Re: Lawfulness of processing

Hi Simon, hi all,

the main things pretty wrong in their privacy policy are from my 

First, a controller simply cannot switch the legal basis for processing 
at a whim. They need to decide in advance (!) of the data collection (!) 
according to which legal ground they want to process. Consent and 
legitimate interest are clearly separate legal grounds. So if they ask 
consent for direct marketing purposes, they cannot apply the rules for 
legitimate interest in that regard.

Second, they cannot simply diminish the data subject's right to object 
wrt the direct marketing purposes. Article 21 para. 2 GDPR explicitly 
says that the data subject *always* has a right to object when data are 
processed for direct marketing purposes at any time. This also affects 
any profiles that were built in the context of such direct marketing.



On 07.11.2018 at 07:25, Simon Steyskal wrote:
> Thx for the insights Rigo!
> On a related note and as an example of what you just highlighted:
> I just stumbled over the following company [1] (located in Finland) that 
> requires one to "consent to receive direct marketing" after getting 
> verified via SMS/call when creating a trial account (which is required 
> in order to be allowed to download a trial version of one of their 
> products) [2].
> Upon registration they state that consent can be revoked at any time, 
> however, in their "Privacy Policy" [3] they state the following:
> The person has the right to object, on grounds relating to his/her particular situation, to the processing of Personal Data which is based on either of the following legal basis for processing: (i) when processing has been found necessary for the purposes of the legitimate interests of Solibri or (ii) when processing has been found necessary in order to protect the person's vital interests. The person however does not have the right to object, if Solibri demonstrates compelling legitimate grounds for the processing which override person's interests or fundamental rights and freedoms.
> 15.1 ‘Restriction of processing’ means the marking of stored Personal Data with the aim of limiting its use in the future.
> 15.2 If the person requests, Solibri must restrict processing in the following situations:
> (a) the accuracy of the Personal Data is contested by the person, for a period enabling Solibri to verify the accuracy of the Personal Data;
> (b) the processing is unlawful and the person opposes the erasure of the Personal Data and requests the restriction of its use instead;
> (c) Solibri no longer needs the Personal Data for the purposes of the processing, but it is required by the person for the establishment, exercise or defence of legal claims; or
> (d) the person has objected to processing, but verification whether the legitimate grounds of Solibri override those of the person is still ongoing.
> 16.1 The person has the right to have his/her Personal Data erased at his/her request if one of the following grounds applies:
> (a) the Personal Data is no longer necessary for the purposes for which it was collected or otherwise processed;
> (b) the person withdraws consent on which the processing is based and where there is no other legal ground for the processing;
> (c) the person objects to the processing in accordance with Section 14;
> (d) the Personal Data has been processed unlawfully; or
> (e) the Personal Data has to be erased for compliance with a legal obligation in Union or Member State law to which Solibri is subject.
> 16.2 However, Solibri does not have to erase the data based on above grounds to the extent Solibri still needs to process the data:
> (a) for exercising the right of freedom of expression and information;
> (b) for compliance with a legal obligation which requires processing by law to which Solibri is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
> (c) for reasons of public interest in the area of public health in accordance with legal requirements;
> (d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with legal requirements; or
> (e) for the establishment, exercise or defence of legal claims.
> ---
> Especially 14.i, 15.2cd, 16.1c, and 16.2 are in my opinion (as a 
> computer scientist but legal layman) highly problematic.
> In my understanding, the company basically allows one to revoke 
> consent only if their "legitimate grounds" for processing personal 
> data do not override those of the person to whom said personal data 
> belongs?!
> br, simon
> [1]
> [2]
> [3]
> [4]
> ---
> DDipl.-Ing. Simon Steyskal
> Institute for Information Business, WU Vienna
> www:  twitter: @simonsteys
> On 2018-11-06 18:46, Rigo Wenning wrote:
>> On Monday, October 22, 2018 9:49:28 AM CET Simon Steyskal wrote:
>>> Just out of curiosity, can an EU Member State also >remove< certain
>>> conditions using national laws? Or similarly, explicitly allow
>>> the justification of 'legitimate interest' with the help of
>>> national laws?
>> Yes, especially Art. 85 GDPR enables Member States to allow certain
>> types of data processing in the name of freedom of expression.
>> Public law also allows things via Art. 6 (1)e. This has been
>> recognised e.g. for the German Kunsturhebergesetz (KUG) that manages
>> the right to one's image.
>> For legitimate interest, I will refer to Eva. The media industry
>> believes they can just continue all the tracking under "legitimate
>> interest". I don't believe so and listening to Koen Lenaerts from
>> the ECJ, I have even more doubts. A national court will have to
>> submit such questions to the ECJ as they have to interpret Union
>> Law. And the ECJ will create a somewhat unified interpretation for
>> the EU.
>>  --Rigo

Received on Wednesday, 7 November 2018 09:05:10 UTC