GDPR Articles With Commentary & EU Case Laws
Author: Adv. Prashant Mali
Lawfully, Fairly and Transparent
Lawfully refers to the duty to process personal data only when there is an appropriate legal basis or legislative measure under the GDPR, EU or Member State law. Strictly speaking, personal data may be collected and processed only when the controller has a legitimate ground for doing so, e.g., the data subject's consent. A situation where personal data have been obtained through unauthorised access would therefore be unlawful and contrary to this principle. Relevant references: Articles 5, 6, 9 and 10 / Recitals 39, 45 and 63.
Fairly requires providing the data subject with sufficient information to make the processing fair and transparent. In particular, the data subject must be informed of the existence of the processing activities and their purposes at the moment of collection. The information must include all the details necessary to ensure fair and transparent processing, taking into account the specific circumstances and context in which the personal data are processed. Where applicable, the data subject should also be informed of the existence of profiling and its consequences, and of any legal obligation on the data subject to provide his or her personal data and the consequences of not doing so. Relevant references: Articles 5 and 6 / Recitals 39, 45, 60 and 71.
Transparently refers to the responsibility to ensure that any information or communication addressed to the data subject is concise, easily accessible and easy to understand, in clear and plain language, especially when it is addressed to a child. Furthermore, to ensure fair and transparent processing, this duty covers the information that should be accessible to the data subject. As a rule, natural persons should be made aware of the risks, rules, safeguards and rights concerning the processing of their personal data and of how to exercise their rights in relation to such processing. Relevant references: Articles 5, 12 to 22 and 34 / Recitals 39, 58 to 63 and 71.
Purpose Limitation
This principle can be divided in two:
personal data may only be collected for specified (defined), explicit (clear) and legitimate purposes (with a legal basis) determined at the moment of collection. Undefined and/or unlimited purposes are unlawful;
personal data must only be processed in a manner compatible with those purposes. Otherwise, a new and separate legal basis is required.
Now, there are two specific exemptions to this principle:
89(1) processing for archiving, scientific, historical or statistical purposes, provided that appropriate technical and organisational measures are in place to protect the rights and freedoms of the data subjects, in particular the principle of data minimisation.
6(4) processing for another purpose compatible with the purpose for which the personal data were initially collected. To assess compatibility the following points should be considered:
(i) the fair processing information the controller initially provided to the data subject;
(ii) the relationship between the purposes for which the data have been collected and the purposes of further processing;
(iii) the context in which the data were collected and the reasonable expectations of the data subjects as to their further use;
(iv) the nature of the data and the impact of the further processing on the data subjects; and
(v) the safeguards applied by the controller to ensure fair processing and to prevent any undue impact on the data subjects.
Relevant references: Article 5 and 6 / Recitals 39, 45 and 50.
Data Minimization
This principle refers to the duty to process only personal data that are adequate (appropriate), relevant (pertinent) and limited to what is necessary for the purposes for which they are processed (not excessive). To limit the storage of personal data to a strict minimum, time limits for erasure must be established, or periodic reviews carried out to assess what should be erased. Data minimisation also requires an assessment of whether personal data need to be processed at all: if another reasonable, privacy-friendly solution can fulfil the purposes, the personal data should not be handled. Relevant references: Articles 5 and 25 / Recitals 39 and 156.
Accuracy
This principle imposes the responsibility to take every reasonable step to ensure that personal data are accurate and kept up to date, having regard to the specific purposes for which they are processed. Inaccurate data must be erased or rectified without delay. Attention should be given to the word “reasonable”: the steps required should not involve a disproportionate effort. Relevant references: Articles 5 and 18 / Recital 39.
Storage Limitation
This principle refers to the obligation to keep personal data in a form that permits identification of the data subjects for no longer than is necessary for the purposes for which they are processed. In that sense, retention periods have to be set so that personal data are erased once those purposes have been served. Now, there is one specific exemption to this principle:
89(1) processing for archiving, scientific, historical or statistical purposes, provided that appropriate technical and organisational measures are in place to protect the rights and freedoms of the data subjects, in particular the principle of data minimisation.
Relevant references: Articles 5, 6, 23 and 25 / Recitals 39 and 45.
Integrity and Confidentiality
This principle establishes the duty to process personal data in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. Relevant references: Articles 5 and 32 / Recitals 74 to 84, 94 and 95.
Accountability
This principle states the obligation to comply with the principles and to be able to demonstrate that processing is performed in accordance with them. Relevant references: Articles 5 and 24.
Final Notes:
The obligation to comply with the principles rests with the Data Controller(s). However, the Data Processor(s) must also observe them and act accordingly; keep in mind the Data Processor’s obligations under Article 28(3)(h) GDPR.
Union or Member State law may restrict by way of a legislative measure the scope of Article 5, as long as its provisions correspond to the rights and obligations provided for in Articles 12 to 22 and such restrictions respect the essence of the fundamental rights and freedoms and are necessary and proportionate measures in a democratic society to safeguard national security, defence, public security, etc.
It is no secret that we may find regulatory gaps as technology develops. Keeping pace with the times is not an easy task, but I trust our authorities will shed more light on the many interfaces between law, regulation and technology.
Art. 6 GDPR Lawfulness of processing
1. Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.
2. Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to processing for compliance with points (c) and (e) of paragraph 1 by determining more precisely specific requirements for the processing and other measures to ensure lawful and fair processing including for other specific processing situations as provided for in Chapter IX.
3. The basis for the processing referred to in points (c) and (e) of paragraph 1 shall be laid down by:
(a) Union law; or
(b) Member State law to which the controller is subject.
The purpose of the processing shall be determined in that legal basis or, as regards the processing referred to in point (e) of paragraph 1, shall be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. That legal basis may contain specific provisions to adapt the application of rules of this Regulation, inter alia: the general conditions governing the lawfulness of processing by the controller; the types of data which are subject to the processing; the data subjects concerned; the entities to, and the purposes for which, the personal data may be disclosed; the purpose limitation; storage periods; and processing operations and processing procedures, including measures to ensure lawful and fair processing such as those for other specific processing situations as provided for in Chapter IX. The Union or the Member State law shall meet an objective of public interest and be proportionate to the legitimate aim pursued.
4. Where the processing for a purpose other than that for which the personal data have been collected is not based on the data subject’s consent or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1), the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected, take into account, inter alia:
(a) any link between the purposes for which the personal data have been collected and the purposes of the intended further processing;
(b) the context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller;
(c) the nature of the personal data, in particular whether special categories of personal data are processed, pursuant to Article 9, or whether personal data related to criminal convictions and offences are processed, pursuant to Article 10;
(d) the possible consequences of the intended further processing for data subjects;
(e) the existence of appropriate safeguards, which may include encryption or pseudonymisation.
Suitable Recitals
(39) Principles of data processing; (40) Lawfulness of data processing; (41) Legal basis or legislative measures; (42) Burden of proof and requirements for consent;
(43) Freely given consent; (44) Performance of a contract; (45) Fulfillment of legal obligations; (46) Vital interests of the data subject; (47) Overriding legitimate interest; (48) Overriding legitimate interest within group of undertakings; (49) Network and information security as overriding legitimate interest; (50) Further processing of personal data; (171) Repeal of Directive 95/46/EC and transitional provisions.
COMMENTARY:
Article 6(1) GDPR sets out the conditions that must be satisfied for the processing of personal data to be lawful (For provisions relating to sensitive data see section on sensitive data and lawful processing). These grounds broadly replicate those in the Data Protection Directive. These are:
6(1)(a) – Consent of the data subject
The GDPR approaches consent more restrictively; in particular it seeks to ensure that consent is specific to distinct purposes of processing (see section on consent). Particular conditions are imposed in the case of children online (See section on children).
6(1)(b) – Necessary for the performance of a contract with the data subject or to take steps preparatory to such a contract
No change to the position under the Data Protection Directive.
6(1)(c) – Necessary for compliance with a legal obligation
This replicates an equivalent ground under the Data Protection Directive. However, Article 6(3) and Recitals 41 and 45 make it clear that the legal obligation in question must be:
an obligation of Member State or EU law to which the controller is subject; and
“clear and precise” and its application foreseeable for those subject to it.
The recitals make it clear that the relevant “legal obligation” need not be statutory (i.e. common