An agreement (a contract, Art. 6(1)(b)) is one of the most commonly used legal bases for processing. A typical example is a company operating an online store that has sold a product to a consumer and needs to process the customer’s address in order to ship the product: the address is necessary to deliver what the customer has ordered.
To use an agreement as a legal basis for processing, it is important to note that:
- The person whose personal data is being processed must be a party to the agreement.
- The processing of the relevant personal data must be necessary for the performance of the agreement.
- The agreement basis cannot be used to process special categories of personal data (Art. 9).
The agreement basis can only be used from the time an agreement has been entered into, not before. The same information may, however, be registered before the agreement is entered into if this is done to implement measures at the request of the data subject prior to entering into an agreement.
The agreement only applies between the individual who has entered into the agreement and the entity that is party to the agreement, in practice the organisation number stated as controller. This means that customer data or HR data cannot automatically be shared with other partners or other companies. If such sharing is to take place, a separate legal basis is required.
The Regulation’s rules on information security are set out in Article 32, while Articles 33 and 34 provide rules on notification to the Data Protection Authority and to the data subject, respectively, in the event of a “personal data breach”.
A personal data breach is defined in Article 4 as:
“A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
The controller shall document every personal data breach, including the facts relating to the breach, its effects and the remedial action taken, cf. Art. 33(5).
Under Article 33, the controller must notify the Data Protection Authority without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the breach is not notified within 72 hours, the reasons for the delay must be given.
If it is likely that the breach will result in a high risk to the rights and freedoms of data subjects, the controller shall communicate the breach to the data subject without undue delay, cf. Article 34.
If a processor becomes aware of a breach, the processor shall notify the controller without undue delay. This is natural because it is the controller that has the duty to notify the Data Protection Authority and, where applicable, the data subjects, not the processor.
The Data Protection Authority has categorised personal data breaches so that a breach may involve one or a combination of the following situations:
- Breach of confidentiality – accidental or unlawful disclosure of, or access to, personal data.
- Breach of integrity – accidental or unlawful alteration of personal data.
- Breach of availability – accidental or unlawful loss of access to, or destruction of, personal data.
The Data Protection Authority has also listed typical examples of incidents that must be reported:
- Dispatch errors:
  - Sensitive or otherwise protected personal data sent to the wrong recipient by post or e-mail.
  - Digital messages that reveal other recipients’ e-mail addresses in a context where recipients should be protected.
  - Dispatch to the correct recipient which, by mistake, also contains protected personal data about others.
  - Postal items sent to the correct recipient where information about the recipient that should be shielded is visible on the outside (for example, an invitation to a religious association meeting).
  - Postal items where the content is missing, or where the envelope has been torn open.
- Hacking or data intrusion – where personal data has been extracted, altered or made unavailable, or where it is likely that this has happened.
- Failed or inadequate access control – allowing unauthorised persons access to protected personal data.
- Online publication of personal data that should not have been published, or where the data has not been sufficiently anonymised.
- Physical break-in where unencrypted digital data or paper documents containing personal data have gone missing.
- Incorrect disposal – discarding or otherwise disposing of information without proper deletion or shredding.
- Lost/misplaced/forgotten:
  - Paper documents
  - Laptops, tablets or phones where the content is not encrypted
  - USB sticks or other small storage media where the content is not encrypted
A controller is responsible for implementing appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with the GDPR. The implementation shall take account of the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity. The controller is also responsible for reviewing and updating these measures.
To demonstrate compliance, a controller may adhere to approved codes of conduct in accordance with Art. 40 or an approved certification mechanism in accordance with Art. 42.
Where two or more controllers jointly determine the purposes and means of processing, they are joint controllers. There must be an arrangement that transparently sets out the respective responsibilities under the Regulation. The arrangement must reflect the actual roles and relationships of the joint controllers vis-à-vis the data subjects. The essence of the arrangement must be made available to the data subjects. A data subject may exercise their rights against any of the controllers, regardless of internal allocation of responsibilities.
Where a controller is not established in the EU but processes personal data of data subjects in the Union, the controller shall designate a representative in writing. The representative acts on behalf of the controller and serves as a contact point for data subjects. The representative must be established in one of the Member States where the relevant data subjects are located.
Appointing a representative does not relieve the controller of liability. An organisation that processes personal data of individuals in the EU is nevertheless not required to appoint a representative if the processing is only occasional, does not include large-scale processing of data as referred to in Art. 9(1) or Art. 10, and is unlikely to result in a risk to the rights and freedoms of natural persons (Art. 27(2)(a)). The requirement also does not apply to public authorities or bodies.
Where legitimate interest is used as the legal basis for processing, the controller is obliged to be transparent about this. The controller must:
- inform that legitimate interest is the legal basis used, and
- explain which interests are being pursued.
It is a condition for using this legal basis that the data subject’s fundamental rights and interests do not override the controller’s interest in processing the data. This balancing test must be carried out and documented by the controller.
In assessing the inconvenience or harm processing may cause the individual, it is natural to consider:
- the purpose of the processing, including whether it also serves the data subject’s interest or may have negative consequences
- the types of data being processed and whether they are sensitive, even if they are not special categories under Article 9
- the scope of the processing – the amount of data per data subject, number of data subjects, processing duration and any dissemination of the data
The balancing test must be documented so that it can be shown to the data subject on request and to the supervisory authority in the event of an audit.
Administrative fines are regulated in Art. 83 (and complemented by Art. 84, which leaves other penalties to national law) and are designed to be effective, proportionate and dissuasive. The level of fines is harmonised across Europe to avoid “safe havens”. The upper tier may reach up to four percent of global annual turnover or 20 million euros, whichever is higher; a lower tier of two percent or 10 million euros applies to, among other things, breaches of the controller and processor obligations in Articles 25 to 39.
In Norway, one of the largest fines has been notified to Oslo Municipality for security breaches in an app they used. The breach allowed unauthorised persons to access a school’s systems and retrieve information about pupils and employees. The notified fine was 2 million NOK. The size reflects that the data concerned children, who merit specific protection under the Regulation (Recital 38); note that data about children are not in themselves a special category under Article 9.
Internationally, Facebook agreed in 2019 to a 5 billion US dollar penalty imposed by the US Federal Trade Commission in connection with the Cambridge Analytica scandal (a US enforcement action, not a GDPR fine). The basis was that users had been misled about their ability to control how their personal data were shared. Data subjects were subjected to targeted marketing ahead of a presidential election on the basis of analyses of their personal details. Large volumes of data were shared and analysed without consent or knowledge, which contributed to the size of the penalty.
PwC was fined 150,000 euros by the Greek Data Protection Authority for relying on consent as the legal basis for processing employee data, where consent cannot be regarded as freely given because of the imbalance between employer and employee. The company also violated the principle of transparency by in practice relying on a legal basis employees were not aware of, and failed to provide adequate documentation for the chosen legal basis.
In some situations, a more extensive assessment of the processing of personal data is required – a Data Protection Impact Assessment (DPIA). The main objective is to ensure thorough assessment where processing is likely to result in a high risk to the rights and freedoms of data subjects.
As a main rule, a DPIA shall be carried out where processing is likely to result in a high risk to data subjects. An exception applies where the processing is necessary for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority, the processing is regulated by that law, and an impact assessment was already carried out when the law was adopted (Art. 35(10)).
Because the outcome of a DPIA may be that the processing must be changed or cannot be carried out at all, it should be performed as early as possible in a development or procurement process.
- Assess whether the processing falls within criteria typically indicating high risk. The Data Protection Authority has described types of processing where a DPIA is required.
- If an exception to the DPIA requirement applies, a DPIA is not necessary.
- If the organisation has a Data Protection Officer (DPO), the DPO should be involved. It should also be considered whether relevant industry standards exist. Organised groups of data subjects (for example patient organisations) may be consulted.
- Conduct the DPIA analysis itself.
- If a high risk still remains, the Data Protection Authority must be consulted for prior consultation. Norwegian law allows for regulations specifying that the Data Protection Authority may grant a licence (authorisation) and may impose conditions.
The organisation should first identify which processes require a DPIA. Once identified, an appropriate team should be established, and suppliers or partners involved in integrations and solutions may be invited.
The analysis is typically carried out through workshops and meetings. It is important to collect as much relevant information as possible beforehand, to avoid delays. Someone with data protection competence must participate, alongside system owners, business process experts, technical architects and relevant partners. Experience with risk assessments (ROS analyses) is also useful.
Once the DPIA is approved, the organisation should consider which parties need to be informed about the assessment.
Under Art. 35(7), the assessment shall contain at least:
- A systematic description of the planned processing operations, the purposes of the processing and, where applicable, the legitimate interests pursued.
- An assessment of whether the processing is necessary and proportionate in relation to the purposes.
- An assessment of the risks to the rights and freedoms of data subjects.
- A description of the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the Regulation.
A processor processes personal data on behalf of a controller. Processing requires a basis in a written contract or other legal act.
The contract shall set out:
- subject-matter and duration of the processing
- nature and purpose of the processing
- type of personal data
- categories of data subjects
- the obligations and rights of the controller
The contract shall, among other things, include:
- The processor shall only process personal data on documented instructions from the controller, unless required to do so by law. In such cases, the processor shall inform the controller of that legal requirement before processing.
- The contract shall ensure that persons authorised to process personal data are bound by confidentiality.
- The processor shall take all measures required pursuant to Art. 32.
- Written authorisation from the controller is required for the use of sub-processors, including changes in or replacement of existing sub-processors.
- The processor shall implement appropriate technical and organisational measures to assist the controller in fulfilling obligations under Chapter III regarding data subjects’ rights.
- The processor shall assist the controller in meeting obligations under Articles 32 to 36 (security, breach notification, DPIAs and prior consultation), taking into account the nature of the processing and the information available to the processor.
- There must be routines for deletion and/or return of personal data after the end of the provision of services.
- The processor shall make available to the controller all information necessary to demonstrate compliance with Art. 28.
Where the processor engages a sub-processor, the same data protection obligations shall be imposed. If the sub-processor fails to fulfil its data protection obligations, the processor remains fully liable to the controller.
If the processor determines the purposes and means of processing, it will be considered a controller for that processing.
Key terms used in this document (most are defined in Art. 4):
- Data subject – the individual whose personal data is processed.
- Personal data – any information relating to an identified or identifiable natural person, for example history, assessments, licence plate numbers, meter readings, images, voice recordings, biometric data, survey responses, toll passages, payment history, etc.
- Processing activity – any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- Legal basis – processing requires a basis in one of the legal grounds listed in Art. 6.
- Restriction of processing – the marking of stored personal data with the aim of limiting their future processing.
- Profiling – any form of automated processing of personal data used to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning performance at work, economic situation, health, personal preferences or characteristics.
- Pseudonymisation – processing of personal data in such a manner that they can no longer be attributed to a specific data subject without the use of additional information. The additional information shall be kept separately and subject to technical and organisational measures.
- Controller – a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing personal data.
- Processor – a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
- Third party – a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons authorised to process personal data under the direct authority of the controller or processor. Not to be confused with a sub-processor, which processes on behalf of the processor and is itself a processor, not a third party.
- Consent – any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them.
- Personal data breach – a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
- Genetic data – personal data relating to the inherited or acquired genetic characteristics of a natural person obtained from biological samples, providing unique information about the physiology or health of that person.
- Biometric data – personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person which allow or confirm the unique identification of that person.
- Health data – personal data related to the physical or mental health of a natural person, including the provision of health care services which reveal information about their health status.
- Representative – a natural or legal person established in the Union who is designated in writing by the controller or processor in accordance with Art. 27 to represent them regarding their obligations under the GDPR.
- Supervisory authority – an independent public authority established by a Member State pursuant to Art. 51.
- Cross-border processing –
- processing of personal data which takes place in the context of the activities of establishments of a controller or processor in more than one Member State; or
- processing which takes place in the context of a single establishment but which substantially affects or is likely to substantially affect data subjects in more than one Member State.
Article 3 regulates the territorial scope. Together with Article 2, it determines which processing activities the Regulation applies to.
The Regulation applies:
- To the processing of personal data in the context of the activities of an establishment of a controller or processor in the Union, regardless of whether the processing takes place in the Union or not.
- To the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
- the offering of goods or services to such data subjects in the Union, whether or not payment is required, or
- the monitoring of their behaviour as far as their behaviour takes place within the Union.
- To the processing of personal data by a controller not established in the Union but in a place where the law of a Member State applies by virtue of public international law.
If a controller or processor is not established in the EEA but processes personal data about individuals in the EEA, it must comply with the Regulation if it offers goods or services to those individuals, whether or not payment is required.
The same applies where such actors monitor the behaviour of individuals in the EU. The term “monitoring” is not exhaustively defined, but Recital 24 clarifies that it includes tracking natural persons on the internet, including the subsequent profiling, particularly to make decisions concerning them or to analyse or predict their personal preferences, behaviours or attitudes.
The right to be informed covers the Regulation’s transparency requirements between the controller and the data subject. Article 12 is a general provision on transparency and refers to other rights provisions in the same chapter.
Article 12 must be read in light of Art. 5(1)(a), which states that personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
The controller shall:
- ensure that data subjects receive information enabling them to assess whether their data are processed fairly
- ensure that information is provided in a form that is actually understandable to the intended audience
- facilitate the exercise of other rights by ensuring transparency, such as the rights to rectification and erasure
Articles 13 and 14 specify what must be communicated. The information must be actively provided, in a manner that is easy to access, read and understand.
- Article 13 applies when data are collected directly from the data subject.
- Article 14 applies when data are collected from other sources.
The controller must provide:
- the identity and contact details of the controller and, where applicable, of the controller’s representative
- the contact details of the Data Protection Officer, where applicable
- the purposes of the processing and the legal basis
- where the legal basis is Art. 6(1)(f), the legitimate interests pursued by the controller or a third party
- the recipients or categories of recipients of the personal data
- where applicable, details of transfers to third countries or international organisations and reference to the safeguards applied
In addition, the controller must provide:
- the period for which the personal data will be stored, or the criteria used to determine that period
- information on the right to request access, rectification, erasure, restriction, data portability and to object
- where the processing is based on Art. 6(1)(a) or Art. 9(2)(a), the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal
- the right to lodge a complaint with a supervisory authority
- whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, and whether the data subject is obliged to provide the data and the possible consequences of failure to provide such data
- the existence of automated decision-making, including profiling, referred to in Art. 22(1) and (4), and, at least in those cases, meaningful information about the logic involved and about the significance and the envisaged consequences of such processing
The controller shall provide the same information as above, plus:
- from which source the personal data originate, and
- if applicable, whether they came from publicly accessible sources
The information shall be provided:
- within a reasonable period after obtaining the personal data, but at the latest within one month
- if the data are to be used for communication with the data subject, at the latest at the time of the first communication
- if disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed
¶ Data protection by design and by default
Data protection by design and by default is regulated in Art. 25. “Privacy by design” was developed by the Information and Privacy Commissioner of Ontario in the 1990s and has since been adopted internationally.
Data protection by design requires that the controller implement appropriate technical and organisational measures designed to implement data protection principles in Art. 5 effectively. The measures must be suitable to:
- achieve the intended purposes, and
- reduce the risks to the rights of data subjects
Measures may include technical solutions and organisational provisions such as training staff who process personal data. The EDPB guidelines on Art. 25 encourage the implementation of such measures at the earliest stages of designing new processing operations.
Requirements are assessed in light of:
- the state of the art
- implementation costs (including time and human resources)
- the nature, scope, context and purposes of processing
- the risks and surrounding circumstances
The controller is responsible for keeping up to date with technological advances. It is not sufficient to implement generic measures; each measure must have a real and demonstrable effect.
Art. 25 does not prescribe specific measures; any set of measures is acceptable provided it is adequate for the organisation’s processing activities and its effect can be demonstrated.
When assessing risk, the EDPB refers to Art. 35 on DPIAs. A DPIA describes the processing and assesses necessity and proportionality in light of risk, and can also be used as a basis for the risk analysis required under Art. 25.
Examples of measures:
- Pseudonymisation to comply with principles such as confidentiality, integrity and data minimisation.
- Systems that technically limit collection and storage to only what is necessary for the purpose.
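The glossary definition of pseudonymisation and the example of measures above both turn on the same point: the data set alone must not allow attribution to a person, and the “additional information” that makes re-identification possible has to live somewhere else, under its own controls. The following is an added example (not code from the original page or from any named organisation) showing what that means in practice. It uses constructed, fictitious customer records; the HMAC key and the token vault stand in for the separately held additional information, and the key handling (a KMS or HSM) is assumed, not implemented.

```python
"""Pseudonymisation with the re-identification key held separately.

Added example with constructed sample data. The HMAC key and the token
vault are the "additional information" (Art. 4(5)) that must be stored
apart from the pseudonymised data set.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Iterable, List, Optional

# Constructed sample records: fictitious identifiers, not real people.
RECORDS = [
    {"national_id": "01019912345", "name": "Kari Nordmann", "meter_kwh": 412},
    {"national_id": "02029954321", "name": "Ola Nordmann", "meter_kwh": 388},
    {"national_id": "01019912345", "name": "Kari Nordmann", "meter_kwh": 430},
]

DIRECT_IDENTIFIERS = ("national_id", "name")


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed hash. Deterministic, but anyone can recompute it from a list
    of candidate identifiers, so for low-entropy values (national IDs,
    e-mail addresses) it is reversible and is not real pseudonymisation."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 pseudonym. Still deterministic, so records about the same
    person can be joined, but it cannot be recomputed without the key."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def dictionary_attack(target: str, candidates: Iterable[str],
                      fn: Callable[[str], str]) -> Optional[str]:
    """What someone holding only the pseudonymised data set can do: try
    every plausible identifier through the public function and compare."""
    for candidate in candidates:
        if hmac.compare_digest(fn(candidate), target):
            return candidate
    return None


class TokenVault:
    """Random tokens plus a mapping table. The table is the additional
    information; it belongs in a separate, access-controlled store, and
    only the controller's re-identification path may read it."""

    def __init__(self) -> None:
        self._to_token: Dict[str, str] = {}
        self._to_identity: Dict[str, str] = {}

    def tokenise(self, identifier: str) -> str:
        token = self._to_token.get(identifier)
        if token is None:
            token = secrets.token_hex(16)
            self._to_token[identifier] = token
            self._to_identity[token] = identifier
        return token

    def reidentify(self, token: str) -> Optional[str]:
        return self._to_identity.get(token)


def pseudonymise_records(records: List[dict], key: bytes) -> List[dict]:
    """Replace the direct identifiers with a keyed pseudonym and keep only
    the attribute needed for the purpose (data minimisation)."""
    return [{"subject": keyed_pseudonym(r["national_id"], key),
             "meter_kwh": r["meter_kwh"]} for r in records]


def contains_direct_identifiers(records: List[dict]) -> bool:
    """Check that no direct identifier survived in the output set."""
    return any(field in r for r in records for field in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    # Assumption: in production the key comes from a KMS/HSM, never from
    # the same store as the data.
    key = secrets.token_bytes(32)
    data = pseudonymise_records(RECORDS, key)
    candidates = [r["national_id"] for r in RECORDS]
    print("unkeyed hash recovered:",
          dictionary_attack(naive_pseudonym("01019912345"), candidates, naive_pseudonym))
    print("keyed pseudonym recovered:",
          dictionary_attack(data[0]["subject"], candidates, naive_pseudonym))
    vault = TokenVault()
    print("vault re-identification:", vault.reidentify(vault.tokenise("01019912345")))
```

The two designs trade off differently: the keyed hash needs no mapping table and joins consistently across data sets that share the key, while the token vault makes re-identification an explicit, auditable lookup and lets tokens be revoked or rotated per record. Either way, losing the key or the table with the data set turns the pseudonymised data back into directly identifying data, which is why the separation is a requirement and not a convenience.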
Data protection by default requires that the default configuration of a system be the most privacy-friendly, especially where the system controls:
- the amount of personal data collected
- the extent of processing
- storage duration
- accessibility of data
Personal data shall by default not be made accessible to an indefinite number of people or retained indefinitely. Only data necessary for each specific purpose shall be processed.
This applies both to parameters set by the controller and options made available to data subjects. The controller must specify purposes beforehand, in order to ensure appropriate measures are in place for the specific processing.
For example, a social media platform should set users’ profile settings to the most privacy-friendly default so that personal data are not by default available to an undefined number of persons.
The right of access gives the data subject the right to obtain a copy of personal data as well as additional information. Under Art. 15, the data subject has the right to obtain information about:
- the purposes of the processing
- the categories of personal data
- the recipients or categories of recipients, in particular recipients in third countries or international organisations
- the envisaged period for which the personal data will be stored, or the criteria used to determine that period
- the right to request rectification, erasure, restriction, data portability and to object
- the right to lodge a complaint with a supervisory authority
- where the data are not collected from the data subject, any available information as to their source
- the existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing
A well-written privacy notice will often cover most of this, except for the actual copy of the specific personal data and, in some cases, a complete list of third parties and processors.
The right of access means that the data subject may gain insight into many types of documents, including internal documents and free-text fields or chat messages where the person is mentioned. The right applies only to personal data about that individual; other people’s personal data, and information that is not personal data, can be redacted before the copy is handed over, since the copy must not adversely affect the rights and freedoms of others (Art. 15(4)).
Recital 59 recommends that organisations provide tools to enable electronic requests, especially where the processing is electronic. Organisations should consider creating an access request form that data subjects can complete and submit electronically. However, an access request is valid regardless of how it is submitted, and organisations must make it clear that using a form is not mandatory.
Chapter V of the Regulation applies where a controller or processor transfers, or intends to transfer, personal data to third countries or international organisations.
A third country is a country outside the EU. EEA countries (Norway, Iceland, Liechtenstein) are not considered third countries once they have implemented the Regulation.
One legal basis for transfer is an adequacy decision by the European Commission, recognising that a third country ensures an adequate level of data protection. Transfers to such countries are comparable to transfers within the EU/EEA and do not require additional authorisation or notification to the Data Protection Authority. As of 11 December 2019, there were 13 adequacy decisions.
Where there is no adequacy decision, a transfer may take place if the controller or processor has provided “appropriate safeguards” and on condition that data subjects have enforceable rights and effective legal remedies, cf. Art. 46(1). The safeguards listed in Art. 46(2) include:
- Standard Contractual Clauses adopted by the European Commission
- binding corporate rules (BCRs)
- approved codes of conduct or certification mechanisms
If the standard clauses do not fit the situation, it is possible to draft bespoke contractual terms. Such contracts must be approved by the Data Protection Authority, with endorsement by the European Data Protection Board (EDPB).
Public authorities that transfer personal data to foreign counterparts may include data protection clauses in administrative arrangements, such as a Memorandum of Understanding or similar. These must grant data subjects enforceable rights and effective remedies and must be approved by the Data Protection Authority.
If none of the transfer mechanisms apply, transfers to third countries may still be lawful in a limited set of exceptional situations (the derogations in Art. 49). These exceptions are narrow, must be interpreted restrictively, and, depending on which derogation is used, the Data Protection Authority must be informed of the transfer. More information is available on the Data Protection Authority’s website.
A Data Protection Officer is a resource designated by the organisation to provide guidance and information on obligations under the GDPR. The DPO shall monitor compliance with the Regulation, other EU provisions and national data protection rules. This includes:
- allocation of responsibilities
- raising awareness and training staff involved in processing personal data
- advising on processing operations
The DPO must have sufficient independence and cannot hold a position in the organisation’s top management. The DPO may be internal or external. There are no formal educational requirements, but the DPO must be appointed based on expertise and professional qualities. The DPO acts as the contact point for the supervisory authority and for data subjects.
The obligation to appoint a DPO arises when the organisation:
- is a public body or authority, or
- as part of its core activities, regularly and systematically monitors data subjects on a large scale (the Data Protection Authority uses smart meters (AMS) as an example), or
- as part of its core activities, processes special categories of personal data such as health data, sexual life, political or religious beliefs, biometric data, etc., in accordance with Art. 9, or
- is a processor for organisations that fall into the categories above.
Monitoring sickness absence among the organisation’s own staff is generally not regarded as a core activity, in contrast to health care provision in a hospital. Providers of electronic communications services (telecoms) are obliged to appoint a DPO.
Article 5 lays down the general, fundamental principles for processing. These:
- define what constitutes lawful processing
- are central to interpreting the rest of the Regulation and any national rules
As a baseline, all processing must comply with these principles, and any exception must be explicitly provided for in the Regulation.
Personal data shall:
- Be processed lawfully, fairly and transparently in relation to the data subject (lawfulness, fairness and transparency).
- Be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (purpose limitation).
- Be adequate, relevant and limited to what is necessary in relation to the purposes (data minimisation).
- Be accurate and, where necessary, kept up to date, and every reasonable step must be taken to ensure that inaccurate personal data are erased or rectified without delay (accuracy).
- Be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes (storage limitation).
- Be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (integrity and confidentiality).
Art. 5(2) adds that the controller is responsible for, and must be able to demonstrate, compliance with these principles (accountability).
In certain situations, the data subject has the right to obtain restriction of processing. Restriction means that personal data are still stored but further processing is limited or paused.
The data subject has the right to restriction where:
- The accuracy of the personal data is contested by the data subject, and the organisation is verifying the accuracy.
- The processing is unlawful, but the data subject opposes erasure and requests restriction instead.
- The organisation no longer needs the personal data for the purposes of the processing, but the data subject requires them for the establishment, exercise or defence of legal claims.
Article 18 regulates this right.
The right to data portability applies where the legal basis is consent or contract and the processing is carried out by automated means (i.e. not paper-based).
This right allows the individual to:
- receive personal data concerning them in a structured, commonly used and machine-readable format, and/or
- have the personal data transmitted directly from one controller to another where technically feasible.
The data subject is entitled to information about how personal data are processed. This is often provided in a privacy notice or privacy information.
Articles 13 and 14 set out the information that must be provided (see the section on Information). The right of access gives the data subject the additional right to obtain a copy of their personal data and supplementary information. This helps the data subject understand how and why organisations use their personal data and allows them to verify compliance.
Article 16 gives data subjects the right to have inaccurate personal data rectified. The data subject can also have incomplete personal data completed.
Article 17 provides the right to erasure (“the right to be forgotten”). The right is not absolute and does not apply, for example, where the controller must comply with a legal obligation requiring retention, such as bookkeeping rules that require accounting records to be kept for a certain period.
The data subject has the right to object to processing where they have specific reasons related to their particular situation. The right to object is not absolute and depends on the legal basis for processing and the data subject’s situation, cf. Art. 21.
If an organisation receives an objection and does not have compelling legitimate grounds to override it, it must stop the processing. However, deletion may not always be appropriate if the data are also processed for other lawful purposes. In such cases, the organisation may need to keep the data for those other purposes.
Automated decision-making refers to decisions taken solely by automated means, without human involvement.
Organisations may use fully automated decisions producing legal effects or similarly significant effects only if:
- the decision is necessary for entering into or performing a contract,
- it is authorised by Union or Member State law, provided that suitable measures to safeguard the data subject’s rights, freedoms and legitimate interests are in place, or
- it is based on the data subject’s explicit consent.
All processing must have a legal basis under Art. 6. The alternatives are:
- the data subject has given consent to the processing of personal data for one or more specific purposes
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the data subject’s request prior to entering into a contract
- processing is necessary for compliance with a legal obligation to which the controller is subject
- processing is necessary in order to protect the vital interests of the data subject or another natural person
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, in particular where the data subject is a child.
Article 2 sets out the material scope of the GDPR. The Regulation applies broadly and generally to any processing of personal data, electronic or physical, where the data are structured or processed in a way that enables retrieval of personal data.
The Regulation is technology-neutral and applies regardless of the technology used.
The article provides that the Regulation applies to:
- fully or partly automated processing (IT systems, etc.), and
- non-automated processing of personal data which form part of a filing system or are intended to form part of a filing system (manual registers, etc.)
Article 2(2) provides exceptions to the material scope. These relate to processing in connection with certain activities. For example:
- processing in the course of an activity which falls outside the scope of Union law
- processing carried out by Member States in the framework of the Common Foreign and Security Policy
- processing carried out by a natural person in the course of a purely personal or household activity – here, context is decisive
- processing by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including safeguarding against and the prevention of threats to public security
Under Art. 6(1)(a), processing may be based on the data subject’s consent. Consent used as a legal basis must be linked to one or more specific purposes.
The Regulation does not prescribe a specific form for consent, but the controller must be able to demonstrate that consent has been obtained and what the data subject has consented to. It must also be possible to document that the data subject was informed of the content of the consent.
Consent must be given before processing begins.
According to Art. 4(11), consent means:
“Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them.”
For consent to be valid:
- Freely given – there must be a genuine choice; consent should not be bundled with other conditions or given under pressure or power imbalance. Consent is therefore often unsuitable in employment relationships and for public authorities exercising their powers.
- Specific – it must relate to clearly defined purposes.
- Informed – the data subject must understand what they are consenting to; the information must be easily accessible, clear and in plain language.
- Unambiguous – it must involve a clear affirmative action (e.g. ticking a box).
Consent can be withdrawn at any time, and it must be as easy to withdraw as to give. Once consent is withdrawn, the data may no longer be processed on the basis of consent and will normally have to be erased, unless another legal basis exists (for example, bookkeeping rules requiring retention of some records).
The legal bases for processing special categories of personal data are set out in Art. 9. As a main rule, it is prohibited to process personal data revealing:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade-union membership
- genetic data
- biometric data for the purpose of uniquely identifying a natural person
- data concerning health
- data concerning a natural person's sex life or sexual orientation.
Exceptions to the prohibition include:
- explicit consent from the data subject
- necessity in the field of employment, social security and social protection law, in accordance with Union or Member State law or collective agreements
- protection of vital interests where the data subject is physically or legally incapable of giving consent
- processing by foundations, associations or other not-for-profit bodies with a political, philosophical, religious or trade-union aim, within the framework of their legitimate activities and with appropriate safeguards
- data which are manifestly made public by the data subject
- necessity for the establishment, exercise or defence of legal claims
- reasons of substantial public interest, on the basis of Union or Member State law, subject to proportionality, respect for the essence of the right to data protection and suitable safeguards
- necessity for the purposes of preventive or occupational medicine, assessment of working capacity, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services, on the basis of law or contract with a health professional
- reasons of public interest in the area of public health, such as protection against serious cross-border threats to health or ensuring high standards of quality and safety of health care and medicinal products or medical devices
- necessity for archiving in the public interest, scientific or historical research purposes or statistical purposes.
1. Derogations from the right to information and access (Articles 13 and 14)
- The controller is not obliged to provide information where the data subject already has the information listed in Art. 13(1)–(3), but must ensure that previously provided information is still adequate.
- Art. 14(5)(a)–(d) provides derogations from the information obligation where:
  - it is impossible to provide the information (and this must be factually demonstrated),
  - it would involve a disproportionate effort (balancing effort against the disadvantage to data subjects),
  - providing the information is likely to render impossible or seriously impair the achievement of the objectives of the processing,
  - the collection or disclosure is expressly laid down by law, or
  - the data must remain confidential subject to an obligation of secrecy under Union or Member State law.
- Art. 14(4) provides an exception from the right to obtain a copy where this would adversely affect the rights and freedoms of others.
Exceptions to the “right to be forgotten” are grounded in other overriding interests such as freedom of expression and information, public health and broader public interests. Under Art. 17(3), the right to erasure does not apply where processing is necessary for:
- exercising the right of freedom of expression and information,
- compliance with a legal obligation or performance of a task carried out in the public interest or in the exercise of official authority,
- reasons of public interest in the area of public health,
- archiving in the public interest, scientific or historical research or statistical purposes,
- the establishment, exercise or defence of legal claims.
There are two exceptions to the obligation to notify recipients of rectification or erasure:
- where it is impossible to provide notification (assessed objectively), and
- where it would involve a disproportionate effort (taking into account the number of recipients and the resources required to contact them).
Art. 21(6) limits the right to object where processing is necessary for the performance of a task carried out in the public interest and the processing serves purposes of scientific or historical research. The limitation applies only as long as the processing is necessary for these purposes.
5. Derogations from the prohibition on automated decisions and profiling (Art. 22)
The prohibition does not apply where the controller can rely on one of the legal grounds in Art. 22(2):
- the decision is necessary for entering into, or performance of, a contract with the data subject (point (a)),
- the decision is authorised by Union or Member State law which lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests (point (b)),
- the decision is based on the data subject’s explicit consent (point (c)).