Chapter 7 (Lawful Processing Criteria) Flashcards

1
Q

What Article of the GDPR outlines the lawful bases for processing personal data?

A

Article 6 of the GDPR

2
Q

What are the 6 legal grounds for processing data under the GDPR?

A
  1. Consent from data subject
  2. Contract Performance: including steps requested by data subject prior to entering contract
  3. Legal obligation
  4. Vital interest of individuals: re data subject or another natural person
  5. Public interest
  6. Legitimate interest: of the controller or by a third party
3
Q

Under the GDPR, what 4 conditions must a data subject’s consent meet to be considered valid?

A

The consent must be:
1. Freely given
2. Specific
3. Informed, and
4. Show an unambiguous indication of wishes

4
Q

Who has the responsibility of demonstrating that the data subject has consented to the processing?

A

The controller.

5
Q

According to the EDPB, consent is the appropriate lawful basis for processing only when what exists?

A

The data subject is offered control and a genuine choice on the use of their personal data.

6
Q

Under the GDPR, what does freely given consent mean?

A

It means the data subject must have a genuine choice and must be able to refuse or withdraw consent.

7
Q

Why did the Directive, and then the GDPR, require the controller to provide a wholly separate document just dealing with obtaining consent?

A

The reasoning behind this separation was that a data subject is not giving free consent if their consent is bundled with some other issue.

8
Q

If a data subject’s consent is given in the context of a written declaration that also concerns other matters, how must the request for consent be presented?

A

The request for consent must be presented in a manner clearly distinguishable from the other matters.

9
Q

The GDPR indicates that consent shouldn’t be relied upon when what exists? What are two examples?

A

Consent shouldn’t be relied upon where there is a clear imbalance between the data subject and controller.

Some examples include:
1. When the controller is a public authority
2. The employer-employee relationship

10
Q

If data processing has multiple purposes, does a controller need to get consent for each purpose?

A

Yes.

11
Q

According to the EDPB, in order for consent to be specific a controller must apply what 3 things?

A
  1. Purpose specification as a safeguard.
  2. Granularity in consent requests.
  3. Clear separation of info as it relates to obtaining consent for data processing activities from info about other matters.
12
Q

What allowance does the GDPR make for consent related to scientific research purposes?

A

When it’s not possible to fully identify the purpose of scientific research, data subjects can legally give their consent consistent with recognized ethical standards for scientific research.

13
Q

Under the GDPR, what does informed consent mean?

A

It means that the data subject is given all the necessary details of the processing activity in a language and form they can understand, so they can comprehend how the processing will affect them.

14
Q

According to the EDPB what 6 things must be provided (at a minimum) in order to obtain valid consent?

A
  1. Identity of controller
  2. Purpose of each of the processing operations for which consent is sought
  3. Type(s) of data to be collected and used
  4. Existence of right to withdraw consent
  5. Info about use of data for automated decision-making in accordance with Article 22(2)(c)
  6. The possible risks of data transfers to third countries in the absence of an adequacy decision and appropriate safeguards
15
Q

If consent is going to be relied upon by multiple controllers must all controllers be specifically named for the consent? For the processors?

A

Yes, the EDPB expects all controllers to be specifically named.

Processors do not need to be named.

16
Q

Do silence or pre-ticked boxes (an opt-out option) constitute consent? If not, why?

A

No, because in order for consent to be unambiguous the data subject must give an active indication of consent through an affirmative action.

17
Q

Does the GDPR expressly state a controller must retain written evidence to demonstrate it has obtained consent from data subject?

A

No; however, since the burden of proof is on the controller, written records are required for all practical purposes.

18
Q

What type of consent does Article 8 of the GDPR deal with?

A

Consent with respect to children and information society services offered to children.

19
Q

In order to rely on consent as a legal basis for processing children’s personal data, how old must the child be for their consent to be valid?

A

The child must be at least 16 years old.

20
Q

If a child is under 16 years old processing via consent is only lawful if what occurs?

A

If and to the extent that consent is given or authorized by the holder of parental responsibility over the child.

21
Q

Under the GDPR, may member states set a minimum age of consent less than 16 years old?

A

Yes, so long as the minimum age of consent is not lower than 13.

22
Q

The minimum age consent rule applies only in what context?

A
  1. An information society service offered directly to a child, and
  2. Where the controller relies solely on consent or perhaps can’t rely on other criteria.
23
Q

Under the GDPR is there a specific time limit for how long consent can last?

A

No.

24
Q

Under the GDPR, the test for the necessity of processing personal data requires what?

A

A close and substantial connection between the processing and the purposes.

25
Q

When is contract performance a relevant legal basis for processing personal data?

A

When a data subject purchases a product or service from a controller and, through the delivery of that product or service, the controller needs to process the individual’s personal data.

26
Q

When processing data based on a legal obligation, does this include obligations under a contract? A legal obligation from a non-EU country?

A

Neither an obligation under a contract the controller has entered into nor an obligation imposed by a non-EU country qualifies as a sufficient legal obligation.

The legal obligation basis generally relates to things like tax or social security obligations.

27
Q

Is the vital interests principle often used as a legal ground for processing data?

A

No, because it refers to circumstances of life or death, i.e. processing the data is vital to an individual’s survival.

28
Q

Can a data subject object when a controller is processing data on the legal grounds that processing is necessary for the public interest/under the controller’s vested official authority?

A

Yes, if an objection occurs the controller must show that it has compelling legit grounds that override the data subject’s interests, rights, and freedoms.

29
Q

What are 3 factors involved in determining whether a controller has a legitimate interest in processing personal data?

A
  1. The processing must be necessary for the purpose.
  2. The purpose must be a legitimate intent of the controller or third party.
  3. The legit interest can’t be overridden by the data subject’s interests or fundamental rights and freedoms.
30
Q

Recital 47 of the GDPR states that a legit interest can exist when what is present?

A

Where there is a relevant and appropriate relationship b/w the data subject and controller in situations such as where the subject is a client or in the service of the controller.

31
Q

What are 4 examples the GDPR gives of legitimate interest and reasonable expectations re data processing?

A
  1. Purpose of preventing fraud
  2. Direct marketing
  3. Sharing personal data within a group of undertakings or institutions affiliated with a central body for internal admin purposes (e.g. client or employee personal data)
  4. To ensure network information security
32
Q

Can a data subject object when a controller is processing data on the legal grounds that processing is based on controller’s legitimate interest?

A

Yes. Controller must show that its interest overrides data subject’s interests, rights, and freedoms.

33
Q

If a data subject makes a justified objection to controller’s processing of data based on a legit interest can the controller keep processing data?

A

No, the controller must hold off on processing until the objection has been addressed.

34
Q

In order to rely on the legal grounds of legal obligation and/or public interest, the processing should have a basis in what?

A

EU or member state law.

35
Q

Article 9 of the GDPR is concerned with protecting what?

A

Special categories of data, known as sensitive data.

36
Q

What qualifies as sensitive data?

A

Personal data revealing:
1. Racial or ethnic origins
2. Political opinions
3. Religious or philosophical beliefs
4. Trade Union membership
5. Processing of genetic data
6. Biometric data for the purpose of uniquely identifying a natural person
7. Data concerning health
8. A natural person’s sex life or sexual orientation

37
Q

Should photographs of individuals systematically be considered to be sensitive data?

A

No. They are covered by the definition of biometric data only when processed through a specific technical means that allows the unique identification or authentication of an individual.

38
Q

How is Article 9 of the GDPR structured with regards to processing sensitive data?

A

The general starting point is that processing is prohibited unless one of the narrow exceptions applies.

39
Q

Under the GDPR, what are the 10 exceptions that allow a data controller to process sensitive data?

A
  1. Explicit consent (unless EU or member state law states that prohibition can’t be lifted)
  2. To carry out obligations/exercise rights of controller/data subject in the field of employment, social security, and/or social protection law
  3. Protects vital interest of data subject physically or legally incapable of giving consent
  4. Legit activities of a foundation, association, or any other not-for-profit body with philosophical, religious, or trade union aims
  5. Personal data which are manifestly made public by data subject
  6. Establishing, exercising, or defending legal claims or court acting in judicial capacity
  7. Substantial public interest based on EU or member state law
  8. Preventive or occupational medicine, assessment of the employee’s working capacity, medical diagnosis, provision of health or social care, or treatment or the management of health or social care systems and services
  9. Public interest in the area of public health
  10. Archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with Article 89(1)
40
Q

How does the consent requirement for sensitive data (Article 9) differ from the consent requirement for personal data in general (Article 6)?

A

In addition to being unambiguous, freely given, specific and informed, consent under Article 9 must be explicit.

41
Q

The EDPB’s guidelines indicate that explicit consent under the GDPR refers to what?

A

The way consent is expressed by data subjects.

42
Q

What are some examples of explicit consent?

A
  1. Filling in an electronic form
  2. Sending an email
  3. Using electronic signatures
  4. Employing two-stage verification
43
Q

Can there be circumstances where a member state’s law stipulates consent isn’t enough to avoid the prohibition on processing sensitive data?

A

Yes.

44
Q

The sensitive data exception for nonprofit institutions with philosophical or trade union aims generally applies to what type of organizations?

A
  1. Churches
  2. Other religious establishments
  3. Political parties
45
Q

The sensitive data exception for nonprofit institutions with philosophical or trade union aims allows processing to occur for what type of data subjects?

A
  1. Members of the given institution
  2. Former members of the given institution
  3. Those who have regular contact with the institution
46
Q

If the sensitive data exception for nonprofit institutions with philosophical or trade union aims applies, what are 4 restrictions that are placed on the processing?

A

The processing must only take place
1. In the course of the institution’s legit activities
2. With appropriate safeguards
3. In connection with their specific purposes, and
4. Cannot be disclosed outside of the institution without the explicit consent of the relevant data subject

47
Q

The GDPR tightens up member states’ ability to set down in law what they consider to be in the substantial public interest by adding what 3 additional requirements?

A

That the laws
1. Are proportionate to the aim pursued
2. Show respect for the essence of the right of data protection
3. Provide specific measures to safeguard the fundamental rights and interests of the data subject

48
Q

Processing sensitive data under the medical or social care purpose exception may be carried out on the basis of what laws or legal documents?

A
  1. EU laws
  2. Member state laws
3. A contract with a health professional subject to the conditions and safeguards provided in Paragraph 3 of Article 9 of the GDPR
49
Q

The medical or social care purpose exception for processing sensitive data is generally understood to cover whom?

A
  1. Doctors
  2. Nurses
  3. Others involved in health care professions
50
Q

Give 2 examples of when the public health interest exception for processing sensitive data may apply.

A
  1. Protection against serious cross-border threats to health
  2. Ensuring high standards of quality and safety of health care and of medicinal products or medical devices
51
Q

The GDPR added what two data elements to the original sensitive data list under the Directive?

A
  1. Genetic data
  2. Biometric data