Chapter 2D: Lawful Processing Criteria Flashcards
Define what it means for consent as a lawful basis to be ‘freely given’.
Consent must be freely given; it cannot be relied on if the service is conditional on consent, or if there’s a clear imbalance of power between the data subject and the controller.
It needs to be as easy to withdraw as it is to give.
Define what it means for consent as a lawful basis to be ‘specific’.
All purposes must be outlined.
Define what it means for consent as a lawful basis to be ‘informed’.
The consent section should be clearly distinguishable from other matters, and intelligible and in clear and plain language; it should also be compatible with the original purpose.
Define what it means for consent as a lawful basis to be ‘unambiguous’.
The consent is absolutely clear.
Define what it means for consent as a lawful basis to reflect an ‘indication of wishes’.
It should be a clear, affirmative action (e.g. opting in); silence, inactivity, a pre-ticked box or opt-out should not be accepted as consent.
What are the conditions for consent?
Demonstrable: if given in a written declaration, it should be clearly distinguishable.
They should have the right to withdraw at any time and it should not be conditional for performance of a contract.
What does ‘legitimate interest’ mean as a processing criterion?
Processing is necessary to meet the legitimate interests of the controller, which have been balanced against the data subject’s; however, the criteria are more restrictive.
What are the restrictive criteria of legitimate interest?
It must be compliant with other legal obligations
Transparent
Economic interests aren’t necessarily sufficient
Fundamental rights and freedoms of the data subjects should be held
Must be compatible with use limitation
There should be adequate safeguards for secondary uses, e.g. pseudonymisation and encryption
Special categories of data are prohibited except if…
There’s explicit consent
In the context of employment
For vital interests of individual
Political, philosophical and religious purposes
The sensitive data is manifestly made public by the DS
Establishment, exercise or defence of legal claims
Substantial public interest
Medicine and social healthcare
Public health
Public archives, scientific or historical research, statistical purposes
Consent re: special category data
Unambiguous, freely given, specific and informed, clear affirmative act
Context of employment for special category data
Only where necessary for a controller to comply with a legal obligation under employment law for candidates, employees or contractors
Vital interests re special category data
Controller must be able to demonstrate that it’s not possible to obtain consent
Political, philosophical and religious purposes re special category data
Covers particular foundations, associations, not for profit bodies or any with trade union aims
Relates to processing of data about members of an organisation or formal members with regular contact
Appropriate safeguards must be in place
The data must not be disclosed outside the organisation without consent
The sensitive data is manifestly made public by the DS re special category data
Self-disclosed by the data subject e.g. media interview, social networking sites
Conditions of establishment, exercise or defence of legal claims re: consent
Controller must establish necessity and there should be a close and substantial connection between processing and purpose