
Re: Lawfulness of processing

From: Eva Schlehahn <uld67@datenschutzzentrum.de>
Date: Tue, 23 Oct 2018 13:19:05 +0200
To: public-dpvcg@w3.org
Message-ID: <829c2765-3b43-ee7a-0df3-a7a37e068f6f@datenschutzzentrum.de>

Hi all,

@Harsh: You are quite correct in recognizing that the GDPR is directly 
binding on the EU Member States and about the 'augmentation' 
possibility. Also correct is that the GDPR as EU regulation typically 
sets the minimum protection standard for personal data that the 
countries should not undermine with their national law. It is 
foreseeable that some EU Member States will try this nonetheless with 
their national laws (which is also the case in Germany).

This of course triggers legal debates and may even trigger court 
proceedings due to the incompatibility with the GDPR. It has been 
partially recognised already that an adaptation of the previously 
non-compliant laws is necessary. Elsewise, the concerned countries risk 
that large parts of the current national provisions are disregarded by 
data protection authorities and courts. Or, that those provisions get 
only an interpretation in conformity with the Regulation.

Therefore, when in doubt, I'd always stick with the GDPR. :)

Greetings,

Eva


On 22.10.2018 at 17:47, Harshvardhan J. Pandit wrote:
> Hi Simon, Eva.
> I am not a legal expert, so I only have guesses regarding this.
> GDPR is a regulation, so doesn't it mean that its obligations are 
> mandatory and cannot be "removed" by member states?
> In the same vein, I suppose that national laws may augment these 
> obligations, but cannot "infringe" upon the rights provided by the 
> regulation?
> For example, a national law may dictate that user tracking is 
> legitimate interest, but if it infringes upon the rights provided by 
> the GDPR, then it would not be legally compatible?
>
> P.S. Simon thanks for raising this question.
>
> Regards,
> Harsh
>
> On 22/10/18 3:49 AM, Simon Steyskal wrote:
>> Hi Eva!
>>
>>> Please note that all these justifications/legal bases for sensitive 
>>> data can be addressed by the EU Member States in national laws in 
>>> order to maintain or introduce further conditions, including 
>>> limitations, with regard to the processing of genetic data, 
>>> biometric data or data concerning health.
>>> Also noticeable is that the justification of 'legitimate interest' is
>>> NOT possible when sensitive data are concerned.
>>
>> Just out of curiosity, can an EU Member State also >remove< certain 
>> conditions using national laws? Or similarly, explicitly allow the 
>> justification of 'legitimate interest' with the help of national laws?
>>
>> br, simon
>>
>> ---
>> DDipl.-Ing. Simon Steyskal
>> Institute for Information Business, WU Vienna
>>
>> www: http://www.steyskal.info/  twitter: @simonsteys
>>
>> On 2018-10-19 16:32, Eva Schlehahn wrote:
>>> Dear Axel, dear Harsh, dear all,
>>>
>>> A higher level category 'justification for processing', of which
>>> 'consent' is one subcategory, makes sense.
>>>
>>> However, I really think we should focus on the default list of Art. 6
>>> GDPR first, which is:
>>>
>>>     * Consent - Art. 6 para. 1 (a)
>>>     * Contract - Art. 6 para. 1 (b)
>>>         * Processing is necessary for the performance of a contract
>>>           with the data subject
>>>     * Legal obligation - Art. 6 para. 1 (c)
>>>         * This means a law allows or even requires processing for
>>>           compliance
>>>         * This can e.g. entail that an organisation must process
>>>           certain personal data to fulfil its legal duties. An example
>>>           is the obligation to store billing data for a longer time
>>>           for tax authorities. Another example would be the need to
>>>           comply with justified law enforcement access inquiries.
>>>     * Vital interests of the data subject - Art. 6 para. 1 (d)
>>>         * Processing is necessary to protect vital interests of the
>>>           data subject - the classic example is the medical emergency
>>>     * Task carried out in the public interest or in the exercise of
>>>       official authority vested in the controller - Art. 6 para. 1 (e)
>>>         * This entails the processing that e.g. a governmental
>>>           institution needs to do to perform its tasks. An example for
>>>           public interest is e.g. tax authorities pursuing cases of
>>>           money laundering (fighting crime is a public interest). An
>>>           example for the latter is e.g. a registry office needing
>>>           your information like name and address to register where
>>>           you live and to give out passports.
>>>     * Legitimate interest - Art. 6 para. 1 (f)
>>>         * Processing necessary for the purposes of the legitimate
>>>           interests pursued by the controller or by a third party,
>>>           except where such interests are overridden by the interests
>>>           or fundamental rights and freedoms of the data subject.
>>>
>>> I see that Harsh has introduced more aspects in his list. My
>>> assumption is that this is caused by the fact that the GDPR foresees
>>> some specific rules and exemptions and he also looked at the
>>> justifications mentioned for sensitive data, too. However, I think we
>>> should try to differentiate to maintain a clearer picture of when
>>> which legal basis can apply.
>>>
>>> Regarding the 'specifics' and exemptions, we should have in mind that:
>>>
>>>     * public authorities cannot refer to the justification 'legitimate
>>>       interest' for the performance of their tasks
>>>     * the EU or EU Member States can specify the justifications 'Legal
>>>       obligation' and 'Task carried out in the public interest or in
>>>       the exercise of official authority vested in the controller'.
>>>         * These specifications must fulfill some minimum requirements
>>>           regulated in the GDPR (Art. 6 para. 3 (a) + (b)).
>>>         * An example for such a specification in national law could
>>>           e.g. be employment law.
>>>     * a controller can process data for further purposes, as long as
>>>       those are compatible with the original purpose(s).
>>>         * This is actually not another legal basis! Rather, it is in
>>>           this case assumed that the legal ground of the original
>>>           processing extends to the new purposes.
>>>         * Compatible purpose is bound to specific requirements, which
>>>           can be tricky for a controller to document properly (Art. 6
>>>           para. 4).
>>>
>>> If we want to address sensitive data too (Art. 9 GDPR), we need an
>>> additional list of justifications applicable for this type of personal
>>> data.
>>>
>>>     * This is because the justifications for the processing of
>>>       sensitive data are partially different, are made much more
>>>       specific and often have in their individual GDPR provisions very
>>>       strict preconditions that must be fulfilled. Only the following
>>>       justifications are possible:
>>>         * Explicit consent
>>>         * Union or Member State law or valid collective agreement only
>>>           when:
>>>             * processing is necessary for carrying out the obligations
>>>               and exercising specific rights of the controller or of
>>>               the data subject
>>>             * AND the law or collective agreement provides for
>>>               appropriate safeguards and concerns the field of:
>>>                 * employment law
>>>                 * social security law
>>>                 * social protection law
>>>         * Vital interests
>>>         * Legitimate activities with appropriate safeguards by a
>>>           foundation, association or any other not-for-profit body
>>>           with a political, philosophical, religious or trade union aim
>>>             * This data can only concern members or former members of
>>>               these bodies or persons who have regular contact with it
>>>               in connection with its purposes
>>>             * Data is not allowed to be disclosed outside without data
>>>               subject consent
>>>         * Data already made manifestly public by data subject
>>>         * Establishment, exercise or defence of legal claims or
>>>           whenever courts are acting in their judicial capacity
>>>         * Substantial public interest, on the basis of Union or Member
>>>           State law
>>>         * Specific medical justifications with preconditions mentioned
>>>           in Art. 9 para. 2 (h), such as purposes of preventive or
>>>           occupational medicine
>>>             * Here, the GDPR especially highlights the importance of
>>>               professional secrecy, see Art. 9 para. 3 GDPR
>>>         * Public interest in the area of public health
>>>         * Archiving purposes in the public interest, scientific or
>>>           historical research purposes or statistical purposes (also
>>>           with certain preconditions)
>>>             * Here, the GDPR also imposes certain preconditions to be
>>>               met, such as the implementation of safeguards, see
>>>               Art. 89 para. 1 GDPR.
>>>             * Moreover, EU Member States are allowed to regulate
>>>               specifics and derogations in their national laws again.
>>>
>>> Please note that all these justifications/legal bases for sensitive
>>> data can be addressed by the EU Member States in national laws in
>>> order to maintain or introduce further conditions, including
>>> limitations, with regard to the processing of genetic data, biometric
>>> data or data concerning health.
>>> Also noticeable is that the justification of 'legitimate interest' is
>>> NOT possible when sensitive data are concerned.
>>>
>>> Oof, that was quite a lot of info at once - and hopefully, not too
>>> confusing. :-D
>>>
>>> Just my input to the processing justifications possible when personal
>>> data are concerned. I am curious to hear your own thoughts on it. But
>>> for now, I wish everyone a great weekend! :)
>>>
>>> Greetings,
>>>
>>> Eva
>>>
>>> Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein
>>> Eva Schlehahn, uld67@datenschutzzentrum.de
>>> Holstenstraße 98, 24103 Kiel, Tel. +49 431 988-1204, Fax -1223
>>> mail@datenschutzzentrum.de - https://www.datenschutzzentrum.de/
>>>
>>> Information about the processing of personal data by the State
>>> Commissioner for Data Protection and about encrypted e-mail
>>> communication:
>>> https://datenschutzzentrum.de/datenschutzerklaerung/
>>>
>>> On 17.10.2018 at 17:58, Harshvardhan J. Pandit wrote:
>>>
>>>> Hi Axel, Sabrina.
>>>> I agree that we should also have a taxonomy of "legal basis" for
>>>> processing.
>>>>
>>>> From the text of GDPR Sabrina shared earlier, I have the following
>>>> legal basis listed in GDPRtEXT:
>>>> * Contract with Data Subject
>>>> * Exempted by National Law
>>>> * Employment Law
>>>> * Given Consent
>>>> * Historic, Statistical, or Scientific Purposes
>>>> * Legal claims
>>>> * Legal obligation
>>>> * Legitimate Interest
>>>> * Made public by Data Subject
>>>> * Medical, Diagnostic, or Treatment
>>>> * Not for Profit Org.
>>>> * Public Interest
>>>> * Purpose of New Processing
>>>> * Vital Interest
>>>>
>>>> I propose we start with this (and the text from GDPR) as our
>>>> starting point for discussion.
>>>>
>>>> Best,
>>>> Harsh
>>>>
>>>> On 17/10/18 8:35 AM, Axel Polleres wrote:
>>>> Dear all,
>>>>
>>>> I agree that we would need then not only to talk about consent but
>>>> in general a categorisation or "taxonomy" of "justification for
>>>> processing" or alike (using these as top-level categories), right?
>>>>
>>>> best regards,
>>>> Axel
>>>> -- 
>>>> Prof. Dr. Axel Polleres
>>>> Institute for Information Business, WU Vienna
>>>> url: http://www.polleres.net/  twitter: @AxelPolleres
>>>>
>>>> On 17.10.2018, at 17:19, Sabrina Kirrane <sabrina.kirrane@wu.ac.at>
>>>> wrote:
>>>>
>>>> Hi Axel & all,
>>>>
>>>> As a followup to Rigo's comment yesterday on other lawful means of
>>>> processing, here is the relevant text from the GDPR:
>>>>
>>>> 1. Processing shall be lawful only if and to the extent that at
>>>> least one of the following applies:
>>>>
>>>> (a) the data subject has given consent to the processing of his or
>>>> her personal data for one or more specific purposes;
>>>>
>>>> (b) processing is necessary for the performance of a contract to
>>>> which the data subject is party or in order to take steps at the
>>>> request of the data subject prior to entering into a contract;
>>>>
>>>> (c) processing is necessary for compliance with a legal obligation
>>>> to which the controller is subject;
>>>>
>>>> (d) processing is necessary in order to protect the vital interests
>>>> of the data subject or of another natural person;
>>>>
>>>> (e) processing is necessary for the performance of a task carried
>>>> out in the public interest or in the exercise of official authority
>>>> vested in the controller;
>>>>
>>>> (f) processing is necessary for the purposes of the legitimate
>>>> interests pursued by the controller or by a third party, except
>>>> where such interests are overridden by the interests or fundamental
>>>> rights and freedoms of the data subject which require protection of
>>>> personal data, in particular where the data subject is a child.
>>>>
>>>> Point (f) of the first subparagraph shall not apply to processing
>>>> carried out by public authorities in the performance of their tasks.
>>>>
>>>>
>>>> Best Regards,
>>>> Sabrina
>>>>
>>>> -- 
>>>> Postdoctoral researcher,
>>>> Institute for Information Business
>>>> Vienna University of Economics and Business
>>>> Tel: +43-1-31336-4494
>>>> E-mail: sabrina.kirrane [at] wu.ac.at
>>>> Homepage: http://www.sabrinakirrane.com
>>>
>>>
>>>
>>
>
Received on Tuesday, 23 October 2018 11:19:38 UTC
