The eData Guide to GDPR

One of the foundations of the GDPR is Article 5’s principle that a data controller may only process personal data “lawfully, fairly and in a transparent manner in relation to the data subject ('lawfulness, fairness and transparency').” This obligation has become a hallmark of data protection for European citizens. This installment of The eData Guide to the GDPR will unpack all three of these data processing requirements and discuss the GDPR’s definition of “processing.”

What is Processing?

Article 4 defines processing as

“Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”

“Processing” under the GDPR includes almost any action a business would take with someone’s personal data during the normal course of business: monitoring employees (including CCTV use or email monitoring), recording employee clock-in times, shredding documents that contain personal data, sending promotional emails, administering employee payroll, collecting customer information for billing purposes, etc. The breadth of the definition of “processing” makes the requirement that it be done “lawfully, fairly and transparently” even more stringent. Any interaction with personal data must meet these requirements.

How to “Lawfully” Process Data

Under Article 6, there are only six scenarios in which data can be “lawfully” processed. A business that wants to process someone’s personal data should actively decide (before processing the data) which of these scenarios the processing falls under and explicitly document that scenario. If the processing does not meet one of the six scenarios, the business cannot lawfully process that data. The six scenarios under which it is lawful to process data are:

(1) The data subject has given consent to the processing of his or her personal data for a specific purpose

On its face, consent seems to be one of the simplest ways to lawfully process data. However, Article 4 severely restricts the ways in which a controller can gain the consent of a data subject. It states that the data subject’s consent must be a “freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” Recitals 32, 42, and 43 provide clarification on what “freely given, specific, informed and unambiguous” means:

  • Unambiguous: The business should actively demonstrate that the data subject has given his or her free consent. If it is a written declaration of consent that was prepared by the business, the form should use “clear and plain” language and should not contain unfair terms. Silence, pre-ticked boxes or inactivity cannot constitute consent.[1]
  • Specific: The data subject’s consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. In the context of a written declaration on another matter, safeguards should ensure that the data subject is aware of the fact that, and the extent to which, consent is given.[2]
  • Informed: The data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended.[3]
  • Freely given: Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment. Consent cannot be given in a situation where there is a clear imbalance between the data subject and the controller.[4]

The European Commission provides examples to illustrate when a data subject’s consent would meet these requirements:

An airline company’s privacy notice indicates that the personal data of customers will be processed for a competition that offers a free flight as a prize, using a tick box for customers to agree to participate in the competition. The commission states that customers who tick the box to agree to participate in the competition have clearly signaled their wish to have their personal data processed for the purpose of the competition. Here, there is consent to process data for the purpose of the competition (but that data could not be used for purposes other than the competition).[5]

A company offers online movie services. When collecting the data needed for this contract, the company also asks for data related to sexual orientation and the political beliefs of a person. The commission states that the consent in this case is not free consent, because the person may believe that their consent for the processing of this type of data is necessary for access to the movies they request (the commission calls this “tied consent”).[6]

(2) The processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract

Processing is lawful where it is necessary in the context of a contract or the intention to enter into a contract. The European Commission provides an example to illustrate how personal data can be lawfully processed under this scenario:

A company that sells goods online can process data that is necessary to take steps at the request of the individual prior to entering into the contract and for the performance of the contract. In this situation, the business can lawfully process the name, delivery address, and credit card number (if payment is by card).[7]

(3) Processing is necessary for compliance with a legal obligation to which the controller is subject

Processing is lawful when it is carried out in accordance with a legal obligation to which the controller is subject. Recital 45 explains that this scenario does not require a specific law for each individual processing, and that one law may form the basis for several processing operations based on a legal obligation. The European Commission provides the following example to illustrate a correct use of a legal obligation to process personal data:

In order to obtain Social Security coverage, the law obliges a company to provide personal data (for example, the weekly income of employees) to the relevant authority. The company may lawfully collect and provide that specific data to the relevant authority to meet this legal obligation.

(4) Processing is necessary in order to protect the vital interests of the data subject or of another natural person

The processing of personal data is lawful where it is necessary to protect an interest that is essential for the life of the data subject or that of another natural person. The European Commission provides the following example to illustrate a correct use of the vital interest of a person for processing personal data:

A hospital is treating a patient after a serious road accident. The hospital doesn't need the patient’s consent to search for his ID to check whether that person exists in the hospital's database to find previous medical history or to contact his next of kin.

(5) Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

Processing of personal data is lawful when it is in the public interest or in the exercise of a controller’s official authority. The European Commission provides the following example to illustrate a correct use of a public interest processing of personal data:

A professional association such as a bar association or a chamber of medical professionals vested with an official authority to do so may lawfully process a member’s data in order to carry out disciplinary procedures against that person.

(6) Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party (except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject that require protection of personal data, in particular where the data subject is a child)

Processing is lawful when it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party. While this scenario seems straightforward on its face, it requires a more in-depth analysis because Article 6 explicitly includes an exception to the legitimate interest scenario: when the interests or fundamental rights and freedoms of the data subject override the legitimate interest of the processor, the processing is no longer considered lawful.

Recital 47, the European Commission, and opinions written by the precursor to the European Data Protection Board (the Article 29 Data Protection Working Party) explain that the “legitimate interest” analysis is a balancing test between the legitimate interest a business has in processing personal data and the overriding interests and privacy rights of the data subject. In analyzing this, the business must consider whether a data subject could reasonably expect the extent and type of processing the business intends to conduct. The interests and fundamental rights of the data subject could override the legitimate interest of a business if a data subject would not reasonably expect further personal data processing.

The texts provide a variety of examples of lawful legitimate interests of a business, including the following:

  • Where the data subject is a client or in the service of the controller, so that there is a relevant and appropriate relationship between the data subject and the controller[8]
  • Where the processing is necessary to prevent fraud[9]
  • Where the processing is for direct marketing purposes[10]
  • Where the processing is necessary for information security for the functioning of a company’s IT systems[11]

However, these interests must always be analyzed against the interests and fundamental rights of the data subject. For example, a pizza parlor may have a legitimate interest in collecting the personal data of its customers (billing information, recent order history, etc.) to fill customer orders and for use in direct marketing. However, if the pizza parlor collects much more data than the customer would reasonably expect (for example, tracking a customer’s location and website history via a phone app and using predictive data analytics to predict times when a particular customer orders pizza in order to manipulate pricing, etc.), then the fundamental right to privacy of the customer begins to outweigh the legitimate interest of the business to collect this type of data and the processing would not be lawful under the “legitimate interest” scenario.[12]

How to Process Data Fairly and Transparently

“Fairness” and “Transparency” are somewhat vague ideas that are tied together by Recital 39, which provides clear rules on how data processors can meet these two standards:

  • It should be transparent to a person that his or her personal data is being collected, used, analyzed, etc., and to what extent that specific data will be processed
  • Information and communications related to the processing should be in plain language and easy to understand
  • Data subjects should know who is processing their data and how they are using it
  • Data subjects should be aware of any risks, rules, safeguards and rights related to the processing of their data
  • The personal data collected should be adequate, relevant, and limited to what is necessary for the purposes of the collection
  • The length of time the personal data is maintained should be the minimum needed to accomplish the reason for the collection. Time limits should be set by the collector to ensure that personal data is kept no longer than necessary
  • Personal data should only be processed if the purpose for processing could not be accomplished by any other means
  • Every reasonable step should be taken to ensure that inaccurate personal data is rectified or deleted

The United Kingdom’s Information Commissioner’s Office also provides a helpful discussion on the principles of fairness and transparency, explaining that the assessment of whether a business is processing data fairly and transparently depends, in part, on how that business obtains the data. If a data subject is “deceived or misled,” then the processing is unlikely to be fair and transparent. Conversely, the outcome of processing someone’s personal data may cause harm to the person while still being “fair.” The commissioner uses the example of personal data collected to impose a fine for breaking the speed limit: although the information may cause detriment to the individuals concerned, the proper collection and use of personal data for these purposes will not be unfair.[13]

Conclusion

Almost any interaction a business has with someone’s personal data will be considered “processing” under the GDPR. Businesses must take the necessary steps to ensure that any processing is done “lawfully, fairly, and transparently” by considering the following before collecting or using personal data:

(1) Identify whether that processing can be done “lawfully” under one of the six scenarios provided in Article 6. If the processing falls under one of these scenarios, document the reason for processing and the lawful scenario that applies. If the processing cannot meet one of the six lawful scenarios, the business cannot process the data.

(2) Ensure that any data that can be lawfully processed is also processed “fairly” and “transparently.” This includes:

  • providing the data subject with clear and concise information, including who is processing the data, what specific personal data will be processed, the reason for processing the personal data, any risks associated with the processing, how long the personal data will be stored, etc.
  • ensuring that only the necessary data is processed and that any personal data in the business’s possession is safely stored
  • setting a time limit for how long that data will be stored and destroying any personal data after this time limit has been reached