Legitimate processing of PII

Legitimate processing – grounds

Does the law require that the holding of PII be legitimised on specific grounds, for example to meet the owner’s legal obligations or if the individual has provided consent?

The holding of personally identifiable information (PII) has to be legitimised on one of the following specific grounds:

  • consent;
  • performance of a contract (eg, to make payments or perform other obligations under the contract) or a pre-contractual stage necessitating the collection of PII (eg, to conduct due diligence);
  • compliance with a legal obligation of the PII owner (eg, one imposed by tax legislation, labour law or a court order in the course of a criminal investigation);
  • performance of a task in the public interest vested in the PII controller (eg, when the PII controller is a public authority);
  • protection of the vital interests of a data subject (eg, health) or of another natural person; or
  • protection of the legitimate interest of the PII owner or a third party (eg, one with whom the PII owner has a contractual relationship) that is not overridden by the rights and interests of the data subjects.

Legitimate processing – types of PII

Does the law impose more stringent rules for specific types of PII?

Processing of the following personal data is, in principle, prohibited:

  • data recording racial or ethnic origins, political opinions, religious or philosophical beliefs, or trade union membership;
  • genetic data;
  • biometric data for the purpose of uniquely identifying a natural person;
  • data concerning health; and
  • data concerning a natural person’s sex life or sexual orientation.

However, the processing of such data is exceptionally permitted if:

  • explicit consent is available, unless consent is not the legal basis for processing;
  • the vital interests of the data subject or of another natural person are concerned, and the data subject is physically or legally incapable of giving consent;
  • a substantial public interest specified by law is at stake;
  • it is necessary to defend a legal claim;
  • it is necessary for reasons of public health, specified in the law;
  • personal data has been manifestly made public by the data subject; or
  • it is necessary for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes.

Specific types of data relating to beliefs may be processed by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim in the course of its legitimate activities, on condition that the processing relates solely to the members or former members of the body, or to persons who have regular contact with it in connection with its purposes, and that the personal data is not disclosed outside that body without the consent of the data subjects.

Data handling responsibilities of owners of PII

Notification

Does the law require owners of PII to notify individuals whose PII they hold? What must the notice contain and when must it be provided?

A personally identifiable information (PII) owner must notify the individual whose PII it holds.

If PII is collected from the data subject, then the notification must be made at the time of the collection.

If PII is collected from another source, then the notification must take place:

  • within a reasonable period after collection depending on the circumstances, but not exceeding one month;
  • at the time of the first communication with the data subject, if the PII is to be used for that purpose; or
  • prior to disclosure to another recipient, if PII is to be used for that purpose.

The notification must contain:

  • The identity and contact details of the PII owner and the contact details of the data protection officer, if applicable.
  • The purposes and the legal basis of processing. If the legal basis for processing is a legitimate interest of the PII owner, the PII owner must explain the legitimate interest. If the legal basis is a statutory, contractual or pre-contractual obligation, the PII owner has to explain such an obligation, and also the consequences, in case of failure to provide such data.
  • The retention period or the retention criteria.
  • Any recipients of the PII and any data transfers. If PII is transferred outside the EU, the PII owner has to explain whether or not the PII is transferred to an organisation or a third country covered by an adequacy decision. If not, the PII owner has to demonstrate the appropriate safeguards governing such a transfer and offer a copy of them.
  • The data subjects’ rights (ie, access, rectification or erasure of personal data, restriction of processing concerning the data subject and objection to processing, as well as the right to data portability and the ability to withdraw consent, if applicable), including the right to lodge a complaint before the supervisory authority.
  • The source of the PII, as well as whether it came from a publicly available source, if the PII was not obtained from the data subject.

Exemption from notification

When is notice not required?

Based on the General Data Protection Regulation (GDPR), a notification is not required if the data subject already has all the information required and the PII owner is able to demonstrate that fact (eg, if all the required information was provided before obtaining consent to data processing). Moreover, if PII was obtained from a source other than the data subject, then the notification is not required if:

  • notification is impossible;
  • notification would demand disproportionate effort;
  • notification would make it impossible or seriously impair the objectives of the processing; or
  • the PII must remain confidential due to professional or statutory secrecy obligations.

Greek Law 4624/2019, articles 31 and 32, provides for additional exemptions from the obligation to notify the data subject in the case of further processing, namely:

  1. if notification would seriously endanger the performance of duties with respect to national security and defence; public security; the prevention, investigation, detection or prosecution of criminal offences and the execution of penalties; or other important objectives of general public interest;
  2. if notification would impede the establishment, exercise or defence of legal claims and the PII owner's interests override the data subject's interests; or
  3. if exercising the right would impede a confidential transfer of data to the public sector.

In case (1), the PII owner is obliged to inform the public about the further processing and explain why data subjects were not individually notified. In its opinion 1/2020 on Greek Law 4624/2019, the Greek Data Protection Authority reserved the right to assess the conformity of these exemptions with the GDPR as they are applied in each case.

Control of use

Must owners of PII offer individuals any degree of choice or control over the use of their information? In which circumstances?

As a principle, individuals are entitled to give their consent to the processing of any personal data concerning them. Consent means that the individual freely (that is, without any coercion or fear of the consequences) gives a specific (that is, related to a particular purpose), informed and unambiguous indication of his or her wishes, by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Additionally, PII owners must offer individuals the ability to withdraw their consent to processing in the future as easily as the consent was given.

Data accuracy

Does the law impose standards in relation to the quality, currency and accuracy of PII?

Not specifically.

Amount and duration of data holding

Does the law restrict the amount of PII that may be held or the length of time it may be held?

PII may be kept for as long as it is necessary to serve the purpose of processing. No specific retention period is laid down in the GDPR. However, specific retention periods may be found in respective legislation. For example, a school has to maintain medical certificates of pupils for three years; then it has to return old certificates and request new ones.

Finality principle

Are the purposes for which PII can be used by owners restricted? Has the ‘finality principle’ been adopted?

Yes, the finality principle applies.

Use for new purposes

If the finality principle has been adopted, how far does the law allow for PII to be used for new purposes? Are there exceptions or exclusions from the finality principle?

Further processing is exceptionally permitted in the following cases:

  • if the data subject has given his or her consent to the processing for a specific purpose other than that for which the personal data has been collected;
  • if a law that is both necessary and proportionate in a democratic society provides for such an exception in order to safeguard important aspects of the public interest, such as:
    • national security, defence and public security;
    • the prevention, investigation, detection or prosecution of criminal offences and the execution of criminal penalties;
    • safeguarding against and the prevention of threats to public security, an important economic or financial interest of the European Union, or a member state;
    • the protection of judicial independence and judicial proceedings; or
    • the enforcement of civil law claims;
  • for archiving purposes in the public interest, for scientific or historical research purposes or statistical purposes, under the condition that such further processing does not permit or no longer permits the identification of data subjects; or
  • if the PII owner can ascertain the compatibility of the initial purpose with the further purpose, taking into account:
    • any link between them;
    • the context in which the PII has been collected, in particular regarding the relationship between the data subjects and the PII owner;
    • the nature of the personal data (ie, if it is simple or sensitive);
    • possible consequences for the data subjects; and
    • the existence of appropriate safeguards (eg, encryption or pseudonymisation).

Law stated date

Correct on

Give the date on which the information above is accurate.

25 May 2020.