Reading Week 4

Question 1

How are the applications of the principles to concrete situations interepreted under CoE law, and EU law?

Answer 1

Principles are necessarily of a general nature. Their application to concrete situations leaves a certain margin of interpretation and choice of means.

Under CoE law, it is left to the parties to Modernised Convention 108 to clarify this margin of interpretation in their domestic law.

The situation in EU law is different: for the establishment of data protection in the internal market, it was deemed necessary to have more detailed rules at the EU level to harmonise the level of data protection of the national laws of the Member States. The General Data Protection Regulation establishes a layer of detailed rules, under the principles set out in its Article 5, which are directly applicable in the national legal order

Question 2

How are are the principles in GDPR and Modernised convention set out?

Answer 2

Chapter II of the General Data Protection Regulation, entitled ‘Principles’, provides that all personal data processing must comply, firstly, with the principles relating to data quality set out in Article 5 of the GDPR.

One of the principles is that personal data should be “processed lawfully, fairly and in a transparent way”.
Secondly, for data to be processed lawfully, the processing must comply with one of the lawful grounds for making data processing legitimate, listed in Article 6341 for non-sensitive personal data, and in Article 9 for special categories of data (or sensitive data).

Similarly, Chapter II of Modernised Convention 108 which sets out the “basic principles for the protection of personal data”, establishes that to be lawful, data processing
shall be “proportionate in relation to the legitimate purpose pursued”.

Question 3

How is consent under CoE law and under EU law regulated?

Answer 3

Under CoE law, consent is mentioned in Article 5 (2) of Modernised Convention 108. It is also referred to in ECtHR case law and several CoE recommendations.342

Under EU law, consent as a basis for lawful data processing is firmly established in Article 6 of the GDPR and is also explicitly referred to in Article 8 of the Charter. The characteristics of valid consent are explained in the definition of consent in Article 4, while the conditions for obtaining valid consent are detailed in Article 7 and the special rules for child’s consent in relation to information society services are established in
Article 8 of the GDPR.

Question 4

What are some of the criteria consent must satisfy?

Answer 4

As explained in Section 2.4, consent must be freely given, informed, specific, and unambiguous. Consent must be a statement or clear affirmative action signifying agreement to the processing, and the person has the right to withdraw their consent
at any time. Controllers have the duty to keep a verifiable record of the consent.

Question 5

What is free consent under CoE framework and under EU law?

Answer 5

Within the CoE framework of Modernised Convention 108, consent of the data subject must “represent the free expression of an intentional choice”.343
The existence
of free consent is only valid “if the data subject is able to exercise a real choice and there is no risk of deception, intimidation, coercion or significant negative consequences if he/she does not consent”.344
In this regard, EU law stipulates that consent
is not considered freely given “if the data subject has no genuine or free choice or
is unable to refuse or withdraw consent without detriment”.

Question 6

What does the GDPR stress about free consent and the Modernised Convention 108?

Answer 6

The GDPR stresses
that “(w)hen assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract”.346
The Explanatory Report of Mod-
ernised Convention 108 states that “[n]o undue influence or pressure (which can be of an economic or other nature) whether direct or indirect, may be exercised on the data subject and consent should not be regarded as freely given where the data subject has no genuine choice or is unable to refuse or withdraw consent without
prejudice”.

Question 7

When could free consent be in doubt?

Answer 7

Free consent could also be in doubt in situations of subordination, where there is a significant economic or other imbalance between the controller securing consent and the data subject providing consent.349

A typical example of such imbalances and
subordination is an employer’s processing of personal data, within the context of an employment relationship. According to the Article 29 Working Party, “[e]mployees are almost never in a position to freely give, refuse or revoke consent, given the dependency that results from the employer/employee relationship. Given the imbalance of power, employees can only give free consent in exceptional circumstances, when no consequences at all are connected to acceptance or rejection of
an offer.

Question 8

When are consent valid circumstances?

Answer 8

This does not mean, however, that consent can never be valid in circumstances where not consenting would have some negative consequences.

However, where goods or services can only be obtained if certain personal data are disclosed to the controller or further on to third parties, the data subject’s consent to
disclose their data, which are not necessary for the contract, cannot be considered a free decision and is, therefore, not valid under data protection law.351 The GDPR is
rather strict in forbidding the bundling of consent with the provision of goods and
services.

Question 9

What is informed consent>

Answer 9

The data subject must have sufficient information before exercising his or her choice. Informed consent will usually comprise a precise and easily understandable description of the subject matter requiring consent. As the Article 29 Working Party explains, consent must be based upon an appreciation and understanding of
the facts and implications of the data subject’s action to consent to the processing.

For consent to be informed, individuals must also be
aware of the consequences of not consenting to processing.

Question 10

What do the GDPR and Modernised Convention 108 say about informed consent/

Answer 10

In view of the importance of informed consent, the GDPR and the Explanatory Report of Modernised Convention 108 sought to clarify the notion. The recitals of the GDPR stipulate that informed consent means that “the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data” processed are intended.354

In the exceptional case of consent used as a derogation to ensure a lawful ground for an international data transfer, the controller must inform the data subject of the possible risks of such a transfer, due to the absence of an adequacy decision and appropriate safeguards, for that consent to be considered valid.355

The Explanatory Report of Modernised Convention 108 specifies that information must be given on the implications of the data subject’s decision, namely “what the
fact of consenting entails and the extent to which consent is given”.

Question 11

How is the quality of info important and what does it mean?

Answer 11

The quality of the information is important. Quality of information means that the information’s language should be adapted to its foreseeable recipients. Information must be given without jargon, in a clear and plain language that a regular user should be able to understand.357
Information must also be easily available to the
data subject and can be provided orally or in writing. Accessibility and visibility of the information are important elements: the information must be clearly visible and
prominent.

Question 12

What is specific consent?

Answer 12

For consent to be valid, it must also be specific to the processing purpose, which must be described clearly, and in unambiguous terms. This goes hand-in-hand with the quality of information given about the purpose of the consent. In this context, the reasonable expectations of an average data subject will be relevant. The data subject must be asked again for consent if processing operations are to be added or changed in a way which could not have reasonably been foreseen when the initial consent was given and thus lead to a change of purpose. When the processing has
multiple purposes, consent should be given for all of them.

Question 13

What is unambiguous consent?

Answer 13

All consent must be given in an unambiguous way.367 This means that there should
be no reasonable doubt that the data subject wanted to express his or her agreement to allow the processing of his or her data. For instance, inactivity from a data subject does not indicate unambiguous consent.
This would be the case for controller’s obtaining consent with statements in their privacy policies such as “by using our service, you consent to the processing of your personal data”. In that case, controllers might have to ensure that users manually and individually consent to such policies.
If consent is given in a written form which is part of a contract, consent for processing personal data must be individualised and in any case “safeguards should ensure that the data subject is aware of the fact that and the extent to which consent is
given.

Question 14

What is the consent requirement for children under GDPR?

Answer 14

The GDPR provides specific protection for children in the context of providing information society services, because “they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data”.369

Therefore, under EU law, when providers of information
society services process personal data of children under the age of 16 years on the basis of consent, such processing will be lawful “only if, and to the extent that, consent is given or authorised by the holder of parental responsibility over the child”.370

Member States may provide for a lower age in national law, though not lower than 13 years.371
Consent by the holder of parental responsibility is not necessary “in the context of preventive or counselling services offered directly to a child.”372 Informa-
tion and communication where processing is addressed to a child should be in clear
and plain language easily understandable by the child.3

Question 15

What does the right to withdraw consent at any time mean?

Answer 15

The GDPR includes a general right to withdraw consent at any time.374 The data sub-
ject must be informed of such a right prior to giving consent and he or she may exercise this right at his or her discretion. There should be no requirement to give reasons for withdrawal and no risk of negative consequences over and above the termination of any benefits which may have derived from the previously agreed data use. Withdrawing consent should be as easy as giving it.375
There can be no free
consent if the data subject is unable to withdraw his or her consent without detri-
ment or if withdrawal is not as easy as giving consent had been.

Question 16

What is the necessity for the performance of a contract?

Answer 16

Under EU law, Article 6 (1) (b) of the GDPR provides another basis for legitimate processing, namely if it is “necessary for the performance of a contract to which the data subject is party”. This provision also covers pre-contractual relationships. For instance, in cases where a party intends to enter into a contract, but has not yet done so, possibly because some checks remain to be completed. If one party needs to process data for this purpose, such processing is legitimate as long as it is “necessary in order to take steps at the request of the data subject prior to entering into a
contract”.

The notion of data processing as a “legitimate basis laid down by law” in Article 5 (2) of Modernised Convention 108 also encompasses “data processing for the fulfilment of a contract (or pre-contractual measures at the request of the data subject)
to which the data subject is party”.

Question 17

What are the legal duties of the controller?

Answer 17

EU law sets out another ground for making data processing legitimate, namely if “it is necessary for compliance with a legal obligation to which the controller is subject” (Article 6(1) (c) of the GDPR). This provision refers to controllers acting in both the private and public sector; the legal obligations of public sector data controllers can also fall under Article 6 (1) (e) of the GDPR. There are many examples of situations where the law obliges private sector controllers to process data about concrete
data subjects.

The legal obligation can originate in Union or Member State law, which could be the basis for one or several processing operations. It should be for the law to determine the purpose of processing, establish specifications to determine the controller, the type of personal data subject to processing, the data subjects concerned, the entities to which the data can be disclosed, the purpose limitations, the storage period and other measures to ensure lawful and fair processing.380
Any such law that is the basis
for personal data processing must comply both with Articles 7 and 8 of the Charter
and Article 8 of the ECHR.

Question 18

How are the legal duties of the controller under CoE law?

Answer 18

The controller’s legal obligations also serve as a basis for legitimate data processing under CoE law.381
As previously pointed out, the legal obligations of a private sector
controller are just one specific case of the legitimate interests of others, as mentioned in Article 8 (2) of the ECHR. The example on employers processing data about
their employees is, therefore, also relevant for CoE law.

Question 19

What are the vital interests of DS or those of another natura person under EU law?

Answer 19

Under EU law, Article 6 (1) (d) of the GDPR provides that personal data processing is lawful if it “is necessary in order to protect the vital interests of the data subject or of another natural person”. This legitimate ground may only be invoked for processing personal data based on the vital interests of another natural person, if such processing “cannot be manifestly based on another legal basis”.382
Sometimes a
type of processing may be based on the grounds of both public interest and the vital interests of the data subject or that of another person. This is the case, for example, when monitoring epidemics and their development, or where there is a humanitar-
ian emergency.

Question 20

What are the vital interests of DS or those of another natura person under CoE law?

Answer 20

Under CoE law, the vital interests of the data subject are not mentioned in Article 8 of the ECHR. However, the vital interests of the data subject are considered to be implied in the notion of ‘legitimate basis’ of Article 5 (2) of Modernised Conven-
tion 108, which deals with the legitimacy of personal data processing.

Question 21

What is public interest and exercise of official authority?

Answer 21

Given the many possible ways of organising public affairs, Article 6 (1) (e) of the GDPR provides that personal data may lawfully be processed if it “is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller […]”.

The use of personal data by authorities acting in the public arena is also subject to Article 8 of the ECHR and is meant to be covered, where appropriate, by Article 5 (2)
of Modernised Convention 108.

Question 22

What are the legitimate interests pursued by the controller or by 3rd party?

Answer 22

Under EU law, the data subject is not the only one with legitimate interests. Article 6 (1) (f) of the GDPR provides that personal data may lawfully be processed if it “is necessary for the purposes of the legitimate interests pursued by the controller
or by the third party or parties [except public authorities in the performance of their tasks] to whom the data are disclosed, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which
require protection […]”.

Question 23

How must the existence of a legitimate interest assessed?

Answer 23

The existence of a legitimate interest must be carefully assessed in each specific case.394
If the legitimate interests of the controller are identified, then a balancing
exercise must be conducted between those interests and the interests or fundamental rights and freedoms of the data subject.395
The reasonable expectations
of the data subject must be considered during such an assessment to ascertain whether the interests of the controller override the interests or fundamental rights of the data subject.396
If the data subject’s rights override the controller’s legiti-
mate interests, then the controller can take measures and implement safeguards to ensure that the impact on the data subject’s rights is minimised (such as pseudonymising data), and invert the ‘balance’ before being able to lawfully rely on this legitimate basis for processing. In its Opinion on the notion of legitimate interests of the data controller, the Article 29 Working Party underlined the crucial role of accountability and transparency, and of the data subject’s rights to object to the processing of their data, or to it being accessed, modified, deleted or transferred, when balancing the legitimate interests of the controller and the interests of the data sub-
ject’s fundamental rights.

Question 24

What are some legitimate interest of DC in GDPR and in CJEU?

Answer 24

In the GDPR recitals, some examples are given as to what constitutes a legitimate interest of the data controller concerned. For instance, the processing personal data
is allowed without the data subject’s consent when it is done for direct marketing purposes or when such processing is “strictly necessary for the purposes of preventing fraud”.398

Whenever personal data is processed under the ‘legitimate interests’ ground, the individual has the right to object at any time to the processing, on grounds relating to his or her particular situation, according to Article 21 (1) of the GDPR. The controller must stop the processing, unless it demonstrates compelling legitimate grounds
to continue it.

In its case law, the CJEU has expanded on the test to determine what constitutes a
legitimate interest.

Question 25

What are the CoE law concerning legitimate interest?

Answer 25

Regarding CoE law, similar formulations can be found in Modernised Convention 108413
and the recommendations of the CoE. The Profiling Recommendation
acknowledges the processing of personal data for profiling purposes as legitimate if necessary for the legitimate interests of others, “except where such interests are overridden by the fundamental rights and freedoms of the data subjects”.414 In addition, “the protection of the rights and freedoms of others” is mentioned in Article 8 (2) of the ECHR as one of the legitimate grounds to limit the right to data
protection.

Question 26

How is the processing of special categories of data set in CoE law?

Answer 26

CoE law leaves it to domestic law to lay down appropriate protections for using sensitive data, provided the conditions of Article 6 of Modernised Convention 108 are fulfilled, namely that appropriate safeguards complementing the other provisions
of the Convention are enshrined in law.

Question 27

How is the processing of special categories of data set in EU law?

Answer 27

EU law, in Article 9 of the GDPR, contains a detailed regime for processing special categories of data (also called ‘sensitive data’). These data reveal racial or ethnic origin, political opinions, religious or philosophical beliefs and trade union membership as well as for processing genetic and biometric data for the purposes of uniquely identifying a natural person, and for data concerning health, a person’s sex life or sexual orientation. The processing of sensi-
tive data is prohibited in principle.

Question 28

What are exemptions of prohibition of processing of sensitive data?

Answer 28

There is, however, an exhaustive list of exemptions to this prohibition, which can be found in Article 9 (2) of the regulation and which amount to lawful grounds for processing sensitive data. These exemptions include situations where:

• the data subject explicitly consents to the data processing;
• processing is carried out by a non-profit body with political, philosophical, religious or trade union purposes in the course of its legitimate activities and only relates to its (former) members or to persons who have regular contact with it for such purposes;
• processing concerns data explicitly made public by the data subject;

Question 29

When is processing necessary?

Answer 29

processing is necessary:
* to carry out the obligations of, and to exercise the specific rights of, the controller or of the data subject in the employment, social security and social protection context;

• to protect the vital interests of the data subject or another natural person (when the data subject cannot give consent);
• to establish, exercise or defend legal claims or when courts act in their judicial capacity;
• for preventative or occupational medicine purposes: “for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional”;
• for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
• for public interest reasons in the area of public health; or
• for substantial public interest reasons.

Question 30

What is important for processing special categories of data?

Answer 30

To process special categories of data, a contractual relationship with the data subject is thus not viewed as a legal basis for the legitimate processing of sensitive data, except for a contract with a health professional subject to the obligation of profes-
sional secrecy.

Question 31

What is explicit consent of DS?

Answer 31

Under EU law, the first possible ground for lawful processing of any data, irrespective of whether they are non-sensitive or sensitive data, is the consent of the data subject. In the case of sensitive data, such consent must be explicit. Union or Member State law may, however, provide that the prohibition on processing special categories of data may not be lifted by the individual.418
This could be the case, for
example, when processing involves unusual risks for the data subject.

Question 32

What is the employment law or social securty and social protection law?

Answer 32

Under EU law, the prohibition of Article 9 paragraph 1 can be lifted if the processing is necessary for carrying out obligations or rights of the controller or the data subject in the field of employment or social security. However, the processing needs to be authorised by EU law, national law or a collective agreement under national law, which provide appropriate safeguards for the fundamental rights and interests of the data subject.419
Employment records held by an organisation may include
sensitive personal data under certain conditions specified in the GDPR and relevant national law. Examples of sensitive data may include trade union membership or
health information.

Question 33

When is the vital interest of the DS or other person invoked?

Answer 33

Under EU law, as in the case for non-sensitive data, sensitive data may be processed because of the vital interests of the data subject or another natural person.420
Where
processing is based on the vital interests of another person, this legitimate ground may only be invoked if such processing “cannot be manifestly based on another legal basis”.421
In some cases, processing personal data may protect both individual and public interests, for instance when processing is necessary for humanitarian purposes.

Question 34

How is for the processing of sensitive data legitimate on this basis?

Answer 34

For the processing of sensitive data to be legitimate on this basis, it would have to be impossible to ask the data subject for consent, because, for example, the data subject was unconscious or was absent and could not be reached. In other words,
the person was physically or legally incapable of giving consent.

Question 35

Is processing of personal data allowed for charities or not-for-profit bodies>

Answer 35

Processing personal data is also allowed in the course of the legitimate activities of foundations, associations or other non-profit-seeking bodies with a political, philosophical, religious or trade union aim. However, the processing must relate solely to the members or former members of the body, or to those who have regular contact with the body.423
The sensitive data cannot be disclosed outside of those bodies
without the data subject’s consent.

Question 36

How is data manifestly made public by DS?

Answer 36

Article 9 (2) (e) of the GDPR provides that processing is not prohibited if it relates to data which are manifestly made public by the data subject. Even though the meaning of “manifestly made public by the data subject” is not defined in the regulation, since it is an exception to prohibiting sensitive data processing, it must be construed strictly and as requiring the data subject to deliberately make his or her personal
data public.

It is important to note that making one’s data public does not constitute consent, but it is another permission for processing special categories of data.
The fact that the data subject had made public the processed personal data does not
exempt controllers from their obligations under data protection law. For instance, the principle of purpose limitation continues to apply to personal data even if such data have been made publicly available.

Question 37

How are legal claims dealt with in the GDPR?

Answer 37

The processing of special categories of data which “is necessary for the establishment, exercise or defence of legal claims”, whether in court proceedings or in an administrative or out-of-court procedure,425
is also allowed under the GDPR.426 In this
case, processing must be relevant to a specific legal claim and its exercise or defence respectively, and may be requested by any one of the disputing parties.
When acting in their judicial capacity, courts may process special categories of data within the context of resolving a legal dispute.427
Examples of these special catego-
ries of data processed in this context could include for example, genetic data when establishing parentage, or health status when part of the evidence concerns details
of an injury sustained by a victim of crime.

Question 38

What are reasons for substantial public interest?

Answer 38

According to Article 9 (2) (g) of the GDPR, Member States may introduce further circumstances in which sensitive data may be processed, as long as: * processing data is for reasons of substantial public interest; *
it is provided for by European or national law;
* the European or national law is proportionate, respects the right to data protection and provides suitable and specific measures to safeguard the rights and interests of the data subject.428
A prominent example are electronic health file systems. Such systems permit health
data, collected by health care providers in the course of treating a patient, to be made available to other health care providers of this patient on a large scale, usually nationwide.

Question 39

What does Article 29 Working Party conclude about the establishment of such systems?

Answer 39

The Article 29 Working Party concluded that the establishment of such systems could not occur under existing legal rules for processing data about patients.429
However, it is possible for electronic health file systems to exist if they are based on “reasons of substantial public interest”.430
This would require an explicit legal basis for
their establishment, which would also contain the necessary safeguards to ensure
that the system is run securely.431

Question 40

What are other grounds for processing sensitive data?

Answer 40

The GDPR provides that sensitive data can be processed where processing is necessary for:432

• preventative or occupational medicine purposes, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services on the basis of EU or Member State law, or pursuant to a contract with a health professional;
• reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health, or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of EU or Member State law. The law must provide for suitable and specific measures to safeguard the rights of the data subject;
• archiving, scientific or historical research or statistical purposes on the basis of Union or Member State law. The law must be proportionate to the aim pursued, respect the essence of the right to data protection and provide for appropriate
  and specific measures to safeguard the rights and interests of the data subject.

Question 41

What are additional conditions under national law?

Answer 41

The GDPR also allows Member States to introduce or maintain additional conditions, including limitations for processing genetic, biometric and health-related data.