Datafication 4 Flashcards
Steps of finding a legal basis
- Define what kind of personal data the specific processing involves
- Find >= 1 legal basis for the processing required to fulfill the purpose(s)
Kind of personal data
- Ordinary Information Art. 6
- Sensitive Information Art. 9
- National ID Art. 87 = regulation possible by Member States
- Criminal convictions & offences Art. 10 = control of authorities
Sensitive Information Art. 9
exhaustive list in Art. 9, wide interpretation (due to protection of fundamental rights):
- Race or ethnic origin,
- political opinion,
- religion/philosophy,
- genetic data, biometric data
- trade union membership
- health (physical & mental)
- sex life & sex. orientation
- not: salary
Legal Basis Art. 6: Ordinary Information
- Consent
- Legitimate Interest
- Performance of a Contract
- Compliance with a legal obligation
- Protection of vital interest
- Public interest or official authority
Consent definition
- Any freely given, specific, informed & unambiguous indication of the ds's wishes that signifies agreement to processing
FSIU (Ferdi Schmidt ist Ultra)
Consent - freely given
refusal & withdrawal without detriment (genuine & free choice)
Consent - specific
- choice for each specific purpose
- goal: user control & transparency for ds, safeguard against function creep (Zweckerweiterung)
-> Granularity in consent request
-> Clear separation from information about other matters (Art. 7)
-> written declaration: intelligible & easily accessible form
Consent - informed
- ds info on at least 1) dc identity, 2) purpose
(and: 3) what data collected & used, 4) right of withdrawal, 5) use of data for automated decision making, 6) risk of data transfers)
- info must be proportionate to average ds expectations & right to privacy impact
- info provided as user-friendly as possible
Consent - unambiguous
- obvious that ds gave consent to particular processing &
- affirmative action written or oral (= active declaration; indirect answer not enough)
e.g. Consent: prepicked boxes?
- no
- not unambiguous including no affirmative action
- yes: ticking boxes
e.g. consent: click fatigue in digital context?
consent questions no longer read -> obligation on controller to solve issue, incl. obtaining consent of internet users via their browser setting
withdrawal of consent
as easy as given -> dc must erase personal data without undue delay (if no other legal basis) (Art. 7)
Responsibility of dc: consent
- Controller must be able to demonstrate consent given (Art. 7)
- Always necessary before processing of pd
Legitimate Interest - definition
- “balancing test”:
- processing necessary for legitimate interests of controller or 3rd party (e.g. public)
- except overridden by interest or fundamental rights & freedoms of ds which require protection of personal data (especially when data subject = child)
Legitimate Interest - balancing interest steps
- Identify a legitimate interest of data controller or 3rd party (incl. commercial, individual or societal beneficial interests)
- Show that processing is necessary to achieve legitimate interest pursued
- Balance it against individuals’ interests, rights & freedoms (cause harm?; incl. impact on ds, safeguards)
Legitimate interests - necessity
check if other less invasive means are available to serve the same end
e.g. Legitimate interests - limitations on monitoring
Mitigation measures (to ensure proper balance; especially in case of monitoring employees): limitations …
- Geographical e.g. monitoring only in specific places & not in sensitive areas such as religious places, sanitary zones, break rooms
- Data-oriented e.g. no monitoring of personal electronic files & communication
- Time-related e.g. sampling instead of continuous monitoring
e.g. Rigas satiksme case (taxi company wanted to sue passenger for damages, police refused to provide contact information)
- CJEU basis = legitimate interest
- 3 steps: 1. Requesting pd to sue person for causing property damage = legitimate interest of 3rd party, 2. Obtaining pd such as address or ID = strictly necessary to identify person, 3. Balance against individuals’ interests, rights & freedoms
e.g. legal basis in employment context?
- consent rarely “freely-given” -> legitimate interest as basis
Performance of a contract - definition
processing necessary for performance of a contract with data subject as party or to take steps at data subject request prior to entering contract
Legal basis for normal data