The European Union's General Data Protection Regulation ("GDPR") is arguably the most comprehensive - and complex - data privacy regulation in the world. As companies prepare for the GDPR to go into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.
To help address that confusion, Bryan Cave is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the GDPR, and concerning related data privacy laws in the European Union.
Question: Does a company’s reason for processing information impact whether it must honor a right of access?
Answer: No.
The GDPR recognizes six situations in which a company may process personal data. As the following chart illustrates, some individual rights – such as the right to be forgotten – depend on which permissible purpose a company relies upon. Other individual rights – such as the right to access personal information – do not.
| Permissible Purpose | Right to be forgotten | Right to Access data | Right to data portability | Right to rectification | Right to object to processing |
| --- | --- | --- | --- | --- | --- |
| Consent (i.e., Article 6(1)(a)) | Y | Y | Y1 | Y | Y2 |
| Contract (i.e., Article 6(1)(b)) | Y | Y | Y3 | Y | X |
| Compliance with legal obligation (i.e., Article 6(1)(c)) | X | Y | X | Y | X |
| Protecting vital interest of data subject (i.e., Article 6(1)(d)) | Y | Y | X | Y | X |
| Public interest (i.e., Article 6(1)(e)) | Y4 | Y | X | Y | Y |
| Legitimate interest of controller (i.e., Article 6(1)(f)) | Y5 | Y | X | Y | Y |