EU General Data Protection Regulation – Part II


In a previous blog post, here, former Guest Kat Valentina Torelli discussed the scope of protection of the new data protection regime and the new types of personal data introduced by Regulation no. 679/2016 - General Data Protection Regulation (GDPR). In this post, Valentina will discuss on what grounds the processing of personal data can be considered lawful, the new rights afforded individuals with respect to personal data and the regulation on individual automated decision-making, especially “profiling”.

“Within the GDPR, the role of consent has taken on greater importance as the basis for allowing a third party to process the personal data of
another. Thus, consent to process the personal data of another must be sought in a wholly unambiguous manner, meaning that if such a request is included within a document that also addresses other matters, the request must be clearly separated from these other matters. The request for consent must be presented in an easily accessible form, in clear language, and it must enable the so-called "data subject" to understand that consent is being given for the processing of his or her personal data.

Moreover, since such consent must be freely given by the data subject, special attention must be paid to those situations in which the data subject is in effect left with no choice but to give consent. Consent will be deemed not to have been properly given where, for example, there is a clear imbalance of power between the data subject and the controller seeking consent, or where the processing of personal data is not necessary for the performance of the contract, even if it is included in the contract.

Additional provisions include the following:
(1) Consent where the processing of the personal data relates to a minor under the age of 13. Here, a controller will need to implement the means for verifying that consent has been given by the children's parents or guardian.

(2) Sensitive data, as defined, can be processed if explicit consent is given.

(3) In some cases, the prohibition against processing data cannot be overridden by consent if the EU or Member State law provides that such provision cannot be waived by the data subject, as might be the case where the processing of sensitive data is carried out for an unlawful and unnecessary purpose.
Notwithstanding the above, the processing of personal data may still be deemed to be lawful under certain circumstances, even in the absence of consent, as set out in Directive No. 46/1995 – Data Protection Directive. Examples include where the processing is necessary: i) to enter into or perform a contract to which the data subject is a party; or, ii) where a legal obligation of the controller is in furtherance of a legitimate interest of the controller or a third party, unless such interest prejudices a legitimate interest of the data subject's interest or a fundamental right thereof.

A further exception to the prohibition of processing of sensitive data can be based on the Data Protection Directive or provisions of the DGRP. Examples of the latter include where processing is needed in the public interest, for scientific or historical research or a certain statistical analysis, provided that the processing is proportional to the purpose for which it is being used. In addition to the traditional rights of the data subject regarding information, access, rectification and objection, the GDPR expressly grants individuals the right to erasure, data portability and processing restrictions.

The right to erasure of personal data, i.e., the right to be forgotten, can be seen as a consequence of the decision of the Court of Justice of the European Union in case C-131/12, Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González. The CJEU stated in that case that the data subject can request that his or her personal data be erased when they are no longer necessary for the purposes for which they were collected or processed, or the data subject has withdrawn his or her consent to processing. Also, the right to be forgotten applies where the data subject exercises his or her right to object or the data were unlawfully processed, where the controller has to comply with a legal obligation, or the data collected concern a minor. A data subject also has the right to request the restriction of personal data processing under certain circumstances, similar to those applicable to the right to erasure. For instance, where the personal data are inaccurate, the processing is unlawful or the data are no longer needed for the purposes for which they were collected, the data subject can request that the data controller avoid further processing of personal data that can no longer be changed, with the result that the scope of the processing activity is restricted.

The right to data portability has potentially significant impact on the technological and commercial interests of the controller because it is the gateway for individuals to avoid having their personal data locked-in by controllers. In this context, assuming that the processing is based on proper consent and carried out by automated means, a data subject has the right to request that the controller return the subject’s personal data, in a structured, commonly used and machine-readable format, as well as to be able to pass these data on to another controller without restrictions from the former controller.

It is assumed that the digital economy and the use of digital technologies in everyday life pose challenges to the lawfulness of the collection and processing of Big Data, including personal data, and that individuals leave digital footprints within the context of their online activities. For example, the use of cookies to enable analysis of the individual's behavior or forms of customer tracking means that a large amount of data can be aggregated and analyzed by companies to increase the value and improve their efficiency. In light of this, the GDPR introduces a specific provision regarding the legal consequences related to profiling. An individual has the right not to be subject to a decision based solely on such automated processing that brings about a legal result regarding such person, or otherwise has a significant effect on him, such as in the area of employment or finance.

Profiling is, nevertheless permitted: (i), where it is necessary for entering into or performing a contract with the data subject; ii) it is authorized by the law applicable to the data controller, or iii) where such law also safeguards the rights of the data subject or the data subject has freely given his or her informed consent, as discussed above. The profiling of special categories of data is forbidden unless the data subject has given his or her consent or it is particularly necessary in the public interest.”

IPKat extends a hearty feline “thanks” to Valentina for her two-part contribution on this complex, yet so crucial, subject.