One of the key tenets in European data privacy law is the general principle of fair and lawful processing. The principle was initially established in Article 6 a) of the Data Protection Directive of 1995 – “Member States shall provide that personal data must be processed fairly and lawfully”. It was retained and further expanded in Article 5, paragraph 1) a) of the GDPR – “Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency)“. It is recital 39 of the GDPR that postulates the basic requirement that any processing of personal data must be lawful and fair. Further, the processing also has to be transparent to natural persons when personal data concerning them is collected, used, consulted or otherwise processed. The principle of transparency requires that any information and communication relating to the processing of personal data should be easily accessible and easy to understand by way of using clear and plain language.
In order for a personal data processing operation to be lawful under the GDPR it has to rely on one of the six established legal bases. These are:
i) the consent of the data subject to processing for one or more specific purposes
ii) the necessity of the processing for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
iii) the necessity of the processing for compliance with a legal obligation to which the controller is subject
iv) the necessity of the processing for protecting the vital interests of the data subject or of another natural person
v) the necessity of the processing for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
vi) the necessity of the processing for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject
The notion of consent as a legitimizing ground for processing of personal data is the first of the six bases for lawful processing. The GDPR states that consent by the data subject needs to be unambiguous, freely given, specific and informed. It further declares that consent can be indicated by a statement or a clear affirmative action. The Regulation clarifies that silence, pre-ticked boxes or inactivity cannot possibly constitute consent. This is important guidance for data controllers when they intend to obtain consent through the use of online forms. They should never use pre-ticked boxes and they shall not infer that the use of a service or the mere browsing of a website could constitute consent to the processing of personal data.
Additionally, the GDPR stresses that consent is not a valid legal ground for processing of personal data in situations where there is a clear imbalance between the data subject and the controller – for example in relations between employers and employees.
The GDPR imposes an obligation on data controllers to actually be able to demonstrate that the data subject has consented to the processing of personal data. In practice, this means that controllers need to keep record and maintain archives of the declarations of data subjects when they agree to the processing of their personal data.
Finally, it has to be noted that data subjects have the ultimate power to withdraw consent at any time without the need to invoke a reason. The immediate result of such action is the restriction of further processing of the personal data in question. And if the controller is unable to demonstrate the existence of a different fair purpose and another legitimate ground for processing, the data will have to be erased. A case on point would be a website that is disseminating a newsletter to a set of subscribers and their personal data is being processed on the basis of their consent. In case a subscriber withdraws its consent at a later point (i.e. unsubscribes) and the data controller cannot rely on another ground for lawful processing, it will inevitably have to erase the personal data that has been stored in view of that subscriber.
The second lawful ground is the necessity of the processing for the performance of a contract to which the data subject is party or the performance of preliminary steps prior to entering into a contract. A typical example of such lawful processing would be a situation where an online shop is processing personal data such as the name, the physical address and the phone number of the data subject for the purpose of organizing the delivery of a purchased item after a contract for sale has been concluded between the parties. Processing would also be lawful when the same online shop is processing the name and the email address of a potential customer in order to reply to a query about a product or service that is generated through the use of the contact form on its website. In the first scenario, the data processing is necessary for the online shop so that it can actually perform its contractual duties. In the second scenario, the processing is necessary because it allows the vendor to execute certain preliminary steps that are initiated by the customer and that are needed before conclusion of a contract.
The third ground for lawful data processing is the existence of a legal obligation for the controller. For example, this ground would be relevant in a situation where a bank or a financial institution requires its customers to fill in an AML or KYC questionnaire and it collects and stores their personal data on the basis of a statutory requirement established by applicable anti-money laundering legislation or KYC regulations. The requirement postulated by the GDPR is that the relevant processing should have a basis in either EU law or the law of a EU member state. Accordingly, any legal obligations arising under non-EU law would be irrelevant in view of this third ground for lawful processing and could not be used by a controller to legitimize its processing activities.
The fourth ground for lawfulness is the protection of the vital interests of the data subject. Usually, this ground involves situations where the protection of interests related to the life of the data subject is at stake. Typical examples involve processing of personal data of affected data subjects in critical emergency care situations, disasters, humanitarian emergencies, etc. The basic rule is that processing of personal data under that ground should only occur where the processing cannot be based on another legal basis.
The fifth lawful ground denotes a situation when the processing is necessary for a task performed in the public interest or in the exercise of official authority. This ground is usually relevant for most of the data processing activities performed by public authorities or natural/legal persons governed by public law. It is important to note here that there is an explicit requirement that such processing must have a basis in either EU law or the law of a EU member state. Accordingly, it should be for EU law or member state law to determine the purpose of the processing and specify details such as the type of personal data which are subject to the processing, the data subjects concerned, the entities to which the personal data may be disclosed, the purpose limitations, the storage period, etc. It has to be pointed out that data subjects can object to processing that is performed under this ground. In such a scenario, the controller can no longer process the personal data unless it is able to demonstrate compelling legitimate grounds for the processing which override the freedoms, rights and interests of the data subject.
The sixth ground for lawful processing is the legitimate interests of the data controller. Legitimate interests can be a lawful ground for processing only when they are not overridden by the interests or the fundamental rights and freedoms of the data subject, when the reasonable expectations of the data subjects based on their relationship with the controller are taken into consideration. Therefore, for a controller to rely on this basis it should always conduct a prior legitimate interests assessment and see if its processing would be lawful or not on the basis of the results of that assessment. It is recommended that such an assessment and the outcome of it is always documented in written form so that compliance can be easily demonstrated in case that is required. Examples of legitimate interests of the data controller could include processing of personal data for: prevention of fraud, direct marketing purposes, transmitting personal data within a group of enterprises for internal administrative purposes, ensuring network security and information security, etc.
Being in the position of a data controller, the natural way to determine the applicable ground for lawful data processing is to examine the purpose/purposes of the processing, the context of the processing and the specific relation with the data subject. When these elements are closely reviewed it usually becomes clear which ground for processing would be relevant for the given operation. Another thing to bear in mind is that for each processing purpose there should be only one legal basis and that legal basis should be established in advance of commencing the personal data processing.
Under the principle of transparency, a data controller will have to present certain mandatory information related to the lawfulness of processing to the attention of the data subject. One manifestation of this duty is the preparation of a privacy notice by the data controller that it then publishes on its website. Such privacy notice should always provide data subjects with information about the specific purposes of the processing and the lawful grounds that apply for each processing purpose. Moreover, if a controller relies on the ground of legitimate interests, its privacy notice should also include additional details and explicitly spell out the specific legitimate interests that the controller wishes to rely on.
If a data controller relies on the first ground for processing – consent, it should be aware that consent can be withdrawn by the data subject at any time and this would result in having to cease the processing activities immediately. And if a data controller relies on the sixth ground – legitimate interests, it should be aware that first, it will have to conduct a prior assessment and second, the data subject can still object to the processing and the only way to continue the processing operations would be to demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject.
Finally, the ground for lawful processing relied on by a data controller would also have an impact on the exercise of the relevant data subject rights. For example, the right of the data subject to object to the processing of its personal data only applies to the grounds under Article 6 e) and 6 f) of the GDPR – processing for the performance of a task carried out in the public interest and processing for the purposes of the legitimate interests pursued by the controller. In a similar way, the right of the data subject to request the erasure of its personal data cannot be exercised when the processing is based on the grounds under Article 6 c) and 6 e) of the GDPR – processing for compliance with a legal obligation to which the controller is subject and processing for the performance of a task carried out in the public interest.
You must be logged in to post a comment.