Legal bases for personal data processing
The controller cannot process personal data at its own discretion. There must be a legal basis. Determining the legal basis is one of the first steps an entrepreneur should take when dealing with personal data. Below, I have prepared a brief summary of the legal grounds and the situations in which personal data may be processed.
Art. 6 sec. 1 of GDPR[1] determines six situations in which personal data processing is lawful. It is a closed list, and each controller, before starting any operations on data, should make sure that at least one of the situations indicated in this provision has occurred, i.e.:
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Consent for personal data processing
One of the most common grounds for processing personal data is the consent of the data subject. In many forms on the internet you can find check-boxes whose only purpose is to express such consent. Controllers, acting very carefully, obtain consent even when it is not necessary because there is a different basis for the processing of personal data. This is not a mistake – it is better to have two bases for processing than none. Therefore, remember – if you are not sure whether you can lawfully process personal data, ask the data subject for consent to the processing. Then, such consent (if it has been properly granted) will become the basis for processing.
Processing indispensable for contract performance
Another legal basis for the processing of personal data is processing necessary to perform a contract. If you conclude a contract with a natural person, you do not have to ask that person for consent to process personal data in order to perform the contract. The conclusion of the contract and its performance will constitute a sufficient legal basis. Moreover, this basis is available even before a contract is concluded: Art. 6 sec. 1 p. b) of GDPR stipulates that the processing of personal data is lawful also in order to take steps at the request of the data subject prior to entering into a contract.
Compliance with a legal obligation to which the controller is subject
Legal provisions impose many obligations on entrepreneurs. Some of them require the processing of personal data. In such a situation, the controller also does not need to obtain consent for processing. Fulfillment of an obligation imposed on it by law will constitute a sufficient basis. In the case of entrepreneurs, these situations are not common, but they do occur. As an example I can mention the disclosure of personal data of representatives of children subject to compulsory vaccinations pursuant to Art. 17 sec. 8 p. 2 of the Act on Preventing and Combating Infections and Infectious Diseases of Humans. Personal data processing to fulfill a legal obligation is much more common in the case of public entities.
Protection of vital interests of data subject or another natural person
In my practice, I encounter this basis for the processing of personal data very rarely. Perhaps this is due to the fact that it is not entirely clear what is meant by “protecting vital interests”. Therefore, entrepreneurs prefer to seek consent to the processing of personal data rather than risk relying on this legal basis for the processing. As in the case of the controller’s legal obligation, it is more common in the case of public entities.
Performance of task carried out in public interest
This ground also applies primarily to public entities. Processing of personal data by entrepreneurs as part of exercising public authority entrusted to them is extremely rare.
Purposes of legitimate interests pursued by controller
The last basis for the processing of personal data resulting from GDPR is processing necessary for the purposes of the legitimate interests pursued by the controller. As there is no definition of the legitimate interest of the controller in GDPR, the subject is very broad and sensitive. Controllers are often very creative and try to justify personal data processing by reference to their legitimate interest. This is not always correct. Moreover, when assessing the possibility of data processing on this basis, the interests of the controller should be weighed against the interests of the data subjects. Pursuant to Art. 6 sec. 1 p. f) of GDPR, personal data may not be processed for the purposes of the legitimate interests pursued by the controller if these interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This balancing test is often missed in the controllers’ assessment of the grounds for processing. As an example of personal data processing pursuant to Art. 6 sec. 1 p. f) of GDPR, it is possible to indicate data processing for marketing purposes or for the purpose of conducting a competition. However, there is no consensus in the doctrine – there are many voices claiming that consent for processing should be obtained for this type of activity. Everything depends on the details of a given case, but in my opinion, there are situations when carrying out marketing activities (including the organization of competitions) may be considered a legitimate interest of the controller.
Footnotes
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)