- From: Eva Schlehahn <uld67@datenschutzzentrum.de>
- Date: Fri, 19 Oct 2018 16:32:59 +0200
- To: public-dpvcg@w3.org
- Message-ID: <6473bcc6-443e-84f2-0823-e3f16fe3fa7c@datenschutzzentrum.de>
Dear Axel, dear Harsh, dear all,
A higher level category 'justification for processing', of which
'consent' is one subcategory, makes sense.
However, I really think we should focus on the default list of Art. 6
GDPR first, which is:
* Consent - Art.6 para. 1 (a)
* Contract - Art.6 para. 1 (b)
o Processing is necessary for the performance of a contract with
the data subject
* Legal obligation - Art.6 para. 1 (c)
o This means a law allows or even requires proccessing for compliance
o This can e.g. entail that an organisation must process certain
personal data to fulfil its legal duties. An example is the
obligation to store billing data for a longer time for tax
authorities. Another example would be the need to comply with
justified law enforcement access inquiries.
* Vital interests of the data subject - Art.6 para. 1 (d)
o Processing is necessary to protect vital interests of data
subject - the classic example is the medical emergency
* Task carried out in the public interest _or_ in the exercise of
official authority vested in the controller -
Art.6 para. 1 (e)
o This entails the processing that e.g. a governmental institution
needs to do to perform its tasks. An example for public interest
if e.g. tax authorities pursuing cases of money laundering
(fighting crime is a public interest). An example for the latter
is e.g. a registry office needing your information like name and
adress to register where you live and to give out passports.
* Legitimate interest - Art.6 para. 1 (f)
o Processing necessary for the purposes of the legitimate
interests pursued by the controller or by a third party, _except
where such interests are overridden by the interests or
fundamental rights and freedoms of the data subject_.
I see that Harsh has introduced more aspects in his list. My assumption
is that this is caused by the fact that the GDPR foresees some specific
rules and exemptions and he also looked at the justifications mentioned
for sensitive data, too. However, I think we should try to differentiate
to maintain a clearer picture of when which legal basis can apply.
Regarding the 'specifics' and exemptions, we should have in mind that:
* public authorities cannot refer to the justification 'legitimate
interest' for the performance of their tasks
* the EU or EU Member States can specify the justifications 'Legal
obligation' and 'Task carried out in the public interest or in the
exercise of official authority vested in the controller'.
o These specifications must fulfill some minimum requirements
regulated in the GDPR (Art. 6 para. 3 (a) +(b)).
o An example for such a specification in national law could e.g.
be employment law.
* a controller can process data for further purposes, as long as those
are compatible with the original purpose(s).
o This is actually _not another legal basis_! Rather, it is in
this case assumed that the legal ground of the original
processing extends to the new purposes
o Compatible purpose is bound to specific requirements, which can
be tricky for a controller to document properly (Art. 6 para. 4)
If we want to address sensitive data too (Art. 9 GDPR), we need an
additional list of justifications applicable for this type of personal
data.
* This is because the justifications for the processing of senstivie
data are partially different, are made much more specific and often
have in their individual GDPR provisions very strict preconditions
that must be fulfilled. Only the following justifications are possible:
o _Explicit_ consent
o Union or Member State _law____or____valid____collective
agreement_ only when:
+ processing is necessary for
# carrying out the obligations and exercising specific
rights of the controller or of the data subject
+ AND the law or collective agreement provides for appropriate
safeguards and concerns the field of:
# employment law
# social security law
# social protection law
o Vital interests
o Legitimate activities with appropriate safeguards by:
+ a foundation, association or any other not-for-profit body
with a political, philosophical, religious or trade union aim
# This data can only concern members or former members of
these bodies or persons, who have regular contact with
it in connection with its purposes
# Data is not allowed to be disclosed outside without data
subject consent
o Data already made manifestly public by data subject
o Establishment, exercise or defence of legal claims or whenever
courts are acting in their judicial capacity
o Substantial public interest, on the basis of Union or Member
State law
o A specific medical justifications with preconditions mentioned
in Art. 9 para 2 (h), such as purposes of preventive or
occupational medicine
+ Here, the GDPR especially highlights the importance of
professional secrecy, see Art. 9 para. 3 GDPR
o Public interest in the area of public health
o Archiving purposes in the public interest, scientific or
historical research purposes or statistical purposes (also
certain with preconditions)
+ Here, the GDPR also imposes certain preconditions to be met,
such as the implementation of safeguards, see Art. 89 para.
1 GDPR.
+ Moreover, EU Member States are allowed to regulate specifics
and derogations in their national laws again.
Please note that all these justifications/legal bases for sensitive data
can be addressed by the EU Member States in national laws in order to
maintain or introduce further conditions, including limitations, with
regard to the processing of genetic data, biometric data or data
concerning health.
Also noticeable is that the justification of 'legitimate interest' is
NOT possible when sensitive data are concerned.
Oof, that was quite a lot of info at once - and hopefully, not too
confusing. :-D
Just my input to the processing justifications possible when personal
data are concerned. I am curious to hear your own thoughts on it. But
for now, I wish everyone a great weekend! :)
Greetings,
Eva
Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein
Eva Schlehahn, uld67@datenschutzzentrum.de
Holstenstraße 98, 24103 Kiel, Tel. +49 431 988-1204, Fax -1223
mail@datenschutzzentrum.de - https://www.datenschutzzentrum.de/
Informationen über die Verarbeitung der personenbezogenen Daten durch
die Landesbeauftragte für Datenschutz und zur verschlüsselten
E-Mail-Kommunikation: https://datenschutzzentrum.de/datenschutzerklaerung/
Am 17.10.2018 um 17:58 schrieb Harshvardhan J. Pandit:
> Hi Axel, Sabrina.
> I agree that we should also have a taxonomy of "legal basis" for
> processing.
>
> From the text of GDPR Sabrina shared earlier, I have the following
> legal basis listed in GDPRtEXT:
> * Contract with Data Subject
> * Exempted by National Law
> * Employment Law
> * Given Consent
> * Historic, Statistical, or Scientific Purposes
> * Legal claims
> * Legal obligation
> * Legitimate Interest
> * Made public by Data Subject
> * Medical, Diagnostic, or Treatement
> * Not for Profit Org.
> * Public Interest
> * Purpose of New Processing
> * Vital Interest
>
> I propose we start with this (and the text from GDPR) as our starting
> point for discussion.
>
> Best,
> Harsh
>
> On 17/10/18 8:35 AM, Axel Polleres wrote:
>> Dear all,
>>
>> I agree that we would need then not only to talk about consent but in
>> general a categorisation or "taxonomy" of "justification for
>> processing" or alike (using these as top-level categories), right?
>>
>> best regards,
>> Axel
>> --
>> Prof. Dr. Axel Polleres
>> Institute for Information Business, WU Vienna
>> url: http://www.polleres.net/ twitter: @AxelPolleres
>>
>>> On 17.10.2018, at 17:19, Sabrina Kirrane <sabrina.kirrane@wu.ac.at
>>> <mailto:sabrina.kirrane@wu.ac.at>> wrote:
>>>
>>> Hi Axel & all,
>>>
>>> As a followup to Rigo's comment yesterday on other lawful means of
>>> processing, here is the relevant text from the GDPR:
>>>
>>> 1.Processing shall be lawful only if and to the extent that at least
>>> one
>>> of the following applies:
>>>
>>> (a) the data subject has given consent to the processing of his or her
>>> personal data for one or more specific purposes;
>>>
>>> (b) processing is necessary for the performance of a contract to which
>>> the data subject is party or in order to take steps at the request of
>>> the data subject prior to entering into a contract;
>>>
>>> (c) processing is necessary for compliance with a legal obligation to
>>> which the controller is subject;
>>>
>>> (d) processing is necessary in order to protect the vital interests of
>>> the data subject or of another natural person;
>>>
>>> (e) processing is necessary for the performance of a task carried
>>> out in
>>> the public interest or in the exercise of official authority vested in
>>> the controller;
>>>
>>> (f) processing is necessary for the purposes of the legitimate
>>> interests
>>> pursued by the controller or by a third party, except where such
>>> interests are overridden by the interests or fundamental rights and
>>> freedoms of the data subject which require protection of personal data,
>>> in particular where the data subject is a child.
>>>
>>> Point (f) of the first subparagraph shall not apply to processing
>>> carried out by public authorities in the performance of their tasks.
>>>
>>> Best Regards,
>>> Sabrina
>>>
>>> --
>>> Postdoctoral researcher,
>>> Institute for Information Business
>>> Vienna University of Economics and Business
>>> Tel: +43-1-31336-4494
>>> E-mail: sabrina.kirrane [at] wu.ac.at <http://wu.ac.at>
>>> Homepage: www.sabrinakirrane.com <http://www.sabrinakirrane.com>
>>
>
Received on Friday, 19 October 2018 14:33:36 UTC