This series provides more detailed insight into the General Data Protection Regulation, which was published on 4 May 2016 and must be complied with by 25 May 2018.
This issue focuses on the legal grounds for processing. Skip to the end for a quick overview of the main takeaways and to do’s.
The GDPR does not change the legal grounds for processing. However, certain interpretations and practices are now expressly included in the GDPR, as further detailed below.
The processing of personal data is lawful only if and to the extent that at least one of the following conditions applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
It is of the utmost importance that the appropriate legal basis be used for each processing activity. This is especially important when it comes to consent. Organizations tend to rely on consent when it is not actually required. Consent is too often, and wrongly, seen as a safe haven. Companies think that if they have obtained consent, the processing is lawful. This is however not always the case. Using consent when reliance on another ground is called for may result in the unlawful processing of personal data. Consent will be further addressed in a separate issue of this series.
The basis for the processing of personal data in order to comply with a legal obligation or perform a task in the public interest must be laid down in EU or Member State law. This means that organizations cannot rely on this ground if the legal obligation or task that forms the basis for the processing is found in the law of a non-EU Member State (e.g. the US). Member States are free to introduce more specific rules on the processing of personal data for these purposes.
Public authorities processing personal data in the performance of their tasks may not rely on the legitimate interest ground.
Given the accountability principle (see the previous issue on data processing principles) and the obligation to inform the data subject of the legitimate interest, the legitimate interest must be duly identified, analysed and documented.
When analysing a legitimate interest, organizations should take into account the reasonable expectations of the data subject. It must be verified whether the data subject can reasonably expect at the time and in the context of the collection of his or her personal data that processing for the indicated purpose will take place. If the processing could not reasonably be expected by the data subject, it may be hard to rely on the legitimate interest ground.
The recitals mention that the following purposes may constitute a legitimate interest:
Pursuant to the purpose limitation principle, personal data may not be further processed in a manner that is incompatible with the purpose for which they were initially collected and processed. If the further processing is considered compatible with the initial purpose (e.g. processing for archiving, scientific or historical research purposes), a separate legal basis is not required. In order to ascertain whether a purpose for further processing is compatible with the purpose for which the personal data are initially collected, the controller should take into account the following elements:
If the data subject has given consent or the processing is based on Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard, in particular, important objectives of general public interest, the controller is allowed to further process the personal data irrespective of the compatibility of the purposes.