In the previous blog, Dawn of the GDPR – Are you Ready?, we went through some of the changes that will affect organizations and how you can prepare your business for the upcoming regulations. As described in that blog, companies should be able to answer a few fundamental questions on personal data processing. In this blog, we dive deeper into one of them: on what grounds can you collect personal data?

As per Article 5 of the data protection regulation, personal data should be processed in accordance with principles such as lawfulness, purpose limitation, and data minimization. Data collection must be carried out on lawful grounds for a specific purpose. This means that data cannot be collected in the hope of it being useful in the future. There needs to be an explicit lawful purpose for the collection. Article 6 of the data protection regulation lists six grounds on which an organization can process personal data. For an organization to justify its data collection, one of these grounds must be met.

Consent of Data Subject

Personal data can be processed if the data subject has freely given informed and specific consent to personal data processing. This ground is not met where the consent for data processing is a part of a broader contract. The request for consent, therefore, needs to be clearly outlined and separated from the broader contract.

Performance of a Contract

Personal data can be processed if it is necessary to perform a contract where the data subject is a party. An employment contract between an employer and employee is an example of such a contract. It would not be possible to perform an employment contract without the processing of personal data.

Legal Obligation of Controller

The processing of personal data is also allowed when it is necessary to comply with the data controller’s legal obligations. When the ground for processing is a legal obligation, the obligation must be grounded in the legislation of either the European Union or its Member States. For instance, in the context of employment, the employer must retain and process employee personal data to comply with various employer obligations.

Vital Interest or Public Interest

Personal data can be processed when the processing is necessary to protect the vital interests of the data subject or of any natural person. Personal data processing is also allowed when the processing is required to perform tasks in the name of public interest or official authority. Grounds for processing data subjects’ information may be both vital interest and public interest. According to the preface in the data protection regulation, such processing grounds may be met when attempting to stop the spread of epidemics or during humanitarian catastrophes caused by, for example, natural disasters.

Legitimate Interest

Personal data can be processed if the processing is required for the controller’s or a third party’s legitimate interests to be met, except in situations where the data subject’s interests or fundamental rights and liberties take precedence over the legitimate interests. This applies especially when the data subject is a child. The grounds for a legitimate interest must be considered carefully. For instance, the processing of personal data for marketing purposes is seen to meet the grounds of legitimate interest of the controller.

So, when you collect data, consider the necessity of the data you collect and make sure that you meet one of the above grounds to comply with the GDPR. When you are sure that your processes are lawful, remember to have appropriate documentation.

Piia Hoffsten
Chief Operating Officer
piia.hoffsten (a)
+358 40 5877 303
