Legitimate processing of PII

Legitimate processing – grounds

Does the law require that the holding of PII be legitimised on specific grounds, for example to meet the owner’s legal obligations or if the individual has provided consent?

PII holding has to be legitimised on one of the following specific grounds:

  • consent;
  • performance of a contract (eg, to proceed to payments or other obligations in the contract) or a precontractual stage necessitating the collection of PII (to conduct due diligence);
  • compliance with a legal obligation of the PII owner, (eg, imposed by tax legislation, labour law or a court order in the course of a criminal investigation);
  • performance of a task in the public interest vested with the PII controller, eg, when the PII controller is a public authority;
  • protection of the vital interests of a data subject (eg, health) or of another natural person; or
  • protection of the legitimate interest of the PII owner or a third party (for example with whom the PII owner has a contractual relationship) that is not overridden by the rights and interests of the data subjects.
Legitimate processing – types of PII

Does the law impose more stringent rules for specific types of PII?

Processing of personal data revealing racial or ethnic origins, political opinions, religious or philosophical beliefs or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation is in principle prohibited.

The processing of such data is exceptionally permitted if:

  • an explicit consent is available, unless consent is not the legal basis for processing;
  • the vital interests of the data subject or of another natural person are concerned, and the data subject is physically or legally incapable of giving consent;
  • a substantial public interest specified by law is at stake;
  • it is necessary to defend a legal claim;
  • it is necessary for reasons of public health, specified in the law;
  • personal data has been manifestly made public by the data subject; or
  • it is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

Specific types of data related to beliefs may be processed by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim in the course of their legitimate activities, and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data is not disclosed outside that body without the consent of the data subjects.

Data handling responsibilities of owners of PII

Notification

Does the law require owners of PII to notify individuals whose PII they hold? What must the notice contain and when must it be provided?

Yes, the PII owner must notify the individual whose PII it holds. If PII is collected from the data subject, then the notification must be made at the time of the collection. If PII is collected from another source, then the notification must take place within a reasonable period after collection depending on the circumstances, and in any case not exceeding one month, or at the time of the first communication with the data subject, if the PII is to be used for that purpose, or prior to a disclosure to another recipient, if PII is to be used for such a purpose.

The notification must contain:

  • the identity and contact details of the PII owner and the contact details of the DPO, if applicable;
  • the purposes and the legal basis of processing. If the legal basis for processing is a legitimate interest of the PII owner, the PII owner must explain the legitimate interest. If the legal basis is a statutory, contractual or pre-contractual obligation, the PII owner has to explain such an obligation, and also the consequences, in case of failure to provide such data;
  • the retention period or the retention criteria;
  • the eventual recipients and data transfers. If PII is transferred outside the EU, the PII owner has to explain whether the PII is transferred to an organisation or a third country covered by an adequacy decision or not. If not, the PII owner has to demonstrate the appropriate safeguards governing such a transfer and offer the ability to have a copy of them;
  • the data subjects’ rights (access, rectification or erasure of personal data, restriction of processing concerning the data subject and objection to processing, as well as the right to data portability and the ability to withdraw consent, if applicable), including the right to lodge a complaint before the supervisory authority; and
  • if PII owner has not been obtained the PII from the data subject, the PII owner has to inform the data subject about the source of the PII, as well as whether it came from a publicly available source.
Exemption from notification

When is notice not required?

A notification is not required if the data subject already has all the information required and the PII owner is able to demonstrate such fact, for example, if all the required information has been provided before acquiring consent to data processing.

Additionally, if PII has been obtained by a source other than the data subject, then notification is not required if it is impossible, would demand disproportionate effort or would make impossible or impair seriously the objectives of the processing; or if the PII must remain confidential due to professional or statutory secrecy obligations.

Control of use

Must owners of PII offer individuals any degree of choice or control over the use of their information? In which circumstances?

As a principle, individuals are entitled to provide their consent to the processing of any personal data concerning them. This means that the individual freely (that is, without any coercion or fear of the consequences) gives a specific (that is, related to a particular purpose), informed and unambiguous indication of his or her wishes, by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Additionally, PII owners must offer individuals the ability to withdraw their consent to processing in the future as easily as the consent was given.

Data accuracy

Does the law impose standards in relation to the quality, currency and accuracy of PII?

Not specifically.

Amount and duration of data holding

Does the law restrict the amount of PII that may be held or the length of time it may be held?

PII may be kept for as long as it is necessary to serve the purpose of processing. No specific retention period is laid down in the GDPR. However, specific retention periods may be found in respective legislation. For example, a school has to maintain medical certificates of pupils for three years; then it has to return old certificates and request new ones.

Finality principle

Are the purposes for which PII can be used by owners restricted? Has the ‘finality principle’ been adopted?

Yes, the finality principle applies.

Use for new purposes

If the finality principle has been adopted, how far does the law allow for PII to be used for new purposes? Are there exceptions or exclusions from the finality principle?

Further processing is exceptionally permitted in the following cases:

  • if the data subject has given his or her consent to the processing for a specific purpose other than that for which the personal data has been collected;
  • if a law that is both necessary and proportionate in a democratic society provides for such an exception in order to safeguard important aspects of the public interest, such as national security, defence, public security, the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security, an important economic or financial interest of the EU or a member state, the protection of judicial independence and judicial proceedings, the enforcement of civil law claims, etc;
  • for archiving purposes in the public interest, for scientific or historical research purposes or statistical purposes, under the condition that such further processing does not permit or no longer permits the identification of data subjects; or
  • if the PII owner can ascertain compatibility of the initial purpose with the further purpose, taking into account any link between them, the context in which the PII has been collected, in particular regarding the relationship between the data subjects and the PII owner, the nature of the personal data (if it is simple or sensitive), possible consequences for the data subjects and the existence of appropriate safeguards, which may include encryption or pseudonymisation.