
Resources

In this section you will find a collection of useful resources for your daily operations.
The list includes guidelines, templates, reports and many other materials that public organisations issue to aid controllers and processors.
The section is under construction and constant renewal.

Resources on particular GDPR articles

Article 1 - Subject matter and objectives
Article 2 - Material scope
Article 3 - Territorial scope
Article 4 - Definitions
Art. 4 (1) personal data
Art. 4 (2) processing
Art. 4 (3) restriction of processing
Art. 4 (4) profiling
Art. 4 (5) pseudonymisation
Art. 4 (6) filing system
Art. 4 (7) and (8) controller and processor
Art. 4 (9) and (10) recipient and third party
Art. 4 (11) consent
Art. 4 (12) personal data breach
Art. 4 (13) genetic data
Art. 4 (14) biometric data
Art. 4 (15) data concerning health
Art. 4 (16) main establishment
Art. 4 (17) representative
Art. 4 (18) and (19) enterprise and group of undertakings
Art. 4 (20) binding corporate rules
Art. 4 (21) and (22) supervisory authority and SA concerned
Art. 4 (23) cross-border processing
Art. 4 (24) relevant and reasoned objection
Art. 4 (25) information society service
Art. 4 (26) international organization
Article 5 - Principles relating to processing of personal data
Art. 5 (1)(a) Lawful, fair and transparent processing
Art. 5 (1)(b) purpose limitation
Art. 5 (1)(c) data minimisation
Art. 5 (1)(d) accuracy
Art. 5 (1)(e) storage limitation
Art. 5 (1)(f) data security
Art. 5 (2) accountability
Article 6 - Lawfulness of processing
Art. 6 (1)(a) consent
Art. 6 (1)(b) contractual necessity
Art. 6 (1)(c) legal obligation
Art. 6 (1)(d) protection of vital interests
Art. 6 (1)(e) public interest
Art. 6 (1)(f) legitimate interests
Article 7 - Conditions for consent
Article 8 - Conditions applicable to child's consent in relation to information society services
Article 9 - Processing of special categories of personal data
Article 10 - Processing of personal data relating to criminal convictions and offences
Article 11 - Processing which does not require identification
Article 12 - Transparent information, communication and modalities for the exercise of the rights of the data subject
Article 13 - Information to be provided where personal data are collected from the data subject
Article 14 - Information to be provided where personal data have not been obtained from the data subject
Article 15 - Right of access by the data subject
Article 16 - Right to rectification
Article 17 - Right to erasure (‘right to be forgotten’)
Article 18 - Right to restriction of processing
Article 19 - Notification obligation regarding rectification or erasure of personal data or restriction of processing
Article 20 - Right to data portability
Article 21 - Right to object
Article 22 - Automated individual decision-making, including profiling
Article 23 - Restrictions
Article 24 - Responsibility of the controller
Article 25 - Data protection by design and by default
Article 26 - Joint controllers
Article 27 - Representatives of controllers or processors not established in the Union
Article 28 - Processor
Article 29 - Processing under the authority of the controller or processor
Article 30 - Records of processing activities
Article 31 - Cooperation with the supervisory authority
Article 32 - Security of processing
Article 33 - Notification of a personal data breach to the supervisory authority
Article 34 - Communication of a personal data breach to the data subject
Article 35 - Data protection impact assessment
Article 36 - Prior consultation
Article 37 - Designation of the data protection officer
Article 38 - Position of the data protection officer
Article 39 - Tasks of the data protection officer
Article 40 - Codes of conduct
Article 41 - Monitoring of approved codes of conduct
Article 42 - Certification
Article 43 - Certification bodies
Chapter V - Transfers of personal data to third countries or international organisations
Article 44 - General principle for transfers
Article 45 - Transfers on the basis of an adequacy decision
Article 46 - Transfers subject to appropriate safeguards
Art. 46 (2)(a) - Legally binding and enforceable instrument between public authorities
Art. 46 (2)(b) - Binding Corporate Rules
Art. 46 (2)(c) and (d) - Standard Contractual Clauses
Art. 46 (2)(e) and (f) - Approved code of conduct or certification mechanisms
Art. 46 (3)(a) - Ad hoc contractual clauses
Art. 46 (3)(b) - Administrative agreements between public authorities
Brexit
Article 47 - Binding corporate rules
Article 48 - Transfers or disclosures not authorised by Union law
Article 49 - Derogations for specific situations
Article 50 - International cooperation for the protection of personal data
Article 51 - Supervisory authority
Article 52 - Independence
Article 53 - General conditions for the members of the supervisory authority
Article 54 - Rules on the establishment of the supervisory authority
Article 55 - Competence
Article 56 - Competence of the lead supervisory authority
Article 57 - Tasks
Article 58 - Powers
Article 59 - Activity reports
Article 60 - Cooperation between the lead supervisory authority and the other supervisory authorities concerned
Article 61 - Mutual assistance
Article 62 - Joint operations of supervisory authorities
Article 63 - Consistency mechanism
Article 64 - Opinion of the Board
Article 65 - Dispute resolution by the Board
Article 66 - Urgency procedure
Article 67 - Exchange of information
Article 68 - European Data Protection Board
Article 69 - Independence
Article 70 - Tasks of the Board
Article 71 - Reports
Article 72 - Procedure
Article 73 - Chair
Article 74 - Tasks of the Chair
Article 75 - Secretariat
Article 76 - Confidentiality
Article 77 - Right to lodge a complaint with a supervisory authority
Article 78 - Right to an effective judicial remedy against a supervisory authority
Article 79 - Right to an effective judicial remedy against a controller or processor
Article 80 - Representation of data subjects
Article 81 - Suspension of proceedings
Article 82 - Right to compensation and liability
Article 83 - General conditions for imposing administrative fines
Article 84 - Penalties
Article 85 - Processing and freedom of expression and information
Article 86 - Processing and public access to official documents
Article 87 - Processing of the national identification number
Article 88 - Processing in the context of employment
Article 89 - Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
Article 90 - Obligations of secrecy
Article 91 - Existing data protection rules of churches and religious associations

Specific Processing Activities

Artificial Intelligence and data protection

General guidelines

EDPB, Guidelines on Automated individual decision-making and Profiling (2018)

It clarifies the definitions of profiling and automated decision-making (ADM) and the GDPR's general approach to them, the general provisions on profiling and ADM, the specific provisions on solely automated decision-making in Article 22, and the impact of profiling on children, and it gives recommendations for DPOs and on how to carry out DPIAs.

ICO, Guidance on AI and data protection (2020)

Best practices for data protection-compliant AI, and how we interpret data protection law as it applies to AI systems that process personal data

AEPD, GDPR compliance of processing that embed Artificial Intelligence. An introduction (2020)

It addresses some concerns regarding privacy compliance in AI systems and the more relevant aspects of designing and implementing compliant AI systems

AEPD (ES), Código de buenas prácticas en protección de datos para proyectos de big data

ICO, Big data, artificial intelligence, machine learning and data protection (2017)

Evaluates the implications of BD, AI and ML for data protection, and explains the ICO’s views on the subject

European Commission, Defining Artificial Intelligence. Towards an operational definition and taxonomy of artificial intelligence (2020)

It proposes an operational definition of AI to be adopted in the context of AI Watch, the Commission knowledge service to monitor the development, uptake and impact of AI for Europe

Datatilsynet (NO), Artificial Intelligence and privacy (2018)

Report summarizing the main AI features and the data protection challenges in the era of AI

European Parliamentary Research Service, The Impact of the General Data Protection Regulation (GDPR) on Artificial Intelligence (2020)

Datatilsynet (NO), Big Data. privacy principles under pressure (2013)

Explaining AI systems

ICO, Explaining decisions made with AI (2020)

It gives organisations practical advice to help explain the processes, services and decisions delivered or assisted by AI, to the individuals affected by them. 

Auditing AI systems

AEPD, Audit Requirements for Personal Data Processing Activities involving AI (2020)

It outlines relevant and specific controls that audits of AI systems must include

Ethical approaches

EU Commission, Ethics guidelines for trustworthy AI (2019)

This document puts forward a set of 7 key requirements that AI systems should meet in order to be deemed trustworthy

EU Commission, Assessment List for Trustworthy Artificial Intelligence (ALTAI) for self-assessment (2020)

It translates AI principles outlined in the Ethics Guidelines for Trustworthy Artificial Intelligence into an accessible and dynamic checklist that guides developers and deployers of AI in implementing such principles in practice

CNIL, How Can Humans Keep the Upper Hand? The ethical matters raised by algorithms and artificial intelligence (2017)

German Data Ethics Commission, Opinion on data and algorithmic systems (2020)

Cybersecurity

ENISA, Artificial Intelligence Cybersecurity Challenges (2020)

It maps the AI cybersecurity ecosystem and its Threat Landscape

Enforcement

EDPS, Opinion on coherent enforcement of fundamental rights in the age of Big Data (2016)

It recommends establishing a Digital Clearing House for enforcement in the EU digital sector, a voluntary network of regulatory bodies to share information about possible abuses in the digital ecosystem and the most effective way of tackling them

 

Targeting and tracking technologies
Employment Relationship
Surveillance Activities
Direct Marketing
Internet Technology and Communications
Other materials
COVID related processing activities