Chapter 7 Lawful processing criteria Flashcards

1
Q

Which GDPR articles regulate lawful processing?

A

Article 6 - lawful bases for processing; Article 9 - special categories of personal data (SCPD)
Article 7 - conditions for consent
Article 8 - conditions applicable to a child's consent in relation to information society services

2
Q

Lawful bases under GDPR

A

consent
performance of a contract with the DS (or pre-contractual steps taken at the DS's request)
compliance with a legal obligation to which the controller is subject
protecting the vital interests of the DS or of another natural person
performing a task carried out in the public interest or in the exercise of official authority
legitimate interests of the controller or a third party, unless overridden by the interests, rights and freedoms of the DS

3
Q

Conditions for consent

A

Freely given
Specific
Informed
Unambiguous indication of the DS's wishes (a statement or a clear affirmative action signifying agreement to the processing)

4
Q

Whose responsibility is it to demonstrate that the DS has given consent?

A

Controller’s

5
Q

Criteria if the declaration of consent is pre-formulated by the controller

A

the declaration should be provided in an intelligible and easily accessible form, using clear and plain language, and should not contain unfair terms

6
Q

When is consent an appropriate choice of lawful basis?

A

when the DS can be offered real control and a genuine choice about the use of their PD; if such a choice cannot be offered, another lawful basis should be used

7
Q

Explain “freely given consent”

A

the DS has a genuine choice and real control
the DS is able to refuse or later withdraw consent without detriment

8
Q

How must the request for consent be presented?

A

in a manner clearly distinguishable from other matters

9
Q

When is consent presumed not to be freely given?

A

when the performance of a contract (including the provision of a service) is made conditional on consent to processing of PD that is not necessary for the performance of that contract (Art 7(4))

10
Q

In which situations should consent not be relied upon?

A

where there is a clear imbalance between the DS and the controller (e.g. public authority, employment relationship)

11
Q

What does it mean that consent must be granular?

A

a separate opt-in (consent mechanism) must be provided for each purpose, so the DS can agree to some purposes and refuse others

12
Q

Specific consent

A

must be given specifically for the particular processing operation in question - the controller must explain its proposed use of the data, i.e. the specific processing

multiple purposes - consent should be given for all of them (separately, not as one bundled consent)

EDPB guidelines:
- purpose specification as a safeguard against function creep
- granularity in consent requests
- clear separation from information about other matters

13
Q

What is informed consent

A

the DS must be given all the information they need to understand the processing, in a language and form they can understand, before consenting

At minimum the following information must be provided:
- identity of the controller
- purpose of each processing operation for which consent is sought
- types of data that will be collected and used
- existence of automated decision-making (Art 22(2)(c)), where relevant
- possible risks of transfers to third countries, where consent is relied on for the transfer (Art 49(1)(a)) and there is no adequacy decision or appropriate safeguards
- the right to withdraw consent at any time

If there is more than one (joint) controller, all must be named. Processors don't need to be named.

14
Q

Explain unambiguous indication of wishes

A

a statement or a clear affirmative act
there must be no doubt about the DS's intention to give consent
in case of doubt, the ambiguity is construed against the controller
pre-ticked boxes, silence or inactivity are not valid consent
consent must be obtained before the processing begins

consent is not the same as an opt-out option (lack of action indicates lack of objection, not consent)

15
Q

Why does a controller need to keep a record of consent?

A

to be able to demonstrate that the DS has given consent to the processing operation (Art 7(1)): what they were told, what they agreed to, when and how

16
Q

How long may a controller retain the proof of consent?

A

for as long as the processing based on that consent continues; once the processing activity ends, only for as long as is strictly necessary to comply with a legal obligation or to establish, exercise or defend legal claims

17
Q

When is consent invalid?

A

If given under duress or coercion

18
Q

What are the specific rules for consent from children?

A

Article 8 applies to consent for information society services offered directly to a child, where the controller relies on consent (Art 6(1)(a)) as its lawful basis
under the GDPR the child must be at least 16; if younger, consent must be given or authorised by the holder of parental responsibility over the child, and the controller must make reasonable efforts (taking available technology into account) to verify this
Member States may set a lower minimum age, but not below 13

19
Q

When does consent need to be refreshed?

A

if the processing operations change (e.g. new purposes or new types of data)
at appropriate regular intervals (UK ICO guidance: every 2 years)

20
Q

Explain the requirement of necessity

A

For all criteria other than consent, the processing must be "necessary" for the stated purpose: there must be a close and substantial connection between the processing and the purpose
Processing that is merely convenient, or merely in the controller's interest, is not necessary

21
Q

Lawful basis CONTRACT

A

the processing must be necessary
- for the performance of a contract to which the DS is a party, or
- in order to take steps at the request of the DS prior to entering into a contract
the processing must be unavoidable (objectively necessary, with no less intrusive alternative) in order to perform the contract

22
Q

Lawful basis LEGAL OBLIGATION

A

necessary for compliance with a legal obligation to which the controller is subject
the controller is required by law to comply with the obligation (e.g. tax or social security law)
a law of a third (non-EU) country is not a valid basis

23
Q

Lawful basis VITAL INTERESTS

A

necessary to protect the vital interests of the DS or of another natural person
circumstances of life or death; rare emergency situations
can be used only where the processing cannot manifestly be based on another legal basis (Recital 46)

24
Q

Lawful basis PUBLIC INTEREST

A

necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
EU or Member State law determines which tasks are carried out under this criterion

the DS has the right to object (Art 21(1))
the controller must then stop the processing unless it demonstrates compelling legitimate grounds that override the interests, rights and freedoms of the DS, or grounds for the establishment, exercise or defence of legal claims

25
Q

Lawful basis LEGITIMATE INTERESTS

A

necessary for the purposes of the legitimate interests pursued by the controller or a third party
exception: where those interests are overridden by the interests or fundamental rights and freedoms of the DS which require protection of PD, in particular where the DS is a child
public authorities cannot rely on LI for processing carried out in the performance of their tasks

26
Q

Explain the 3 criteria for LI

A

the processing must be necessary
the purpose must be a legitimate interest of the controller or a third party
the LI must not be overridden by the DS's fundamental rights, freedoms or interests (taking into account the DS's reasonable expectations based on their relationship with the controller, e.g. the DS is the controller's client)

LI is appropriate if the controller uses PD in a way the DS would reasonably expect, the processing has minimal privacy impact, and there is a compelling justification for it

3-part test:
identify the LI
show the processing is necessary to achieve it
balance the LI against the DS's rights, freedoms and interests
The test must be documented as a Legitimate Interest Assessment (LIA)

The DS has the right to object; in that case the controller must demonstrate compelling legitimate grounds that override the DS's rights, freedoms and interests, or grounds for the establishment, exercise or defence of legal claims

27
Q

Legal obligation and the public interest

A

in both cases the processing must have a basis in EU or Member State law
non-EU law is not a valid basis in these cases
Member States define the requirements of the law
the rules will therefore vary across the EU

28
Q

Additional obligations of the controller

A

the controller must document the lawful basis it relies on (and, for LI, the assessment behind it)
it must communicate that lawful basis to the DS in its privacy notice (Art 13/14)