Delhi High Court
Case Briefs | High Courts

The mistake of the patent agent would be similar to the mistake of an advocate who may be representing parties in any civil or criminal litigation.

Delhi High Court: Prathiba M Singh J. condoned the delay in filing the reply to the First Examination Reports (hereinafter ‘FER’) and remarked that if the applicant did not have an intention to abandon, and if the Court is convinced that there was a mistake of the patent agent and the applicant is able to establish full diligence, the Court ought to be liberal in its approach.

The facts of the case are such that the Petitioner initially engaged a European law firm, FREYLINGE, to file and prosecute the Indian national phase applications of their Patent Cooperation Treaty (hereinafter, ‘PCT’) applications before the Indian patent office. Thereafter, the responsibility for processing, prosecution, maintenance and coordination of these applications was moved by the Petitioner to another European firm, namely GEVERS. Emails were exchanged between the first patent agent and GEVERS informing the patent agent of the movement of the files from FREYLINGE to GEVERS. The first patent agent had duly confirmed the receipt of instructions to the effect that the file had been transferred. The FER was issued by the Patent Office. However, due to non-filing of the reply to the FER within the stipulated time, both the applications were ‘deemed to have been abandoned’. Various emails were addressed to the patent office seeking a hearing; however, since no reply was received, the present Writ Petitions were filed seeking setting aside of the order of abandonment.

The Court observed that a perusal of Section 21 of the Patents Act, 1970 (hereinafter referred to as the Act) and Rule 24-B of the Patents Rules, 2003 (hereinafter referred to as the Rules) shows that the application must be mandatorily deemed to have been abandoned unless the applicant has fulfilled all the requirements imposed on him under the Act.

The Court observed that a conjoint reading of Section 21 of the Patents Act, 1970 along with Rules 24-B, 137 and 138 of the Patents Rules, 2003 leaves no doubt in the mind of the Court that insofar as the powers of the Controller are concerned, they are circumscribed by the said provisions, and the Controller does not have the discretion to extend the timelines prescribed in the provisions, especially those timelines that are specifically excluded in Rule 138 of the Patents Rules, 2003.

It is clear that in the prosecution of patent applications, deadlines fixed in the Act read with the Rules fall into two categories:

i. Deadlines which can be extended.

ii. Deadlines which cannot be extended.

The Court opined that patent agents are expected to know which deadlines are extendable and which are not. Non-extendable deadlines include, inter alia:

1. deadlines relating to entry of the application into the national phase,

2. timelines for filing of request for examination,

3. timelines for putting an application in order for grant, etc.

The Court relied on Ferid Allani v. Union of India 2008 SCC OnLine Del 1756, Telefonaktiebolaget Ericsson v. Controller of Patents, in W.P (C) 9126 of 2009, decided on 11-03-2010 and PNB Vesper Life Sciences v. Controller General of Patents, in W.P 22253 of 2021, decided on 14-03-2022 and observed that while the Controller may have no power to extend the deadline within which the application has to be put in order for grant, courts exercising writ jurisdiction, may in rare cases permit the same, after examining the factual matrix to see as to whether the Applicant in fact intended to abandon the patent or not. Any extraordinary circumstances could also be considered by the Court, such as negligence by the patent agent, docketing error and whether the Applicant has been diligent. However, lack of follow-up by the Applicant would be a circumstance which may lead to an inference that the applicant intended to abandon the patent. Thus, the court would have to examine the circumstances in the peculiar facts of each case.

The Court noted that a perusal of the chronology of the facts and events leaves no doubt in the mind of the Court that the Applicant was not negligent and was in fact taking all steps within its command to follow up on the prosecution of the patent application. However, for reasons beyond its own control, the consequence of abandonment has now been saddled upon the Applicant.

In the facts of the present case, the Applicant had undertaken the following actions:

• Initially, filed the application in several foreign countries;

• Entered India within the prescribed period;

• Obtained the grant of patent for corresponding applications in several foreign countries;

• Filed the request for examination within the prescribed period;

• Followed up continuously with the patent agent even during the prescribed period as to the status of the applications.

The Court noted that the consequences of a patent being abandoned are quite extreme, such as depriving the applicant of exclusivity for the invention completely. Thus, such a consequence ought not to visit the Applicant for no fault of the Applicant. There was no intention to abandon on behalf of the Petitioner; instead, the Petitioner’s actions indicate that they were actively pursuing the application. Moreover, the judicial opinion in respect of responses to FER or other deadlines seems to suggest that if the Applicant did not have an intention to abandon, and if the Court is convinced that there was a mistake of the patent agent and the Applicant is able to establish full diligence, the Court ought to be liberal in its approach.

The Court however cautioned that the intention of the Legislature in Rule 138 of the Rules cannot be ignored by the Controller, nor can one ignore the express language of Section 21(1) of the Act, which mandates a deemed abandonment in case of non-compliance with the requirements imposed under the Act. It is only in extraordinary cases, while exercising writ jurisdiction, that the Court may consider being flexible, and this would depend on the facts of each case as to whether a condonation ought to be given at all.

Observations of Parliamentary Committee on “deemed abandonment” provisions

The 161st report submitted by the Department Related Parliamentary Standing Committee on Commerce on 23-07-2021, titled ‘Review of the Intellectual Property Rights Regime in India’ has taken note of the enormous prejudice being caused to patent applicants due to ‘deemed abandonment’ provisions.

“The Committee opines that the abandoning of patents, without allowing hearing or petition, may demoralize and discourage patentees in the country to file patents. It recommends the Department that certain flexibility should be incorporated in the Act to make allowance for minor errors and lapses to prevent outright rejection of patents being filed. Hence, a revised petition with penalty or fee may be permitted under the Act for minor or bona fide mistakes that had been committed in the filed patents.”

The Court thus held “the present two applications would fall in the category of exceptional circumstances, owing to the peculiar facts where the response to the FERs deserve to be taken on record.”

[European Union v. Union of India, WP (C) IPD 5 of 2022, decided on 31-05-2022]

Advocates who appeared in this case:

Mr. Peeyoosh Kalra, Mr. Vineet Rohilla, Mr. Rohit Rangi, Mr. Sudhindra Tripathi, Mr. Rohan Kapoor, Mr. Garvil Singh, Mr. Debashish Banerjee, Mr. Ankush Verma, Advocates, for the European Union;

Mr. Harish V. Shankar, Ms. S. Bushra Kazim, Mr. Srish Kumar Mishra, Mr. Sagar Mehlawat, Advocates, for the Union of India.

*Arunima Bose, Editorial Assistant has reported this brief.

Experts Corner | Sanjay Vashishtha

Today, the world is plainly in the grasp of social media. The standing of an individual is evaluated on the anvil of his/her presence in the virtual world. Google has become synonymous with “search” and it is perhaps the virtual world that decides the credibility of an individual or an institution alike.


The unparalleled growth of information and technology has made us privy to the most intricate details of human lives, both good and bad. The boundaries of privacy are blurring more than ever. We enjoy the latest controversies with a cup of tea, but have we ever thought what things would be like if we were placed in their shoes? Think of the most embarrassing thing you have ever done; now conjure a reality where everybody in the world knows about it. It is tough, right?


At a point in time where artificial intelligence has advanced to the point of retaining and interpreting data, studying behavioural patterns and automating human responses, we need to think about the huge impact our digital footprint has on the web.


The personal information of an individual is at this point not confined to just papers and official and government records. It can now be easily accessed by an individual from anywhere around the world through the web or search engines. This incomparable change in both the nature and the expanse of personal information accessible online is an underlying issue. An individual need not be grounded or an overachiever to appear in the listed results of Google or any other search engine for that matter.



In 1998, Mario Costeja González, a Spaniard, had run into financial difficulties and was in severe need of funds. As a result, he advertised a property for auction in the newspaper, and the advertisement ended up on the internet by chance. Mr González, unfortunately, was not forgotten by the internet. As a result, news about the sale was searchable on Google long after he had fixed his financial issue, and everyone looking him up assumed he was bankrupt. Understandably, this resulted in severe damage to his reputation, prompting him to take the matter to court. Ultimately, this case gave birth to the concept of the “right to be forgotten”.

The European Court of Justice ruled against the search engine giant Google, declaring that under certain circumstances, European Union residents could have personal information removed or deleted from search results and public records databases.[1]


However, in 2019 the EU Court restricted the ruling only to the European Union, saying Google does not have to apply the “right to be forgotten” outside Europe.


The concept of the right to be forgotten, also known as the right to erasure, is that individuals have a civil right to have their personal information removed from the internet. Likewise, a traceable procedure must be in place to ensure that removed data is also erased from backup storage media.


India, at present, does not have any statutory provision that provides for the right to be forgotten (RTBF). The Indian security system has seen a new wave with the introduction of the Personal Data Protection Bill (PDP Bill)[2] in 2018. The Bill envisages many changes with respect to data handling and the security privileges of an individual.


However, the Bill seeks to bring in the right to be forgotten, which is not available in the current legal framework under the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.


In simple terms, the “right to be forgotten” is the right to have publicly available personal information removed from the internet, search, databases, websites or any other public platforms, once the personal information in question is no longer necessary, or relevant.


However, there is an intricate system envisaged under Section 20 of the PDP Bill for exercising the right to be forgotten. The Bill states that the right can be enforced only on the order of an adjudicating officer after an application filed by the data principal. The decision on whether the right to be forgotten can be granted with respect to any information will depend upon “the right to freedom of speech and expression and the right to information of some other citizen”.


Keeping in view the laws of other countries, the European Union’s (EU) General Data Protection Regulation (GDPR) permits individuals to have their personal data erased, but the authorities noted that “organisations do not always have to do it”.


The GDPR provisions read like a template for the Indian PDP Bill, and the GDPR further provides that individuals can seek the erasure of their information when “there are serious inaccuracies in the data or they believe information is being retained unnecessarily, they no longer consent to processing”.


Furthermore, the EU noted that the right to be forgotten is “not an absolute right”. Consequently, in situations where the information is being used to exercise the right to freedom of expression or for complying with a legal ruling or obligation, a request for erasure may not be entertained. Additionally, where public interest is involved or when an organisation is using information while exercising its authority, it can refuse to delete any information that it considers to be significant for its purposes.


Today, it is not simple to get away from one’s past when one’s personal information can be easily circulated around the web or stay on the internet endlessly, accessible through speedy search results. For people who wish to start afresh, the right to be forgotten remains essentially important and all the more necessary given the expansion of our digital footprint. The essential query that encompasses the commencement and nature of the right to be forgotten is: would it be a good idea for us to reserve the right to be forgotten?


In India, the question first came up before the judiciary in Dharamraj Bhanushankar Dave v. State of Gujarat[3], before the Gujarat High Court. In its judgment the court did not acknowledge the so-called “right to be forgotten”. In this case the petitioner had been charged with criminal conspiracy, murder, and kidnapping, among others, and was acquitted by the Sessions Court, which was further upheld by a Division Bench of the Gujarat High Court. The petitioner had claimed that since the judgment was non-reportable, the respondent should be banned from publishing it on the internet because it would jeopardise the petitioner’s personal and professional life. The High Court, on the other hand, found that such publication did not violate Article 21 of the Indian Constitution, and that the petitioner had presented no legal basis to prevent the respondents from publishing the judgment.


Subsequently, in V. v. High Court of Karnataka[4], the Karnataka High Court recognised the right to be forgotten. The purpose of this case was to remove the name of the petitioner’s daughter from the cause title since it was easily accessible and could defame her reputation. The court held in favour of the petitioner and ordered that the name of the petitioner’s daughter be removed from the cause title and the orders. The court held that “this would be consistent with the trend in western countries, where the ‘right to be forgotten’ is applied as a rule in sensitive cases concerning women in general, as well as particularly sensitive cases involving rape or harming the modesty and reputation of the individual concerned”.


Notably, the right to be forgotten has now been recognised as a basic facet of the right to privacy.


Furthermore, in the landmark case of K.S. Puttaswamy v. Union of India[5], the Supreme Court recognised the right to be forgotten as part of the right to life under Article 21.


The Supreme Court had stated that the right to be forgotten was subject to certain restrictions, and that it could not be used if the material in question was required for the—

  1. exercise of the right to freedom of expression and information;
  2. fulfilment of legal responsibilities;
  3. execution of a duty in the public interest or public health;
  4. protection of information in the public interest;
  5. for the purpose of scientific or historical study, or for statistical purposes; or
  6. the establishment, executing, or defending of legal claims.


Recently, a Single Judge Bench of the Madras High Court headed by Mr Justice N. Anand Venkatesh gave an important order regarding the “right to be forgotten” (RTBF) or right to erasure as a facet of the fundamental “right to privacy”.


In this case, the petitioner’s name continued to appear in the High Court’s verdict and was freely available to anyone who would type their name into Google search. Despite the fact that the petitioner was acquitted, they were named as an accused throughout the preceding judgment. Therefore, the petitioner contends that this has a negative influence on his public image. As a result, the petitioner requests the High Court to issue an order redacting their name from the verdict.

The Madras High Court ruled that the “right to be forgotten” cannot exist in the administration of justice, especially when it comes to court judgments.


It is safe to conclude that RTBF is still in its preliminary stage in India. To effectively enforce this right in India, the following are proposed:

  1. A robust data protection law would go a long way in effectively imbibing this right in every citizen. RTBF can be restructured to further help in protecting the privacy of individuals.

The current events show just how much this Bill needs to be enacted into an act. The need of the hour is to protect people against attacks through digital platforms. Additionally, a clause that clarifies different situations with certain outcomes is also essential, so as not to give rise to any potential conflict between the two fundamental rights.

  2. Even though the PDP Bill has not been implemented, several courts have recognised the RTBF in their judgments, keeping international jurisprudence in mind. Whilst the Delhi and Karnataka High Courts have recognised the right and judicially enforced it, there is still a long way to go for a systematic method which effectively safeguards RTBF in a way that the right to information and the right to freedom of speech and expression are not violated. Filing a petition for defamation to invoke their fundamental right to privacy can be used in the meantime.
  3. Lastly, search engines and major digital platforms can alter their policies and determine the eradication of personal data through delinking. However, big giants like Google have continued to retain certain information even when taken to court by a petitioner in Kerala HC. This goes to show that this method is the least effective way to enforce the right.


However, applying the three cumulatively and in a systemic manner could help to properly establish and implement RTBF in India.

Lastly, it would be interesting to note the development of right to be forgotten in other jurisdictions.


Comparative analysis of the concept of right to be forgotten


European Union (EU)

The concept of the right to be forgotten has elicited conflicting reactions from various jurisdictions around the globe. The EU, in particular, has seen rapid development. Several steps have been taken in the European Union to consolidate the right to be forgotten. The Data Protection Directive was a European Union directive passed in 1995 to govern the processing of personal data within the EU. It is a crucial part of EU privacy and human rights law. Following that, in April 2016, the General Data Protection Regulation (GDPR) was enacted, superseding the Data Protection Directive, 1995.


Article 17 states that the data subject has the right to request the erasure of personal data relating to them on a variety of grounds, including non-compliance with Article 6(1) (lawfulness), which includes the case where the controller’s legitimate interests are overridden by the data subject’s interests or fundamental rights and freedoms, which require the protection of personal data. As a result, GDPR Article 17 has defined the situations in which European Union citizens can exercise their right to be forgotten or erasure.


The article gives citizens of the European Union the right to have their personal data erased under six conditions, including the withdrawal of consent to use data or the data no longer being relevant for the purpose for which it was gathered. However, the request may be denied in certain circumstances, such as when it contradicts the right to free expression and information, or when it conflicts with the public interest in the areas of public health, scientific or historical research, or statistical purposes. As a result, Article 17 of the GDPR of 2016 includes a specific protection in the right to be forgotten.


When a member of the public requested the erasure of information, the European Court of Justice in Google Spain SL v. Agencia Española de Protección de Datos[6] ordered Google to delete “inadequate, irrelevant, or no longer relevant” material from its search results. The judgment, dubbed the “right to be forgotten” by the public, was crucial in enforcing the EU’s data protection laws and regulations, particularly the EU’s General Data Protection Regulation.


Mario Costeja González, a Spaniard, was dissatisfied when a Google search for his name turned up a newspaper article from 1998. González approached the newspaper in 2009 to have the article removed, but the newspaper refused, so González went to Google to have the article removed from the results shown when his name is searched.


To exercise one’s right to be forgotten and have one’s information removed from a search engine, fill out a form on the search engine’s website.


Google’s removal request process requires the applicant to identify their country of residence, provide personal information, provide a list of URLs to be removed along with a brief description of each one, and attach legal identification. The form allows users to enter the name for which they want search results to be removed. If a search engine refuses to delink material, EU citizens can file an appeal with their local data protection agency.


Google may face legal action if it objects to a data protection agency decision. The European Union has requested that Google implement delinking requests from EU citizens across all international domains.


United States (US)

The United States of America has a well-developed body of law for the protection of its residents. The State of New York was quick to introduce a draft “right to be forgotten” Bill A05323 in its State Assembly, named “An act to amend the civil rights law and the civil practice law and rules, in relation to creating the right to be forgotten act.” Moreover, in March 2017, New York State representative Tony Avella and assemblyman David Weprin introduced legislation that would permit people to require web search tools and online speakers to remove data that is “inaccurate,” “irrelevant,” “inadequate,” or “excessive,” that is “no longer material to current public debate or discourse,” and that is causing evident harm to the subject.


The Bill was written mainly along the lines of the European Court of Justice’s decision in Google Spain SL v. Agencia Española de Protección de Datos[7].


Two significant cases, namely Melvin v. Reid[8] and Sidis v. FR Publishing Corpn.[9], are somewhat pertinent. The court contemplated, “Any individual who leads a moral life has the option to joy, which remembers the independence from unmerited assaults for his character, social standing, or notoriety.” The plaintiff in Sidis, William James Sidis, was a former child prodigy who wished to spend his adult life discreetly and undetected; an article in The New Yorker disrupted this. In this case, the court held that the right to control one’s own life and facts about oneself has limits, that there is social value in published facts, and that an individual cannot disregard their celebrity status simply because they want to. Despite these slow developments, the prospects of a federal law or a constitutional amendment providing for a standalone right to be forgotten in the United States are very faint, particularly in view of the strong opposition on the ground that it conflicts with the First Amendment to the United States Constitution, which ensures freedom of speech and expression. Thus, it is contended, the right will effectively bring about another type of restriction.


These criticisms, however, are consistent with the proposal that the only information that can be removed at the user’s request is content that the user has uploaded.

Sanjay Vashishtha is a practicing counsel at the Supreme Court of India, LLM in Comparative Criminal Law from McGill University, Canada and MSc, Criminology and Criminal Justice from University of Oxford. He is serving as a counsel/special counsel and consultant for several law enforcement and public sector institutions.

[1] C-507/17, Google LLC, successor in law to Google Inc., v Commission nationale de l’informatique et des libertés (CNIL).

[2] Personal Data Protection Bill.

[3] 2017 SCC OnLine Guj 2493.

[4] 2017 SCC OnLine Kar 424.

[5] (2019) 1 SCC 1.

[6] Case C‑131/12, decided on 13-5-2014.

[7] Case C‑131/12, decided on 13-5-2014.

[8] 112 Cal App 285: 297 P 91 (1931).

[9] 85 L Ed 462 : 61 S Ct 393 : 311 US 711 (1940).

Case Briefs | International Courts

European Court of Justice: The Bench composed of K. Lenaerts, President, L. Bay Larsen, Vice-President, A. Arabadjiev, K. Jürimäe, C. Lycourgos, E. Regan, N. Jääskinen, I. Ziemele and J. Passer, Presidents of Chambers, M. Ilešič (Rapporteur), J.-C. Bonichot, T. von Danwitz and N. Wahl, JJ., directed Bulgaria to recognize a same sex couple as parents of a child irrespective of the fact that Bulgaria does not recognize the concept of marriage between homosexuals. The Bench held that,

“It would be contrary to the fundamental rights which are guaranteed to the child under Articles 7 and 24 of the Charter for the Child to be deprived of the relationship with one of her parents when exercising her right to move and reside freely within the territory of the Member States on the ground that her parents are of the same sex.”

V.M.A. and K.D.K., a same sex couple, had resided in Spain since 2015. In December 2019, they had a daughter, S.D.K.A., whose birth certificate, issued by the Spanish authorities, refers to V.M.A. as ‘Mother A’ and to K.D.K. as ‘Mother’ of the child. Notably, V.M.A. was a Bulgarian national while K.D.K. was a national of the United Kingdom.

The issue arose when in January 2020, V.М.А., applied to the Sofia municipality, Bulgaria for a birth certificate for S.D.K.A. to be issued to her, which was necessary for the issue of a Bulgarian identity document. However, the municipality refused to issue the birth certificate for the lack of information concerning the identity of the child’s biological mother and the fact that a reference to two female parents on a birth certificate was contrary to the public policy of the Republic of Bulgaria, which does not permit marriage between two persons of the same sex.

Questions Referred

The referring court, the Administrative Court of Sofia, asked whether Article 4(2) TEU could serve as justification for the Bulgarian authorities’ refusal to issue a birth certificate in respect of S.D.K.A., as any obligation to draw up a birth certificate mentioning two female individuals as the child’s parents could have an adverse effect on public policy and on the national identity of the Republic of Bulgaria, since the Bulgarian Constitution and Bulgarian family law do not provide for the parenthood of two persons of the same sex.

The referring Court also asked whether refusal to issue a birth certificate infringes the rights conferred on such a national in Articles 20 and 21 TFEU and Articles 7, 9, 24 and 45 of the Charter of Fundamental Rights of the European Union, albeit it would have no legal effect on the Bulgarian nationality of the child and consequently on that child’s Union citizenship, however it may hinder that child’s exercise of the right of free movement and thus full enjoyment of her rights as a Union citizen.

Consideration of the questions referred

Under Article 20(1) TFEU, every person holding the nationality of a Member State is to be a citizen of the Union; hence, the Bench opined that as a Bulgarian national, S.D.K.A. enjoys the status of Union citizen under that provision. Accordingly, the Bulgarian authorities are required to issue to her an identity card or a passport stating her nationality and her surname as it appears on the birth certificate drawn up by the Spanish authorities, to enable S.D.K.A. to exercise the right to move and reside freely within the territory of the Member States, guaranteed in Article 21(1) TFEU, with each of the child’s two mothers, whose status as parent of that child has been established by their host Member State.

In so far as Bulgarian law requires a Bulgarian birth certificate to be drawn up before a Bulgarian identity card or passport is issued, the Bench stated that a Member State cannot rely on its national law as justification for refusing to draw up such an identity card or passport, as Article 4(3) of Directive 2004/38 requires the Bulgarian authorities to issue an identity card or a passport to S.D.K.A. regardless of whether a new birth certificate is drawn up for that child.

Whether there was parent-child relationship?

Observing that the Spanish authorities lawfully established that there was a parent-child relationship, biological or legal, between S.D.K.A. and her two parents, and attested this in the birth certificate issued in respect of the child, the Bench stated that the Bulgarian authorities were therefore required to recognise that parent-child relationship for the purposes of permitting S.D.K.A., since she had acquired Bulgarian nationality, to exercise without impediment, with each of her two parents, her right to move and reside freely within the territory of the Member States as guaranteed in Article 21(1) TFEU.

In addition, in order to enable S.D.K.A. to exercise her right to move and reside freely within the territory of the Member States with each of her two parents, V.M.A. and K.D.K. must as well have a document which mentions them as being persons entitled to travel with that child.

Same Sex Marriage, a Concept foreign for Bulgaria

It is true, the Bench noted, that Article 9 of the Charter provides that the right to marry and the right to found a family are to be guaranteed in accordance with the national laws, which makes the Member States free to decide whether or not to allow marriage and parenthood for persons of the same sex under their national law; however, the Bench added, in exercising that competence, each Member State must comply with EU law, in particular the provisions of the FEU Treaty on the freedom conferred on all Union citizens to move and reside within the territory of the Member States, by recognising the civil status of persons that has been established in another Member State in accordance with the law of that other Member State.

Therefore, the Court held that in the instant case, the parent-child relationship being recognized by Spain, the same shall be recognized in Bulgaria.

Same Sex Marriage and Public Policy

Article 2 of the convention establishes, for the child, the principle of non-discrimination, which requires that that child is to be guaranteed the right to be registered immediately after birth, the right to a name and the right to acquire a nationality, without discrimination against the child in that regard, including discrimination on the basis of the sexual orientation of the child’s parents.

Citing Coman v Inspectoratul General pentru Imigrări, [2019] 1 WLR 425, the Bench stated that public policy may be relied on only if there is a genuine and sufficiently serious threat to a fundamental interest of society. The Bench added,

“The concept of public policy as justification for a derogation from a fundamental freedom must be interpreted strictly, with the result that its scope cannot be determined unilaterally by each Member State without any control by the EU institutions.”

The obligation for a Member State to recognise the parent-child relationship and to issue an identity card or a passport to a child whose birth certificate, issued by another Member State, recognises a same-sex couple as the child’s parents, in the context of the child’s rights under Article 21 TFEU, does not undermine the national identity or pose a threat to the public policy of that Member State.

Whether Bulgaria bound to Change its Public Policy?

The Bench clarified that the obligation to recognise the parent-child relationship in the instant case does not require the Member State of which the child concerned is a national to provide, in its national law, for the parenthood of persons of the same sex, or to recognise, for purposes other than the exercise of the rights which that child derives from EU law, the parent-child relationship between that child and the persons mentioned on the birth certificate drawn up by the authorities of the host Member State.


The Bench concluded, in the case of a child, being a minor, who is a Union citizen and whose birth certificate issued by the competent authorities of the host Member State designates as that child’s parents two persons of the same sex, the Member State of which that child is a national is obliged,

To issue to that child an identity card or a passport without requiring a birth certificate to be drawn up beforehand by its national authorities, and

To recognise the document from the host Member State that permits that child to exercise, with each of those two persons, the child’s right to move and reside freely within the territory of the Member States. [V.М.А. v. Sofia Municipality, Bulgaria, Case C-490/20, decided on 14-12-2021]

Kamini Sharma, Editorial Assistant has reported this brief.

Law made Easy

[Disclaimer: This note is for general information only. It is NOT to be substituted for legal advice or taken as legal advice. The publishers of the blog shall not be liable for any act or omission based on this note]

Note: This article discusses the domestic laws in EU countries which implement GDPR and the various guidelines released by data protection authorities to align the respective country’s legal regime with GDPR.

Due to violations of privacy attributable to the misuse of data by large and even some well-known organizations, a Data Protection Law/Data Privacy Law has become imperative. This need has been felt across the globe. Concerns over loss of privacy and misuse of data led to the enactment of the General Data Protection Regulation (“GDPR”) which came into force on May 25, 2018, as plausibly one of the toughest laws governing online privacy. GDPR is considered to be a milestone and is an essential step to strengthen an individual’s rights in the digital age. It is designed to protect the personal information of individuals and to restrict organisations’ use of the personal data of their consumers. The Regulation reflects a paradigm shift in the understanding of personal data and the collection of data by controllers.

GDPR provides a number of ways to protect data, such as rectification, deletion etc., in case the data subject[1] fears misuse of their data. It has a direct effect across all EU member States and covers all EU “established” entities and certain non-EU “established” entities. Under the former, if an entity is operating in the EU through one of its establishments, and is processing the information of EU data subjects, irrespective of whether the processing is occurring in the EU or not, such entity is covered under the ambit of the GDPR. Till now, around 28 countries have passed national legislation in line with GDPR.

GDPR provides strict data protection principles that are to be complied with by the Data Controller and Processor[2] while dealing with personal data. The Controller[3] must make sure that the personal data is:

  • used fairly, lawfully and transparently;
  • used for specified, explicit purposes;
  • used in a way that is adequate, relevant and limited to only what is necessary;
  • accurate and, where necessary, kept up to date;
  • kept for no longer than is necessary; and
  • handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage.





Federal Act concerning the Protection of Personal Data (DSG)
Supervisory Authority: Austrian Data Protection Authority

Act No. 110/2019 Coll. on the Processing of Personal Data
Supervisory Authority: Office of Personal Data Protection (UOOU)

Act of 1st August on the Organization of the National Data Protection Commission and General Data Protection Framework
Supervisory Authority: National Data Protection Commission

Protection of Natural Persons regarding the Processing of Personal Data
Supervisory Authority: Gegevensbeschermingsautoriteit

Law on Implementation of the General Data Protection Regulation
Supervisory Authority: Croatian Data Protection Personal Agency

Law n°2018-493 of June 20, 2018
Supervisory Authority: CNIL (Commission nationale de l’informatique et des libertés)

Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG)
Supervisory Authority: The Federal Commissioner for Data Protection and Freedom of Information

Data Protection Act 2018
Supervisory Authority: The Data Protection Commission

Danish Data Protection Act
Supervisory Authority: The Danish Data Protection Agency (Datatilsynet)

Data Protection Act – ‘HE 9/2018 vp
Supervisory Authority: Finnish Data Protection Ombudsman (Tietosuojavaltuutetun toimisto)

Legislative Decree No. 101/2018
Supervisory Authority: Italian Data Protection Authority (Garante per la protezione dei dati personali)

Dutch GDPR Implementation Act (Uitvoeringswet Algemene Verordening gegevensbescherming)
Supervisory Authority: Dutch Data Protection Authority (Autoriteit Persoonsgegevens)

Personal Data Protection Act
Supervisory Authority: President of the Office for Personal Data Protection

Protection of Personal Data (Act No. 18 of 2018)
Supervisory Authority: Office of Personal Data Protection

Organic Law 3/2018 of December 5
Supervisory Authority: Spanish Data Protection Agency (Agencia Española de Protección de Datos)

Data Protection Act (2018:218)
Supervisory Authority: Swedish Data Protection Authority

Swiss Federal Data Protection Act
Supervisory Authority: Information Commissioner’s Office

Data Protection Act 2018
Supervisory Authority: Information Commissioner’s Office

Law no. 190/2018
Supervisory Authority: National Supervisory Authority for Personal Data Processing

Law no. 58/2019, of 08 of August
Supervisory Authority: National Data Protection Authority (CNPD)


The Data Protection Act 2018 is the implementation of the GDPR which came into effect on May 25, 2018. The Act makes the data protection laws fit for the digital age in which an ever-increasing amount of data is being processed. It also empowers people to take control of their data and supports businesses and organisations in the United Kingdom through the change.

The Information Commissioner’s Office (“ICO”) is the body responsible for implementing the Data Protection Act and providing further guidance to create awareness regarding rights, roles and responsibilities under the Act. Some of the important guidance documents released by the ICO are discussed below:

  1. Guidance on Contracts: The guidance discusses contracts and liabilities between controllers and processors. It sets out the provisions that can be included in a contract between controllers and processors. It also helps processors to understand their new responsibilities and liabilities under the GDPR.
  2. Guidance on Controllers and processors: The Guide provides a ready reckoner checklist that helps controllers, processors and joint controllers to easily identify their roles. Additionally, it outlines some of the responsibilities of controllers when using a processor. In addition to its contractual obligations to the controller, a processor has some direct responsibilities under the GDPR and is liable in case of failure to meet any of the obligations mentioned in the contract.
  3. Encryption: The ICO has updated its GDPR guidance to provide advice on the compliant use of encryption to protect personal data. This guidance helps in understanding the importance of encryption as an appropriate technical measure for protecting the personal data an organisation holds, whether as a controller or a processor. The following must be taken into consideration while implementing encryption:
    • choosing the right algorithm;
    • the right key size;
    • the right software; and
    • keeping the key secure.
  4. Passwords: The ICO has updated the guidance on the use of passwords in order to protect data. The Guidance talks about the use of passwords and the level of security which is required while choosing a password. It recommends using a suitable hashing algorithm or other mechanism offering similar protection.
  5. Exemptions: The GDPR and the Data Protection Act, 2018 (‘DPA’) set out certain exemptions from some of the rights and obligations. Reliance on an exemption depends on the case at hand and cannot be routine. The exemptions in the DPA relieve one from some of their obligations under the Act, such as:
    • the right to be informed;
    • the right of access;
    • dealing with other individual rights;
    • reporting personal data breaches; and
    • complying with the principles.
  6. International transfers: The guidance provides clarification regarding
    • where a transfer of personal data is considered a ‘restricted transfer’; and
    • which mechanisms can be deployed in this case to transfer personal data.
  7. Personal Data Breaches: The Guidance outlines breach notification requirements under the GDPR, including what information needs to be included in a notification, and when organizations are required to notify supervisory authorities and those affected.

On September 5, 2018, the Law of 30 July 2018 on the Protection of Natural Persons regarding the Processing of Personal Data (the “Act”) entered into force and abolished the Law of 8 December 1992 on privacy protection, which regulated the processing of personal data in Belgium. The Act applies to the processing of personal data in connection with the activities of an establishment of a controller or processor on Belgian territory, whether or not the processing takes place on Belgian territory. The Act significantly broadens the scope for data processing related to criminal offences and convictions. It determines that associations and foundations for which the processing of sensitive data is necessary for the purposes of achieving their statutory objectives can make an exception for processing of such data.

The Data Protection Authority (Gegevensbeschermingsautoriteit) is the supervisory authority that monitors the protection of privacy and the use of personal data in the country.


The Law on Implementation of the General Data Protection Regulation (the ‘Act’) provides for the implementation of GDPR on the protection of individuals regarding the processing of personal data and on the free movement of such data. The Act is not applicable to the processing of personal data carried out by the competent authorities for preventing, investigating, detecting or prosecuting criminal offenses or carrying out criminal sanctions, including protection against public safety threats and their prevention, as well as in the area of national security and defence.

As per the Act, the processing of employees’ biometric data is permitted for recording working hours and controlling access to premises where the employees have provided their consent. The Act also restricts processing of personal data of employees through a video surveillance system and provides that it may only be carried out if the conditions laid down by the regulations governing occupational safety are met, and if the employees have been adequately informed in advance of such measure.

The Croatian Data Protection Personal Agency is responsible for carrying out administrative and professional tasks related to personal data protection.


The Danish Data Protection Act has been passed by the Danish parliament. The Act supplements and implements GDPR on the protection of individuals with respect to the processing of personal data and on the free exchange of such data. The law and GDPR are applicable to all processing of personal data made wholly or partly by automatic data processing and to other non-automated processing of personal data which is or will be contained in a register. According to the Act, the processing of personal data is permitted in the employment context if the data subject has consented or the processing is necessary for certain purposes.

The Danish Data Protection Agency (Datatilsynet) exercises surveillance over the processing of data to which the Act applies. The Agency primarily deals with specific cases on the basis of inquiries from public authorities or private individuals, or cases taken up by the agency on its own initiative.


Law n°2018-493 of June 20, 2018 on the protection of personal data was promulgated on June 20, 2018 and was published in the Official Journal on June 21, 2018.

The purpose of the Law was to adapt Law n° 78-17 of January 6, 1978 on information technology, data files and liberties (‘French Data Protection Act’) following the GDPR that entered into force on May 25, 2018 and Directive 2016/680 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, which ought to be transposed into domestic law.

The CNIL is the authority responsible for informing individuals of the rights accorded to them by the French Data Protection Act. Some of the guidance documents issued by CNIL in furtherance of the Data Protection Act are discussed below:

  1. CNIL Guidance on Collection and Transmission of Data to Data Brokers: Many companies collecting data directly from individuals, whether on online or paper forms, transmit this information to “commercial partners” or more generally to other organizations, so that they can send commercial solicitations by SMS or email. This transmission must comply with a series of conditions, including those posed by the GDPR, to be valid and to allow people to maintain control over their personal data.
  2. Standards for DPO certification: In order to identify the skills and know-how of the Data Protection Officer (DPO), the CNIL adopted two standards for DPO certification:
    • a certification reference system that sets the conditions for the admissibility of applications and the list of 17 skills and know-how expected to be certified as a DPO;
    • an accreditation framework that sets out the criteria applicable to organizations wishing to be authorized by the CNIL to certify the DPO’s competencies based on the certification framework developed by the CNIL.
  3. Deliberation n° 2018-326 of 11 October 2018: CNIL adopted guidelines on data protection impact assessments (DPIAs) provided for in the GDPR.
    • The Guidelines describe three examples of processing operations requiring a DPIA provided by Article 35(3) of the GDPR. The Guidelines also list nine criteria of the Article 29 Working Party identified as useful in determining whether a processing operation requires a DPIA, if that processing does not correspond to one of the three examples provided by the GDPR;
    • The Guidelines provide that a DPIA must be conducted before the implementation of processing presenting a high risk for the rights and freedoms of the natural persons concerned; it must be reviewed regularly, in any case every three years, to ensure that the level of risk remains acceptable;
    • The Guidelines specify that data controllers may rely on the CNIL’s industry standards, compliance with a standard will allow to consider that there is no high residual risk while the processing is In the case of dismissal, it will be necessary to lead the controller concerned to, at least, question the level of residual risk that may require the mandatory consultation of the board.

On 13 November 2018 the Finnish Parliament approved the Data Protection Act – ‘HE 9/2018 vp (the ‘Act’). The Act supplements GDPR and repealed the old Finnish Personal Data Act (Henkilötietolaki 523/1999).

The Finnish Data Protection Ombudsman (Tietosuojavaltuutetun toimisto) remains the national data protection authority under the GDPR, supervising data protection in Finland. However, in e-privacy matters, the Finnish Communications Regulatory Authority continues to act as the supervisory authority. The new legislation also introduces an internal advisory board in the Data Protection Ombudsman’s office. The board is given power to issue advisory statements on data protection legislation upon the Data Protection Ombudsman’s request.


The Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG) entered into force on May 25, 2018. The Act is applicable to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system, unless such processing is conducted by natural persons during a purely personal or domestic activity.

The Federal Commissioner for Data Protection and Freedom of Information is the authority responsible for supervising data protection activities. Some of the guidance documents released by the Authority are discussed below:

  • Guidance on the privacy requirements of app developers and app providers: The orientation aid is aimed at developers and providers of mobile applications (apps). It reveals data protection and technical requirements and makes them understandable by means of striking examples.
  • Cryptographic methods: Based on the realization that absolute data security cannot be achieved in practice, the principles of “adequacy” and “necessity” have been enshrined in data protection laws. This means that appropriate security measures must be taken depending on the need for protection of the personal data concerned. The present guidance on the use of cryptographic procedures has been developed by a Working Group on Technical and Organizational Data Protection Issues of the Conference of Federal Data Protection Officers.

The Data Protection Act 2018 was signed into law on 24 May 2018, to coincide with the GDPR. The Act implements derogations permitted under the GDPR and represents a major overhaul of the regulatory and enforcement framework.

The Data Protection Commission is the national independent authority responsible for upholding the fundamental right of individuals in the EU to have their personal data protected. The DPC is the Irish supervisory authority for the GDPR, and has functions and powers related to other important regulatory frameworks including the Irish ePrivacy Regulations (2011) and the EU Directive. The Commission recently published the responsibilities that organisations must carry out under the GDPR.

  1. Responsibilities of Organisations under the General Data Protection Regulation: The Authority provided information about organisational obligations under data protection legislation and the General Data Protection Regulation, including transparency with service users and how to respond to an individual who is exercising their data protection rights. More detailed information is provided regarding:
    • your obligations under data protection;
    • how to respond to an individual exercising their rights;
    • how to make a notification to the Data Protection Commission in cases where your organisation or business has breached personal data.

Italy adopted Legislative Decree No. 101/2018 which came into effect on September 4, 2018, concerning the provisions for the adaptation of the national legislation to the GDPR on the protection of individuals regarding the processing of personal data and rules to the free movement of such data.

The Decree sets the minority threshold in relation to the offer of information society services to 14 years. For children under that age, the processing of their data still requires parental consent. The Decree provides the specific conditions for the lawful processing of genetic data, biometric data or data concerning health. The Italian Supervisory Authority is tasked with such adoption, at least every two years. As per the Decree, existing practices in relation to the subject rights of deceased persons remain primarily unchanged. These rights can be exercised by those who have a proper interest or who act to protect the data subject or relevant family interests.

The Italian Data Protection Authority (Garante per la protezione dei dati personali) is an independent administrative authority established by Privacy Law. It is the supervisory authority responsible for monitoring application of the General Data Protection Regulation and the national legislation.


Code of Ethics and Conduct in Processing Personal Data for Business Information Purposes: This Code of conduct sets out the adequate safeguards and arrangements to process personal data by protecting data subjects’ rights that must be in place in pursuing business information purposes; this is aimed to ensure, on the one hand, certainty and transparency in business relations along with adequate knowledge and circulation of business and economic information and, on the other hand, quality, relevance, accuracy and topicality of the processed personal data.


The Dutch GDPR Implementation Act (Uitvoeringswet Algemene Verordening gegevensbescherming) (“UAVG”) applies in the Netherlands from 25 May 2018.

The Dutch Data Protection Authority [Autoriteit Persoonsgegevens (‘AP’)] is the independent administrative body that has been appointed by law as the supervisory authority for regulating the processing activities of personal data. Some of the publications of AP are discussed below:

  1. AP’s Recommendations for Register of Processing: On 28th November 2018, the Netherlands Authority for the Protection of Personal Data (AP) provided 5 concrete recommendations that organizations should consider when maintaining their registers of processing.
    • Organizations must state the duration and the purpose of processing personal data. Under European privacy legislation, it is not allowed to store personal data longer than necessary for the purpose for which they were collected. Organizations must also be able to explicitly state the purpose for which they collect this data.
    • Contact details of the controller must be included in the register.
    • Organizations should provide a well-organized file of all processing activities carried out in relation to personal data, thereby enabling users to easily navigate through it.
    • The location or place where personal data is stored must be stated clearly in the register. This information is relevant when people submit a request for access or deletion.
    • Organizations must specify the goal of each processing activity. A mere enumeration of the processing activities, department-wise, in combination with a summary of the various purposes of the processing is not sufficient.
  2. Policy rules prioritization complaints investigation Authority Personal Data: The Dutch Data Protection Authority published policy rules regarding the prioritization of the investigation of complaints. Pursuant to the GDPR, every data subject has the right to lodge a complaint with the Dutch Data Protection Authority if their rights provided in the GDPR are violated. It also follows from the GDPR that the Dutch Data Protection Authority must in principle investigate and respond to each complaint. The Dutch Data Protection Authority is free to make an assessment regarding the intensity of the investigation of a complaint.

The Personal Data Protection Act entered into force on 25 May 2018 to help the implementation of the GDPR in Poland.

The President of the Office for Personal Data Protection is a competent authority for the protection of personal data on the territory of Poland, created by the Act of 10 May 2018 on the protection of personal data. Some of the guidelines adopted or released by the Authority are discussed below:

  1. Guideline 1/2018 regarding certification and determination of certification criteria in accordance with Article 42 and 43: The EU guidelines on certification have been adopted by Poland. The Guidelines explore the rationale for certification as an accountability tool. They also explain the key concepts of the certification provisions in Articles 42 and 43, the scope of what can be certified and the purpose thereof.
  2. Protection of personal data at the workplace: The Guide indicates how to process personal data both during recruitment and during the whole period of employment. It is not limited to employment based on an employment relationship. It also covers other, increasingly popular forms of employment, such as civil law contracts.
  3. Tips for data controllers – how to apply the GDPR: The Personal Data Protection Office prepared 10 tips for data controllers to help them apply the GDPR rules on a daily basis, such as:
    • Establish the proper basis for collecting and using personal data;
    • Comply with the information obligation in accordance with the new rules;
    • Communicate in a transparent way;
    • Always respect the rights of people;
    • Remember that consent can be withdrawn at any time;
    • Data breaches should be reported to the President of the Personal Data Protection Office and when necessary, to the persons whose data have been violated;
    • Do not create unnecessary documentation;
    • You have the right to profile, but remember about limitations;
    • Invest in a professional DPO;
    • Watch out for cheaters.

The Protection of Personal Data (Act No. 18 of 2018) regulates the protection of the rights of natural persons against wrongful interference with their private data. The Act regulates the rights, duties and liabilities in connection with personal data processing and establishment, scope of powers and organization of the Office for Personal Data Protection of the Slovak Republic.

The Office of Personal Data Protection is the supervisory authority responsible for the implementation of the Act. Some of the guidelines released by the authority are discussed below:

  1. Methodological Guideline no. 2/2018: The Office for Personal Data Protection of the Slovak Republic issued the guideline on legality of processing. The principle of legality also expresses the requirement for fair and lawful processing, which must be in accordance with the law of the Union, the law of the Member State and good morals, so as not to violate the fundamental rights and freedoms of the persons concerned.
  2. Methodological Guideline no. 3/2018: The Office for Personal Data Protection of the Slovak Republic issued the guideline on the obligations of the e-shop operator from the point of view of personal data protection. The obligations are as follows:
    • to legally process the customer’s personal data, the operator must have an appropriate legal basis;
    • customers have the right to be informed about the terms of processing, how applications for the exercise of the rights of the persons concerned are handled, etc.;
    • data obtained should be processed by the operator only for a specific, expressly stated and legitimate purpose; furthermore, they cannot be processed in a manner which is not compatible with such a purpose;
    • the operator should process only the personal data that is necessary to achieve a specific purpose of processing;
    • the operator must process correct and up-to-date personal data;
    • the operator must keep personal data only for the time necessary to achieve the purpose of processing;
    • the operator must guarantee the adequate security of the processed personal data; and
    • the operator must be able to show compliance with the preceding principles of processing.

The Organic Law 3/2018 of December 5 guarantees the digital rights of citizens and employees, beyond the GDPR. The law includes some specifications about data subjects’ rights. The new rule recognises a set of “digital rights” (or rights in the context of the Internet) for every individual, starting with the net neutrality right (or the right to be granted Internet access without being discriminated against for technical and/or economic reasons) and ending with the right to a digital testament.

The Spanish Data Protection Agency (Agencia Española de Protección de Datos) (AEPD) is the public law authority overseeing compliance with the legal provisions on the protection of personal data and enjoying absolute independence from the Public Administration. The guides released or adopted by the Agency are discussed below:

  1. Practical Guide of risk analysis for the treatment of personal data: The guide is aimed at data controllers and processors whose processing of personal data may be affected by data security breaches. It provides an interpretation of the GDPR regarding the obligation to notify the competent authority through the appropriate channel. It aims to cover the wide range of Spanish businesses (small, medium or large companies of all kinds, companies with large-scale data processing and companies with limited processing) and can likewise help the controllers and processors of the Public Administrations involved in managing security breaches.
  2. Guide for the Person responsible for the processing of personal data: The guide systematically presents the main issues that organizations should consider for the application of the GDPR. It is designed to help controllers and processors adapt to the new obligations during the transition period. A ready reckoner checklist is included, which organizations can use to determine whether they have taken the necessary steps to apply the GDPR correctly.
  3. Guide for the management and notification of security breaches: The guide aims to be useful for anyone who wants or needs to familiarise themselves with the issues regarding the management and notification of security breaches. It is designed for different data controllers processing personal data who could be affected by data security breaches, with the aim of enabling understanding of the GDPR regarding its requirement to notify the competent authority and, when relevant, the data subjects, so that the competent authority is notified through the correct channel, with useful and accurate information for statistical and monitoring purposes, and the new GDPR demands are met.

The Data Protection Act (2018:218) entered into force on May 25, 2018. It provides for the processing of social security numbers and processing of data pertaining to criminal offences. The Act is applicable to the processing of personal data carried out within the framework of activities carried out at the premises of the personal data controller or personal data assistants in Sweden. The law is also applicable to the processing of personal data carried out by personal data controllers who are not established in Sweden, but in a place where Swedish law applies according to international law.

The Swedish government has designated the Swedish Data Protection Authority to be the supervisory authority under the GDPR.


The Swiss Federal Data Protection Act (‘Act’) and the Data Protection Ordinance (‘Ordinance’) regulate data processing activities across the country. The Act is applicable in any of the following circumstances:

  • The data subject has its habitual residence in Switzerland, provided that the data processor can anticipate that damage may be sustained in Switzerland.
  • The data controller or processor (as the potentially infringing party) is a Swiss resident.
  • Damage resulting from a data breach is sustained in Switzerland, provided that the data processor can anticipate that damage may be sustained in Switzerland.

The Federal Data Protection and Information Commission is the Authority responsible for supervising the data protection activities. The Commission recently released a guide for technical and organisational measures for the introduction of data protection risks and measures which can be taken to ensure protection for personal data.

  1. Guide for technical and organizational measures – This guide is an introduction to the data protection risks that can arise in connection with modern IT systems. It is intended to help the reader implement measures and ensure optimum and appropriate protection for personal data. The guide is primarily intended for IT systems managers and those who are directly involved in the management of personal data, whether they are technicians or not. The guide is structured around four main topics – data access, data lifecycle, data transmission and right to information.

The Federal Act concerning the Protection of Personal Data (DSG) has considerably amended the Data Protection Act 2000 in order to implement GDPR. The Act regulates processing of personal data, appointment of data protection officers, maintaining confidentiality of data, investigation or prosecution of criminal offenses and rights of data subject in order to modify, rectify or delete.

Based on Art 8 GDPR, the Act provides that children may consent to data processing in the course of information society services starting with 14 years – instead of 16 years as stipulated by the GDPR. Art 10 GDPR generally provides that criminal data may only be processed “under the control of official authority”, unless otherwise authorised by the Member States. The Austrian legislator closed the potential gap by providing that criminal data may also be processed based on legitimate interests pursued by the controller.[4]


Czech Republic enacted the Act No. 110/2019 Coll. on the Processing of Personal Data incorporating the provisions of GDPR. The law came into effect on April 24, 2019. It replaces the older Personal Data Protection Law (Act No. 101/2000 Coll., as amended) and regulates personal data processing within the scope of GDPR and also processing of the data by competent authorities for preventing, searching for and detecting criminal activity, ensuring safety and public order.

The Office for Personal Data Protection published various Guidance material for the implementation of the Law. Some of them are mentioned below:

  1. Data Breach Notification Guidance[5]: The Office for Personal Data Protection (‘UOOU’) published guidance on data breach notifications. Key features of the guidance are provided below:
     • outlines that any breach of personal data security that may result in a risk to the rights and freedoms of individuals must be reported;
     • provides examples of such incidents, including an attack on a computer in which personal data is processed which results in the leakage of personal data, as well as the loss of paper documents containing personal data that was a part of manually kept records;
     • provides that where an infringement is unlikely to result in a high risk to the rights and freedoms of data subjects, such as if it becomes impossible to trace a paper document that was or should have been part of a manually kept record, no notification must be made;
     • lists what should be included in the notification, as well as the exceptions to the obligation to report data breaches to affected individuals.
  2. DPIA Methodology[6]: The Office for Personal Data Protection (‘UOOU’) published a methodology for conducting Data Protection Impact Assessments (‘DPIAs’). Key points discussed in the Methodology are:
     • contains questions and answers, information on who needs to carry out a DPIA and when this is required, and outlines the four stages of a DPIA;
     • provides that the data controller needs to ascertain whether a DPIA needs to be carried out with respect to the personal data obtained, the legal basis for processing, data retention periods, and data transfers;
     • highlights that the data controller should, when carrying out a DPIA, provide a systematic description of the intended processing activities, follow a risk assessment procedure through identifying assets, vulnerabilities, and threats related to the processing of personal data, and determine the level of risk following a DPIA;
     • includes examples of vulnerabilities such as insufficient maintenance of supporting information and communication technologies, and insufficient physical protection of personal data.

 On 16 August 2018, the Luxembourg Government adopted and published the Law of 1 August 2018 on the organisation of the National Commission for Data Protection and implementation of GDPR and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

The Law repeals the law of 2 August 2002 on the protection of persons regarding the processing of personal data.


The Parliament of Romania adopted Law No. 190/2018 implementing the General Data Protection Regulation. The Law regulates special rules for the processing of certain categories of personal data, derogations from the GDPR, provisions regarding data protection officers (‘DPO’) and certification bodies, as well as provisions on the applicable sanctions for public and private entities. 

Conclusion: Critique of GDPR

As is evident from the EU countries’ domestic laws, GDPR is a privacy legislation that serves as a guideline for the upcoming laws on data privacy. GDPR strengthens individual privacy rights and increases the obligations of companies towards personal data. It also carries considerable power; that is to say, like most of its counterparts, it is not toothless, since it not only imposes obligations on organisations but also provides for heavy penalties for breach of any of those obligations.

The largest sanctions under privacy laws have been imposed by CNIL, whose restricted committee imposed a heavy financial penalty of around €50 million[7] against the company GOOGLE LLC for lack of transparency, inadequate information and lack of valid consent regarding the personalization of ads. The decision by the CNIL came as a warning that tough enforcement actions are not just theoretical and that organizations must therefore take the privacy laws seriously.

Recently, some of the major fines were imposed in the year 2020, such as:

  • In April 2020, the Dutch Data Protection Authority imposed its largest fine to date, €725,000 (US$ 821,600 million), on an unknown company for illegally using employees’ fingerprint scans for its attendance records over a period of 10 months. As per the GDPR, biometric data is classified as sensitive information and subjected to stringent protections.[8]
  • On December 07, 2020, the French Data Protection Authority issued two fines totalling €100 million against Google LLC, Google Ireland Limited and Amazon for cookie violations. In an audit, it was revealed that cookies, many of which were used for marketing purposes, were automatically placed on user equipment without affirmative action.[9]
  • On December 07, 2020, the Norwegian Data Protection Authority (‘Datatilsynet’) sent a notice of an infringement to the Norwegian Sports Confederation (‘NIF’) and imposed a fine amounting to NOK 2.5 million (approx. €236,000) following the disclosure of the personal data of 3.2 million Norwegians after an error that took place when testing a cloud solution.[10]

Also, since the digital environment across the world has granted access of private data on a single click, privacy laws have become the talk of the town and its breach could mean heavy penalty for the data controller and processors. The borderless nature of the Internet raises several jurisdictional issues in data protection, therefore, gradually, even non-EU members are bringing in the supplementing laws in line with GDPR to protect the personal data of consumers. India and China have introduced Data Privacy Bills and on the other hand, China has also included data privacy principles in China Civil Code.

The emergent necessity of all the organizations to review their privacy policies and make them in compliance with the national legislation of their respective countries and GDPR, only reflects on the growing acceptance of GDPR, transcending beyond the EU.

† Consultant at Ernst and Young | Data Privacy and Occupational Health and Safety Compliance Professional

[1] Data subjects as “identified or identifiable natural person[s].” In other words, data subjects are just people—human beings from whom or about whom you collect information in connection with your business and its operations.

[2] Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

[3] According to Article 4 of the EU GDPR, a data controller is the entity (person, organization, etc.) that determines the why and the how for processing personal data. A data processor, on the other hand, is the entity that actually performs the data processing on the controller’s behalf.

[4] Last accessed on December 11, 2020.



[7]Deliberation of the restricted formation n ° SAN – 2019-001 of January 21st, 2019 pronouncing a financial penalty against the company GOOGLE LLC

[8] Last accessed on December 11, 2020.

[9] Last accessed at December 14, 2020


Case Briefs | International Courts

European Court of Justice (Grand Chamber): Striking a blow on companies dependent upon the transfer of data between Europe and the US via the Privacy Shield Decision, the Court held that Privacy Shield Decision does not provide adequate data protection of European citizens from US surveillance activities. It was further observed that the Privacy Shield Decision is incompatible with Art. 45(1) of the General Data Protection Regulation (GDPR) read in the light of Arts. 7, 8 and 47 of the Charter of Fundamental Rights of the European Union and is therefore invalid. Further examining the European Commission Decision 2010/87/EU dated 05-02-2010 on ‘standard contractual clauses’ (SCCs) for the transfer of personal data to processors established in third countries, the Court agreed with the Opinion delivered on the instant matter by the CJEU Advocate General on 19-12-2019 wherein it was stated that the SCCs offer adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights as required by Art. 26(2) of Directive 95/46/EC of the European Parliament and the Council. 

As per the facts, any person residing in the European Union, who wishes to use Facebook is required to conclude, (at the time of registration) a contract with Facebook Ireland, a subsidiary of Facebook Inc., established in the United States. Some or all of the personal data of Facebook Ireland’s users residing in the European Union is transferred to servers belonging to Facebook Inc. that are located in the United States, where it undergoes processing.  Max Schrems, an Austrian Facebook user since 2008, filed a complaint with the Commissioner whereby he requested that Facebook Ireland be prohibited from transferring his personal data to the United States, on the ground that the law and practice in force in that country did not ensure adequate protection of the personal data held in its territory against the surveillance activities in which the public authorities were engaged. Mr Schrems claimed, inter alia, that United States law requires Facebook Inc. to make the personal data transferred to it available to certain United States authorities, such as the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI).

Perusing the background of the case, the Court compared the legal mechanism of data protection vis-à-vis surveillance as prevalent in the US and the European Union. It was found that the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities of such data transferred from the European Union to the United States, as assessed in the Privacy Shield Decision, are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law under Art. 52(1) of the Charter of Fundamental Rights of the European Union. It was further observed that the US Government accepted that Presidential Policy Directive-28 (which imposes a number of limitations for “signals intelligence” operations and has binding force for U.S. intelligence authorities, and is of particular relevance for EU data subjects) does not grant data subjects actionable rights before the courts against the US authorities. Therefore, the Privacy Shield Decision cannot ensure a level of protection essentially equivalent to that arising from the Charter of Fundamental Rights of the European Union, contrary to the requirement in Art. 45(2)(a) of the GDPR that a finding of equivalence depends, inter alia, on whether data subjects whose personal data are being transferred to the third country in question have effective and enforceable rights. [Data Protection Commissioner v. Facebook, Ireland Ltd., C-311/18, decided on 16-07-2020]

Op Eds | OP. ED.

The European Union (EU) continues to be a significant market for the IT/BPO industry in India[1]. Currently, India’s Data Protection Bill, 2019[2] (“the Bill”) is still not enacted into law, and there are many challenges that India is facing while entering into data processing agreements with the EU. The EU has been one of the biggest markets for the Indian outsourcing sector, and India’s relatively weak data protection laws make us less competitive than other outsourcing markets in this space. Further, Article 3 (Territorial scope) of the General Data Protection Regulation (GDPR) makes it clear that the regulation will be applicable regardless of whether or not the processing takes place in the EU. This means no business for Indian companies that do not comply with the GDPR, or increased compliance costs for those who do and the risk of huge penalties on failing to do so[3]. The focus of this article is on transfer of data outside the EU to India and India’s approach in dealing with such data transfer with respect to its obligation and extent of its liability.

Data transfer and GDPR

Legitimacy of data transfer regarding personal data of data subjects under GDPR involves two stages[4]:

  1. Data transfer itself must be legal.
  2. Whether transfer to third country is permitted.

Where a processor is situated in a third country, every data processing agreement must separately set out the allocation of obligations between the controller and the processor. The reason is that Article 82 of GDPR clearly states that a person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered. A controller involved in processing shall be liable for the damage caused by processing which infringes the regulations given under GDPR. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.

The protection of the rights and freedoms of data subjects as well as the responsibility and liability of controllers and processors, also in relation to the monitoring by and measures of supervisory authorities, requires a clear allocation of the responsibilities under this Regulation, including where a controller determines the purposes and means of the processing jointly with other controllers or where a processing operation is carried out on behalf of a controller[5].

Obligations of the Controller


Processing personal data is generally prohibited, unless it is expressly allowed by law, or the data subject has consented to the processing[6]. The obligation is on the controller to show that consent of the data subject has been obtained as required under Article 7 of GDPR. Article 82 read with Article 7 of GDPR mandates the controller to be held liable for damages to the data subject in case of infringement of Article 7 of GDPR.

Lawfulness and means of processing

Article 4(7) of GDPR defines the controller as the one who determines the purposes and means of the processing of personal data. The obligations of the controller as stated under Article 24 of GDPR are to be read with Article 5 of GDPR. Thus, apart from lawfulness of processing and obtaining the consent of the data subjects, extended responsibilities are imposed on the controller, for which the controller shall be held accountable: processing must be fair and transparent, and data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Also, personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed, and accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay. Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed, and processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, by using appropriate technical or organisational measures[7]. The controller must ensure, in selecting the processor, that it has implemented sufficient technical and organisational measures to ensure that processing meets the requirements of the Regulation[8].

Obligations of the Processor

What the obligations and liability of the Processor are is the next question.

It is the responsibility of both the controller and processor to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk[9]. Further, the processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by Union or Member State law[10]. If a processor infringes this Regulation by determining the purposes and means of processing, the processor shall be considered to be a controller in respect of that processing[11].

In a controller-processor relationship, the latter is only allowed to process personal data based on the documented instructions from the controller. The processor cannot engage another processor to help fulfil a specific contract, without the prior specific or general written authorisation of the respective controller[12]. Thus the carrying-out of processing by a processor should be governed by a contract or other legal act under Union or Member State law, binding the processor to the controller, setting out the subject-matter and duration of the processing, the nature and purposes of the processing, the type of personal data and categories of data subjects, taking into account the specific tasks and responsibilities of the processor in the context of the processing to be carried out and the risk to the rights and freedoms of the data subject. After the completion of the processing on behalf of the controller, the processor should, at the choice of the controller, return or delete the personal data, unless there is a requirement to store the personal data under Union or Member State law to which the processor is subject[13].

Further, it is the responsibility of both the controller and the processor to maintain records of processing activities under their responsibility[14].


If the intended data transfer meets the general requirements, one must check in a second step whether transfer to the third country is permitted. There is a differentiation between secure and unsecure third countries[15].

GDPR allows transfer of personal data of data subjects situated in the EU to countries outside the EU for the purpose of processing and does not prohibit such transfer per se, whether it is a secure third country that has attained ‘adequacy’ status or an unsecure third country with no data protection law at all, as in the case of India. The principles embodied under the GDPR recognise the importance of international trade and cooperation in order to achieve economic growth. The Regulation tries to balance economic growth with individual privacy and national security.

Data transfers to secure third countries do not require any specific authorisation[16]. As India (a third country) does not yet have a separate law dealing with data protection and is regarded as an unsecure third country by the EU, agreements with EU countries include standard contractual clauses, as per notifications by the EU Commission, which Indian entities abide by while processing personal data. These standard contractual clauses cannot be amended to contradict the notification. The parties are free to add clauses so long as they are in consonance with the standard contractual clauses as given in the notification.

The EU Commission’s decision dated 5 February 2010 deals with standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council, which is still to be followed under the GDPR laws. This Notification C(2010) 593 applies as given under Recital Point 2, which states:

Member States may authorise, subject to certain safeguards, a transfer or a set of transfers of personal data to third countries which do not ensure an adequate level of protection. Such safeguards may in particular result from appropriate contractual clauses.

Thus along with other agreed terms between a controller situated in EU and a processor processing data in India, the standard contractual clauses stated in the Notification C(2010) 593 are required to be followed by India. These additional obligations are followed by Indian companies as India does not have a Data Protection Act in place.

What’s next for India?

Is India Chapter V of GDPR compliant? 

For data to be transferred from a controller situated in the EU and processed in India, i.e. data transfer, without any additional safeguard provisions, it is necessary that the Indian Data Protection Bill, 2019 comply with Chapter V of GDPR and that India be regarded as one of the countries providing adequate protection. India is gearing up to seek ‘adequacy’ status with the European Union’s General Data Protection Regulation[17].

In conclusion, the author states that the purpose of this article is to create awareness among the processors regarding their obligations and subsequently their liability. A processor cannot be held liable for all data privacy breaches. Thus it’s necessary to understand the obligations of the controller and the processor and separately allocate each entity their responsibility in the agreement entered into between them. This article will also assist the data subjects who have been aggrieved by a data privacy breach to approach the right entity and claim relief.

* Advocate

[1] India gets ready for EU’s new data regime, Rahul Kumar, 25 April 2017

[2] Personal Data Protection Bill, 2019

[3] How can Indian organisations prepare for the GDPR regime?, Sivarama Krishnan

[4] General Data Protection Regulation, Key Issue, Third Country

[5] General Data Protection Regulation, Recital 79, Allocation of Responsibilities

[6] General Data Protection Regulation, Key Issue, Consent

[7] Article 5 of General Data Protection Regulation, 2018

[8] General Data Protection Regulation, Key Issue, Processing

[9] Article 32 of General Data Protection Regulation, 2018

[10] Article 29 of General Data Protection Regulation, 2018

[11] Article 28(10) of General Data Protection Regulation, 2018

[12] General Data Protection Regulation, Key Issue, Processing

[13] General Data Protection Regulation, Recital 81, The Use of Processors

[14] Article 30 of General Data Protection Regulation, 2018

[15] General Data Protection Regulation, Key Issue, Third Country

[16] Article 45 of General Data Protection Regulation, 2018

[17] India to seek EU’s approval on GDPR compliance for ‘adequacy’ status, Abhimanyu Ghoshal


Cabinet Decisions | Legislation Updates

The Union Cabinet has approved the proposal of the Securities & Exchange Board of India (SEBI) to sign an updated Alternative Investment Fund Managers Directive (AIFMD) MoU between SEBI and the Financial Conduct Authority (FCA), UK, pursuant to the UK’s exit from the European Union on 31-01-2020.

Major impact

The UK exited the EU on 31st January 2020. FCA, UK had submitted to SEBI that no transitional measures would be available if the amended MoU is not signed before the date when the UK exits the European Union (Brexit), and requested SEBI to sign an updated MoU as early as possible. As such, the proposal is not expected or intended to have any effect on employment in India.


In accordance with the requirement of establishing adequate supervisory cooperation arrangements between EU and non-EU authorities under the European Union Alternative Investment Fund Managers Directive (AIFMD), a bilateral MoU was signed by SEBI with securities regulators of 27 member States of EU / European Economic Area, including the Financial Conduct Authority (FCA), United Kingdom, on 28th July 2014. In the context of the UK’s proposed withdrawal from the EU, FCA brought to the notice of SEBI that the existing MoU between SEBI and FCA relating to AIFMD, which is currently anchored on EU law, will no longer apply directly in the UK, and has, therefore, suggested signing an updated MoU after amending the AIFMD MoU by suitably modifying it and substituting references to EU legislation with the relevant UK law.


[Press Release dt. 19-02-2020]

[Source: PIB]

Hot Off The Press | News

The Geneva Act of the Lisbon Agreement on Appellations of Origin and Geographical Indications reached a milestone enabling its entry into force, as the European Union (EU) joined as the key fifth member of the international registration system that provides protection for names identifying the geographic origin of products such as coffee, tea, fruits, wine, pottery, glass and cloth.


Appellations of origin and geographical indications are distinctive product designations that require a qualitative link between the product to which they refer and its place of origin. Both are interesting marketing tools for producers, as they inform consumers about a product’s geographical origin and a quality, characteristic and/or reputation of the product linked to its place of origin. The basic difference between the two terms is that the link with the place of origin is stronger in the case of an appellation of origin.

Like all intellectual property rights, the rights granted by an appellation of origin or a geographical indication fundamentally have a territorial character and only take effect in the country or region in which the distinctive sign is protected.

The Lisbon System offers an international registration system for appellations of origin and geographical indications through a single procedure with WIPO. By means of a single registration procedure and a minimum expense, the holder of a national or regional appellation of origin or geographical indication may obtain the protection of the distinctive sign in the other contracting parties of the Lisbon System.

Examples of appellations of origin and geographical indications include Kampot Pepper, Darjeeling Tea, Panjin Rice, Café de Colombia, Prosciutto di Parma, Oku Honey, Scotch Whisky, Tequila, Argane, Chulucanas, Khokhloma, Chiangmai Celadon, Swiss Watches and Bohemia Crystal.


[Press Release dt. 26-11-2019]

Hot Off The Press | News

French Parliament is the first to adopt the European Copyright reform, which would:

“Ensure media are paid for original content, typically news, offered online by tech giants such as Google and Facebook.”

As reported by media, “revamp to European copyright legislation, adopted by the European Parliament in March, was agreed by the French lower chamber in a final reading, making France the first country to adopt the directive.”

The EU copyright directive is due to be adopted by all member states by April next year.

European Copyright Reform:
A press release by the European Union stated that:
The reform will adapt copyright rules to today’s world, where music streaming services, video-on-demand platforms, news aggregators and user-uploaded-content platforms have become the main gateways to access creative works and press articles. The new Directive will boost high-quality journalism in the EU and offer better protection for European authors and performers.
Users will benefit from the new rules, which will allow them to upload copyright-protected content on platforms legally. Moreover, they will benefit from enhanced safeguards linked to the freedom of expression when they upload videos that contain rights holders’ content, i.e. in memes or parodies.
Case Briefs | Foreign Courts

Supreme Court of United Kingdom: In a landmark decision with regard to the June 2016 referendum which marked the “BREXIT”, the 11-Judge Bench of the Court, with a ratio of 8:3, held that, in conformity with Article 50 of the Treaty on the European Union, an Act of Parliament is required to authorise ministers to give ‘Notice’ of the decision of the United Kingdom to withdraw from the European Union.

The issue in the present case was whether the Notice as stated in Article 50 of the Treaty on the European Union can be lawfully given by the government ministers without an Act of Parliament. Article 50 clearly states that if a member state decides to withdraw from the European Union ‘in accordance with its own constitutional requirements’, it should serve a Notice of that intention and that the treaties which govern the EU “shall cease to apply” to that member state within two years thereafter. It was contended that, “the Government cannot serve a Notice unless first authorised to do so by an Act of Parliament. Resolution of this dispute depends on the proper interpretation of the European Communities Act 1972 (‘the ECA’), which gave domestic effect to the UK’s obligations under the then existing EU Treaties”.

While deciding the case, the Court made it clear that it is not conducting a scrutiny of the validity of the decision of the United Kingdom to withdraw from the EU. President, Lord Neuberger, heading the majority decision, stated that “Section 2 of the ECA authorises a dynamic process by which EU law becomes a source of UK law and takes precedence over all domestic sources of UK law, including statutes”. Observing upon the major political and legal significance of the 2016 Referendum, the majority stated that, “The change in the law required to implement the referendum’s outcome must be made in the only way permitted by the UK constitution, namely, by an Act of Parliament”. The dissenting Judges however observed that, “The ECA does not impose any requirement or manifest any intention in respect of the UK’s membership of the EU. It does not therefore affect the Crown’s exercise of prerogative powers in respect of UK membership.” [R v. Secretary of State, [2017] 2 WLR 583: [2017] UKSC 5, decided on 24.01.2017]