Legitimate processing of PII

Legitimate processing – grounds

Does the law require that the holding of PII be legitimised on specific grounds, for example to meet the owner’s legal obligations or if the individual has provided consent?

The General Data Protection Regulation (GDPR) requires data controllers rely on a legal ground set forth in the GDPR for all processing of personally identifiable information (PII). Additional conditions must also be satisfied when processing sensitive PII.

The grounds for processing non-sensitive PII are:

  • consent of the individual;
  • performance of a contract to which the individual is party or in order to take steps at the request of the data subject prior to entering into a contract;
  • compliance with a legal obligation, other than a contractual obligation (a legal obligation arising under the laws of a non-European Union jurisdiction is not sufficient for the purposes of this ground);
  • protection of the vital interests of the individual (ie, a life or death situation);
  • the processing is necessary for carrying out public functions; or
  • the processing is necessary for the legitimate interests of the data controller (or third parties to whom the PII is disclosed), unless overridden by the individual’s fundamental rights, freedoms and legitimate interests.

 

Legitimate processing – types of PII

Does the law impose more stringent rules for specific types of PII?

Distinct grounds for legitimate processing apply to the processing of sensitive PII (also known as ‘special categories of PII’). ‘Sensitive PII’ is defined as PII relating to a data subject’s:

  • racial or ethnic origin;
  • political opinions;
  • religious or similar beliefs;
  • trade union membership;
  • physical or mental health;
  • sex life or sexual orientation;
  • genetic data;
  • biometric data (when processed for the purpose of uniquely identifying a natural person);
  • commissioning or alleged commissioning of any offence; or
  • any proceedings for committed or alleged offences, the disposal of such proceedings of sentence of any court.

 

Where a controller processes sensitive PII it must establish both a ground for processing both non-sensitive PII (eg, consent, performance of a contract, etc) and a separate ground for processing sensitive PII.  The GDPR sets forth a number of grounds that may be relied upon for the processing of sensitive PII, including:

  • explicit consent of the individual;
  • performance of employment law obligations;
  • protection of the vital interests of the individual (ie, a life or death situation);
  • processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim, and the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes, and that the PII is not disclosed outside that body without the consent of the data subjects;
  • the processing relates to PII, which is manifestly made public by the data subject;
  • the exercise of public functions;
  • processing in connection with legal proceedings, legal advice or in order to exercise legal rights;
  • processing for medical purposes;
  • processing necessary for reasons of public interest in certain specific areas; or
  • processing necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

 

In addition to the grounds set forth in the GDPR, the Data Protection Act 2018 (DPA) sets forth a number of additional grounds that also may be relied upon, including:

  • processing necessary for monitoring and ensuring equality of opportunity or treatment;
  • preventing or detecting unlawful acts;
  • preventing fraud;
  • processing to comply with regulatory requirements relating to establishing whether a person has committed unlawful acts or has been involved in dishonesty, malpractice or other seriously improper conduct; and
  • in connection with administering claims under insurance contracts or exercising rights and complying with obligations arising in connection with insurance contracts.

 

Data handling responsibilities of owners of PII

Notification

Does the law require owners of PII to notify individuals whose PII they hold? What must the notice contain and when must it be provided?

 

Data controllers are obliged to notify individuals of:

  • the data controller’s identity and contact information and, where applicable, the identity and contact information of its representative;
  • the contact details of the data controller’s data protection officer (DPO), if it has appointed one;
  • the purposes for which the personally identifiable information (PII) will be processed and the legal basis for processing;
  • the legitimate interests pursued by the data controller, if applicable;
  • the recipients or categories of recipients of the PII;
  • the fact that the data controller intends to transfer the PII to a third country and the existence or absence of an adequacy decision by the European Commission, and a description of any safeguards (eg, EU Model Clauses) relied upon and the means by which individuals may obtain a copy of them;
  • the period for which PII will be stored or the criteria used to determine that period;
  • a description of the rights available to individuals;
  • the existence of the right to withdraw consent at any time;
  • the right to lodge a complaint with an European Union data protection supervisory authority;
  • whether the provision of PII is a statutory or contractual requirement, or is necessary to enter into a contract, as well as whether the individual is obliged to provide the PII and of the consequences of failure to provide such PII; and
  • the existence of automated decision-making and, if so, meaningful information about the logic involved as well as the significance and envisaged consequences of the processing for the individual.

 

When PII is obtained from a source other than the individual concerned, the data controller must also inform individuals of the source from which the PII originated and the categories of PII obtained.

Notice must be provided at the time the PII is collected from the data subject. When PII is obtained from a source other than the data subject it relates to, the data controller needs to provide the data subject with the notice:

  • within a reasonable period of obtaining the PII and no later than one month;
  • if the data controller uses the data to communicate with the data subject, at the latest, when the first communication takes place; or
  • if the data controller envisages disclosure to someone else, at the latest, when the data controller discloses the data.

 

 

Exemption from notification

When is notice not required?

Where PII is obtained from a source other than the data subject, then provision of notice is not required if:

  • the individual already has the information;
  • the provision of such information would be impossible or require disproportionate effort (in which case the data controller shall take appropriate measures to protect data subjects, including making the relevant information publicly available);
  • the provision of the information would render impossible or seriously impair the achievement of the objectives of the processing;
  • obtaining or disclosure of the PII is required by EU law to which the data controller is subject; or
  • where the PII is subject to an obligation of professional secrecy under UK or EU law.

 

Control of use

Must owners of PII offer individuals any degree of choice or control over the use of their information? In which circumstances?

Individuals have a number of rights in relation to PII held by data controllers:

  • to obtain confirmation of whether the data controller processes PII about the individual and to obtain a copy of that PII (also known as ‘the right of access’);
  • to rectify PII that is inaccurate;
  • to have PII erased in certain circumstances (eg, when the PII is no longer necessary for the purposes for which it was collected by the data controller);
  • to restrict the processing of PII;
  • to obtain a copy of PII in a structured, commonly used and machine-readable format, and to transmit that PII to a third-party data controller without hindrance, to the extent that it is technically feasible (also known as ‘the right to data portability’);
  • to object to the processing of PII in certain circumstances; and
  • not to be subject to decisions based solely on the automated processing of PII, except in particular circumstances.

 

Data processors are not required to comply with data subject rights requests, but are required to provide assistance to data controllers on whose behalf they process PII to respond to any such requests.

Data accuracy

Does the law impose standards in relation to the quality, currency and accuracy of PII?

The data controller must ensure that PII is relevant, accurate and, where necessary, kept up to date in relation to the purpose for which it is held.

Amount and duration of data holding

Does the law restrict the amount of PII that may be held or the length of time it may be held?

The data controller must ensure that PII is adequate, relevant and not excessive in relation to the purpose for which it is held. This means that the data controller should not collect or process unnecessary or irrelevant PII. The Data Protection Act 2018 and the General Data Protection Regulation do not impose any specified retention periods. PII may be held only for as long as is necessary for the purposes for which it is processed.

Finality principle

Are the purposes for which PII can be used by owners restricted? Has the ‘finality principle’ been adopted?

PII may only be used for specified and lawful purposes, and may not be processed in any manner incompatible with those purposes. The purposes must be specified in the notice given to the individual.

In addition, recent case law has confirmed the existence of a tort of ‘misuse of private information’. Under this doctrine, the use of private information about an individual for purposes to which the individual has not consented may give rise to a separate action in tort against the data controller, independent of any action taken under the DPA.

Use for new purposes

If the finality principle has been adopted, how far does the law allow for PII to be used for new purposes? Are there exceptions or exclusions from the finality principle?

PII may not be processed for new purposes unless the further purposes are lawful (ie, based on a lawful ground). It may be processed for a new purpose as long as that purpose is not incompatible with the original purpose, but notice of the new purpose must be provided to the individual. Where a new purpose would be incompatible with the original purpose, it must be legitimised by the consent of the individual unless an exemption applies. For example, PII may be further processed for certain specified public interest purposes, including the prevention of crime or prosecution of offenders and processing for research, historical or statistical purposes.

Law stated date

Correct on

Give the date on which the information above is accurate.

4 May 2020.