Chapter 7 Lawful processing criteria Flashcards
Which GDPR articles regulate lawful processing?
Articles 6 and 9 (SCPD)
Article 7 - consent
Article 8 - offering of information society services to a child
Lawful bases under GDPR
consent
fulfilling a contractual obligation
complying with legal obligation
protecting DS’s vital interests
performing a task in the public interest
legitimate interests of the controller or third party when balanced against the rights and interests of a DS
Conditions for consent
Freely given
Specific
Informed
Unambiguous indication of wishes (by statement or clear affirmative action signifies agreement to the processing)
Whose responsibility is it to demonstrate that the DS has given consent?
Controller’s
Criteria if consent is pre-formulated by the controller
the C should be provided in an intelligible, easily accessible form, using clear and plain language, with no unfair terms
When is consent an appropriate choice?
DS is offered control and genuine choice on the use of their PD
Explain “freely given consent”
genuine choice
able to refuse or withdraw
How must the request for consent be presented?
in a manner clearly distinguishable from other matters
When is consent not freely given?
when the performance of a contract is conditioned on consent for processing of PD and such processing is not necessary for the performance of the contract
In which situations should consent not be relied upon?
where there is a clear imbalance between the DS and the controller (e.g. public authority, employment relationship)
What does it mean that consent must be granular?
separate consent mechanism must be provided for each purpose
Specific consent
must be given specifically for the particular processing operation in question - C must explain its proposed use of data, specific processing
multiple purposes - consent should be given for all of them
EDPB guidelines:
- purpose specification as a safeguard against function creep
- granularity in consent requests
- clear separation from information about other matters
What is informed consent?
DS must be given all the necessary details of the processing activity in a language and form they can understand
The following information must be provided:
- identity of C
- purpose for each processing operation
- types of data
- automated decision making
- transfers to third countries (if the C is given for transfers) in the absence of the adequacy decision and appropriate safeguards
- right to withdraw
If there is more than one controller, all must be named. P don’t need to be named
Explain unambiguous indication of wishes
statement or clear affirmative act
there is no doubt of DS’s intention to give consent
in case of doubt it will be construed against the C
pre-ticked boxes not valid consent
must be obtained before the processing begins
consent is not the same as opt-out option (lack of action indicates lack of objection not consent)
Why does a C need to keep a record of consent?
to be able to demonstrate that the DS has given consent to processing operation
How long may a C retain the proof of consent?
only for as long as is strictly necessary to comply with a legal obligation or to establish, exercise or defend legal claims
When is consent invalid?
If given under duress or coercion
What are specifics for consent from children
Consent is regulated in relation to information society services offered to children if the C relies solely on consent and can’t rely on any other criterion
under GDPR the child must be 16; if younger, the consent must be given or authorized by the holder of parental responsibility over the child - the C must make reasonable efforts to verify this!
MS may set a minimum age lower than 16 but at least 13
When does consent need to be refreshed?
If processing operations change
at regular intervals (UK ICO - every 2 years)
Explain the meaning of the requirement of necessity
For all other criteria (except consent) the processing must be necessary - a close and substantial connection between the processing and the purposes
Processing must be necessary for the stated purpose (not only convenient or in the interest)
Lawful basis CONTRACT
necessary
for the performance of the contract to which DS is a party or
to take steps at the request of the DS prior to entering into a contract
processing must be unavoidable in order to complete the contract
Lawful basis LEGAL OBLIGATION
necessary for compliance with legal obligation to which the C is subject
the C is required by law to comply with the obligation (e.g. tax, social security)
it can’t be a law by a 3rd country!
Lawful basis VITAL INTERESTS
necessary to protect vital interests of the DS or another natural person
circumstances of life or death, rare emergency situations
the processing can’t be manifestly based on another legal basis
Lawful basis PUBLIC INTEREST
necessary for the performance of a public task carried out in the public interest or in the exercise of official authority vested in the C
EU or national (MS) law will determine what tasks are carried out under this criterion
DS have the right to object
C must demonstrate it has compelling legitimate grounds that override the interests, rights and freedoms of the DS or for the establishment, exercise or defence of legal claims
Lawful basis LEGITIMATE INTERESTS
necessary for the purposes of legitimate interests pursued by the C or a 3rd party
exception: LI are overridden by interests or fundamental rights and freedoms of the DS which require protection of PD, especially if DS is a child
public authorities can rely on LI only if processing is outside the performance of their tasks
Explain 3 criteria for LI
necessary
purpose must be a legitimate interest of the C or 3rd party
LI cannot be overridden by DS’s fundamental R&F or interests (DS’s reasonable expectations based on their relationship with the controller, e.g. DS is the C’s client)
It is appropriate if the C uses PD in a way the DS would reasonably expect, with minimal privacy impact, or where there is a compelling justification for the processing
3-part test:
- identify the LI
- the processing is necessary to achieve it
- balance the LI against the DS’s R&F&I
Test must be documented as Legitimate interest assessment
DS have the right to object; in this case the C must demonstrate it has compelling, legitimate grounds that override the F&R&I … or for the establishment, defense or exercise of legal claims
Legal obligation and the public interest
in both cases, the processing should have a basis in EU or member state law
non-EU law is not valid in these cases
MS will define the requirements of the law
Regulation within the EU will vary
Additional obligations of the C
C must document the legal basis it is relying on
must communicate it to the DS in a privacy notice