References
- A29WP (Article 29 Data Protection Working Party). 2010. “Opinion 1/2010 on the Concepts of ‘Controller’ and ‘Processor’”. https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf
- A29WP (Article 29 Data Protection Working Party). 2014. “Opinion 8/2014 on Recent Developments on the Internet of Things”. https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf
- A29WP (Article 29 Data Protection Working Party). 2016. (Article 29 Data Protection Working Party) “Guidelines on Data Protection Officers”. https://ec.europa.eu/information_society/newsroom/image/document/2016-51/wp243_en_40855.pdf?wb48617274 = CD63BD9A
- A29WP (Article 29 Data Protection Working Party) and WPPJ (Working Party on Police and Justice). 2009. “The Future of Privacy. Joint contribution to the Consultation of the European Commission on the legal framework for the fundamental right to protection of personal data”. Available at: https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2009/wp168_en.pdf
- AEPD (Agencia española proteccion datos) (DPA Spain). 2021. Procedure no.: PS/00059/2020 18 May 2021. https://www.aepd.es/informes-y-resoluciones/resoluciones?search_api_fulltext = PS%2F00059%2F2020&sort_bef_combine = fecha_firma_DESC
- Blecher, L. 2017. “Codes of Conduct: The Trojan Horse of International Human Rights law.” Comparative Labor Law & Policy Journal 38 (3): 462–464.
- Bomann-Larsen, L. 2014. Responsibility in World Business: Managing Harmful Side-Effects of Corporate Activity. Tokyo: UN University Press.
- Bonnitcha, J., and Robert McCorquodale. 2017. “The Concept of ‘Due Diligence’ in the UN Guiding Principles on Business and Human Rights.” European Journal of International Law 28 (3): 899–919. https://doi.org/10.1093/ejil/chx042.
- Bygrave, L. A. 2017. “Data Protection by Design and by Default: Deciphering the EU’s Legislative Requirements.” Oslo Law Review 4 (2): 105–120. https://doi.org/10.18261/issn.2387-3299-2017-02-03
- Bygrave, L. A. 2020. “Article 25 Data Protection by Design and by Default.” In The EU General Data Protection Regulation (GDPR): A Commentary, edited by C. Kuner et al., 571–581. UK: Oxford University Press.
- Bygrave, L. A. 2022. Security by Design: Aspirations and Realities in a Regulatory Context.” Accepted for publication in Oslo Law Review 8 (3): Research Paper No. 2022-44.
- Bygrave, L. A., Luca Tosoni, et al. 2020. “Article 4(7) Controller.” In The EU General Data Protection Regulation (GDPR): A Commentary, edited by C. Kuner, 145–156. UK: Oxford University Press.
- Cafaggi, F. 2013. “The Regulatory Functions of Transnational Commercial Contracts: New Architectures.” Fordham Int'l LJ 36: 1557.
- Cavoukian, A. 2009. “Privacy by Design: The 7 Foundational Principles: Implementation and Mapping of Fair Information Practices.” https://iab.org/wp-content/IAB-uploads/2011/03/fred_carter.pdf
- Cavoukian, A., S. Taylor, and M. E. Abrams. 2010. “Privacy by Design: Essential for Organizational Accountability and Strong Business Practices.” Identity in the Information Society 3 (2): 405–413. https://doi.org/10.1007/s12394-010-0053-z
- Commission of the European Communities. 2001. “Green Paper: Promoting a European Framework for Corporate Social Responsibility” COM (2001) 366 final (July 18, 2001). https://www.europarl.europa.eu/meetdocs/committees/deve/20020122/com(2001)366_en.pdf
- Dahi, A., and Marcelo Corrales Compagnucci 2022. “Device Manufacturers as Controllers – Expanding the Concept of ‘Controllership’ in the GDPR.” Computer Law & Security Review 47: 105762. https://doi.org/10.1016/j.clsr.2022.105762.
- Docksey, C. 2020. “Article 24 Responsibility of the controller”. In The EU General Data Protection Regulation (GDPR): A Commentary, edited by C. Kuner et al., 550–570. UK: Oxford University Press.
- EDPB (European Data Protection Board). 2020a. “Guidelines 4/2019 on Article 25 Data Protection by Design and by Design” (version 2.0 adopted on 20 October 2020). https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201904_dataprotection_by_design_and_by_default_v2.0_en.pdf.
- EDPB (European Data Protection Board). 2020b. “Guidelines 07/2020 on the Concepts of Controller and Processor in the GDPR” (version 2.1. adopted on 7 July 2021). https://edpb.europa.eu/system/files/2023-10/EDPB_guidelines_202007_controllerprocessor_final_en.pdf.
- EDPS (European Data Protection Supervisor). 2012. “Opinion on the Data Protection Reform Package”. https://edps.europa.eu/sites/edp/files/publication/12-03-07_edps_reform_package_en.pdf.
- EDPS (European Data Protection Supervisor). 2015. “Annex to Opinion 3/2015: Comparative table of GDPR texts with EDPS recommendations.” https://edps.europa.eu/sites/edp/files/publication/15-07-27_gdpr_recommendations_annex_en_1.pdf.
- Eijsbouts, J. 2017. “Corporate Codes as Private Co-Regulatory Instruments in Corporate Governance and Responsibility and their Enforcement.” Indiana Journal of Global Legal Studies 24 (1): 181–205. https://doi.org/10.2979/indjglolegstu.24.1.0181
- European Commission. 2010. “A Comprehensive Approach on Personal Data Protection in the European Union” (COM(2010) 609 final), 4.11.2010. https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri = COM:2010:0609:FIN:EN:PDF
- European Commission. 2012. “Impact Assessment Accompanying the document Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) and Directive of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data” (SEC(2012) 72 final) 25.1.2012. https://europarl.europa.eu/cmsdata/59702/att_20130508ATT65856-1873079025799224642.pdf.
- European Commission. 2022. “Proposal for a Directive of the European Parliament and of the Council on Corporate Sustainability Due Diligence and amending Directive (EU) 2019/1937”, 2022/0051(COD) (Proposed CSDD Directive). https://eur-lex.europa.eu/legal-content/EN/TXT/?uri = CELEX%3A52022PC0071.
- European Data Protection Supervisor (EDPS). 2011. “Opinion on the Communication from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions – ‘A comprehensive approach on personal data protection in the European Union.”
- European Parliament. 2011. “European Parliament resolution of 6 July 2011 on a comprehensive approach on personal data protection in the European Union” (2011/2025(INI)). https://www.europarl.europa.eu/doceo/document/TA-7-2011-0323_EN.pdf.
- Friedman, B., David G. Hendry, and Alan Borning. 2017. “A Survey of Value Sensitive Design Methods.” Foundations and Trends® in Human–Computer Interaction 11 (2): 63–125. https://doi.org/10.1561/1100000015
- Hartzog, W. 2018. Privacy’s Blueprint: The Battle to Control the Design of New Technologies. Cambridge, MA: Harvard University Press.
- Hildebrandt, M., and Laura Tielemans. 2013. “Data Protection by Design and Technology Neutral Law.” Computer Law & Security Review 29 (5): 509–521. https://doi.org/10.1016/j.clsr.2013.07.004
- Jasserand-Breeman, C. 2019. “Reprocessing of Biometric Data for Law Enforcement Purposes: Individuals’ Safeguards Caught at the Interface between the GDPR and the ‘Police’ Directive?.” Dissertation, University of Groningen.
- Klitou, D. 2011. “Privacy by Design and Privacy-Invading Technologies: Safeguarding Privacy, Liberty and Security in the 21st Century.” Legisprudence 5 (3): 297–330. https://doi.org/10.5235/175214611799248904
- Latour, B. 2010. “A Cautious Prometheus? A Few Steps Toward a Philosophy of Design (with Special Attention to Peter Sloterdijk).” In Networks of Design: Proceedings of the 2008 Annual International Conference of the Design History Society, edited by F. Hackney, J. Glynne, and V. Minto, 2–10. Universal Publishers.
- Michelakaki, C., and Barros Vale. 2023. Unlocking Data Protection by Design & By Default: Lessons from the Enforcement of Article 25 GDPR. Future of Privacy Forum. https://fpf.org/wp-content/uploads/2023/05/FPF-Article-25-GDPR-A4-FINAL-Digital.pdf.
- Rogge, A. 2020. “Audits and Reporting Schemes: A Business Case for Human Rights Due Diligence.” ANU College of Law, 13 November 2020. https://law.anu.edu.au/news-and-events/news/audits-and-reporting-schemes-business-case-human-rights-due-diligence.
- Sherman III, John F. 2021. “Irresponsible Exit: Exercising Force Majeure Provisions in Procurement Contracts” Business and Human Rights Journal 6 (1): 127–134. https://doi.org/10.1017/bhj.2020.27
- Shift. 2012. “Respecting Human Rights Through Global Supply Chains”, Shift Workshop Report No. 2. https://www.hks.harvard.edu/sites/default/files/centers/mrcbg/programs/cri/files/Shift-Workshop-Report-2_Respecting-Human-Rights-Through-Global-Supply-Chains.pdf.
- Smit, L., Gabrielle Holly, Robert McCorquodale, and Stuart Neely. 2021. “Human Rights Due Diligence in Global Supply Chains: Evidence of Corporate Practices to Inform a Legal Standard.” The International Journal of Human Rights 25 (6): 945–973. https://doi.org/10.1080/13642987.2020.1799196
- Sorell, T. 2005. “Business and Human Rights.” In Human Rights and the Moral Responsibilities of Corporate and Public Sector Organisations, edited by T. Campbell, and Seumas Miller, 129–143. Dordrecht: Springer.
- UN Human Rights Council. 2007. “Report of the Special Representative of the Secretary-General on the issue of human rights and transnational corporations and other business enterprises, John Ruggie* Business and human rights: mapping international standards of responsibility and accountability for corporate acts” (19 February 2007), UN Doc. A/HRC/4/35. https://documents.un.org/doc/undoc/gen/g07/108/85/pdf/g0710885.pdf?token = tXcGGGTmr17rcP98Xa&fe = true.
- UN Human Rights Council. 2008. Clarifying the Concepts of ‘Sphere of Influence’ and ‘Complicity’, UN Doc. A/HRC/8/16. https://documents.un.org/doc/undoc/gen/g08/134/78/pdf/g0813478.pdf?token = XKZbtq0O3D3xrz8dtO&fe = true.
- UN Human Rights Council. 2011. Guiding Principles on Business and Human Rights: Implementing the United Nations ‘Protect, Respect and Remedy’ Framework (UNGP 2011), UN Doc. A/HRC/17/31). https://documents.un.org/doc/undoc/gen/g11/121/90/pdf/g1112190.pdf?token = dE4bLLpZOHEOKLg8vF&fe = true.
- Van Alsenoy, B. 2017. “Liability under EU Data Protection Law: From Directive 95/46 to the General Data Protection Regulation.” Journal of Intellectual Property, Information Technology and E-Commerce Law 7 (3): 271–288.
- Van Mil, J., and J. P. Quintais. 2022. “A Matter of (Joint) Control? Virtual Assistants and the General Data Protection Regulation.” Computer Law & Security Review 45 (105689) . https://doi.org/10.1016/j.clsr.2022.105689.
- Waldman, A. E. 2018. “Privacy’s Law of Design.” UC Irvine Law Review 9 (5): 1239–1288.
- Wood, S. 2012. “The Case for Leverage-Based Corporate Human Rights Responsibility.” Business Ethics Quarterly 22 (1): 63–98. https://doi.org/10.5840/beq20122215
- Legislation
- Regulation (EU). 2016/679. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC: General Data Protection Regulation. Consolidated version. Data.europa.eu/eli/reg/2016/679/2016-05-04.
- Case law (in chronological order)
- European Court of Justice
- Judgment of 25 November 1998. Giuseppe Manfredi v Regione Puglia (Manfredi). Case C-308/97 ECLI:EU:C:1998:566.
- Judgment of 24 November 2005. Deutsches Milch-Kontor GmbH v Hauptzollamt Hamburg-Jonas (Deutsches Milch-Kontor), Case C-136/04, ECLI:EU:C:2005:716.
- Judgment of 2 April 2009. Hauptzollamt Bremen v. J. E. Tyson Parketthandel GmbH hanse j. (Hauptzollamt Bremen), C-134/08 ECLI:EU:C:2009:229.
- Judgment of 13 May 2014. Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González (Google Spain), Case C-131/12, ECLI:EU:C:2014:317.
- Judgment of 5 June 2018. Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v. Wirtschaftsakademie Schleswig-Holstein GmbH (Wirtschaftsakademie), C-210/16 EU:C:2018:388.
- Judgement of 10 July 2018. Tietosuojavaltuutettu v Jehovan todistajat — uskonnollinen yhdyskunta (Jehovan todistajat), C-25/17 ECLI:EU:C:2018:551
- Decisions of Data Protection Authorities
- UODO (Urzędu Ochrony Danych Osobowych) (DPA Poland), DKN.5130.1354.2020, 17 December 2020, (Available at https://uodo.gov.pl/decyzje/DKN.5130.1354.2020 )
- GPDP (Garante Per La Protezione Dei Dati Personali) (DPA Italy). 2020. “Injunction order against Wind Tre SpA”, 9 July 2020 [doc. web no. 9435753] https://www.gpdp.it/web/guest/home/docweb/-/docweb-display/docweb/9435753
- AEPD (Agencia española proteccion datos) (DPA Spain), 2021. Procedure no.: PS/00059/2020 18 May 2021. https://www.aepd.es/informes-y-resoluciones/resoluciones?search_api_fulltext = PS%2F00059%2F2020&sort_bef_combine = fecha_firma_DESC
- GPDP (Garante Per La Protezione Dei Dati Personali) (DPA Italy). 2021. “Injunction order against Atac spa” 22 July 2021 [doc. web no. 9698597], (Available at https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/9698597).
- UODO (Urzędu Ochrony Danych Osobowych) (DPA Poland), DKN.5130.2215.2020, 22 January 2022, (Available at https://uodo.gov.pl/decyzje/DKN.5130.2215.2020).