LAWFULNESS OF PROCESSING PERSONAL DATA, Lecture 1

One of the key elements of the GDPR is a list of conditions under which personal data may be processed lawfully. If any one condition is met, processing is legal. Each participant should therefore be aware that, in any situation, the processing activity should meet at least one of the following conditions:

  • the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

Consent has to be given freely. The data subject should have the possibility to give separate consent to different personal data processing operations, depending on the specific purposes of the data collection. Consent should also be easy to withdraw. This condition cannot serve as a legal basis for processing personal data when there is a clear imbalance between the data subject and the controller.

  • the data processing is necessary:

      1. for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

Processing should be lawful where it is necessary in the context of a contract or the intention to enter into a contract. The data subject always has to be a party to the contract or the person who is entering into it. A contract concluded or entered into by another person, only in favour of the data subject, will not fulfil this condition.

      2. for compliance with a legal obligation to which the controller is subject;

In this case, the processing should have a basis in Union or Member State law. That law could specify the general conditions of the GDPR governing the lawfulness of personal data processing, and establish specifications for determining the controller, the type of personal data to be processed, the data subjects in question, the entities to which the personal data might be disclosed, the purpose limitations, the storage period, and other measures to ensure lawful and fair processing.

      3. in order to protect the vital interests of the data subject or of another natural person;

This legal basis for processing personal data should, in principle, be used only when the processing cannot be based on another legal ground. However, some types of processing may serve both important grounds of public interest and the vital interests of the data subject, for example when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread, or in situations of humanitarian emergencies.

      4. for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

This condition is similar to the condition of necessity for compliance with a legal obligation. It also requires that the processing of personal data has a basis in Union or Member State law. As with the condition of fulfilling a legal obligation, the law may regulate which entity may perform a task carried out in the public interest, or where it is in the public interest to do so, e.g. for health purposes or social protection.

      5. for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

The existence of a legitimate interest should be carefully assessed, because the interests and fundamental rights of the data subject could, in particular, override the interest of the data controller. Legitimate interests of the controller or a third party may qualify as the legal basis for processing personal data if there is a relevant and appropriate relationship between the data subject and the controller, for example in situations where the data subject is a client or in the service of the controller. Also, the processing of personal data necessary for the purposes of fraud prevention constitutes a legitimate interest of the data controller concerned.