As we have seen, GDPR is the new law governing the processing of personal data, which is coming into force on 25 May 2018. One of its core requirements (in Article 5) is that all personal data must be processed lawfully, fairly and transparently.
In Article 6, it is specified that processing (including collection) is only lawful if at least one of the following lawful grounds applies:
- the data subject has given consent to the processing for one or more specific purposes;
- the processing is necessary for the performance of a contract with the data subject, or to take steps at the data subject's request before entering into a contract;
- the processing is necessary to comply with a legal obligation to which the controller is subject;
- the processing is necessary to protect the vital interests of the data subject or of another person;
- the processing is necessary for a task carried out in the public interest or in the exercise of official authority vested in the controller;
- the processing is necessary for the legitimate interests of the controller or a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject.
For the grounds other than consent, the processing must be necessary for that purpose. This means that if you could reasonably achieve the task (performance of a contract, etc.) without processing personal data, the lawful ground will not apply.
You should determine what the lawful basis for processing will be ahead of time and notify the data subject of it. When processing data under a different ground from the one for which it was originally collected, you will need to check that the new purpose is compatible with the original purpose (unless the new ground is consent or legal obligation). To do so, you will need to take into account:
- any link between the original purpose and the new purpose;
- the context in which the data was collected, in particular the relationship between the data subject and the controller;
- the nature of the data, in particular whether special categories of data or data relating to criminal convictions and offenses are involved;
- the possible consequences of the new processing for the data subject; and
- the existence of appropriate safeguards, such as encryption or pseudonymization.
Finally, note that for both special categories of data (along with criminal convictions and offenses) and automated decision-making, the requirements are stricter; we will consider these towards the end of this article. First, we will look at the basic grounds in a bit more detail.
The consent ground is more complicated than it may sound, as there are various requirements about the quality of the consent. It is certainly not acceptable to assume that, by providing their personal data, a data subject has consented to you using it in whatever way you see fit. We will look in detail at the requirements for establishing valid consent in the next article.
In order for the second ground (performance of a contract) to hold, one of the following must apply:
- the processing is necessary for the performance of a contract to which the data subject is a party; or
- the processing is necessary in order to take steps at the request of the data subject prior to entering into a contract.
Take care when relying on this ground, as it will only cover types of information and processing which are genuinely necessary for these purposes. For example, say that you require people to provide contact details when they purchase goods or services from you. This is likely to be legitimate to the extent that you may need an address to deliver goods, and you may need to contact them about their order. However, this does not mean that it will be legitimate to use these details for research into your customers’ purchasing habits (which will not be necessary to the contract in question).
It may be that you are required by EU or national law to collect certain data, or process it in a certain way. If this is the case, then it is lawful to do so under GDPR.
Key Point: A contractual obligation is not enough to satisfy this requirement. Also note that as written, this does not cover the laws of countries outside of the EU.
The vital interests ground is an extremely narrow one, covering only processing necessary to protect an interest “essential to the life of” the data subject or another person. Examples could include certain crime prevention or humanitarian operations. Note that special categories of data cannot be processed under this ground if the data subject is capable of giving consent (even if they refuse to do so).
The official authority ground will cover public authorities (such as the government or emergency services) and organizations to which official tasks are delegated. This processing has to be authorized by EU or national law, so it is not generally open to organizations to argue that they are covered simply because their activities are “in the public interest”. Note that data subjects have the right to object to processing carried out under this ground, under Article 21.
Legitimate interests is a potentially quite flexible ground, catching a number of processing activities which are not necessary to the performance of a specific contract, but are nonetheless vitally important to running most types of business.
The nature of these legitimate interests is not spelled out in the text of GDPR. However the explanatory notes provide some guidance. A crucial consideration is the reasonable expectations of data subjects when their data is collected. This will be assessed in light of their relationship to the data controller.
The guidance notes also give the following potential legitimate interests which may justify processing:
What is clear from the text is that these legitimate interests only give a lawful ground if they are not overridden by the interests, rights and freedoms of the data subjects. As such, a balancing act must take place.
Also note that data subjects have the right to object to processing under this ground, under Article 21. If they do so, such processing must stop unless the data controller can demonstrate compelling legitimate grounds for the processing which override the data subject’s rights. If data subjects object to processing for direct marketing (including profiling for this purpose), then you cannot refuse to stop the processing.
Most of the time, for most commercial organizations, the “vital interests” and “official authority” grounds are unlikely to have much impact on your operations.
Of the other grounds, consent is the broadest, allowing you to catch anything not otherwise covered. You can refer to the next article for details on how to make sure that the consent collected is sufficient to make processing lawful.
However, consent can be refused, or it can be withdrawn at any time. The other grounds can therefore allow you to ensure that you are able to collect and process the data you need in order to perform a contract, comply with any legal obligations, and otherwise pursue your legitimate interests (although remember that data subjects can object to this last type of processing).
To see how this might work in practice, the following is likely to be the best approach when entering into a contract with a client (for example through an online submission form):
In Article 9, there are stricter rules for processing the following special categories of personal data:
- racial or ethnic origin;
- political opinions;
- religious or philosophical beliefs;
- trade union membership;
- genetic data;
- biometric data processed for the purpose of uniquely identifying a natural person;
- data concerning health; and
- data concerning a person's sex life or sexual orientation.
For these categories, you will still need to have one of the six grounds considered above. However, you will also need one of the following grounds for processing (although there is considerable overlap):
Alternatively, there are other potential grounds which will first have to be established by specific EU or national laws before they can be relied on:
Of this second category, the most important one for most organizations is likely to be the one covering employment, as governments attempt to strike a balance between employee rights over their data and the needs of employers to keep full HR records.
If collection and processing of this information is necessary to your organization, it will be important for you to check that one or more of the above grounds applies, as well as one of the original six.
Comparing these to the standard list of six grounds, consent will still justify the processing of special category data (as long as it is explicit), as will a person’s vital interests (if the data subject is unable to consent) and most cases of legal obligations and official authority. However, neither the performance of a contract nor an organization’s legitimate interests will be enough by itself.
Note that while information about criminal convictions and offenses is not a special category, Article 10 states that it should only be processed under the control of official authority or where specifically authorized by law.
In Article 22, there are also stricter rules where decisions are made based solely on automated processing (including profiling). This is only justified under one of the following grounds:
- the decision is necessary for entering into, or performing, a contract between the data subject and the data controller;
- the decision is authorized by EU or national law which lays down suitable measures to safeguard the data subject's rights, freedoms and legitimate interests; or
- the decision is based on the data subject's explicit consent.
You will need to implement measures to safeguard the data subject’s rights, freedoms and legitimate interests. In practice, the biggest difference between these grounds and the standard six grounds is that legitimate interests are not enough to justify this processing.
Note that these decisions may only be based on the special categories of data (above) if the data subject has given explicit consent, or if it is authorized by law and necessary for reasons of substantial public interest.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.