Lecture 4: Legitimate Basis

Question 1

What are some examples of Ordinary Personal Data?

Answer 1

Name, Address, Phone Numbers, E-Mail address, Data of Birth, IP address, Postal Code/City

Question 2

What are some examples of Sensitive Personal Data?

Answer 2

Racial/Ethnic origin, Political Opinions, Religious beliefs, genetic data, biometric data, health data, sexual orientation

Question 3

What are the legal bases for processing ordinary personal data?

Answer 3

1. Consent
2. Performance of a contract
3. Compliance with a legal obligation
4. Protection of a vital interest
5. Task carried out in public interest
6. Legitimate Interests

Question 4

Consent has to be …

Answer 4

“Freely given, specific, informed, and an unambiguous indication”

Question 5

Consent is not freely given if …

Answer 5

Consent is not freely given in two scenarios:

1. When there is a clear power imbalance
2. When it does not allow separate consent to be given to different personal data processing operations or if the performance of a contract, including the provision of service, is dependent on the consent despite such consent not being necessary for such performance

Question 6

To comply with the specific consent requirement a company must …

Answer 6

Consent should be given in relation to one or more specific purposes.
To comply with the specific consent requirement:
(1) purpose specification as a safeguard against function creep,
(2) granularity in consent requests (no bundling),
(3) clear separation of information related.
Declaration of consent should be in an intelligible and accessible form, plain language, no unfair terms

Question 7

Consent is informed if …

Answer 7

The data subject has been made aware of the identity of the controller and the purposes of the processing

Question 8

Unambiguous consent means …

Answer 8

that consent must be given through a written statement or oral statement; silence, pre-ticked boxes or inactivity should not constitute consent

Question 9

Are there any rules for children’s consent? If yes, which rules?

Answer 9

Children Consent: in relation to society information services, the processing of personal data is only lawful if the child is at least 16 years old. If not, the consent is given or authorised by the holder of parental responsibility over the child.

Question 10

What does the legal basis “Performance of a contract” entail? What are some examples?

Answer 10

When personal data is necessary for the performance of a contract to which the data subject is party

Examples:

1) employment where name, address, bank account are needed
2) purchase of goods online where the webshop needs a name, email, shipping address etc

Also covers pre-contractual relationships

Question 11

What does the legal basis “Legal obligations” entail? What are some examples?

Answer 11

When personal data is required for data controllers and processors to comply with a legal obligation to which they are subject. Includes both the public and the private sector.

Examples:

1) data controllers acting as employers must process data about their employees for social security and taxation reasons, whereas data controllers in the private sector also has to process data about their customers for VAT and bookkeeping purposes.
2) a verdict or a ruling derived from the law that obliges the data processor to process personal data

Question 12

What does the legal basis “Vital Interests” entail? What is an example?

Answer 12

It may only be invoked for processing of personal data based on the vital interests of another natural person, if such processing “cannot be manifestly based on another legal basis”

Example:

1) The use of personal data to save the life of the data subject or another person, e.g. retrieving the identity of the data subject perhaps by opening the data subjects mobile phone to contact next of kins
2) in some cases, the use of vital interests as a legitimate basis may be based on the grounds of both public interest and the vital interests of the data subject or that of another person. e.g. when monitoring an epidemic and their development, or where there is a humanitarian emergency

Question 13

What does the legal basis “Public Interest” entail? What is an example?

Answer 13

often in conjunction with “legal obligations” basis, e.g. where the legitimate basis if based on both fulfilment of a legal requirement and in the interest of the public

Example:
1) The Huber case, on the processing of data of refugees and migrants for statistical purposes and by authorities when investigating the prosecuting criminal activities or those which threaten public security

Question 14

What does the legal basis “Legitimate Interest” entail? What is an example?

Answer 14

Legitimate interests can be your interests, or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits.

You must balance your interests against the individual’s. If they would not reasonably expect such processing to take place, or if the processing causes unjustified harm, their interests are likely to override your interests.

Finally, you must keep a record of your legitimate interests assessment to help you demonstrate compliance if required.

Examples:

1) Marketing
2) R&D
3) Preventing fraud
4) Ensuring security of IT Services

Question 15

Is processing sensitive personal data prohibited?

Answer 15

Trick question. In general, it is prohibited, but there are some exemptions which allow you to process sensitive personal data.

Question 16

What are the exemptions allowing you to process sensitive personal data?

Answer 16

1) The data subject has been given explicit consent
2) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller in the field of employment and social security and social protection law
3) to protect the vital interests of the data subject or another natural person
4) legitimate activities with the appropriate safeguards by a foundation, association etc, with a political, philosophical, religious or trade union aim
5) processing relates to data which are manifestly made public by the data subject
6) necessary for the establishment, exercise, or defence of legal claims or whenever courts are acting in their judicial capacity
7) necessary for substantial public interests
8) necessary for preventive or occupational medicine, for the assessment of working capacity, provision of health or social care, treatment and so on
9) necessary for public interest in the area of public health, e.g. protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care or medicinal products or medical devices
10) necessary for archiving purposes in the public interest, scientific, or historical research purposes or statistical purposes

Question 17

What does explicit consent entail? What are some examples?

Answer 17

GDPR considers consent through a written and signed statement as valid explicit consent

Example:
In the digital context, a data subject may be able to issue the required statement by filling in an electronic form, by sending an email, by uploading a scanned doc carrying the signature of the data subject, or by using an electronic signature

in theory, an oral statement may be enough, yet it is very difficult to prove for the controller that all the conditions for valid explicit consent were met when the statement was recorded

Question 18

When assessing whether legitimate interests is a valid basis, it helps to think of a three part test, called the balancing test. What are the three steps in this test?

Answer 18

1) Identify a legitimate interest
2) Show that the processing is necessary to achieve it
3) Balance it against the individual’s rights and freedoms

Finally, you must keep a record of your legitimate interests assessment to help you demonstrate compliance if required.