Use the Lexology Navigator tool to compare the answers in this article with those from other jurisdictions.

Collection and storage of data

Collection and management

In what circumstances can personal data be collected, stored and processed?

Personal data must be:

  • processed lawfully, fairly and in a transparent manner. The transparency principle mandates that the data subject be informed prior to the processing by way of a privacy notice containing the elements required under Articles 12 to 14 of the EU General Data Protection Regulation (GDPR) (2016/679);
  • collected and recorded for specific, explicit and legitimate purposes and not processed in a manner that is incompatible with those purposes;
  • adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
  • accurate and, where necessary, up to date;
  • kept in a form which permits the identification of the data subject for no longer than is necessary for the purposes for which the data is processed; and
  • processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage, using appropriate technical or organisational measures.

Any personal data that is processed in violation of the above principles will be deemed to have infringed the law. Further, in order to process personal data lawfully, data controllers must rely on one or more of the following legal bases:

  • The data subject has consented to the processing of their personal data for one or more specific purposes.
  • The processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject before entering into a contract.
  • The processing is necessary for compliance with a legal obligation to which the controller is subject.
  • The processing is necessary to protect the vital interests of the data subject or another natural person.
  • The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  • The processing is necessary to fulfil the legitimate interests of the controller or a third party, except where such interests are overridden by interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.

Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?

As a rule, personal data must be stored in a way that allows identification of the data subject for no longer than is necessary in relation to the scope within which the data has been processed (Article 5(1)(e) of the GDPR). In some cases, national law may establish a specific retention period – for example, providers of electronic communication services (eg, telecoms service providers, Voice over Internet Protocol providers and email service providers):

  • can process traffic data that is strictly necessary in relation to contracting parties’ billing and connection payments for up to six months; and
  • must retain telephone and electronic communication traffic data, but not the content of such communications, for 72 months from the date of the communication for the purpose of detecting and suppressing criminal offences.

Other sectorial laws may set specific data retention requirements (eg, anti-bribery, anti-money laundering and tax law).

Under the GDPR, data controllers must disclose the period for which personal data will be stored or, if that is not possible, the criteria used to determine that period.

Do individuals have a right to access personal information about them that is held by an organisation?

Data subjects have the right to confirm whether personal data concerning them exists, regardless of whether it has already been recorded. Data subjects also have the right to request the communication of such data in an intelligible form.

Further, data subjects have the right to be informed of:

  • the purposes of the processing;
  • the categories of personal data concerned;
  • the recipients or categories of recipient to whom the personal data has been or will be disclosed – in particular, recipients in third countries or from international organisations;
  • where possible, the envisaged period for which the personal data will be stored or, if impossible, the criteria used to determine that period;
  • their right to request the controller to rectify or erase their personal data or restrict its processing and object to such processing;
  • the right to lodge a complaint with a supervisory authority;
  • any available information as to the personal data’s source where it was not collected from the data subject;
  • the existence of automated decision making, including profiling, which produces legal effects concerning or significantly affecting the data subject so that they can obtain meaningful information about the logic involved and the significance and envisaged consequences of such processing.

Under Articles 15 to 22 of the GDPR, data subjects have further rights, including:

  • the right to lodge a complaint with a supervisory authority;
  • the right to request the data controller to rectify or erase personal data or restrict the processing of data concerning the data subject and to object to such processing;
  • the right not to be subject to a decision based solely on automated processing which produces legal effects concerning or significantly affecting the data subject; and
  • the right to data portability.

Do individuals have a right to request deletion of their data?

Pursuant to Article 17 of the GDPR, data subjects have the right to request that a data controller erases personal data that concerns them without undue delay. The data controller must comply with the request if:

  • the personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
  • the data subject withdraws consent and there is no other legal ground for the processing;
  • the data subject objects to the processing and there are no overriding legitimate grounds for the processing, or the data subject objects to direct marketing and profiling (to the extent that profiling is related to such direct marketing);
  • the personal data has been unlawfully processed;
  • the personal data must be erased to comply with an EU or EU member state law to which the controller is subject; or
  • the personal data has been collected in relation to an offer of information society services.

Moreover, where the data controller has made the personal data public and is obliged to erase it, the data controller, taking into account the available technology and cost of implementation, must take reasonable steps, including technical measures, to inform the data controllers that are processing the personal data that the data subject has requested the erasure of any links, copies or replications of the personal data (right to de-listing).

Consent obligations

Is consent required before processing personal data?

The processing of personal data may be based on a data subject’s consent or on one or more of the other legal bases in Article 6 of the GDPR. In order to be valid, consent must be freely given (pursuant to Article 7(4), it must be considered whether the performance of a contract is conditional on consent to process personal data that is unnecessary for the performance of that contract). Consent must be:

  • specific (ie, related to a clearly defined and specific processing operation), informed and constitute an unambiguous indication of the data subject's wishes, thereby excluding the validity of implied consent; and
  • given in the form of a statement or clear affirmative action which signifies agreement to the processing of personal data.

Further, the controller must be able to demonstrate that the data subject has consented to such processing.

For the processing of special categories of personal data (eg, health data or data that may reveal the data subject’s racial or ethnic origin), consent must also be explicit. Special categories of personal data may also be processed when at least one of the legal bases laid down in Article 10 of the GDPR (sometimes, a legal basis of both Articles 6 and 10 must be satisfied, as clarified by the Article 29 Working Party guidelines on the notion of the legitimate interests of the data controller under Article 7 of EU Data Protection Directive (95/46/EC).

If consent is not provided, are there other circumstances in which data processing is permitted?

Aside from consent, personal data may be lawfully processed where at least one of the following grounds apply:

  • processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  • processing is necessary for compliance with a legal obligation to which the controller is subject;
  • processing is necessary in order to protect the vital interests of the data subject or another natural person;
  • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
  • processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by interests or fundamental rights and freedoms of the data subject which require protection of personal data – in particular, where the data subject is a child.

What information must be provided to individuals when personal data is collected?

Pursuant to Article 13 of the GDPR, where personal data is collected from the data subject, they must be preliminarily informed either orally or in writing of:

  • the identity and contact details of the data controller and, where applicable, its representative;
  • the contact details of the data protection officer, where applicable;
  • the purposes and legal basis of the processing for which the personal data is intended;
  • whether the processing is based on the legitimate interest ground and the legitimate interests pursued by the controller or a third party;
  • the recipients or categories of recipients of the personal data, if any;
  • whether the controller intends to transfer personal data to a third country or international organisation, along with further information regarding the lawfulness of the transfer;
  • the period for which the personal data will be stored or, if that is impossible, the criteria used to determine that period;
  • the existence of the right to:
    • request from the controller access to and rectification or erasure of personal data or the restriction of processing concerning the data subject;
    • object to processing; and
    • the right to data portability;
  • the existence of the right to withdraw consent at any time where the processing is based on the data subject’s consent;
  • the right to lodge a complaint with a supervisory authority;
  • whether the provision of personal data is a statutory or contractual requirement or a requirement necessary to enter into a contract;
  • whether the data subject must provide the personal data and the possible consequences of failure to provide such data;
  • the existence of automated decision making, including profiling, which produces legal effects or significantly affects the data subject; and
  • meaningful information about the logic involved and the significance and envisaged consequences of such processing for the data subject.

Pursuant to Article 14 of the GDPR, where personal data is not collected from the data subject, the data controller must provide the data subject with:

  • the information set out in Article 13, plus the categories of personal data concerned; and
  • the source from which the personal data originates and whether it came from a publicly accessible source.

In this instance, it is not mandatory to inform the data subject of:

  • whether the provision of personal data is a statutory or contractual requirement; or
  • the consequences of refusing to provide such data.

Click here to view the full article.