The Regulation stipulates that infringements of “the basic principles for processing, including conditions for consent” are subject to the highest possible administrative fines – up to €20,000,000 or 4% of global annual turnover, whichever is greater. If any detail can get the attention of the people who need to understand this, it is likely that potential fines of that scale will do the job.
The GDPR lays down a set of data processing principles to guide how organisations manage personal data. The principles can be seen as an overview of your most important duties in complying with the Regulation, and anyone reading the Regulation should keep them in mind when interpreting other requirements.
The first six data processing principles can be found in Article 5 of the Regulation and are as follows:
- Lawfulness, fairness and transparency.
- Purpose limitation.
- Data minimisation.
- Accuracy.
- Storage limitation.
- Integrity and confidentiality.
Although these principles are the direct successors of those outlined in the DPD, the Regulation notes that “the objectives and principles of [the DPD] remain sound, but it has not prevented fragmentation in the implementation of data protection across the Union, legal uncertainty or a widespread public perception that there are significant risks to the protection of natural persons, in particular with regard to online activity”.1 Because of this, organisations should have two primary concerns when ensuring they comply with the principles:
- Understanding the full scope of the principles under the GDPR.
- Ensuring that any distinctions between the previous principles and the new ones are identified and understood.
Although the GDPR has been in effect for more than a year, it is not uncommon for organisations to assume that one principle is much the same as its predecessor. Others might think that the fact they haven’t been investigated by the supervisory authority is proof that they are getting things right. Regardless of how certain you might be that you are acting in accordance with the principles, it is absolutely essential that you confirm this before a data breach reveals that you are, in fact, not in compliance.
In the first instance, organisations need to appreciate that the scope of the GDPR is not the scope of the DPD. The Regulation applies more broadly and has a different scope from the laws that were developed in response to the DPD. (See chapter 4 for a discussion of the GDPR’s scope and how it relates to the privacy compliance framework.)
In the second instance, organisations need to take care that their compliance programmes are sufficiently updated. Too often, updating compliance programmes results in little change; people are set in their habits, they assume the current practices are still ‘good enough’, and the people interpreting the Regulation may suffer from ‘fatigue of repetition’ and miss salient points.
Principle 1: Lawfulness, fairness and transparency
The three components of this principle are clearly linked: the data subject must be told what processing will occur (transparent), the processing must match this description (fair), and the processing must be for one of the purposes specified in the Regulation (lawful). The data subject should also be “informed of the existence of the processing operation”.2
Drawing on existing practice, “Fairness” requires that the controller:
- Is open and honest about its identity;
- Obtains data from someone who is legally authorised/required to provide it;
- Only handles data in ways the data subject would reasonably expect;
- Does not use the data in ways that might unjustifiably have a negative effect on them.
“Transparency” requires the data controller to tell people clearly and openly (unless it is obvious) how they intend to use any personal data that has been collected. These two are regularly linked in the Regulation, most notably in the statement that “the principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes”.3 For instance, it is obvious when buying something online that your name and address will be used to fulfil the purchase. It is not, however, reasonable to pass that information to a sister company that offers related products or services without first informing the data subject.
The final component of this first data protection principle, “lawfulness”, describes processing that meets one of the tests set out in Article 6. This is a complex area, and most organisations are likely to need specific legal advice in respect to the lawful basis on which they are processing data. Remember that, if there is no lawful basis, then by definition the processing will be illegal.
Processing shall be lawful only if and to the extent that at least one of the following applies:
- (a) The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- (b) Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject before entering into a contract;
- (c) Processing is necessary for compliance with a legal obligation to which the controller is subject;
- (d) Processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- (e) Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
- (f) Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject that require protection of personal data, in particular where the data subject is a child.
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.
Note that this only requires one of the conditions to have been met for the processing to be lawful. The Regulation makes it clear that lawfulness “does not necessarily require a legislative act adopted by a parliament”, but that “such a legal basis or legislative measure should be clear and precise and its application should be foreseeable to persons subject to it”.4 Organisations that process personal data in the public interest or as a public authority must ensure that the processing has “a basis in Union or Member State law”.5
Point (a) – that the data subject has given consent to the processing of his or her personal data for one or more specific purposes – means that the data subject cannot reasonably be expected to consent without being in possession of the facts, nor can those facts be implicit (such as in fulfilment of a contract or compliance with a law). This is consistent with the Regulation’s statement in Recital 50 that:
The processing of personal data for purposes other than those for which the personal data were originally collected should be allowed only where the processing is compatible with the purposes for which the personal data were originally collected. In such a case, no legal basis separate from that which allowed the collection of the personal data is required.
In chapter 6 we deal, at some length, with the practical issues around consent. In short, consent should not necessarily be the first lawful basis an organisation selects for its processing. The test for consent is relatively high. Consent must be:
freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.7
Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations.8
These tests mean that employers are unlikely to be able to rely on consent in relation to the processing of most personal data relating to their employees. Any such consent would be invalid and the processing would therefore be unlawful.
Consent is accompanied by the right to withdraw consent, and by the rights of rectification and data portability. There may be circumstances in which organisations therefore wish to identify alternative lawful bases for processing, and these come from the other options set out in Article 6.
Organisations should use privacy notices and terms and conditions to give relevant context and transparency, provided that these are clear and accessible. The Regulation explicitly states that “the principle of transparency requires that any information addressed to the public or to the data subject be concise, easily accessible and easy to understand, and that clear and plain language and, additionally, where appropriate, visualisation be used”.9 Simply including a link to detailed terms and conditions may not be adequate.
©IT Governance Publishing Ltd
Now in its third edition, EU GDPR – An Implementation and Compliance Guide provides detailed commentary on the Regulation. This clear and comprehensive book sets out the obligations of data processors and controllers in simple terms and will help you understand how to achieve compliance with the GDPR.