When can personal data be processed?
Your company/organisation can only process personal data in the following circumstances:
- with the consent of the individuals concerned;
- where there is a contractual obligation (a contract between your company/organisation and a client);
- to meet a legal obligation under EU or national legislation;
- where processing is necessary for the performance of a task carried out in the public interest under EU or national legislation;
- to protect the vital interests of an individual;
- for your organisation’s legitimate interests, but only after having checked that the fundamental rights and freedoms of the person whose data you are processing are not seriously impacted. If the person’s rights override your interests, then processing cannot be carried out based on legitimate interest. The assessment as to whether your company/organisation has a legitimate interest for processing override those of the persons concerned depends on the individual circumstances of the case.
Examples
Consent
Your company/organisation offers a music app and asks for citizens’ consent to process their musical preferences in order to suggest tailored songs and possible concerts to them.
Contractual obligation
Your company/organisation sells goods online. It can process data that is necessary to take steps at the request of the individual prior to entering into the contract and for the performance of the contract. So you can process the name, delivery address, credit card number (if payment by card), etc.
Legal obligation
You own a company with employees. In order to obtain social security cover, the law obliges you to provide personal data (for example weekly income of your employees) to the relevant authority.
Public interest
Example: a professional association such as a bar association or a chamber of medical professionals vested with an official authority to do so may carry out disciplinary procedures against some of their members.
Vital interests of a person
A hospital is treating a patient after a serious road accident; the hospital does not need his consent to search for his ID to check whether that person exists in the hospital's database to find previous medical history or to contact his next of kin.
Your organisation’s legitimate interests
Your company/organisation ensures its network security by monitoring the use of its employees’ IT devices. Your company/organisation may legitimately process personal data for that purpose, only if the least intrusive method is chosen as regards the privacy and data protection rights of your employees, for example, by limiting the accessibility of certain websites. (Note that this can not be done in EU Member States where national law sets out stricter rules for processing in the employment context).
References
When is consent valid?
When consent is required for the processing of personal data, it is valid only if the following conditions are met:
- it must be freely given;
- it must be informed;
- it must be given for a specific purpose;
- all the reasons for the processing must be clearly stated;
- it is explicit and given via a positive act (for example an electronic tick-box that the individual has to explicitly check online or a signature on a form);
- it uses clear and plain language and is clearly visible;
- it is possible to withdraw consent and that fact is explained (for example an unsubscribe link at the end of an electronic newsletter email).
For consent to be freely given the individual must have a free choice and must be able to refuse or withdraw consent without being at a disadvantage. Consent isn’t freely given if, for example, there is a clear imbalance between the individual and the business/organisation (for example employer/employee relationship) or when a business/organisation requires individuals to consent to the processing of unnecessary personal data as a pre-condition to fulfil a contract or service.
For consent to be informed, the individual must receive at least the following information:
- the identity of the organisation processing data;
- the purposes for which the data is being processed;
- the type of data that will be processed;
- the possibility to withdraw the given consent (for example, an unsubscribe link at the end of an email)
- where applicable the fact that the data will be used for solely automated-based decision-making, including profiling;
- if the consent is related to an international transfer, the possible risks of data transfers to third countries which are not subject of a Commission adequacy decision and where there are no appropriate safeguards.
Remember: where someone consents to the processing of their personal data, you can only process the data for the purposes for which consent was given.
Examples
Free consent
You are an airline company and your Privacy Notice indicates that the personal data of customers can be processed for a competition organised by your company offering a free flight as a prize. The customers who ticked the box in agreeing to participate in the competition have clearly signalled their wish to have their personal data processed for the purpose of the competition. There is consent to process data for the purpose of the competition but not for other purposes.
Consent not free
Your company/organisation offers online movie services. When collecting the data needed for this contract you also ask for additional data, such as the sexual orientation or the political beliefs of a person. That person may believe that their consent for the processing of this type of data is necessary to access to the movies they request. The consent in this case is not free consent, it is a ‘tied consent’.
References
- Article 4(11) and Article 7 and Recitals 32, 42-43 of the GDPR
- EDPB guidelines on Consent under Regulation 2016/679
How is consent for processing in scientific research obtained?
Some flexibility in relation to the degree of specification and granularity of consent is allowed in the context of scientific research. When collecting personal data, researchers might not be able to fully identify the purposes for processing. In those cases they can ask individuals to give consent for certain areas of scientific research or parts of research projects. In any case, consent must keep its core elements, that is to say it must be freely given, informed, sought via clear affirmative action and specific to the extent allowed by the research in question. Researchers must make sure they also comply with the ethical and methodological standards required in their field.
Example
A group of researchers wants to study a specific kind of cancer but are aware of the possible implications for other kinds of cancers. In such a case they can ask for a person’s consent to process data relating to cancer research.
Reference
Does consent given before 25 May 2018 continue to be valid today?
If the consent provided by a person prior to the application of the General Data Protection Regulation (GDPR) is in line with the conditions of the GDPR, then there is no need to ask again for the individual’s consent. Your company/organisation has to make sure that the consent given before the GDPR meets the conditions set out in the GDPR.
Examples
No need for new consent
The GDPR came into effect on 25 May 2018. You’ve recently reviewed your company/organisation's privacy policy. You’ve checked that the consent within your organisation was gathered in writing and complied with all the requirements of the GDPR. In that case, you do not need to ask your clients/customers for consent again.
Need to obtain consent again
Your company/organisation obtained consent from clients a few years ago using a system of pre-ticked boxes online. It’s now clear that this manner of obtaining consent is not valid since 25 May 2018. Your company/organisation will have to obtain consent again if it wishes to continue processing the data.
References
What if somebody withdraws their consent?
It should be as easy to withdraw as to give consent. If consent is withdrawn your company/organisation can no longer process the data. Once consent has been withdrawn, your company/organisation needs to ensure that the data is deleted unless it can be processed on another legal ground (for example storage requirements or as far as it is a necessity to fulfil the contract).
If the data was being processed for several purposes your company/organisation can not use the personal data for the part of the processing for which consent has been withdrawn or for any of the purposes, depending on the nature of the withdrawal of consent.
Example
You are providing an online newsletter. Your client gives their consent to subscribe to the online newsletter that allows you to process all the data on their interests to build a profile of what articles they consult. One year on, they inform you that they no longer wish to receive the online newsletter. You must delete all personal data relating to that person collected in the context of the newsletter subscription from your database, including the profile(s) relating to that person.
References
- Article 7 and Recitals 32-33, 42, 43 and 58 of the GDPR
- EDPB guidelines on Consent under Regulation 2016/679
What does ‘grounds of legitimate interest’ mean?
As a company/organisation, you often need to process personal data in order to carry out tasks related to your business activities. The processing of personal data in that context may not necessarily be justified by a legal obligation or carried out to execute the terms of a contract with an individual. In such cases, processing of personal data can be justified on grounds of legitimate interest.
Your company/organisation must inform individuals about the processing when collecting their personal data.
Your company/organisation must also check that by pursuing its legitimate interests the rights and freedoms of those individuals are not seriously impacted, otherwise your company/organisation cannot rely on grounds of legitimate interest as a justification for processing the data and another legal ground must be found.
Example
Your company/organisation has a legitimate interest when the processing takes place within a client relationship, when it processes personal data for direct marketing purposes, to prevent fraud or to ensure the network and information security of your IT systems.
References
Under what conditions can my company/organisation process sensitive data?
Your company/organisation can only process sensitive data if one of the following conditions is met:
- the explicit consent of the individual was obtained (a law may rule out this option in certain cases);
- an EU or national law or a collective agreement, requires your company/organisation to process the data to comply with its obligations and rights, and those of the individuals, in the fields of employment, social security and social protection law;
- the vital interests of the person, or of a person physically or legally incapable of giving consent, are at stake
- you are a foundation, association or other not-for-profit body with a political, philosophical, religious or trade union aim, processing data about its members or about people in regular contact with the organisation;
- the personal data was manifestly made public by the individual;
- the data is required for the establishment, exercise or defence of legal claims
- the data is processed for reasons of substantial public interest on the basis of EU or national law;
- the data is processed for the purposes of preventive or occupational medicine, assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services on the basis of EU or national law, or on the basis of a contract as a health professional;
- the data is processed for reasons of public interest in the field of public health on the basis of EU or national law;
- the data is processed for archiving, scientific or historical research purposes or statistical purposes on the basis of EU or national law.
Further conditions may be imposed by national law on the processing of genetic data, biometric data or data concerning health. Check with your National Data Protection Authority.
Example
You can process sensitive data
A doctor sees a number of patients at his clinic. He logs the visit in a database that includes fields such as name/surname of patient, description of symptoms and medication prescribed. That is considered to be sensitive data. The processing of health data by the clinic is allowed under the data protection law because it is required to treat the person and is carried out under the responsibility of a doctor who is subject to an obligation of professional secrecy.
You cannot process sensitive data
Your company sells dresses online. In order to tailor the services to the specific interests of your clients, you ask them to provide you with information about sizes, preferred colour, payment method, name and the address so that the product can be delivered. In addition, your company asks for your clients’ political views. You need the majority of the information to fulfil your side of the contract. However, clients’ political views are not a requirement to make and deliver their dresses. Your company cannot ask for that information under that contract.
References
What personal data is considered sensitive?
The following personal data is considered ‘sensitive’ and is subject to specific processing conditions:
- personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs;
- trade-union membership;
- genetic data, biometric data processed solely to identify a human being;
- health-related data;
- data concerning a person’s sex life or sexual orientation.
References
Can data received from a third party be used for marketing?
Before acquiring a contact list or a database with contact details of individuals from another organisation, that organisation must be able to demonstrate that the data was obtained in compliance with the General Data Protection Regulation and that it may use it for advertising purposes. For example, if the organisation acquired it based on consent, the consent should have included the possibility to transmit the data to other recipients for their own direct marketing.
Your company/organisation must also ensure that the list or database is up-to-date and that you do not send advertising to individuals who objected to the processing of their personal data for direct marketing purposes. Your company/organisation must also ensure that if it uses communication tools, such as email, for the purposes of direct marketing, it complies with the rules set out in the ePrivacy Directive (Directive 2002/58/EC1).
Such lists are processed on grounds of legitimate interests and individuals will have a right to object to such processing. Your company/organisation must also inform individuals, at the latest at the time of the first communication with them, that it has collected their personal data and that it will be processing it for sending them adverts.
Example
Two friends, Mrs. A and Mr. B, run, respectively, a gym and a book shop. Each collects data from their respective customers. Mr. B’s book shop is not doing well. His client database has few entries and not many people walk into his shop. He tells Mrs. A that he has a new biography of a famous athlete and asks whether Mrs. A’s clients would be interested in receiving advertising about the book. The terms of Mrs. A’s privacy notice informed her clients that she could share the data with partners offering products in the health and fitness area. As far as specific consent was given for the purpose of transmitting the data to other recipients for their own direct marketing, Mrs. A can send the client list to Mr. B. No data can be sent about an individual who objected to the processing of their personal data.
References
- Article 4(10) and Articles 5-6, 14 and 21 of the GDPR
- EDPB guidelines on Transparency under Regulation 2016/679
- ePrivacy Directive 2002/58/EC rules on direct marketing, in particular Article 13
1 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201, 31.07.2002 p.37).