractual service to the data subject. The data controller should be able to demonstrate how the main object of the specific contract with the data subject cannot be performed if the specific processing of the personal data does not occur.

The provision that the processing is necessary in order to take pre-contractual steps at the request of a data subject is the second condition for the applicability of Article 6(1)(b) GDPR as a legal basis for the processing of personal data.
Referring to this condition, the EDPB explains that it is a provision which reflects the possibility, in some cases, that preliminary processing of personal data is necessary before entering into a contract in order to facilitate the actual entering into that contract. It stresses, however, that in any case this provision would not cover unsolicited marketing or other processing which is carried out solely on the initiative of the data controller, or at the request of a third party.

At the end of these guidelines, the EDPB deals with the applicability of Article 6(1)(b) GDPR in some specific situations, namely: (i) processing for service improvement, (ii) processing for fraud prevention, (iii) processing for online behavioural advertising and (iv) processing for personalization of content. According to the EDPB, processing for service improvement is unlikely to satisfy the “necessity threshold”. In most cases, the collection of information on how users engage with the service cannot be considered necessary for the provision of the service, because the service can be delivered without the processing of such personal data. Similarly, processing for fraud prevention will also be unnecessary, but could be carried out under another basis in Article 6 GDPR, such as legal obligation or legitimate interest. The Board considers that behavioural advertising does not constitute a necessary element of online services. The EDPB points out that it would be hard to argue that the contract had not been performed because there were no behavioural ads, bearing in mind, in particular, that data subjects have the right under Article 21 GDPR to object to the processing of their data for direct marketing purposes. Further to this, the Board stresses that “Article 6(1)(b) cannot provide a lawful basis for online behavioural advertising simply because such advertising indirectly funds the provision of the service.
Although such processing may support the delivery of a service, it is separate from the objective purpose of the contract between the user and the service provider, and therefore not necessary for the performance of the contract at issue.”

Referring to processing for personalization of content, the EDPB acknowledges that personalization of content may, but does not always, be an essential element of certain online services and may therefore be considered necessary for the performance of a contract. However, the Board highlights that whether such processing can be regarded as an intrinsic aspect of an online service depends on many factors such as the…


Guidelines on artificial intelligence and data protection

The Consultative Committee on Convention 108, chaired since 2016 by the Italian Garante della Protezione dei dati personali, released the guidelines on artificial intelligence and data protection. The Council of Europe established the Convention 108 (Convention for the Protocol of Individuals with regard to Automatic Processing of Personal Data) in 1981, and the Committee has worked on updating the provisions of the Convention for a more technological world, focusing in particular on Artificial Intelligence (“AI”). The set of Guidelines covers (i) general principles, (ii) guidelines for AI developers, manufacturers, and service providers and (iii) guidelines for legislators and policy makers.


March 5, 2018 – Inaugural lecture of the Fashion Law master's course – The legal issues of the fashion supply chain

On March 5, 2018, from 2:30 p.m. to 6:30 p.m., the inaugural lecture of the advanced course in Fashion Law will be held at the Università degli Studi di Milano, via Sant’Antonio 12, Aula Napoleonica. Taking part will be Prof. Antonio Gambaro (Full Professor of Civil Law at the Università degli Studi di Milano), Prof. Barbara Pozzo (Full Professor of Comparative Private Law at the Università degli Studi dell’Insubria) and Prof. Rossella Cerchia (Associate Professor of Comparative Private Law at the Università degli Studi di Milano). The speakers also include Andrea Amato and Dario Picone, attorneys and partners of Cmp Law.


EU Regulation 2016/679 and the compliance required of private companies

EU Regulation 2016/679 (General Data Protection Regulation or GDPR) aims to harmonize privacy provisions at the European level, repealing Directive 95/46/EC, which was transposed into Italian law by Legislative Decree 196/2003 (the Privacy Code). The Regulation, which is directly applicable in every Member State of the European Union, brings major changes to the protection of individual rights, a protection that is greatly expanded in view of the economic value that such data have now acquired. What changes for companies is that, while on the one hand the Regulation provides tools to make data controllers more accountable, on the other hand it establishes significant simplifications.


Constitutional Court, December 6, 2017, no. 254: the principal is jointly and severally liable (also) with the subsupplier pursuant to Article 29, second paragraph, of Legislative Decree 276/2003

The Constitutional Court of Italy rules that the principal's joint liability for wage and social security liabilities towards the employees of the subcontractor also applies to contracts falling under the rules on subsupply agreements (so-called “contratti di subfornitura”): principals are jointly liable with subsuppliers for any liability towards the employees of the subsuppliers and for any relevant outstanding social security obligation.
