- From: Simon Steyskal <simon.steyskal@wu.ac.at>
- Date: Mon, 22 Oct 2018 09:49:28 +0200
- To: Eva Schlehahn <uld67@datenschutzzentrum.de>
- Cc: public-dpvcg@w3.org
Hi Eva!

> Please note that all these justifications/legal bases for sensitive
> data can be addressed by the EU Member States in national laws in order
> to maintain or introduce further conditions, including limitations,
> with regard to the processing of genetic data, biometric data or data
> concerning health.
> Also noticeable is that the justification of 'legitimate interest' is
> NOT possible when sensitive data are concerned.

Just out of curiosity, can an EU Member State also >remove< certain conditions using national laws? Or similarly, explicitly allow the justification of 'legitimate interest' with the help of national laws?

br,
simon

---
DDipl.-Ing. Simon Steyskal
Institute for Information Business, WU Vienna
www: http://www.steyskal.info/ twitter: @simonsteys

On 2018-10-19 16:32, Eva Schlehahn wrote:
> Dear Axel, dear Harsh, dear all,
>
> A higher level category 'justification for processing', of which
> 'consent' is one subcategory, makes sense.
>
> However, I really think we should focus on the default list of Art. 6
> GDPR first, which is:
>
> * Consent - Art.6 para. 1 (a)
> * Contract - Art.6 para. 1 (b)
>
>   * Processing is necessary for the performance of a contract with the
>     data subject
>
> * Legal obligation - Art.6 para. 1 (c)
>
>   * This means a law allows or even requires processing for
>     compliance
>
>   * This can e.g. entail that an organisation must process certain
>     personal data to fulfil its legal duties. An example is the obligation
>     to store billing data for a longer time for tax authorities. Another
>     example would be the need to comply with justified law enforcement
>     access inquiries.
>
> * Vital interests of the data subject - Art.6 para. 1 (d)
>
>   * Processing is necessary to protect vital interests of data subject
>     - the classic example is the medical emergency
>
> * Task carried out in the public interest or in the exercise of
>   official authority vested in the controller -
>   Art.6 para. 1 (e)
>
>   * This entails the processing that e.g. a governmental institution
>     needs to do to perform its tasks. An example for public interest is
>     e.g. tax authorities pursuing cases of money laundering (fighting
>     crime is a public interest). An example for the latter is e.g. a
>     registry office needing your information like name and address to
>     register where you live and to give out passports.
>
> * Legitimate interest - Art.6 para. 1 (f)
>
>   * Processing necessary for the purposes of the legitimate interests
>     pursued by the controller or by a third party, except where such
>     interests are overridden by the interests or fundamental rights and
>     freedoms of the data subject.
>
> I see that Harsh has introduced more aspects in his list. My
> assumption is that this is caused by the fact that the GDPR foresees
> some specific rules and exemptions and he also looked at the
> justifications mentioned for sensitive data, too. However, I think we
> should try to differentiate to maintain a clearer picture of when
> which legal basis can apply.
>
> Regarding the 'specifics' and exemptions, we should have in mind that:
>
> * public authorities cannot refer to the justification 'legitimate
>   interest' for the performance of their tasks
>
> * the EU or EU Member States can specify the justifications 'Legal
>   obligation' and 'Task carried out in the public interest or in the
>   exercise of official authority vested in the controller'.
>
>   * These specifications must fulfill some minimum requirements
>     regulated in the GDPR (Art. 6 para. 3 (a) +(b)).
>
>   * An example for such a specification in national law could e.g. be
>     employment law.
>
> * a controller can process data for further purposes, as long as
>   those are compatible with the original purpose(s).
>
>   * This is actually not another legal basis! Rather, it is in this
>     case assumed that the legal ground of the original processing extends
>     to the new purposes
>
>   * Compatible purpose is bound to specific requirements, which can be
>     tricky for a controller to document properly (Art. 6 para. 4)
>
> If we want to address sensitive data too (Art. 9 GDPR), we need an
> additional list of justifications applicable for this type of personal
> data.
>
> * This is because the justifications for the processing of sensitive
>   data are partially different, are made much more specific and often
>   have in their individual GDPR provisions very strict preconditions
>   that must be fulfilled. Only the following justifications are
>   possible:
>
>   * Explicit consent
>   * Union or Member State law or valid collective agreement only when:
>
>     * processing is necessary for
>
>       * carrying out the obligations and exercising specific rights of the
>         controller or of the data subject
>
>     * AND the law or collective agreement provides for appropriate
>       safeguards and concerns the field of:
>
>       * employment law
>       * social security law
>       * social protection law
>
>   * Vital interests
>   * Legitimate activities with appropriate safeguards by:
>
>     * a foundation, association or any other not-for-profit body with a
>       political, philosophical, religious or trade union aim
>
>     * This data can only concern members or former members of these
>       bodies or persons, who have regular contact with it in connection with
>       its purposes
>
>     * Data is not allowed to be disclosed outside without data subject
>       consent
>
>   * Data already made manifestly public by data subject
>   * Establishment, exercise or defence of legal claims or whenever
>     courts are acting in their judicial capacity
>   * Substantial public interest, on the basis of Union or Member State
>     law
>   * Specific medical justifications with preconditions mentioned in
>     Art. 9 para 2 (h), such as purposes of preventive or occupational
>     medicine
>
>     * Here, the GDPR especially highlights the importance of professional
>       secrecy, see Art. 9 para. 3 GDPR
>
>   * Public interest in the area of public health
>
>   * Archiving purposes in the public interest, scientific or historical
>     research purposes or statistical purposes (also certain with
>     preconditions)
>
>     * Here, the GDPR also imposes certain preconditions to be met, such
>       as the implementation of safeguards, see Art. 89 para. 1 GDPR.
>
>     * Moreover, EU Member States are allowed to regulate specifics and
>       derogations in their national laws again.
>
> Please note that all these justifications/legal bases for sensitive
> data can be addressed by the EU Member States in national laws in
> order to maintain or introduce further conditions, including
> limitations, with regard to the processing of genetic data, biometric
> data or data concerning health.
> Also noticeable is that the justification of 'legitimate interest' is
> NOT possible when sensitive data are concerned.
>
> Oof, that was quite a lot of info at once - and hopefully, not too
> confusing. :-D
>
> Just my input to the processing justifications possible when personal
> data are concerned. I am curious to hear your own thoughts on it. But
> for now, I wish everyone a great weekend! :)
>
> Greetings,
>
> Eva
>
> Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein
> Eva Schlehahn, uld67@datenschutzzentrum.de
> Holstenstraße 98, 24103 Kiel, Tel. +49 431 988-1204, Fax -1223
> mail@datenschutzzentrum.de - https://www.datenschutzzentrum.de/
>
> Information on the processing of personal data by the State Data
> Protection Commissioner and on encrypted e-mail communication:
> https://datenschutzzentrum.de/datenschutzerklaerung/
>
> On 17.10.2018 at 17:58, Harshvardhan J. Pandit wrote:
>
>> Hi Axel, Sabrina.
>> I agree that we should also have a taxonomy of "legal basis" for
>> processing.
>>
>> From the text of GDPR Sabrina shared earlier, I have the following
>> legal basis listed in GDPRtEXT:
>> * Contract with Data Subject
>> * Exempted by National Law
>> * Employment Law
>> * Given Consent
>> * Historic, Statistical, or Scientific Purposes
>> * Legal claims
>> * Legal obligation
>> * Legitimate Interest
>> * Made public by Data Subject
>> * Medical, Diagnostic, or Treatment
>> * Not for Profit Org.
>> * Public Interest
>> * Purpose of New Processing
>> * Vital Interest
>>
>> I propose we start with this (and the text from GDPR) as our
>> starting point for discussion.
>>
>> Best,
>> Harsh
>>
>> On 17/10/18 8:35 AM, Axel Polleres wrote:
>> Dear all,
>>
>> I agree that we would need then not only to talk about consent but
>> in general a categorisation or "taxonomy" of "justification for
>> processing" or alike (using these as top-level categories), right?
>>
>> best regards,
>> Axel
>> --
>> Prof. Dr. Axel Polleres
>> Institute for Information Business, WU Vienna
>> url: http://www.polleres.net/ twitter: @AxelPolleres
>>
>> On 17.10.2018, at 17:19, Sabrina Kirrane <sabrina.kirrane@wu.ac.at> wrote:
>>
>> Hi Axel & all,
>>
>> As a followup to Rigo's comment yesterday on other lawful means of
>> processing, here is the relevant text from the GDPR:
>>
>> 1. Processing shall be lawful only if and to the extent that at least
>> one of the following applies:
>>
>> (a) the data subject has given consent to the processing of his or her
>> personal data for one or more specific purposes;
>>
>> (b) processing is necessary for the performance of a contract to which
>> the data subject is party or in order to take steps at the request of
>> the data subject prior to entering into a contract;
>>
>> (c) processing is necessary for compliance with a legal obligation to
>> which the controller is subject;
>>
>> (d) processing is necessary in order to protect the vital interests of
>> the data subject or of another natural person;
>>
>> (e) processing is necessary for the performance of a task carried out in
>> the public interest or in the exercise of official authority vested in
>> the controller;
>>
>> (f) processing is necessary for the purposes of the legitimate interests
>> pursued by the controller or by a third party, except where such
>> interests are overridden by the interests or fundamental rights and
>> freedoms of the data subject which require protection of personal data,
>> in particular where the data subject is a child.
>>
>> Point (f) of the first subparagraph shall not apply to processing
>> carried out by public authorities in the performance of their tasks.
>>
>>
>> Best Regards,
>> Sabrina
>>
>> --
>> Postdoctoral researcher,
>> Institute for Information Business
>> Vienna University of Economics and Business
>> Tel: +43-1-31336-4494
>> E-mail: sabrina.kirrane [at] wu.ac.at
>> Homepage: www.sabrinakirrane.com
Received on Monday, 22 October 2018 07:49:59 UTC