Rules of European data protection law Flashcards
(13 cards)
RULES OF EUROPEAN DATA PROTECTION LAW
- CONSENT
Consent is one of the six legitimate grounds for processing personal data.
Consent means “any:
- freely given,
- specific,
- informed and
- unambiguous
indication of the data subject’s wishes”.
→ Consent must be given by a clear affirmative act establishing a:
- freely given,
- specific,
- informed and
- unambiguous
indication of the data subject’s agreement to the processing of his or her personal data.
→ The data subject must have the right to withdraw consent at any time.
→ Within the context of a written declaration that also covers other matters, such as ‘terms of service’,
requests for consent must be:
- in clear and plain language and
- in an intelligible and easily accessible form,
which clearly distinguishes consent from other matters.
RULES OF EUROPEAN DATA PROTECTION LAW
- CONSENT (Free consent)
→ EU law stipulates that consent is not considered freely given “if the data subject has:
- no genuine or free choice
- or is unable to refuse or withdraw consent without detriment”.
(Art. 7, par. 4, GDPR)
→ The GDPR stresses that, in assessing whether consent is freely given, account must be taken of whether:
- the performance of a contract,
- the provision of a service,
is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
RULES OF EUROPEAN DATA PROTECTION LAW
- CONSENT (Informed consent)
The recitals of the GDPR stipulate that
→ informed consent means that
“the data subject should be aware:
- of the identity of the controller and
- the purposes of the processing for which the personal data are intended”.
RULES OF EUROPEAN DATA PROTECTION LAW
- CONSENT (Specific consent)
For consent to be valid, it must also:
a) be specific to the processing purpose,
- which must be described clearly, and
- in unambiguous terms.
b) This goes hand-in-hand with the quality of information given about the purpose of the consent.
c) In this context, the reasonable expectations of an average data subject will be relevant.
d) When the processing activity has multiple purposes, consent should be given for all of them.
RULES OF EUROPEAN DATA PROTECTION LAW
- CONSENT (Unambiguous consent)
There should be no reasonable doubt that the data subject wanted to express his or her agreement to allow the processing of his or her data.
→ If consent is given in a written form which is part of a contract,
- consent for processing personal data must be individualized and in any case
“safeguards should ensure that the data subject is aware of the fact that and the extent to which consent is given”.
RULES OF EUROPEAN DATA PROTECTION LAW
- CONSENT (The right to withdraw consent at any time)
The data subject must be informed of such a right prior to giving consent and he or she may exercise this right at his or her discretion.
There can be no free consent if the data subject is unable to withdraw his or her consent without detriment or if withdrawal is not as easy as giving consent had been.
RULES OF EUROPEAN DATA PROTECTION LAW
- CONSENT (Consent requirements for children)
(Art. 8, par. 1, GDPR)
«in relation to the offer of information society services directly to a child, the processing of personal data of a child shall be lawful where
the child is at least 16 years old.
Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child».
Member States may provide for a lower age. Such lower age is not below 13 years.
RULES OF EUROPEAN DATA PROTECTION LAW
- Necessity for the performance of a contract
Article 6, par. 1, point b) of the GDPR
“necessary for the performance of a contract to which the data subject is party”.
This provision also covers pre-contractual relationships.
If one party needs to process data for this purpose, such processing is legitimate as long as it is “necessary in order to take steps at the request of the data subject prior to entering into a contract”.
RULES OF EUROPEAN DATA PROTECTION LAW
- Legal duties of the controller
(Article 6, par. 1, point c) of the GDPR).
“it is necessary for compliance with a legal obligation to which the controller is subject”
This provision refers to controllers acting in both the private and public sector;
the legal obligations of public sector data controllers can also fall under Article 6, par. 1, point e) of the GDPR.
RULES OF EUROPEAN DATA PROTECTION LAW
- Vital interests of the data subject or those of another natural person
Article 6, par. 1, point d) of the GDPR
“is necessary in order to protect the vital interests of the data subject or of another natural person”.
This legitimate ground may only be invoked for processing personal data based on the vital interests of another natural person, if such processing “cannot be manifestly based on another legal basis”.
Sometimes a type of processing may be based on the grounds of both public interest and the vital interests of the data subject or that of another person.
RULES OF EUROPEAN DATA PROTECTION LAW
- Public interest and exercise of official authority
Article 6, par. 1, point e) of the GDPR
The personal data may lawfully be processed if it “is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller […]”.
RULES OF EUROPEAN DATA PROTECTION LAW
- Legitimate interests pursued by the controller or by a third party
Under EU law, the data subject is not the only one with legitimate interests.
Article 6, par. 1, point f) of the GDPR provides that personal data may lawfully be processed if
it “is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties [except public authorities in the performance of their tasks] to whom the data are disclosed,
except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection […]”.
RULES OF EUROPEAN DATA PROTECTION LAW
- Legitimate interests pursued by the controller or by a third party
(The CJEU - the Court of Justice of the European Union)
The CJEU clarified that EU data protection law includes the possibility – not an obligation – of communicating data to a third party for the purposes of the legitimate interests pursued by that party.
The CJEU set out three cumulative conditions that must be fulfilled for personal data processing to be lawful on the ‘legitimate interests’ ground.
1) The third party to whom the data are disclosed must pursue a legitimate interest.
In this specific case, this means that requesting personal information to sue a person for causing property damage constitutes a legitimate interest of a third party.
2) The processing of personal data must be necessary for the purposes of the legitimate interests pursued.
In this case, obtaining personal information such as the address and/or ID number is strictly necessary to identify that person.
3) The fundamental rights and freedoms of the data subject must not take precedence over the controller’s or third parties’ legitimate interests.