Chapter 7 - Lawful Processing Criteria Flashcards
What are the lawful processing criteria under GDPR?
-Requires controllers to process personal information lawfully, fairly, and in a transparent manner.
-Articles 6 and 9 lay out the criteria for lawful processing, including consent.
-Article 7 sets out the conditions for relying on consent
-Article 8 provides further requirements for consent when offering an information society service to a child.
-Consent is often not the most practical lawful basis for data processing
-GDPR recognises other lawful bases such as fulfilling a contractual obligation, complying with a legal obligation, protecting the data subject’s vital interests, performing a task in the public interest, and the legitimate interests of the controller or a third party
What are the lawful bases for processing personal data and which Article of the GDPR?
-Article 6 outlines the lawful bases for processing personal data.
-If a controller cannot rely on one of these bases, the processing will be unlawful unless an exception applies, such as processing for journalism or research where free speech and other public interests may prevail.
-The lawful bases include (1) consent, (2) contract performance, (3) legal obligation, (4) vital interests, (5) public interest, and (6) legitimate interests.
What does consent mean under GDPR / what are the conditions of consent given by a data subject?
Consent under GDPR means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which they signify agreement to the processing of personal data.
-Consent must be (1) freely given, (2) specific, (3) informed, and (4) unambiguous indication of wishes
-Controller must demonstrate that the data subject has consented to the processing.
-Consent should be provided in an intelligible and easily accessible form, using clear and plain language, and with no unfair terms.
What does freely given consent mean under GDPR?
-Data subject must have a genuine choice and must be able to refuse or withdraw consent.
-Consent must not be bundled with other matters( e.g., T&Cs) - under Directve & now enshrined into GDPR - Article 7
-Request for consent must be distinguishable from other matters.
-Consent is not freely given if the performance of a contract is conditioned on consent to processing personal data when such processing is not necessary for the performance of the contract
-Other -> EDPB example on use of cookie walls -> require to accept cookies to access content = invalid consent from Dsubject.
What does specific consent mean under GDPR?
-Must be given specifically for the particular processing operation in question.
-Controller should clearly explain its proposed use of the data so the consent given by the data subject is consent to that specific processing.
-When processing has multiple purposes, consent should be given for all of them.
-Whe processing activity changes -> Controller must apply 1. Purpose specification 2. Granularity in consent requests 3. Clear separation of info
-For scientific research purposes, data subjects can legally give their consent to certain areas of research consistent with recognised ethical standards.
What does informed consent mean under GDPR?
-Data subject must be given all necessary details of the processing activity in a language and form they can understand & significance of consent
-Information must be understandable to the average person and avoid legal jargon.
-Minimum information required:
(1) identity of the controller
(2) the purpose of each processing operation
(3) the types of data to be collected
(4) the existence of the right to withdraw consent (5) information about automated decision-making
(6) the possible risks of data transfers to third countries in absene of an adequacy decision / appropriate safeguards
What does unambiguous indication of wishes mean under GDPR?
-Unambiguous indication of wishes means the data subject’s statement or clear affirmative act must leave no doubt as to their intention to give consent.
-An active indication of consent, such as ticking a selection box, is required.
-Silence or pre-ticked boxes/ opt-out do NOT constitute consent.
-Pre-ticked boxes underlined by ECj in Planet 49 decision which examined use of cookies in ePrivacy Direct/ consent
-Consent must be obtained before processing personal data, and it requires an express indication of wishes.
What is the record of consent requirement under GDPR?
-Requires controllers to demonstrate that the data subject has given consent to the processing operation, -Obligates controllers to keep a record of consents given by individual data subjects.
-Controllers should retain proof of consent only for as long as necessary to comply with a legal obligation or to establish, exercise, or defend legal claims.
What are the requirements for consent from children under GDPR?
Article 8 -> when offering information society services directly to a child / controller relies solely on consent & no other criterion -> the processing of personal data is lawful only if the child is at least sixteen years old.
-If the child is under 16 ->consent must be given or authorised by parent/guardian.
-MS may set a minimum age of consent lower than 16 but NOT below 13.
-Controllers must make REASONABLE efforts to verify that consent is given or authorised by the parent or guardian.
What does processing that meets a requirement of necessity mean under GDPR?
All remaining criteria under Article 6 require the processing of personal data to be necessary for certain reasons.
-The test for necessity requires a CLOSE and SUBSTANTIAL connection between the processing and the purposes.
-Processing that is merely convenient or in the interest of a criterion without being necessary will NOT meet these standards.
-Necessity has an objective meaning
-Controllers must carefully consider whether a particular processing operation is strictly necessary for the stated purpose.
What does processing for the performance of a contract mean under GDPR?
-Controller can rely on this criterion when it needs to process the PDof a data subject to perform a contract to which the data subject is or will be a party.
-E.g., data subject purchases a product or service from a controller & controller needs to process the individual’s PD to deliver the product or service.
-The processing MUST be UNAVOIDABLE to complete the contract.
What does processing for compliance with a legal obligation mean under GDPR?
-Processing is necessary for compliance with a legal obligation to which the controller is subject.
-This criterion relates to a legal obligation required by law, such as tax or social security obligations, and cannot be an obligation under a contract.
-Obligations imposed by third countries do not fall within this criterion.
-GDPR provides further provisions for relying on this criterion.
What does processing to protect vital interests mean under GDPR?
-Refers to circumstances of life or death, where the processing is VITAL to an individual’s survival.
-Relevant only in rare emergency situations, such as providing urgent medical care to an unconscious data subject.
-Reliance on this criterion should take place only where the processing cannot be based on another legal basis
What does processing for a task in the public interest mean under GDPR?
-Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
-GDPR provides further provisions for relying on this criterion.
-National EU or MS legislation will determine what tasks are carried out in the public interest.
-Data subjects have the right to object to the use of their data
-Controller must demonstrate compelling legitimate grounds to process the data.
What does processing for legitimate interests mean under GDPR?
necessary for the purposes of the legitimate interests pursued by the controller or a third party
-Except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
-The processing must be necessary for the purpose, the purpose must be a legitimate interest, and the legitimate interest cannot be overridden by the data subject’s interests or fundamental rights and freedoms.
-Controllers must consider the reasonable expectations of data subjects based on their relationship with the controller.
What are the legal obligations and public interest criteria under GDPR?
-GDPR provides more detail about reliance on the criteria of necessary compliance with a legal obligation and necessary performance of a task in the public interest.
-Processing should have a basis in EU or member state law.
-MS can set out detailed requirements for the law, including specifications for determining the controller, type of personal data, data subjects concerned, entities to which personal data may be disclosed, purpose limitations, storage period, and other measures.
-These criteria are relevant for specific processing situations such as freedom of expression, employment, and archiving, scientific, historical, or statistical purposes.
What are the conclusions on lawful processing criteria under GDPR?
-A controller must document which legitimate criterion it relies on when processing personal data and communicate the criterion to the data subject.
-As part of the obligation to provide a privacy notice, a controller must specify the legal basis for the processing and describe the legitimate interests pursued.
-A controller must have properly considered which criteria it can rely on before commencing data processing activity and notify affected data subjects.
What is processing sensitive data under GDPR?
-Article 9 protects special categories of data, also known as sensitive data.
-Sensitive data includes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for uniquely identifying a natural person, health data, and data concerning a person’s sex life or sexual orientation.
-Processing sensitive data is prohibited unless an exception applies.
-Exceptions include explicit consent, compliance with employment and social security law, protection of vital interests, legitimate activities of nonprofit bodies, data made public by the data subject, legal claims, substantial public interest, preventive or occupational medicine, public health, and archiving, scientific, historical, or statistical purposes.
What is explicit consent for processing sensitive data under GDPR?
-Explicit consent for processing sensitive data must be unambiguous, freely given, specific, informed, and explicit.
-Requires more than a statement or clear affirmative action.
-It may require written consent or documented in a permanent record.
-Must refer to the actual data or categories of data to be processed.
-MS law may stipulate that giving consent is not enough to avoid the prohibition on processing sensitive data.
What is processing sensitive data for employment and social security purposes under GDPR?
-Necessary for the controller to comply with a legal obligation under employment, social security, or social protection law.
-Relevant for candidates, employees, and contractors as permitted under local employment law.
-Controller must comply with the necessity test, and the extent of this criterion depends on local employment law and interpretation of local rules.
What is processing sensitive data to protect vital interests under GDPR?
-Refers to circumstances of life or death.
-Controller must demonstrate it is not possible to obtain consent because the data subject is physically or legally incapable of giving consent.
-Relevant in emergency situations, such as providing urgent medical care to an unconscious data subject.
What is processing sensitive data by nonprofit bodies under GDPR?
Processing sensitive data by nonprofit bodies with political, philosophical, religious, or trade union aims is allowed if the processing relates solely to members, former members, or persons who have regular contact with the body.
-The processing must be in the course of legitimate activities, with appropriate safeguards, and in connection with specific purposes.
-Sensitive data may only be disclosed outside the organisation with the explicit consent of the data subject.
What is processing sensitive data made public by the data subject under GDPR?
-Allowed if the data subject deliberately discloses sensitive data about themselves, such as sharing information publicly on social networking platforms.
-However, the use of that data is still regulated, and all other data protection principles, including fairness and transparency, still apply.
What is processing sensitive data for legal claims under GDPR?
-Necessary for the establishment, exercise, or defense of legal claims.
-Must be a close and substantial connection between the processing and the purposes.
-For example, processing medical data by an insurance company to determine the validity of a medical insurance claim falls under this criterion.
-Processing sensitive data is also allowed when courts are acting in their judicial capacity.
What is processing sensitive data for substantial public interest under GDPR?
-Allowed for reasons of substantial public interest based on EU or MS law, which must be
(1) proportionate to the aim pursued
(2) respect the essence of the right to data protection
(3) provide suitable and specific measures to safeguard the fundamental rights and interests of the data subject.
-MS can set specific exemptions for processing sensitive data in the substantial public interest.
-In UK -> Schedule 1 Pt 2 DP Act 2018 sets out number of substantial public interest conditions -> (1) explaining compliance with Art 5 GDPR & (2) Policies regarding retention & erasure
What is processing sensitive data for medical and social care purposes under GDPR?
-Allowed for preventive or occupational medicine, assessment of working capacity, medical diagnosis, provision of health or social care, treatment, or management of health or social care systems and services.
-The processing may be carried out based on EU or member state law or under a contract with a health professional subject to conditions and additional safeguards.
-Sensitive data may be processed by or under the responsibility of any person for health or social care purposes where that person is subject to an obligation of professional secrecy.
What is processing sensitive data for public health purposes under GDPR?
-Allowed for reasons of public interest in the area of public health, such as protection against serious cross-border threats to health or ensuring high standards of quality and safety of health care and medicinal products or medical devices.
-The processing must be based on EU or member state law, which provides suitable and specific measures to safeguard the rights and freedoms of the data subject, including professional secrecy.
What is processing sensitive data for archiving, scientific, historical, or statistical purposes under GDPR?
-Article 9 GDPR -> specific criterion for controllers involved in archiving, scientific, historial, statistical
-Allowed for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes based on EU or member state law.
-The processing must be proportionate to the aim pursued, respect the essence of the right to data protection, and provide suitable and specific measures to safeguard the fundamental rights and interests of the data subject.
-Article 89(1) requires safeguards to ensure respect for the principle of data minimisation, including pseudonymisation.
-Recital 159 indicates broad interpretation of processing for scientific purposes
What is processing data on criminal convictions and offences under GDPR?
-Data on criminal convictions and offences or related security measures requires a greater level of protection.
-Article 10 requires such data to be processed only under the control of an official authority or when the processing is authorized by EU or MS law providing for appropriate safeguards for the rights and freedoms of data subjects
-A comprehensive register of criminal convictions can only be kept under the control of an official authority.
-Private sector controllers must examine the rules under EU or local law for legitimate processing.
What is processing which does not require identification under GDPR?
-Article 11 clarifies that if the purposes for which a controller processes personal data do not or no longer require the identification of a data subject, the controller is not obliged to maintain, acquire, or process additional information to identify the data subject for the sole purpose of complying with the GDPR.
-Consequently, a controller is not required to comply with certain obligations concerning the rights of data subjects unless a data subject provides additional information enabling their identification.
What is the overview on the processing of PD under the GDPR?
-The criteria justifying the processing of sensitive data are relatively narrow to protect individuals from potential misuse of their data that impacts their fundamental rights.
-GDPR adds genetic and biometric data to the original list under the Directive.
-Although financial information misuse poses a significant risk, EU law identifies specific categories of data requiring special protection and requires processing only under a legitimate criterion defined under Article 9.
What is reliance on consent?
Imbalance of Power: Avoid relying on consent where there’s a power imbalance, especially with public authorities.
Employer-Employee Relationship: Consent in employer-employee relationships is problematic due to subordination. Employees must be able to withhold and withdraw consent without prejudice.
Alternative Criteria: Employers should use other legal bases for processing employee data to avoid harm.
Revocation of Consent: Consent must be freely given and revocable. Have a plan for managing revoked consents.
Dual Basis: Using consent plus another legal basis can mislead employees. Be transparent about the basis for processing.
EDPB Guidance: Respect consent choices and stop processing if consent is withdrawn. Avoid unfair practices.
Granularity: Provide separate consent mechanisms for different purposes.
Importance: Understand the challenges of relying on consent, especially in employer-employee relationships, to ensure GDPR compliance and protect individuals’ rights.
What constitutes invalid consent under the GDPR?
Duress or Coercion: Consent obtained through duress or coercion is not valid.
Vulnerable People: There are concerns about whether vulnerable individuals can give valid consent.
How long does consent last under the GDPR, and when should it be refreshed?
No Specific Time Limit: The GDPR does not specify how long consent lasts; it depends on context, scope, and expectations.
Changes in Processing: If processing operations change, new consent is required.
Regular Refresh: The EDPB recommends refreshing consent at regular intervals. The UK’s Information Commissioner suggests every two years, but this can vary.
Children’s Data: Consider other legal bases for processing children’s data, as they require extra protection.
