
Re: Lawfulness of processing

From: Harshvardhan J. Pandit <me@harshp.com>
Date: Thu, 8 Nov 2018 09:52:31 +0000
To: public-dpvcg@w3.org
Message-ID: <8e71d174-d0d6-0dc4-06ea-0c857913f262@harshp.com>

Thanks for the lucid clarifications Eva & Rigo!
So, coming as a non-legal layman, legitimate interest can be defined as 
something upon which the provision of business/service/goods is based, 
and without which it cannot be provided/operated. And this should 
not override the fundamental rights of the data subject as clarified by 
the GDPR.

However, I have found it very tricky to determine if something can be 
classified as legitimate interest or not (makes sense, I don't have a 
law degree), especially when looking at privacy policies that specify 
some personal data as being "necessary".

For the DPVCG, would we like to delve deeper to also provide a taxonomy 
to specify terms associated with legitimate interest? And thus forth, 
for other legal bases?

I think this would postpone the first draft due to the work involved, 
but can be something to note down, and perhaps work later?

Best,
Harsh

On 07/11/18 8:48 PM, Rigo Wenning wrote:
> On Wednesday, November 7, 2018 9:11:53 AM CET Eva Schlehahn wrote:
>> Second, they cannot simply diminish the data subject's right to
>> object wrt the direct marketing purposes. Article 21 para. 2 GDPR
>> explicitly says that the data subject *always* has a right to
>> object when data are processed for direct marketing purposes at
>> any time. This also affects any profiles that were built in the
>> context of such direct marketing.
> 
> Adding to Eva...
> 
> The cool part is that if you send them a DNT:1, you objected
> according to Art. 21 (5) GDPR, which is pretty powerful. In that
> case they can't overwrite the user's will with "legitimate
> interest".
> 
> Legitimate interest is certainly not the legitimate interest of one
> party only. That would be easy as that would mean no GDPR
> whatsoever. Or every data collector could just define a "legitimate"
> interest in data collection and ignore the data subject. I don't
> think the mainstream interpretation would support that ...
> 
>   --Rigo
> 

-- 
---
Harshvardhan J. Pandit
PhD Researcher
ADAPT Centre, Trinity College Dublin
https://harshp.com/
Received on Thursday, 8 November 2018 09:52:58 UTC
