Data Protection and Management Law


This course will analyse privacy rights and data protection rights within the European Union, with a special focus on the General Data Protection Regulation (GDPR). The aim is to prepare students to work with the GDPR in both theory and practice, by analysing case law and practical scenarios involving data processing. The analysis and discussion will also cover some more complex and little-explored scenarios, such as digital profiling, data collection for the development and training of artificial intelligence systems, and the use of facial recognition technology.

General characterization





Responsible teacher



Weekly - 3

Total - 36

Teaching language



Not Applicable


Article 29 Working Party, 2014, "Opinion 06/2014 on the Notion of Legitimate Interests of the Data Controller under Article 7 of Directive 95/46/EC",

Article 29 Working Party, 2013, "Opinion 03/2013 on Purpose Limitation",

European Data Protection Board, 2020, "Guidelines 07/2020 on the concepts of controller and processor in the GDPR",

European Data Protection Board / European Data Protection Supervisor, 2021, "EDPB-EDPS Joint Opinion 5/2021 on the proposal for a Regulation of the European Parliament and of the Council laying down harmonised rules on artificial intelligence (Artificial Intelligence Act)",

European Data Protection Board / European Data Protection Supervisor, 2022, "EDPB-EDPS Joint Opinion 03/2022 on the Proposal for a Regulation on the European Health Data Space",

European Union Agency for Fundamental Rights and Council of Europe, 2018. Handbook on EU Data Protection Law. Available at

Kuner, Christopher, Lee A. Bygrave and Christopher Docksey (eds.), 2020. The EU General Data Protection Regulation (GDPR). Oxford University Press. DOI: 10.1093/oso/9780198826491.003.0002

Raposo, Vera Lúcia, 2022, "(Do Not) Remember My Face: Uses of Facial Recognition Technology in Light of the General Data Protection Regulation", Information and Communication Technology Law, DOI: 10.1080/13600834.2022.2054076



Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González, (2014) CJEU C-131/12, ECLI:EU:C:2014:317

Schrems v Data Protection Commissioner (2015) CJEU Case C-362/14, ECLI:EU:C:2015:650

Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW eV, (2019) CJEU Case C-40/17, ECLI:EU:C:2019:629

Schrems and Facebook Ireland v Data Protection Commissioner (2020) CJEU Case C-311/18, ECLI:EU:C:2020:559

X and Z v Autoriteit Persoonsgegevens, Case C-245/20, (2022) CJEU ECLI:EU:C:2021:822 (Advocate general opinion)


Note: Additional case law and references might be indicated throughout the course.

Teaching method

The course is structured in sessions that combine theoretical exposition with the practical resolution of real-life cases and the debate of controversial issues.

The teaching materials include not only the indicated references but also short videos that will be integrated to streamline the classes and give them more practical content.


Evaluation method

The evaluation can be carried out in two ways:

i) Final assessment: Final exam, with the consultation of all materials


ii) Ongoing assessment:

(a) Participation in classes - 30%

(b) Written report, to be presented at the end of the semester, on an issue to be previously agreed with the professor, between 3000 and 4000 words (not counting bibliographic references) - 70%

Subject matter

1. The rights to privacy and data protection: Contextualization of these rights in European law

2. The GDPR: legal background and practical application

2.1. Scope

2.2. Basic concepts

2.3. Guiding principles

2.4. Rights of data subjects and obligations of controllers and processors

2.5. International data transfer

3. Critical assessment of the GDPR