Lecture 4: Legitimate Basis Flashcards
What are some examples of Ordinary Personal Data?
Name, Address, Phone Numbers, E-Mail address, Date of Birth, IP address, Postal Code/City
What are some examples of Sensitive Personal Data?
Racial/Ethnic origin, Political Opinions, Religious beliefs, genetic data, biometric data, health data, sexual orientation
What are the legal bases for processing ordinary personal data?
- Consent
- Performance of a contract
- Compliance with a legal obligation
- Protection of a vital interest
- Task carried out in public interest
- Legitimate Interests
Consent has to be …
“Freely given, specific, informed, and an unambiguous indication”
Consent is not freely given if …
Consent is not freely given in two scenarios:
- When there is a clear power imbalance
- When it does not allow separate consent to be given to different personal data processing operations or if the performance of a contract, including the provision of service, is dependent on the consent despite such consent not being necessary for such performance
To comply with the specific consent requirement a company must …
Consent should be given in relation to one or more specific purposes.
To comply with the specific consent requirement:
(1) purpose specification as a safeguard against function creep,
(2) granularity in consent requests (no bundling),
(3) clear separation of information related.
Declaration of consent should be in an intelligible and accessible form, plain language, no unfair terms
Consent is informed if …
The data subject has been made aware of the identity of the controller and the purposes of the processing
Unambiguous consent means …
that consent must be given through a written statement or oral statement; silence, pre-ticked boxes or inactivity should not constitute consent
Are there any rules for children’s consent? If yes, which rules?
Children's Consent: in relation to information society services, the processing of personal data is only lawful if the child is at least 16 years old. If not, the consent is given or authorised by the holder of parental responsibility over the child.
What does the legal basis “Performance of a contract” entail? What are some examples?
When personal data is necessary for the performance of a contract to which the data subject is party
Examples:
1) employment where name, address, bank account are needed
2) purchase of goods online where the webshop needs a name, email, shipping address, etc.
Also covers pre-contractual relationships
What does the legal basis “Legal obligations” entail? What are some examples?
When personal data is required for data controllers and processors to comply with a legal obligation to which they are subject. Includes both the public and the private sector.
Examples:
1) data controllers acting as employers must process data about their employees for social security and taxation reasons, whereas data controllers in the private sector also have to process data about their customers for VAT and bookkeeping purposes.
2) a verdict or a ruling derived from the law that obliges the data processor to process personal data
What does the legal basis “Vital Interests” entail? What is an example?
It may only be invoked for processing of personal data based on the vital interests of another natural person, if such processing “cannot be manifestly based on another legal basis”
Example:
1) The use of personal data to save the life of the data subject or another person, e.g. retrieving the identity of the data subject, perhaps by opening the data subject's mobile phone to contact next of kin
2) In some cases, the use of vital interests as a legitimate basis may be based on the grounds of both public interest and the vital interests of the data subject or that of another person, e.g. when monitoring an epidemic and its development, or where there is a humanitarian emergency
What does the legal basis “Public Interest” entail? What is an example?
Often used in conjunction with the "legal obligations" basis, e.g. where the legitimate basis is based on both fulfilment of a legal requirement and the interest of the public
Example:
1) The Huber case, on the processing of data of refugees and migrants for statistical purposes and by authorities when investigating and prosecuting criminal activities or those which threaten public security
What does the legal basis “Legitimate Interest” entail? What is an example?
Legitimate interests can be your interests, or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits.
You must balance your interests against the individual’s. If they would not reasonably expect such processing to take place, or if the processing causes unjustified harm, their interests are likely to override your interests.
Finally, you must keep a record of your legitimate interests assessment to help you demonstrate compliance if required.
Examples:
1) Marketing
2) R&D
3) Preventing fraud
4) Ensuring security of IT Services
Is processing sensitive personal data prohibited?
Trick question. In general, it is prohibited, but there are some exemptions which allow you to process sensitive personal data.