Lawful basis for the collection and processing of data
No always required, use only if other basis not applicable
Also valid if subject has asked you to do something prior to entering into a contract
“processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”
“processing is necessary for compliance with a legal obligation to which the controller is subject.”
Must be able to identify the obligation that is being relied on
“processing is necessary in order to protect the vital interests of the data subject or of another natural person”.
“The processing of personal data should also be regarded as lawful where it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person. Processing of personal data based on the vital interest of another natural person should in principle take place only where the processing cannot be manifestly based on another legal basis…”
“processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
This can be broken down into a three-part test:
Purpose test: are you pursuing a legitimate interest?
Necessity test: is the processing necessary for that purpose?
Balancing test: do the individual’s interests override the legitimate interest?
If you choose to rely on legitimate interests, you take on extra responsibility for ensuring people’s rights and interests are fully considered and protected.
Must document how you arrived at the justification
Conducting a Legitimate Interest Assessment (ICO terminology, not GDPR) for each process is not required under GDPR but it would be harder to prove your interest is legit retrospectively
Nature of data processing must not be unexpected to a reasonable person in the circumstances
Refer to ICO list of reasonable expectations, it's a good list
And therefore needs to be communicated to the subject transparently
Information about the processing that is carried out, the purpose and on what basis you are justifying it should be included on your privacy statement
Subject can object to the processing
If they object and it is for direct marketing you have to stop.
If it's not for marketing you might be able to continue but must justify why.
Must document the assessment of why legitimate interests apply
Must inform the subject of the nature of the processing
Impacts and Safeguards
Is this sort of processing likely to result in a significant impact on the subject?
If so you need to be able to demonstrate why your legitimate interest overrides that potential harm
Still may need consent under PECR
PECR due to be replaced with ePR
PECR is the UK law that sets out how the ePrivacy Directive is implemented in the UK
ePR is a set of European Regulations, which means they will become law in and of themselves
Special Category Data
Criminal Offence Data
Automated decision making and profiling
Right to object :
Objections to direct marketing must always be respected
Not permitted if will have a legal or similarly significant effect
authorised by law (e.g fraud, tax evasion)
Necessary for entering into a contract
With the subject's consent
Need to prove it is legit
Need to allow subject to challenge decision and request a review
Must explain that this is happening, explain the logic in a meaningful way and explain the significance and envisaged consequences of the processing
Don't have to describe the exact algorithm
Classifiying for statistical purposes is OK (?)
Profiling to predict ability, characteristics or behaviour is covered
Consent likely required with clear explanation
If due to a contract, processing must be limited to that necessary for fulfilling contract
Could be based on legitimate interests so long as level of profiling is justified by the interest. More intrusive profiling requires better justification
Deriving additional characteristics that are sensitive from other data is covered by "Special categories of data" - tread carefully
More from the EU
(47) ... "The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest"
Subject has the right to retrieve or request their data be transferred to other services.
Not all data though.
Only applies to data an individual has provided manually or by their interactions with the service
Not for data derived from their activities
Only for data based on consent or contract
Only when processed automatically
International transferring of data