Seminar 6-8 - Lawful processing Flashcards

1
Q

What are the relevant provisions when speaking of Lawful processing?

A

Relevant provisions (all in Chapter II, "Principles"):
● Art. 6: Lawfulness of processing (general / non-sensitive personal data)
● Art. 7: Conditions for consent
● Art. 8: Conditions applicable to a child's consent in relation to information society services
● Art. 9: Processing of special categories of (sensitive) personal data
● Art. 10: Personal data relating to criminal convictions and offences
● Art. 87: Processing of the national identification number

2
Q

What is the most important categorisation when referring to lawful processing?

A

The GDPR distinguishes between non-sensitive (general) personal data, governed by art. 6, and sensitive data (special categories), governed by art. 9.

3
Q

GDPR art. 6(1) lists six grounds that make the processing of general / non-sensitive personal data lawful. Do controllers have to fulfil all of those grounds?

A

No. Controllers must be able to demonstrate that at least one of these grounds applies to each processing operation. The list is exhaustive (no other grounds can be relied on), and there is no ranking between the grounds.
- Example: the data subject has given consent to the processing (art. 6(1)(a)).

4
Q

Where is valid consent defined in the GDPR, and where are the conditions for consent found?

A

The definition of consent (freely given, specific, informed, unambiguous) is in GDPR art. 4(11); the conditions for consent (burden of proof, distinguishable request, right to withdraw, no bundling) are in art. 7.

5
Q

What are the 4 conditions for valid consent in the GDPR?

A

1) freely given,
2) specific,
3) informed and
4) unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

6
Q

What’s an important factor to take into account when referring to consent?

A

○ An imbalance of power between the data subject and the controller is taken into account (recital 43), for example in an employee/employer context, where consent is unlikely to be freely given because the data subject may fear negative consequences of refusing.

7
Q

What are the consent requirements for children? And where is that found in the GDPR?

A

Art. 8(1): where consent (art. 6(1)(a)) is relied on in relation to an information society service offered directly to a child, and the child is below the age of 16, processing is lawful "only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child".

8
Q

Does the data subject have the right to withdraw consent at any time? And where is that found in the GDPR?

A

Yes. The data subject has a general right to withdraw consent at any time, and it shall be as easy to withdraw consent as to give it (art. 7(3)). Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

9
Q

Name the 6 conditions for lawful processing of personal Data?

A
  1. Consent (Art. 6(1)(a))
  2. Necessity for the performance of a contract (Art. 6(1)(b))
  3. Legal obligation of the controller (Art. 6(1)(c))
  4. Vital interests of the data subject or those of another natural person (Art. 6(1)(d))
  5. Public interest and exercise of official authority (Art. 6(1)(e))
  6. Legitimate interests pursued by the controller or by a third party (Art. 6(1)(f))
10
Q

What is the three-part test (three cumulative conditions developed by the CJEU) for processing to be lawful under the legitimate interests ground, art. 6(1)(f)?

A

○ 1. Purpose test: is the controller (or a third party) pursuing a legitimate interest?
○ 2. Necessity test: is the processing necessary for that purpose?
■ Is there a less intrusive way to achieve the same result? If so, the processing is not "necessary".
○ 3. Balancing test: do the interests or fundamental rights and freedoms of the data subject override that legitimate interest?

11
Q

Is it allowed to process sensitive data in principle?

A

No. The processing of sensitive data is prohibited in principle (art. 9(1)), since such processing could create significant risks to the fundamental rights and freedoms of the data subject.

12
Q

When is it allowed to process sensitive data? And where in the GDPR is that found?

A

An exhaustive list of ten exceptions to this prohibition is found in art. 9(2)(a)-(j) of the regulation; these amount to the lawful grounds for processing sensitive data.

13
Q

Name one exemption under which it is allowed to process sensitive data, and where in the GDPR it is found.

A

Processing that relates to personal data which are manifestly made public by the data subject (art. 9(2)(e)).

14
Q

What does Explicit consent of the data subject (Art. 9(2)(a)) mean?

A

In the case of sensitive data the consent must be explicit, which is a higher threshold than the "unambiguous" consent required under art. 6(1)(a) (for example an express written statement rather than a mere affirmative action).

15
Q

What is Employment law or social security and social protection law (Art. 9(2)(b)) exemption?

A

● Covers situations where employers (acting as controllers) need to process sensitive data of employees for the purpose of complying with their obligations, or exercising their rights, under employment, social security or social protection law
● The processing must be authorised by EU law, national law or a collective agreement under national law, and that law or agreement must provide appropriate safeguards for the data subject

16
Q

What is Vital interests of the data subject or another person incapable of giving consent (Art. 9(2)(c)) exemption?

A

Processing necessary to protect the vital interests of the data subject or of another natural person, where the data subject is physically (e.g. illness, unconsciousness) or legally (e.g. a minor) incapable of giving consent.

17
Q

What is Charities or not-for-profit bodies (Art. 9(2)(d)) exemption?

A

Non-profit bodies with a political, philosophical, religious or trade union aim (the body must have the purpose of exercising fundamental freedoms, so not every NGO is covered). The processing must take place in the course of the body's legitimate activities with appropriate safeguards, relate solely to members, former members or persons in regular contact with the body, and the data may not be disclosed outside the body without the data subject's consent.

18
Q

What is Data manifestly made public by the data subject (Art. 9(2)(e)) exemption?

A

Must be construed strictly and requires the data subject to have deliberately made his or her own personal data public (it must be the data subject, not another person, who made the data public).

19
Q

What is the Legal claims or courts acting in judicial capacity (Art. 9(2)(f)) exemption?

A

Processing must be relevant to a specific legal claim and necessary for its establishment, exercise or defence, and may be relied on by any one of the disputing parties (or by a court acting in its judicial capacity).

20
Q

What is the reasons of substantial public interest exemption (Art. 9(2)(g))? And what are its 3 conditions?

A

● Three conditions must be fulfilled for the processing to be lawful:
○ 1) the processing must be necessary for reasons of substantial public interest;
○ 2) that public interest is provided for by EU or national law; and
○ 3) that EU or national law is proportionate to the aim pursued, respects the essence of the right to data protection, and provides suitable and specific measures to safeguard the fundamental rights and interests of the data subject.

21
Q

What 5 types of consent do we have?

A
  1. Free consent
  2. Informed consent
  3. Specific consent
  4. Unambiguous consent
  5. Consent for children
22
Q

Who has the burden of proof with regards to consent? And where is that found in GDPR?

A

The burden of proof is on the controller: where processing is based on consent, the controller must be able to demonstrate that the data subject has consented (art. 7(1)).

23
Q

What is the age limit of valid consent? And can it be lower?

A

Art. 8(1): in relation to information society services offered directly to a child, where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.

Regarding the age limit the GDPR provides flexibility: Member States may provide by law for a lower age, but that age cannot be below 13 years.

24
Q

What is the definition of consent?

A

Art. 4(11): "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her."

25
Q

What is the three-part test ("LIA", legitimate interests assessment) used for the legitimate interests ground in art. 6(1)(f)?

A
  1. Purpose test: are you pursuing a legitimate interest?
  2. Necessity test: is the processing necessary for that purpose?
  3. Balancing test: do the individual’s interests override the legitimate interest?
26
Q

Purpose Limitation – Compatibility assessment examples
1. A company installs a CCTV camera to monitor the main entrance to its building. A sign informs people that CCTV is in operation for security purposes. CCTV recordings show that the receptionist is frequently away from her desk and engages in lengthy conversations while smoking near the entrance area covered by the CCTV cameras. The recordings, combined with other evidence (such as complaints), show that she often fails to take telephone calls, which is one of her duties.

A
  • Incompatible: the recordings were collected for security purposes, as stated on the sign. Using them to monitor the receptionist's performance is a different purpose that she was not informed of and could not reasonably expect.
27
Q

Purpose Limitation – Compatibility assessment examples

A public transport company requires bus drivers, each day before starting their shift, to blow into a breathalyser in order to check for the presence of alcohol. The time and date of the test is recorded, along with information on whether the test was successfully passed. This procedure is integrated with an entry-exit system. When bus drivers start their work shift, they are required to hold their magnetic ID card at the breathalyser module and then blow into the breathalyser. The purpose of the collection and further processing of these data, as specified in law and also notified to the employees, is to check that the drivers do not have an unauthorized amount of alcohol in their bodies during the work shift, which is a legal requirement in the country in question. However, unbeknownst to the drivers, the breathalyser system is also used to check if drivers have fulfilled their work time obligations (i.e. whether they have arrived punctually at the start of their shift).

A
  • Incompatible: the data were collected for the purpose specified in law and notified to the drivers (checking for alcohol). Using the same data to check punctuality is a different purpose, and the drivers are not informed about it.
28
Q

Purpose Limitation – Compatibility assessment examples
In order to protect classified information, a government department requires some of its employees to pass a security clearance procedure in order to evidence that they have the required level of trustworthiness. The security clearance procedure is regulated by law and is carried out by another government department. The resulting ‘clean’ (i.e. approved) security clearance certificates are stored by the government department which requested the clearance, as evidence that it is complying with the requirements. Certificates are stored for the duration of employment (and a fixed, limited time afterwards) to allow for auditing compliance with the security clearance requirements internally as well as by a third government department. These purposes, as well as the retention periods, are clearly identified, set forth in legislation, and also communicated to staff. The ‘clean’ certificates provide no additional information beyond the fact that the screening procedure has been successfully carried out.

A
  • Compatible: the purposes and retention periods are set out in legislation and communicated to the staff, and the "clean" certificates reveal nothing beyond the fact that the screening was passed.
29
Q

Purpose Limitation – Compatibility assessment examples
A doctor’s wife runs a small independent travel agency. The doctor provides his wife with details of patients who have recently been discharged from hospital. His wife uses the information to send the patients offers for her ‘Get Well Quick’ range of recuperative seven- day breaks.

A
  • Not compatible: patient data collected for medical treatment are disclosed to a third party for direct marketing, a purpose the patients could not expect. Note also that health data are special category data under art. 9, so the disclosure would additionally need an art. 9(2) exception, and none applies.
30
Q

Purpose Limitation – Compatibility assessment examples
A supermarket takes part in a new public health initiative promoted by the government’s Department of Wellbeing. The supermarket uses its already available analytics software and customer purchasing database (obtained via its ‘loyalty card’ system) to identify customers that buy excessive amounts of alcohol or large quantities of high-fat foods. It then sends out leaflets prepared by another private government partner to these customers’ home addresses. The leaflets provide nutritional and lifestyle advice and offer appointments at a local ‘well- being’ clinic, which also participates in the government campaign. The data subjects are not informed of this initiative prior to the supermarket sending out the leaflets, and the initiative itself is not defined in law.

A
  • Not compatible: the loyalty card data were collected to run the loyalty scheme, the customers are not informed beforehand, the initiative is not defined in law, and profiling customers' eating and drinking habits for unsolicited health advice is something they would not reasonably expect.
31
Q

Purpose Limitation – Compatibility assessment examples
Following a public campaign about safe use of the internet, a school decides to forward the contact information of all school children aged 8 to 13 and their parents to a non-profit organisation running an innovative and highly effective government-subsidised workshop that teaches children how to use the internet safely. The non-profit organisation then sends leaflets to the parents and children, inviting them to register for the workshop.

A
  • Not compatible: the contact details were collected for the school's administration, and forwarding them to a third party so that it can send invitations is a new purpose the parents and children were not informed of, however worthwhile the workshop may be.
32
Q

Purpose Limitation – Compatibility assessment examples
A small tour operator specialising in mountain trekking organises a holiday program for a group of eight participants. During the holidays, lots of photos are taken by the manager of the company who is a keen photographer and has also been serving as a tour guide and overall organiser for the trip. Many of the photos are subsequently shared among the participants via password-protected access on a photo-sharing website, with the understanding that photos may be used for personal and non-commercial purposes only.

A
  • Compatible: the photos are shared only among the participants themselves, for personal and non-commercial use, which is within what the participants would reasonably expect.
33
Q

Is the consent valid?
When downloading a lifestyle mobile app, the app asks for consent to access the phone’s accelerometer. This is not necessary for the app to work, but it is useful for the controller who wishes to learn more about the movements and activity levels of its users. When the user later revokes that consent, she finds out that the app now only works to a limited extent.

A

Not valid: the consent is not freely given (art. 7(4)), since access to the accelerometer is not necessary for the service and the controller nevertheless limits the use of the app when consent is withdrawn. Withdrawal must be without detriment.

34
Q

Is the consent valid?
A data subject subscribes to a fashion retailer’s newsletter with general discounts. The retailer asks the data subject for consent to collect more data on shopping preferences to tailor the offers to his or her preferences based on shopping history or a questionnaire that is voluntary to fill out. When the data subject later revokes consent, he or she will receive non-personalised fashion discounts again.

A

Valid: the consent is informed and freely given, the questionnaire is voluntary, and when consent is withdrawn the controller stops collecting the extra data without detriment to the data subject, who still receives the general discounts.

35
Q

Is the consent valid?
A public university asks students for consent to use their photographs in a printed student magazine. As a bonus, it organizes a free lunch for those students who agree to such use. For the students who refuse it, though, the school reserves an extra and the most unpopular lecture with a boring professor.

A

Arguably not valid: it is acceptable to motivate those who consent (a free lunch), since an incentive is not the same as punishing those who refuse. But the extra unpopular lecture for those who refuse is a detriment, so it can be argued that the consent is not freely given, because a student who does not consent has to attend the boring lecture.

36
Q

Is the consent valid?
A film crew is planning to film a lecture at the Faculty of Law (KU). The Faculty Management asks all the teachers and students to agree to be on the video, be positive and smile during filming. Those teachers and students who refuse, are asked to skip the lecture so not to ruin the Faculty promotional material with bored faces and negative attitude.

A

Not valid: the consent is not freely given (art. 4(11) and art. 7(4)), since those who refuse are deprived of access to the lecture, which is a clear detriment.

37
Q

Is the consent valid?
An online service sends messages via Bluetooth to people who have activated Bluetooth on their mobiles; the service relies on activation of Bluetooth as consent.

A

Not valid: there is no actual consent (activating Bluetooth is not a clear affirmative action signifying agreement to receive messages), and the consent is not informed.

38
Q

Is the consent valid?
Same facts as in the previous card, but the person is informed about the service (e.g. via signage) and approaches to within a few centimetres of the board with his or her mobile.

A

Probably valid: since the person is presented with information and still actively chooses to put the phone next to the board, this is an informed, clear affirmative action, and the consent is valid.

39
Q

Is the consent valid?
A company decides that their website should feature employees’ names and main roles. Each employee is asked whether they would like to have their pictures uploaded alongside each name. Individuals who want to have their picture uploaded are invited to send a picture to a given address.

A

Valid: the consent is both informed and freely given, and sending the picture is a clear affirmative action; employees who do not want a picture suffer no detriment.

40
Q

Is the consent valid?
A mobile app for photo editing asks its users to have their GPS localisation activated for the use of its services. The app also tells its users it will use the collected data for behavioural advertising purposes. Neither geo-localisation or online behavioural advertising are necessary for the provision of the photo editing service, however, users cannot use the app without consenting to these purposes.

A

Not valid: the consent is not freely given, since the users cannot use the app without consenting to geo-localisation and behavioural advertising, even though neither is necessary for the photo editing service (bundling, art. 7(4)).

41
Q

Is the consent valid?
A bank asks customers for consent to allow third parties to use their payment details for direct marketing purposes. This processing activity is not necessary for the performance of the contract with the customer and the delivery of ordinary bank account services. It is unclear if the customer’s refusal to consent to this processing purpose will lead to the denial of banking services, closure of the bank account, or, depending on the case, an increase of the fee.

A

Not valid: the consent is not informed, since it is unclear what will happen if the customer does not consent, and it is not freely given, since refusal may lead to denial of the banking services, closure of the account or a higher fee.

42
Q

What two types of data do we have?

A
  1. General personal data, art. 6
  2. Special categories of (sensitive) data, art. 9

Processing of special categories of data has to comply with both: a lawful ground under art. 6(1) and an exception under art. 9(2).

43
Q

What indicates informed consent?

A

(i) the controller's identity
(ii) the purpose of each of the processing operations for which consent is sought
(iii) what (type of) data will be collected and used
(iv) the existence of the right to withdraw consent
(v) information about the use of the data for automated decision-making in accordance with Article 22(2)(c), where relevant
(vi) the possible risks of data transfers due to the absence of an adequacy decision and of appropriate safeguards as described in Article 46

44
Q

Give an example of Art 6 (d)Vital interests?

A

Only on rare occasions, and only where the processing cannot be based on another legal ground.

Example: helping a person who has collapsed unconscious on a train, where their medical or identity details have to be processed to get them help.

45
Q

Give an example of Art 6 (e)Public interest/official authority ?

A

• A tax authority collecting and processing an individual's tax return to establish and verify the amount of tax to be paid
• A bar association or a chamber of medical professionals vested with official authority carrying out disciplinary procedures against some of its members

46
Q

Give an example of Legitimate interests pursued by the controller or by a third party (Art. 6(1)(f))?

A
  • the exercise of the right to freedom of expression or information, including in the media and the arts
  • conventional direct marketing and other forms of marketing or advertisement (recital 47)
47
Q

Name an example of how consent can be explicit?

A

A written statement signed by the data subject, or a two-stage verification of consent (e.g. confirming via a link sent by e-mail after ticking a box), can be ways to make sure the consent is explicit.