GDPR: Lawfulness of processing and further processing.

Article 6(1) of the GDPR sets out the conditions that must be satisfied for the processing of personal data to be lawful. Processing shall be lawful only if and to the extent that at least one of the following applies:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

Consent is now subject to additional requirements. A request for consent must be presented separately from other matters (no "bundled" consents), and where the provision of a service is made conditional on consent to processing that is not necessary for that service, the consent is unlikely to be regarded as freely given (Article 7(4) and Recital 43). Consent must be an active, affirmative indication of the data subject's wishes: controllers can no longer rely on pre-ticked boxes, silence or inactivity. Where online services are offered directly to a child and consent is the basis relied upon, the consent must be given or authorised by the holder of parental responsibility over the child (Article 8). Member States may set the relevant age anywhere between 13 and 16, so a child under the age of 13 can never, themselves, give valid consent to the processing of their personal data in relation to online services. Explicit consent is still required to process special categories of personal data, unless another Article 9(2) ground applies.

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

No substantive change from the position under the Data Protection Act 1998.

(c) processing is necessary for compliance with a legal obligation to which the controller is subject;

Article 6(3) and Recitals 41 and 45 make it clear that the legal obligation in question must be: (i) an obligation under EU or Member State law to which the controller is subject; and (ii) laid down in a legal basis or legislative measure that is clear and precise and whose application is foreseeable to the persons subject to it, in accordance with the case-law of the Court of Justice of the European Union (the 'Court of Justice') and the European Court of Human Rights. A contractual obligation, or an obligation imposed by the law of a third country, is not a "legal obligation" for this purpose.

The Regulation does not require a specific law for each individual processing operation. A single law may serve as the basis for several processing operations, whether they rest on a legal obligation to which the controller is subject or are necessary for the performance of a task carried out in the public interest or in the exercise of official authority (Recital 45).

(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;

Processing of personal data should also be regarded as lawful where it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person. Processing based on the vital interests of another natural person should in principle take place only where the processing cannot manifestly be based on another legal basis. Some types of processing may serve both important grounds of public interest and the vital interests of the data subject, for instance where processing is necessary for humanitarian purposes, including monitoring epidemics and their spread, or in situations of humanitarian emergency, in particular natural and man-made disasters (Recital 46). In practice this is a narrow ground, not a routine basis for processing.

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

Article 6(3) and Recital 45 make clear that this ground applies only where the task carried out in the public interest, or the official authority vested in the controller, is laid down in EU or Member State law to which the controller is subject.

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

This ground shall not apply to processing carried out by public authorities in the performance of their tasks.

The express requirement to consider the interests and fundamental rights and freedoms of children is new. Any decision to process data relating to children on the basis of "legitimate interests" should be carefully documented, with a risk assessment conducted and retained.

Controllers that rely on "legitimate interests" should maintain a record of the balancing assessment they have made (identifying the interest pursued, why the processing is necessary for it, and how the data subjects' interests, rights and freedoms were weighed), so that they can demonstrate, under the accountability principle, that proper consideration was given to the rights and freedoms of data subjects. Processing on this basis is subject to a right to object, which the controller can resist only by demonstrating "compelling" legitimate grounds. The Recitals identify the following as legitimate interests:

  • Processing for direct marketing purposes or for preventing fraud (Recital 47). The controller must weigh the interests and fundamental rights and freedoms of the data subject against its own; the data subject's interests could in particular override those of the controller where personal data are processed in circumstances in which data subjects do not reasonably expect further processing.
  • Transmission of personal data within a group of undertakings for internal administrative purposes, including the processing of clients' and employees' personal data (Recital 48).
  • Processing to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, for example preventing unauthorised access, malicious code distribution and denial-of-service attacks (Recital 49).
  • Indicating possible criminal acts or threats to public security to a competent authority (Recital 50).

Where legitimate interests are relied on for specific processing operations, the interests pursued must now be set out in the relevant information notices (Articles 13(1)(d) and 14(2)(b)). Data subjects may object to processing based on legitimate interests (Article 21(1)); the controller must then stop unless it can demonstrate compelling legitimate grounds that override the interests, rights and freedoms of the data subject, or that the processing is necessary for the establishment, exercise or defence of legal claims. Where the objection relates to direct marketing there is no balancing test: once the data subject objects, the personal data may no longer be processed for that purpose (Article 21(2) and (3)).

Further Processing

Article 6(4) of the GDPR sets out the factors a controller must take into account to assess whether a new processing purpose is compatible with the purpose for which the personal data were initially collected.

Where processing for a purpose other than that for which the personal data were collected is not based on the data subject's consent, or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard one of the objectives referred to in Article 23(1) (restrictions relating to national security; the prevention, investigation, detection and prosecution of criminal offences; the protection of judicial independence and judicial proceedings; the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions; and so on), the controller shall, in order to ascertain whether processing for the new purpose is compatible with the purpose for which the personal data were initially collected, take into account, inter alia:

(a) any link between the purposes for which the personal data have been collected and the purposes of the intended further processing;

(b) the context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller;

(c) the nature of the personal data, in particular whether special categories of personal data are processed, pursuant to Article 9, or whether personal data related to criminal convictions and offences are processed, pursuant to Article 10;

(d) the possible consequences of the intended further processing for data subjects;

(e) the existence of appropriate safeguards, which may include encryption or pseudonymisation.

Article 5(1)(b) and Recital 50 provide that further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes should be considered compatible with the initial purposes, provided the safeguards required by Article 89(1) are in place. Where further processing is compatible, no legal basis separate from that which allowed the collection of the data is required, but the data subject must still be informed of the new purpose before the further processing takes place (Articles 13(3) and 14(4)).

If you would like to discuss the topic of GDPR readiness in more detail or outsource your DPO role to us, please feel free to get in touch: [email protected]

If you found this article useful, please feel free to like it, connect with or follow me, and share it with others.
