Legitimate processing of PILegitimate processing – grounds
Does the law require that the processing of PI be legitimised on specific grounds, for example to meet the owner’s legal obligations or if the individual has provided consent?
Under the Data Protection Act 2018 (the DP Act), personal information (PI) processing must be based on one of six grounds to be lawful, which are:
- the individual’s consent;
- performance of a contract to which the individual is or intends to be a party;
- compliance with a legal obligation;
- protection of the vital interests of the individual or another natural person;
- performance of a task carried out in the public interest or the exercise of official authority; or
- the legitimate interests pursued by the data controller or by a third party.
Legitimate processing – types of PI
Does the law impose more stringent rules for processing specific categories and types of PI?
In general, the DP Act prohibits the processing of ‘special categories of personal data’. These categories of personal data include the PI revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and genetic data, biometric data processed for the purpose for uniquely identifying a natural person, PI concerning health and PI concerning a natural person’s sex life or sexual orientation. However, the law sets out 10 situations or purposes that render the processing lawful.
- The data subject has given explicit consent to the processing of such personal data for one or more specified purposes, except where the law provides that the processing may not be carried out on the basis of consent.
- Processing is necessary for the purposes of carrying out the obligations and exercising statutorily prescribed rights of the controller or of the data subject in the field of employment and social security as well as social protection law, insofar as such processing is authorised by law or a collective agreement providing for appropriate safeguards for the fundamental rights, freedoms and the interests of the data subject.
- Processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent.
- Processing is carried out in the course of registered activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim. This is also contingent on the processing being related solely to the members or to former members of the body, or to persons who have regular contact with it in connection with its purposes, and that the personal data are not disclosed outside that body without the consent of the data subjects.
- Processing relates to personal data that are manifestly made public by the data subject.
- Processing is necessary for the establishment, exercise or defence of legal claims, or whenever courts are acting in their judicial capacity.
- Processing is necessary for reasons of substantial public interest, on the basis of law, insofar as such processing is proportionate to the aim pursued; respects the essence of the right to data protection; and provides for suitable and specific measures to safeguard the fundamental rights and interests of the data subject.
- Processing is necessary for the purposes of preventive or occupational medicine; the assessment of the working capacity of the employee; medical diagnosis; the provision of health or social care or treatment; or the management of health or social care systems and services on the basis of law or pursuant to contract with a health professional. This is provided that the processing is carried out by, or under the supervision of, a health professional or other person who has an obligation to keep professional secrecy prescribed by law or professional rules.
- Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care, medicinal products or medical devices, which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy.
- Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, provided that the processing is proportionate to the aim pursued, respects the essence of the right to data protection, and provides for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
Data handling responsibilities of owners of PITransparency
Does the law require owners of PI to provide information to individuals about how they process PI? What must the notice contain and when must it be provided?
The obligation to inform individuals on all relevant aspects of personal information (PI) processing falls on the data controller. The notice must be provided at the time the PI is collected. Under the Data Protection Act 2018 (the DP Act), the notice must contain information about:
- the identity and the contact details of the controller and its representative;
- the contact details of the data protection officer, where applicable;
- the purposes of the processing as well as the legal basis for the processing;
- the legitimate interests pursued by the controller or by a third party when such interest is the legal basis for the processing;
- the recipients or categories of recipients of the personal data, if any;
- where applicable, the fact that the controller intends to transfer PI to a third country or international organisation and the legal basis for the transfer;
- the period for which the PI will be stored or, if that is not possible, the criteria used to determine that period;
- the existence of the right to request from the controller access to and rectification or erasure of PI, or restriction of processing concerning the individual or to object to the processing as well as the right to data portability;
- where the processing is based on consent, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
- the right to lodge a complaint with the Commissioner for Information of Public Importance and Personal Data Protection; and
- the existence of automated decision-making, including profiling, information about the logic involved in the automated decision-making, and the significance and the envisaged consequences of such processing for the individual.
Also, a PI controller who collects PI from a third party must inform the individual about it, within a specified time and with the inclusion of elements largely resembling those when PI is collected from the individual.Exemptions from transparency obligations
When is notice not required?
Where PI is collected from the individual, notice is not required if the individual already has the information about the relevant aspects of the PI processing.
Where PI has not been obtained from the individual, there are three additional exemptions from the controller’s obligation to notify:
- if the provision of information proves impossible or would involve a disproportionate effort;
- if obtaining or disclosure is expressly laid down by law that provides appropriate measures to protect individual’s legitimate interests; or
- where the PI must remain confidential subject to an obligation of professional secrecy regulated by European Union or EU member state law, including a statutory obligation of secrecy.
Control of use
Must owners of PII offer individuals any degree of choice or control over the use of their information? In which circumstances?
Individuals may control the use of their PII by not consenting to the PII processing, where consent is the legal basis for the processing. Also, individuals may exercise the right to access their personal information held by PII controllers and other substantive rights.Data accuracy
Does the law impose standards in relation to the quality, currency and accuracy of PI?
The DP Act prescribes that the PI must be adequate and relevant concerning the purposes for which it is processed. Also, the PI must be accurate and, where necessary, kept up to date. Taking into account the purposes of the processing, every reasonable step must be taken to erase or rectify inaccurate PI without delay.Data minimisation
Does the law restrict the types or volume of PI that may be collected?
The DP Act restricts the volume and types of PI that may be collected.
The PI must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed (data minimisation principle).
The DP Act generally prohibits the processing of ‘special categories of personal data’. These categories include PI revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying a natural person, PI concerning health and PI concerning a natural person’s sex life or sexual orientation. The law sets out 10 situations in which, exceptionally, processing ‘special categories of personal data’ is permissible.
Processing of PI relating to criminal convictions, offences and security measures may be carried out only under the control of official authority or, when the processing is permitted by law, providing for appropriate safeguards for the rights and freedoms of individuals.Purpose limitation
Are there any restrictions on the purposes for which PI can be used by owners? If there are purpose limitations built into the law, how do they apply?
Under the DP Act, the purpose of the processing of PI must be clearly determined and permissible. As a rule, processing for purposes other than those specified is not allowed.
Personal information collected and processed for a particular purpose may also be processed for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes.Use for new purposes
If there are purpose limitations built into the law, how do they apply?
Personal information collected and processed for a particular purpose may also be processed for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes.
Law stated dateCorrect on
Give the date on which the information above is accurate.
31 May 2022.