Definition data processing
Article 4(2) ‘any operation’ performed upon data, comprises the many possible actions in the data lifecycle
Examples: Recording, Restriction, Retrieval, Consultation, Collection, Organisation, Adaptation or alteration, Structuring, Use, Disclosure, Erasure of destruction, Storage, Alignment or combination
Data processing principles - OECD
Most widely recognised framework for fair information practices
- Collection limitation: limits to collection of personal data, should be obtained by lawful and fair means and (where appropriate) with knowledge or consent of data subject
- Data quality: ‘Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date’.
- Purpose specification: ‘The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfilment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose’.
- Use limitation: ‘Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with [the purpose specification principle] except a) with the consent of the data subject; or b) by the authority of law’.
- Security safeguards: ‘Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data’.
- Openness: ‘There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller’.
- Individual participation: ‘An individual should have the right: a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him; b) to have communicated to him, data relating to him within a reasonable time; at a charge, if any, that is not excessive; in a reasonable manner; and in a form that is readily intelligible to him; c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and d) to challenge data relating to him and, if the challenge is successful to have the data erased, rectified, completed or amended’.
- Accountability: ‘A data controller should be accountable for complying with measures which give effect to the principles stated above’.
Data processing principles - GDPR
Article 5
- Lawfulness, fairness and transparency of processing requires honest practices, such as communicating openly with data subjects about personal data processing activities.
- Purpose limitation requires collecting and processing personal data for the specified purpose only. To determine if personal data may be processed further, use a compatibility test to look for links between purposes, nature of the data, method of collection, consequences of secondary uses and safeguards.
- Data minimisation means processing only personal data that is relevant and necessary for the purpose.
- Accuracy includes processing complete and up-to-date personal data.
- Storage limitation means retaining only personal data that is relevant and necessary for the purpose.
- Integrity and confidentiality require ensuring personal data is secure.
- Accountability means processing personal data responsibly and demonstrating compliance with EU and member state data protection laws.
Application of GDPR - scope
Territorial scope: Article 3, one of the criteria must be met
- Controller or processor is established in the EU (regardless of whether or not the actual processing takes place in the EU)
- Relating to offering goods or services or monitoring behaviour in the EU (where the controller or processor is not established in the EU)
- Processing of personal data by a controller not established in the EU but in a place where member state law applies by virtue of public international law
Material scope: must also fall within the material scope, Article 2
- Processing personal data wholly or partly by automated means (processing operation without or partly without human intervention, NOT equal to automated decision-making)
- Processing that forms part of a filing system
Exclusions, data processing NOT regulated by the GDPR for purposes
- Activities outside the scope of EU law: for example, national security activities
- Law enforcement and public security
- And purely personal or household activities
Lawful processing
Six lawful grounds for controllers to process personal data (one must be met), Article 6:
- Consent from the data subject for a specific processing purpose
- Performance of a contract if the processing is necessary to perform the contract (and the data subject is party to the contract), or if the data subject requests the processing to enter into a contract.
- Compliance with legal obligation to which the controller is subject.
- Protection of vital interests of the data subject or another natural person.
- Necessity for the public interest or in the exercise of official authority of the controller.
- As necessary for the legitimate interests of the controller or a third party (unless overridden by the interests, rights or freedoms of the data subject, in particular where the data subject is a child)
Consent (conditions)
- Freely Given: must be clearly distinguishable from other matters, intelligible, and in clear and plain language
- Specific: Data subjects must be informed of all intended purposes for processing their personal data at the time of consent
- Informed: data subjects must be informed, at least, of the controller’s identity, the purpose for processing, and information about how processing may affect data subjects. These details must be communicated using understandable language and form
- Unambiguous: unambiguous indication of wishes. In other words, the wishes of the data subjects must be absolutely clear. This requires a positive, affirmative action, such as checking opt-in or choosing technical settings for web applications. Silence, pre-ticked boxes and inactivity do not qualify as unambiguous indications of a data subject’s wishes
Consent for children
Consent must be given by a parent or guardian when the child is younger than 16 years old.
However, member states have the leeway to lower this threshold to as young as 13 years old
Legitimate interest - controllers
The burden is on the controller to show that the data subject’s fundamental rights and freedoms have not been compromised.
Transparency, adequate safeguards and compliance with other obligations can help a controller support its case that the processing is legal.
The controller must also:
- Ensure that the purpose of processing is a legitimate interest of the controller or third party
- Ensure that processing the personal data is necessary for the legitimate interest
- Inform the data subjects, at the time data is collected, of the controller’s claimed legitimate interests.
- Balance the legitimate interest with those of the data subjects
- Uphold fundamental rights and freedoms of data subjects
Legitimate Interest: Controller-data subject relationship
Relationship is an important factor in distinguishing a legitimate interest. The relationship will have an effect on the data subject’s reasonable expectations.
e.g. the data subject may be the controller’s client or employee.
Controllers or third parties with a legitimate interest may have the purpose of:
- Fraud Prevention
- Direct Marketing
- Sharing personal data within a group of undertakings or institutions affiliated to a central body of internal administrative purposes
- Information Security
Of note is the stipulation that public authorities may NOT rely on legitimate interest as a grounds for processing data.
Processing Special Categories
Article 9 is concerned with protecting special categories of data. These are:
- Racial or Ethnic origin
- Political Opinions
- Religious or philosophical beliefs
- Trade union membership
- Processing of genetic or biometric data for the purposes of uniquely identifying a natural person
- Health
- Sex life
- Sexual orientation
The general starting point under article 9 is that processing of special categories of data is prohibited. However there are some exceptions.
Processing Special Category Exceptions
First, controller must ensure that processing meets at least one of 6 bases for lawfully processing of personal data (see earlier).
If at least one of these are met then the processing must also meet ONE of the exceptions below in order for processing of the special category of data to be lawful. The exceptions are:
1. Explicit Consent (also unambiguous, freely given, specific and informed, in addition clear affirmative act by the data subject required)
2. In the context of employment (if required to comply with a legal obligation under employment, social security and social protection law; for candidates, employees and contractors)
3. Vital interests of the individual (identical to A6, except that under A9, controller must be able to demonstrate that it is not possible to obtain consent, e.g. emergency situations)
4. Political, Philosophical and Religious purposes
5. Sensitive data manifestly made public by the data subject (e.g. in media interviews or social media)
6. Establishment, exercise or defence of legal claims
7. Substantial public interest (must be balanced with the data subject’s right to data protection, e.g. for preventing and detecting crime)
8. Medicine and Social Healthcare (assessing the working capacity of an employee, making a medical diagnosis, providing health or social care or treatment, and managing health or social care systems or services)
9. Public Health (‘protecting against serious cross-border threats to health or ensuring high standards of quality and safety in health care and of medicinal products or medical devices’)
10. Public archive or scientific or historical research or statistical purposes
