Grounds for Processing Data and Rights of Data Subjects
Looking Back at Weet 3: Key concepts and principles in data protection law
Handbook on European data protection law: Chapter 4, pp. 139-164
Lawful processing of data
- Processing of sensitive data is subject to a stricter regime
Art. 5 GDPR
- All personal data processing must comply with the principles relating to data
Art. 6 & 9 GDPR
- Lawful grounds for making data processing legitimate
Consent
Art. 8 Charter of Fundamental Rights consent is primary law
Art. 6 GDPR: Consent as basis for processing
Art. 4 GDPR: Definition of valid consent
Art. 7 GDPR: Conditions for obtaining valid consent
Art. 8 GDPR: Special rules for child’s consent
Consent
Free
- Situation A: Municipality develops residence cards with an embedded chip. It is
not compulsory for residents to acquire those electronic cards. However,
residents who do not possess the card do not have access to a series of important
administrative services, such as the ability to pay municipal taxes online, to
submit complaints electronically benefitting from a three-day deadline.
Cannot be based on consent
- Situation B: A large company plans to create a directory containing the names of
all employees, their function in the company and their business addresses, solely
to improve internal company communications. The head of personnel proposes
adding a photo of each employee to the directory to make it easier to recognise
collegues at meetings. Employees’ representatives demand that this should be
done only if the individual employee consents.
Consent can be the basis
- Situation C: Company A is planning a meeting, between three of its employees
and the directors of Company B, to discuss a project. The meeting will take place
at the premises of Company B, who requires Company A to email them the
names, CVs and photos of the participants. Company B argues that it needs the
names and photos of the participants to allow security staff at the building’s
entrance to check that they are the right persons, while the CVs will enable the
directors tob etter prepare fort he meeting.
Cannot be based on consent
- Situation D: Supermarket gives a card and customers who have this card get a
very small discount of price.
, Consent can be the basis
Informed
Specific
Unambiguous
Additional Grounds for Processing Data
Necessity for the performance of a contract
Legal duties of the controller
Vital interests of the data subject or those of another natural person
Public interest and exercise of official authority
Legitimate interests pursued by the controller or by a third party
Processing special categories of data (sensitive data)
Exemptions include situations where:
Data subject explicitly consents to the data processing
Processing is carried out by a non-profit body with political, philosophical, religious or
trade union purposes during its legitimate activities and only relates to its (former)
members or to persons who have regular contact with it for such purposes
Processing concerns data explicitly made public by the data subject
Processing is necessary
The rights of data subjects
1. Right to be informed
- Controllers of processing operations are obliged to inform the data subject at the
time when personal data are collected about their intended processing
o This obligation does not depend on a request from the data subject,
rather the controller must proactively comply with the obligation,
regardless of whether the data subject shows interest in the information
or not
- Art. 12, 13, 14 GDPR
- Content of information (art. 13 lid 1 GDPR)
o Controller’s identity & contact details, including the DPO’s details, if any;
o Purpose and legal basis for the processing, i.e., a contract or legal
obligation;
o Data controller’s legitimate interest, if this provides the basis for
processing;
o Personal data’s eventual recipients or categories of recipients;
o Whether the data will be transferred to a third country or international
organisation, and whether this is based on an adequacy decision or relies
upon appropriate safeguards;
o The period for which the personal data will be stored, and if establishing
that period is not possible, the criteria used to determine the data storage
period;
The benefits of buying summaries with Stuvia:
Guaranteed quality through customer reviews
Stuvia customers have reviewed more than 700,000 summaries. This how you know that you are buying the best documents.
Quick and easy check-out
You can quickly pay through credit card or Stuvia-credit for the summaries. There is no membership needed.
Focus on what matters
Your fellow students write the study notes themselves, which is why the documents are always reliable and up-to-date. This ensures you quickly get to the core!
Frequently asked questions
What do I get when I buy this document?
You get a PDF, available immediately after your purchase. The purchased document is accessible anytime, anywhere and indefinitely through your profile.
Satisfaction guarantee: how does it work?
Our satisfaction guarantee ensures that you always find a study document that suits you well. You fill out a form, and our customer service team takes care of the rest.
Who am I buying these notes from?
Stuvia is a marketplace, so you are not buying this document from us, but from seller JustASmallTownGirl. Stuvia facilitates payment to the seller.
Will I be stuck with a subscription?
No, you only buy these notes for $3.15. You're not tied to anything after your purchase.