Re: Lawfulness of processing

Hi Simon, Eva.
I am not a legal expert, so I only have guesses regarding this.
GDPR is a regulation, so doesn't it mean that its obligations are 
mandatory and cannot be "removed" by member states?
In the same vein, I suppose that national laws may augment these 
obligations, but cannot "infringe" upon the rights provided by the 
regulation?
For example, a national law may dictate that user tracking is legitimate 
interest, but if it infringes upon the rights provided by the GDPR, then 
it would not be legally compatible?

P.S. Simon, thanks for raising this question.

Regards,
Harsh

On 22/10/18 3:49 AM, Simon Steyskal wrote:
> Hi Eva!
> 
>> Please note that all these justifications/legal bases for sensitive 
>> data can be addressed by the EU Member States in national laws in 
>> order to maintain or introduce further conditions, including 
>> limitations, with regard to the processing of genetic data, biometric 
>> data or data concerning health.
>> Also noticeable is that the justification of 'legitimate interest' is
>> NOT possible when sensitive data are concerned.
> 
> Just out of curiosity, can a EU Member State also >remove< certain 
> conditions using national laws? Or similarly, explicitly allow the 
> justification of 'legitimate interest' with the help of national laws?
> 
> br, simon
> 
> ---
> DDipl.-Ing. Simon Steyskal
> Institute for Information Business, WU Vienna
> 
> www: http://www.steyskal.info/  twitter: @simonsteys
> 
> On 2018-10-19 16:32, Eva Schlehahn wrote:
>> Dear Axel, dear Harsh, dear all,
>>
>> A higher level category 'justification for processing', of which
>> 'consent' is one subcategory, makes sense.
>>
>> However, I really think we should focus on the default list of Art. 6
>> GDPR first, which is:
>>
>>     * Consent - Art.6 para. 1 (a)
>>     * Contract - Art.6 para. 1 (b)
>>         * Processing is necessary for the performance of a contract with
>>           the data subject
>>     * Legal obligation - Art.6 para. 1 (c)
>>         * This means a law allows or even requires processing for
>>           compliance
>>         * This can e.g. entail that an organisation must process certain
>>           personal data to fulfil its legal duties. An example is the
>>           obligation to store billing data for a longer time for tax
>>           authorities. Another example would be the need to comply with
>>           justified law enforcement access inquiries.
>>     * Vital interests of the data subject - Art.6 para. 1 (d)
>>         * Processing is necessary to protect vital interests of data
>>           subject - the classic example is the medical emergency
>>     * Task carried out in the public interest or in the exercise of
>>       official authority vested in the controller - Art.6 para. 1 (e)
>>         * This entails the processing that e.g. a governmental institution
>>           needs to do to perform its tasks. An example for public interest
>>           is e.g. tax authorities pursuing cases of money laundering
>>           (fighting crime is a public interest). An example for the latter
>>           is e.g. a registry office needing your information like name and
>>           address to register where you live and to give out passports.
>>     * Legitimate interest - Art.6 para. 1 (f)
>>         * Processing necessary for the purposes of the legitimate interests
>>           pursued by the controller or by a third party, except where such
>>           interests are overridden by the interests or fundamental rights
>>           and freedoms of the data subject.
>>
>> I see that Harsh has introduced more aspects in his list. My
>> assumption is that this is caused by the fact that the GDPR foresees
>> some specific rules and exemptions and he also looked at the
>> justifications mentioned for sensitive data, too. However, I think we
>> should try to differentiate to maintain a clearer picture of when
>> which legal basis can apply.
>>
>> Regarding the 'specifics' and exemptions, we should have in mind that:
>>
>>     * public authorities cannot refer to the justification 'legitimate
>>       interest' for the performance of their tasks
>>     * the EU or EU Member States can specify the justifications 'Legal
>>       obligation' and 'Task carried out in the public interest or in the
>>       exercise of official authority vested in the controller'.
>>         * These specifications must fulfill some minimum requirements
>>           regulated in the GDPR (Art. 6 para. 3 (a) + (b)).
>>         * An example for such a specification in national law could e.g.
>>           be employment law.
>>     * a controller can process data for further purposes, as long as
>>       those are compatible with the original purpose(s).
>>         * This is actually not another legal basis! Rather, it is in this
>>           case assumed that the legal ground of the original processing
>>           extends to the new purposes
>>         * Compatible purpose is bound to specific requirements, which can
>>           be tricky for a controller to document properly (Art. 6 para. 4)
>>
>> If we want to address sensitive data too (Art. 9 GDPR), we need an
>> additional list of justifications applicable for this type of personal
>> data.
>>
>>     * This is because the justifications for the processing of sensitive
>>       data are partially different, are made much more specific and often
>>       have in their individual GDPR provisions very strict preconditions
>>       that must be fulfilled. Only the following justifications are
>>       possible:
>>
>>         * Explicit consent
>>         * Union or Member State law or valid collective agreement only
>>           when:
>>             * processing is necessary for carrying out the obligations and
>>               exercising specific rights of the controller or of the data
>>               subject
>>             * AND the law or collective agreement provides for appropriate
>>               safeguards and concerns the field of:
>>                 * employment law
>>                 * social security law
>>                 * social protection law
>>         * Vital interests
>>         * Legitimate activities with appropriate safeguards by:
>>             * a foundation, association or any other not-for-profit body
>>               with a political, philosophical, religious or trade union aim
>>             * This data can only concern members or former members of
>>               these bodies or persons who have regular contact with it in
>>               connection with its purposes
>>             * Data is not allowed to be disclosed outside without data
>>               subject consent
>>         * Data already made manifestly public by data subject
>>         * Establishment, exercise or defence of legal claims or whenever
>>           courts are acting in their judicial capacity
>>         * Substantial public interest, on the basis of Union or Member
>>           State law
>>         * Specific medical justifications with preconditions mentioned in
>>           Art. 9 para. 2 (h), such as purposes of preventive or
>>           occupational medicine
>>             * Here, the GDPR especially highlights the importance of
>>               professional secrecy, see Art. 9 para. 3 GDPR
>>         * Public interest in the area of public health
>>         * Archiving purposes in the public interest, scientific or
>>           historical research purposes or statistical purposes (also with
>>           certain preconditions)
>>             * Here, the GDPR also imposes certain preconditions to be met,
>>               such as the implementation of safeguards, see Art. 89 para. 1
>>               GDPR.
>>             * Moreover, EU Member States are allowed to regulate specifics
>>               and derogations in their national laws again.
>>
>> Please note that all these justifications/legal bases for sensitive
>> data can be addressed by the EU Member States in national laws in
>> order to maintain or introduce further conditions, including
>> limitations, with regard to the processing of genetic data, biometric
>> data or data concerning health.
>> Also noticeable is that the justification of 'legitimate interest' is
>> NOT possible when sensitive data are concerned.
>>
>> Oof, that was quite a lot of info at once - and hopefully, not too
>> confusing. :-D
>>
>> Just my input to the processing justifications possible when personal
>> data are concerned. I am curious to hear your own thoughts on it. But
>> for now, I wish everyone a great weekend! :)
>>
>> Greetings,
>>
>> Eva
>>
>> Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein
>> Eva Schlehahn, uld67@datenschutzzentrum.de
>> Holstenstraße 98, 24103 Kiel, Tel. +49 431 988-1204, Fax -1223
>> mail@datenschutzzentrum.de - https://www.datenschutzzentrum.de/
>>
>> Information on the processing of personal data by the State
>> Commissioner for Data Protection and on encrypted e-mail
>> communication:
>> https://datenschutzzentrum.de/datenschutzerklaerung/
>>
>> On 17.10.2018 at 17:58, Harshvardhan J. Pandit wrote:
>>
>>> Hi Axel, Sabrina.
>>> I agree that we should also have a taxonomy of "legal basis" for
>>> processing.
>>>
>>> From the text of GDPR Sabrina shared earlier, I have the following
>>> legal bases listed in GDPRtEXT:
>>> * Contract with Data Subject
>>> * Exempted by National Law
>>> * Employment Law
>>> * Given Consent
>>> * Historic, Statistical, or Scientific Purposes
>>> * Legal claims
>>> * Legal obligation
>>> * Legitimate Interest
>>> * Made public by Data Subject
>>> * Medical, Diagnostic, or Treatment
>>> * Not for Profit Org.
>>> * Public Interest
>>> * Purpose of New Processing
>>> * Vital Interest
>>>
>>> I propose we start with this (and the text from GDPR) as our
>>> starting point for discussion.
>>>
>>> Best,
>>> Harsh
>>>
>>> On 17/10/18 8:35 AM, Axel Polleres wrote:
>>> Dear all,
>>>
>>> I agree that we would need then not only to talk about consent but
>>> in general a categorisation or "taxonomy" of "justification for
>>> processing" or alike (using these as top-level categories), right?
>>>
>>> best regards,
>>> Axel
>>> -- 
>>> Prof. Dr. Axel Polleres
>>> Institute for Information Business, WU Vienna
>>> url: http://www.polleres.net/  twitter: @AxelPolleres
>>>
>>> On 17.10.2018, at 17:19, Sabrina Kirrane <sabrina.kirrane@wu.ac.at> wrote:
>>>
>>> Hi Axel & all,
>>>
>>> As a followup to Rigo's comment yesterday on other lawful means of
>>> processing, here is the relevant text from the GDPR:
>>>
>>> 1. Processing shall be lawful only if and to the extent that at least
>>> one of the following applies:
>>>
>>> (a) the data subject has given consent to the processing of his or her
>>> personal data for one or more specific purposes;
>>>
>>> (b) processing is necessary for the performance of a contract to which
>>> the data subject is party or in order to take steps at the request of
>>> the data subject prior to entering into a contract;
>>>
>>> (c) processing is necessary for compliance with a legal obligation to
>>> which the controller is subject;
>>>
>>> (d) processing is necessary in order to protect the vital interests of
>>> the data subject or of another natural person;
>>>
>>> (e) processing is necessary for the performance of a task carried out
>>> in the public interest or in the exercise of official authority vested
>>> in the controller;
>>>
>>> (f) processing is necessary for the purposes of the legitimate
>>> interests pursued by the controller or by a third party, except where
>>> such interests are overridden by the interests or fundamental rights
>>> and freedoms of the data subject which require protection of personal
>>> data, in particular where the data subject is a child.
>>>
>>> Point (f) of the first subparagraph shall not apply to processing
>>> carried out by public authorities in the performance of their tasks.
>>>
>>>
>>> Best Regards,
>>> Sabrina
>>>
>>> -- 
>>> Postdoctoral researcher,
>>> Institute for Information Business
>>> Vienna University of Economics and Business
>>> Tel: +43-1-31336-4494
>>> E-mail: sabrina.kirrane [at] wu.ac.at
>>> Homepage: www.sabrinakirrane.com
>>
> 

-- 
---
Harshvardhan J. Pandit
PhD Researcher
ADAPT Centre, Trinity College Dublin
https://harshp.com/

Received on Monday, 22 October 2018 15:48:09 UTC