Grounds for Processing Data and Rights of Data Subjects
Looking Back at Week 3: Key concepts and principles in data protection law
Handbook on European data protection law: Chapter 4, pp. 139-164
Lawful processing of data
- Processing of sensitive data is subject to a stricter regime
Art. 5 GDPR
- All personal data processing must comply with the principles relating to data
Art. 6 & 9 GDPR
- Lawful grounds for making data processing legitimate
Consent
Art. 8 Charter of Fundamental Rights: consent is primary law
Art. 6 GDPR: Consent as basis for processing
Art. 4 GDPR: Definition of valid consent
Art. 7 GDPR: Conditions for obtaining valid consent
Art. 8 GDPR: Special rules for child’s consent
Consent
Free
- Situation A: Municipality develops residence cards with an embedded chip. It is
not compulsory for residents to acquire those electronic cards. However,
residents who do not possess the card do not have access to a series of important
administrative services, such as the ability to pay municipal taxes online, to
submit complaints electronically benefitting from a three-day deadline.
Cannot be based on consent
- Situation B: A large company plans to create a directory containing the names of
all employees, their function in the company and their business addresses, solely
to improve internal company communications. The head of personnel proposes
adding a photo of each employee to the directory to make it easier to recognise
colleagues at meetings. Employees’ representatives demand that this should be
done only if the individual employee consents.
Consent can be the basis
- Situation C: Company A is planning a meeting, between three of its employees
and the directors of Company B, to discuss a project. The meeting will take place
at the premises of Company B, who requires Company A to email them the
names, CVs and photos of the participants. Company B argues that it needs the
names and photos of the participants to allow security staff at the building’s
entrance to check that they are the right persons, while the CVs will enable the
directors to better prepare for the meeting.
Cannot be based on consent
- Situation D: Supermarket gives a card and customers who have this card get a
very small discount on the price.
Consent can be the basis
Informed
Specific
Unambiguous
Additional Grounds for Processing Data
Necessity for the performance of a contract
Legal duties of the controller
Vital interests of the data subject or those of another natural person
Public interest and exercise of official authority
Legitimate interests pursued by the controller or by a third party
Processing special categories of data (sensitive data)
Exemptions include situations where:
Data subject explicitly consents to the data processing
Processing is carried out by a non-profit body with political, philosophical, religious or
trade union purposes during its legitimate activities and only relates to its (former)
members or to persons who have regular contact with it for such purposes
Processing concerns data explicitly made public by the data subject
Processing is necessary
The rights of data subjects
1. Right to be informed
- Controllers of processing operations are obliged to inform the data subject at the
time when personal data are collected about their intended processing
o This obligation does not depend on a request from the data subject,
rather the controller must proactively comply with the obligation,
regardless of whether the data subject shows interest in the information
or not
- Art. 12, 13, 14 GDPR
- Content of information (Art. 13(1) GDPR)
o Controller’s identity & contact details, including the DPO’s details, if any;
o Purpose and legal basis for the processing, i.e., a contract or legal
obligation;
o Data controller’s legitimate interest, if this provides the basis for
processing;
o Personal data’s eventual recipients or categories of recipients;
o Whether the data will be transferred to a third country or international
organisation, and whether this is based on an adequacy decision or relies
upon appropriate safeguards;
o The period for which the personal data will be stored, and if establishing
that period is not possible, the criteria used to determine the data storage
period;