GDPR: Processing and Lawfulness (5-6)

Continuing the GDPR series, in which we break down the Regulation article by article, we arrive at Articles 5 and 6. These articles set out the principles that apply whenever personal data is processed and the conditions under which that processing is lawful.

Article 5:

The controller is responsible for ensuring that personal data is:

  1. Processed lawfully and fairly in relation to the data subject.
  2. Collected for a specific purpose that is detailed in the privacy notice and not further processed for reasons incompatible with the original purpose(s); further processing in the public interest, for scientific purposes, or for historical research is not treated as incompatible with the original purpose.
  3. Subject to “data minimization”: only data compatible with the original purpose is processed and nothing more.
  4. Kept accurate and up to date; every reasonable step must be taken to correct inaccuracies.
  5. Kept in a form that permits the identification of data subjects for no longer than is necessary for the purposes originally specified.
  6. Processed in a manner that ensures appropriate security and protects against destruction and data loss.

Article 6:

Processing shall be lawful only if and to the extent that at least one of the following applies:

  1. The data subject has given consent to the processing of their data;
  2. Processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract;
  3. Processing is necessary for compliance with a legal obligation to which the controller is subject;
  4. Processing is necessary in order to protect the vital interests of the public;
  5. Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority;
  6. Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject; this ground does not apply to processing carried out by public authorities in the performance of their tasks.

Member States may introduce more specific provisions to adapt the application of the Regulation's rules, making its restrictions more precise and specific to that State.

The basis for processing under items 3 and 5 above must be laid down in Union law or in the Member State law to which the controller is subject. Processing must therefore rest on a legal basis and any specific provisions that apply, on the consent of the data subject, or on the need to safeguard the public interest.

See more details for this article here. The additional details include security-related safeguards over data processing.

How does this apply to you and me?

Article 5 is important to understand because it outlines how a data controller may “touch” or collect your information. It assures us that the organization collecting and/or processing our data will do so fairly, legally, accurately, securely, and minimally (i.e. collecting only what is needed for the stated purpose). This article allows us, the customers, to hold processors accountable for what they do with our data and for how long they retain it. Article 5 therefore applies heavily to you and me because it outlines the leverage we have over the processor.

Article 6 builds on Article 5 by detailing the legality of the processing. This covers our consent to collection and processing, when processing is necessary, and when processing may be performed without consent. You and I should understand that if our personal information is processed outside every one of the grounds listed in Article 6, we have an opportunity to hold the organization accountable to the letter of the law. In other words, if a company collects and/or processes your information without your consent, not in the public interest, not in performance of a contract, and not to comply with a legal obligation, it is not operating within the boundaries of the Regulation.

HARVEY AND ROSS

Looking back at our earlier example, we can make a few observations about how Ross collected and processed data while also obtaining consent from Harvey. Harvey understood the purpose of the processing and gave his formal consent to the procedure. The information was collected and processed under a contract that Ross and Harvey entered into together, one that would ultimately benefit the public in the long term. Ross's failure is that he did not disclose that the data is transmitted to a third-party lab for processing, which goes against the Regulation in more ways than one. The consent form signed by Harvey assures him that his data is collected fairly, accurately, minimally, securely, and for a stated purpose (Article 5). Additionally, Ross states the purpose for which the processing is performed, and Harvey consents to it (Article 6). On its face, then, what Ross did with Harvey's data meets the requirements of the articles discussed here. However, we need to remember that Ross did not tell Harvey that the information would also be processed by an affiliated lab assisting with the procedure, so there is still some non-compliance on Ross's part. A skilled privacy lawyer would be able to make a case around the instances where Ross did not disclose everything about how Harvey's data would be handled. Because of this failure, Ross's clinic does not meet the requirements set out in its own consent form and must seek additional consent from Harvey and the other volunteers, as well as disclose what the third-party lab will be doing with their data.

In conclusion, Article 5 outlines the processing principles organizations must adhere to, and Article 6 outlines the legality of processing and when it is and is not permitted.

These are my thoughts and should not be taken as professional advice simply because you are not paying me for my opinion.

Once you understand how valuable your information is, then you can begin taking steps to keep it private.
