Re: Lawfulness of processing

From: Simon Steyskal <simon.steyskal@wu.ac.at>
Date: Wed, 07 Nov 2018 07:25:12 +0100
To: Rigo Wenning <rigo@w3.org>
Cc: public-dpvcg@w3.org, Eva Schlehahn <uld67@datenschutzzentrum.de>
Message-ID: <49ca1214f6ab54772990672db10b28c4@wu.ac.at>

Thx for the insights Rigo!

On a related note and as an example of what you just highlighted:

I just stumbled over the following company [1] (located in Finland) that 
requires one to "consent to receive direct marketing" after getting 
verified via SMS/call when creating a trial account (which is required 
in order to be allowed to download a trial version of one of their 
products) [2].

Upon registration they state that consent can be revoked at any time, 
however, in their "Privacy Policy" [3] they state the following:

14 RIGHT TO OBJECT PROCESSING
The person has the right to object, on grounds relating to his/her particular situation, to the processing of Personal Data which is based on either of the following legal basis for processing: (i) when processing has been found necessary for the purposes of the legitimate interests of Solibri or (ii) when processing has been found necessary in order to protect the person's vital interests. The person however does not have the right to object, if Solibri demonstrates compelling legitimate grounds for the processing which override person's interests or fundamental rights and freedoms.

15 RIGHT TO RESTRICTION OF PROCESSING
15.1 ‘Restriction of processing’ means the marking of stored Personal Data with the aim of limiting its use in the future.

15.2 If the person requests, Solibri must restrict processing in the following situations:
(a) the accuracy of the Personal Data is contested by the person, for a period enabling Solibri to verify the accuracy of the Personal Data;
(b) the processing is unlawful and the person opposes the erasure of the Personal Data and requests the restriction of its use instead;
(c) Solibri no longer needs the Personal Data for the purposes of the processing, but it is required by the person for the establishment, exercise or defence of legal claims; or
(d) the person has objected to processing, but verification whether the legitimate grounds of Solibri override those of the person is still ongoing.

16 RIGHT TO BE FORGOTTEN
16.1 The person has the right to have his/her Personal Data erased at his/her request if one of the following grounds applies:
(a) the Personal Data is no longer necessary for the purposes for which it was collected or otherwise processed;
(b) the person withdraws consent on which the processing is based and where there is no other legal ground for the processing;
(c) the person objects to the processing in accordance with Section 14;
(d) the Personal Data has been processed unlawfully; or
(e) the Personal Data has to be erased for compliance with a legal obligation in Union or Member State law to which Solibri is subject.

16.2 However, Solibri does not have to erase the data based on above grounds to the extent Solibri still needs to process the data:
(a) for exercising the right of freedom of expression and information;
(b) for compliance with a legal obligation which requires processing by law to which Solibri is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(c) for reasons of public interest in the area of public health in accordance with legal requirements;
(d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with legal requirements; or
(e) for the establishment, exercise or defence of legal claims.

---

Especially 14.i, 15.2cd, 16.1c, and 16.2 are in my opinion (as a 
computer scientist but legal layman) highly problematic.
In my understanding, the company basically allows one to revoke consent 
only if their "legitimate grounds" for processing personal data do not 
override those of the person to whom said personal data belongs?!

br, simon


[1] https://www.solibri.com
[2] https://solution.solibri.com/
[3] https://solibri.com/privacy/privacy-policy.pdf
[4] https://solibri.com/privacy/customer-data-processing-annex.pdf

---
DDipl.-Ing. Simon Steyskal
Institute for Information Business, WU Vienna

www: http://www.steyskal.info/  twitter: @simonsteys

Am 2018-11-06 18:46, schrieb Rigo Wenning:
> On Monday, October 22, 2018 9:49:28 AM CET Simon Steyskal wrote:
>> Just out of curiosity, can a EU Member State also >remove< certain
>> conditions using national laws? Or similarly, explicitly allow
>> the justification of 'legitimate interest' with the help of
>> national laws?
> 
> Yes, especially Art. 85 GDPR enables Member states to allow certain
> types of data processing in the name of freedom of expression.
> Public law also allows things via Art. 6 (1)e. This has been
> recognised e.g. for the German Kunsturhebergesetz (KUG) that manages
> the right to one's image.
> 
> For legitimate interest, I will refer to Eva. The media industry
> believes they can just continue all the tracking under "legitimate
> interest". I don't believe so and listening to Koen Lenaerts from
> the ECJ, I have even more doubts. A national court will have to
> submit such questions to the ECJ as they have to interpret Union
> Law. And the ECJ will create a somewhat unified interpretation for
> the EU.
> 
>  --Rigo
Received on Wednesday, 7 November 2018 06:25:40 UTC