Chapter 2D: Lawful Processing Criteria Flashcards
Define what it means for consent as a lawful basis to be ‘freely given’.
Consent must be freely given; it cannot be relied on if the service is conditional on consent, or if there’s a clear imbalance of power between the data subject and the controller.
It needs to be as easy to withdraw as it is to give.
Define what it means for consent as a lawful basis to be ‘specific’.
All purposes must be outlined.
Define what it means for consent as a lawful basis to be ‘informed’.
The consent section should be clearly distinguishable from other matters, intelligible, and in clear and plain language; it should also be compatible with the original purpose.
Define what it means for consent as a lawful basis to be ‘unambiguous’.
The consent is absolutely clear.
Define what it means for consent as a lawful basis to reflect an ‘indication of wishes’.
It should be a clear, affirmative action (e.g. opting in); silence, inactivity, a pre-ticked box or an opt-out is not accepted as consent.
What are the conditions for consent?
Demonstrable: if given in a written declaration, it should be clearly distinguishable.
The data subject should have the right to withdraw at any time, and consent should not be made conditional on performance of a contract.
What does ‘legitimate interest’ mean as a processing criterion?
Processing is necessary for the legitimate interests of the controller, and those interests have been balanced against the interests of the data subject; however, the criteria are more restrictive.
What are the restrictive criteria of legitimate interest?
It must be compliant with other legal obligations
Transparent
Economic interests aren’t necessarily sufficient
Fundamental rights and freedoms of the data subjects should be upheld
Must be compatible with use limitation
Should be adequate safeguards for secondary uses, e.g. pseudonymisation and encryption
Special categories of data are prohibited except if…
There’s explicit consent
In the context of employment
For the vital interests of the individual
Political, philosophical and religious purposes
The sensitive data is manifestly made public by the DS
Establishment, exercise or defence of legal claims
Substantial public interest
Medicine and social healthcare
Public health
Public archives, scientific or historical research, statistical purposes
Consent re: special category data
Unambiguous, freely given, specific and informed, clear affirmative act
Context of employment for special category data
Only where necessary for a controller to comply with a legal obligation under employment law for candidates, employees or contractors
Vital interests re special category data
Controller must be able to demonstrate that it’s not possible to obtain consent
Political, philosophical and religious purposes re special category data
Covers particular foundations, associations, not-for-profit bodies or any body with trade union aims
Relates to the processing of data about members or former members of the organisation, or those with regular contact with it
Appropriate safeguards must be in place
The data must not be disclosed outside the organisation without consent
The sensitive data is manifestly made public by the DS re special category data
Self-disclosed by the data subject e.g. media interview, social networking sites
Conditions of establishment, exercise or defence of legal claims re: consent
Controller must establish necessity and there should be a close and substantial connection between processing and purpose
Conditions of substantial public interest re: consent
This is narrower under GDPR; there should be a balance between reason for processing and DS’ right to data protection. Specific and suitable measures should be taken for DS’ rights and interests. Member states can specify reasons of public interest (e.g. preventing and detecting crime)
Conditions of medicine and social healthcare re: consent
Used to assess the working capacity of an employee, make a medical diagnosis, provide health or social care treatment, or manage systems or services
The reason for processing must be based on EU or member state law or necessary to fulfil a contract
Conditions of public health re: consent
Must be based on EU or member state law and be protecting against serious cross-border threats to health or ensuring high standards of quality and safety in health care and of medicinal products or medical devices
Conditions re: public archives or scientific or historical research or statistical purposes for consent
Further interpretation from member state law
Processing proportionate to purpose
Suitable and specific measures to safeguard data subject’s fundamental rights and interests
What are the six lawful grounds for processing personal data?
Consent
Contractual necessity
Legal obligation
Vital interests
Public interest
Legitimate interest
What is contractual necessity as a lawful basis?
Where processing is for performance of a contract or taking steps before entering into a contract
What is compliance with a legal obligation as a lawful basis?
There’s a legal basis of a high standard for processing - from EU or member state law
What is protection of vital interests as a lawful basis?
Should be based on common sense and the best interests of an individual (think life or death)
What is public interest as a lawful basis?
For an official authority (e.g. a tax authority), where there are specific requirements set by member states