How to Ensure that Your Data Processing Practices Are GDPR-Compliant: The GDPR Explained


In this article, we will discuss the main principles in Chapter Two of the General Data Protection Regulation (GDPR), which are the foundation of the GDPR and lay out the requirements for how organisations should collect, use, and store personal data. However, this article does not include any form of legal advice or educational materials. It only reflects my understanding of the law in question and how it operates.

Lawfulness, fairness and transparency:

Art. 5(a) of the GDPR states that personal data shall be processed lawfully, fairly and in a transparent manner. This means that organisations must have a legal basis for processing personal data, and they must be transparent about how they collect, use, and store it. Lawfulness is set out in more detail in Art. 6, which provides that processing of the collected data shall be lawful only if at least one of the following applies:

(a) the individual has given consent to the processing of his or her personal data for one or more specific purposes.

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

This clause means that the organisation can process personal data if necessary to fulfil a contract the individual has entered into with the organisation. For example, if an individual orders a product from an online store, the store can process the individual’s personal data (such as their name, address, and payment information) in order to fulfil the order.

The clause also applies to situations where the organisation needs to process personal data in order to take steps at the request of the individual before entering into a contract. For example, if an individual applies for a job, the employer can process the individual’s personal data (such as their resume and contact information) in order to assess the individual’s suitability for the job. However, this clause only applies if the processing of personal data is “necessary” for the performance of the contract or for taking steps at the request of the individual.

(c) processing is necessary for compliance with a legal obligation to which the controller is subject.

(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person. 

This means that organisations can process personal data if it is necessary to protect the life or health of the individual or another person. For example, processing may be necessary when an individual is unconscious and needs medical attention.

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

This means that organisations can process personal data if it is necessary to perform a task that is in the public interest or carried out by an organisation that has been given official authority. For example, a government agency can process personal data in order to investigate a crime or to provide social welfare benefits.

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Under this clause, organisations can process personal data if it is necessary to pursue their legitimate interests, but only if those interests are not overridden by the interests or fundamental rights and freedoms of individuals. Examples include processing personal data to improve the quality of a product or service, or to prevent fraud or abuse. However, the same clause adds that point (f) does not apply to processing carried out by public authorities in the performance of their tasks.

Conditions for consent

Art. 6(a) confirms that the individual has to give consent to the processing of his or her personal data. Art. 7 sets out the conditions under which such consent is validly obtained.

Art. 7(2):

If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.

For example, if a company is asking for consent to use a person’s personal data for marketing purposes, and the request for consent is buried in a long and complex terms-of-service agreement, then the consent will not be valid. The request for consent must be presented in a clear and concise way so that the person can easily understand what they are consenting to.

Art. 7(3):

The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.

This paragraph can be divided into four separate sentences. The first sentence states that the individual shall have the right to withdraw consent at any time. This means that they can change their mind about giving consent, and they can do so at any time.

The second sentence of the paragraph states that the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. This means that if the individual withdraws his consent, the organisation cannot be held liable for any processing that was done before the consent was withdrawn.

The third sentence states that the individual shall be informed of the right to withdraw consent prior to giving it. This means that the organisation must tell the data subject that they have the right to withdraw consent before they give it.

The fourth sentence of the paragraph states that it shall be as easy to withdraw as to give consent. This means that the organisation must make it as easy for the individual to withdraw consent as it was to give it in the first place.

We can understand from this paragraph that the right to withdraw consent is an important right for individuals, and it is one of the ways in which an individual can control their personal data. Organisations that process personal data must respect the right of individuals to withdraw their consent, and they must make it easy for them to do so.

Art. 7(4):

When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

This means that if an organisation is asking for consent to process personal data that is not necessary for the performance of a contract, then the organisation must carefully consider whether the consent is freely given. For example, if a company is asking for consent to use a person’s personal data for marketing purposes, and the consent is conditional on the person agreeing to purchase a product, then the consent is not likely to be freely given: the person may feel pressured to consent in order to purchase the product. The same applies where a company asks an employee for consent to process their personal data; the employee may feel pressured to consent because they are afraid of losing their job.

Overall, the assessment of whether consent is freely given is a complex matter, and there is no single answer that will apply in all cases. Organisations that process personal data must carefully consider all of the factors involved in order to ensure that they are obtaining valid consent from individuals.

In conclusion, Chapter Two of the General Data Protection Regulation (GDPR) sets out several important concepts in data protection law. The collection of individuals’ personal data must be lawful, fair and transparent, and the collected data may only be processed for legitimate purposes.

The GDPR sets out strict requirements for data processing and consent, and organisations that process personal data must carefully consider these requirements in order to ensure that they are obtaining valid consent from individuals.

In the next articles, we will provide a more in-depth analysis of the General Data Protection Regulation (GDPR), with a focus on its key provisions.

Please subscribe to our LinkedIn page to make sure you do not miss out on our future articles about GDPR and how it affects your business data handling.