Chapter 2D: Lawful Processing Criteria

Question 1

Define what it means for consent as a lawful basis to be ‘freely given’.

Answer 1

Consent must be freely given;
it cannot be relied on if the service is conditional on consent,
or if there’s a clear imbalance of power between the data subject and the controller.

It needs to be as easy to withdraw as it is to give.

Question 2

Define what it means for consent as a lawful basis to be ‘specific’.

Answer 2

All purposes must be outlined.

Question 3

Define what it means for consent as a lawful basis to be ‘informed’.

Answer 3

The consent section should be clearly distinguishable from other matters, and
intelligible and in clear and plain language; it should also be
compatible with the original purpose.

Question 4

Define what it means for consent as a lawful basis to be ‘unambiguous’.

Answer 4

The consent is absolutely clear.

Question 5

Define what it means for consent as a lawful basis to reflect an ‘indication of wishes’.

Answer 5

It should be a clear, affirmative action (e.g. opting in) and not be accepted as silence, inactivity, a pre-ticked box or opt out

Question 6

What are the conditions for consent?

Answer 6

Demonstrable - if a written declaration, it should be clearly distinguishable.
They should have the right to withdraw at any time and it should not be conditional for performance of a contract.

Question 7

What does ‘legitimate interest’ mean as a processing criteria?

Answer 7

The legitimate interest basis incorporates a balancing test weighing the legitimate interests of the data controller with the interests and rights of the data subject; the most flexible lawful basis

Three-part analysis:
(1) Purpose test – are you pursuing a legitimate interest
(2) Necessary test – is the processing necessary for that purpose
(3) Balancing test – do the individual’s interests override the legitimate interest

Many things can be legitimate interests (e.g. fraud prevention, direct marketing etc.)
- Even trivial interests may be legitimate
- Should consider the reasonable expectations of the data subject

WP29 suggests three-prong test:
1) It must be Lawful
2) It must be sufficiently clarly articulated to allow the balancing test to be carried out
3) It must present a real and present interest (non speculative)

Question 8

What is the restrictive criteria of legitimate interest?

Answer 8

It must be compliant with other legal obligations

Transparent

Economic interests aren’t necessarily sufficient

Fundamental rights and freedoms of the data subjects should be held

Must be compatible with use limitation

Should be adequate safeguards for secondary uses, e.g. pseudonymisation and encryption

Question 9

Special categories of data are prohibited except if…

Answer 9

Explicit consent

In the context of employment

For vital interests of individual

Political, philosophical, and religious purposes

The sensitive data is manifestly made public by the DS

Establishment, exercise, or defense of legal claims

Substantial public interest

Medicine and social healthcare

Public health

Public archives, scientific or historical research, statistical purposes

Question 10

Consent for Special Category Data (Art. 9)

Answer 10

Freely given
Specific to the processing at issue
Informed
Unambiguous (clear affirmative act)
Explicit

Question 11

Context of employment for special category data

Answer 11

Only where necessary for a controller to comply with a legal obligation under employment law for candidates, employees or contractors

Question 12

Vital interests for special category data

Answer 12

Controller must be able to demonstrate that it’s not possible to obtain consent

Question 13

Political, philosophical and religious purposes re special category data

Answer 13

Covers particular foundations, associations, not for profit bodies or any with trade union aims

Relates to processing of data about members of an organisation or formal members with regular contact

Appropriate safeguards must be in place

The data must not be disclosed outside the organisation without consent

Question 14

The sensitive data is manifestly made public by the DS re special category data

Answer 14

Self-disclosed by the data subject e.g. media interview, social networking sites

Question 15

Conditions of establishment, exercise or defence of legal claims re: consent

Answer 15

Controller must establish necessity and there should be a close and substantial connection between processing and purpose

Question 16

Conditions of substantial public interest re: consent

Answer 16

This is narrower under GDPR; there should be a balance between reason for processing and DS’ right to data protection. Specific and suitable measures should be taken for DS’ rights and interests. Member states can specify reasons of public interest (e.g. preventing and detecting crime)

Question 17

Conditions of medicine and social healthcare re: consent

Answer 17

To be used to assess the working capacity of an employee, making a medical diagnosis, providing health or social care treatment or managing systems or services

The reason for processing must be based on EU or member state law or necessary to fulfil a contract

Question 18

Conditions of public health re: consent

Answer 18

Must be based on EU or member state law and be protecting against serious cross-border threats to health or ensuring high standards of quality and safety in health care and of medicinal products or medical devices

Question 19

Conditions re: public archives or scientific or historical research or statistical purposes for consent

Answer 19

Further interpretation from member state law

Processing proportionate to purpose

Suitable and specific measures to safeguard data subject’s fundamental rights and interests

Question 20

What are the six lawful grounds for processing personal data?

Answer 20

Consent
Contractual necessity
Legal obligation
Vital Interests
Public interest
Legitimate interest

Question 21

What is contractual necessity as a lawful basis?

Answer 21

Where processing is for performance of a contract or taking steps before entering into a contract

Question 22

What is compliance with a legal obligation as a lawful basis?

Answer 22

There’s a legal basis of a high standard for processing - from EU or member state law

Question 23

What is protection of vital interests as a lawful basis?

Answer 23

Should be based on common sense but best interests of an individual (think life or death)

Question 24

What is public interest as a lawful basis?

Answer 24

For an official authority, e.g. tax authority - where specific requirements from member states