Understanding the GDPR Conditions & Rights


Initially published in 2017 ahead of the General Data Protection Regulation (GDPR) enforcement, this article has been updated for those new to the UK GDPR. Understand some of the GDPR Conditions & Rights that apply under the UK’s data protection Regulation and see how to comply with your obligations.

Lawfulness of Processing Conditions

The onus is on a firm’s processors and/or controllers to identify and evidence their legal and/or contractual basis for processing, prior to carrying out any processing. The Regulation sets out the GDPR Conditions & Rights in straightforward text, which is supported by guidance notes on the Information Commissioner’s Office website.

Once a legal basis has been established for processing data, this must be recorded and evidence of the determination retained. The processing of personal data is only considered as being lawful where one or more of the below Article 6 clauses apply: –

  • (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes
  • (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
  • (c) processing is necessary for compliance with a legal obligation to which the controller is subject
  • (d) processing is necessary in order to protect the vital interests of the data subject or of another natural person
  • (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  • (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child

Article 6 also speaks to the continued transparency of the information provided to data subjects for the collection, processing and storage of personal data. Such information must be provided to individuals at the point their personal data is collected and must be clear and transparent as to the collection of data, its use or intended use, and any reliance on consent to process. With an individual’s right to withdraw consent being a part of the GDPR, it is even more important for firms to ensure that they are collecting data in a clear, easily accessible and transparent manner.

Extended Jurisdiction

Article 3 of the GDPR sets out the territorial scope of the Regulation for those processing data and was considered one of the biggest changes to the then data privacy laws.

Jurisdiction and territorial scope in the UK’s Data Protection Act 1998 (DPA) were somewhat ambiguous. However, the GDPR made it clear that the Regulation applies to the processing of personal data of data subjects who are in the UK, regardless of whether the processing takes place in the UK or not. The Regulation also applies to the processing of personal data by a controller not established in the UK, but in a place where UK law applies by virtue of public international law and/or where the processing activities are related to: –

  • The offering of goods or services to UK citizens (irrespective of whether a payment is required).
  • The monitoring of a data subject’s behaviour as far as their behaviour takes place within the UK.

Consent

The conditions for consent were greatly strengthened in the UK GDPR. The responsibility is now on those processing personal data to demonstrate that they have obtained the data subject’s consent in a clear, intelligible and transparent manner. Consent notices must be jargon free and easily accessible and must note the right to withdraw. The purpose of the data processing must be made clear and consent must be verifiable. Maintaining up-to-date, accurate and clear consent records is a mandatory requirement where consent has been used.

Where the individual gives consent in the form of a written declaration that also covers other matters, that consent has to be clear and easily distinguishable. It should stand apart from the other matters discussed in the content and ensure that the data subject knows they are giving consent for their data to be processed and stored.

As part of the GDPR, data subjects have the right to withdraw their consent at any time. This does not affect the lawfulness of the processing based on consent before its withdrawal. Firms must make sure that an individual can withdraw their consent as easily and as clearly as they gave it.

Processing of Special Categories Personal Data

Referred to as ‘sensitive personal data’ under the previous DPA, the GDPR lists ‘special categories’ as personal data that can or may reveal: –

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic or biometric data for the purpose of uniquely identifying a natural person
  • Data concerning health or a natural person’s sex life or sexual orientation

Processing of special category personal data is strictly prohibited, unless the data subject has given explicit consent to the processing of such personal data for one or more specified purposes. The processing of special category personal data is permitted where that processing is: –

  1. necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject
  2. necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent
  3. carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects
  4. related to personal data which are manifestly made public by the data subject
  5. necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity
  6. necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject
  7. necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3
  8. necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy
  9. necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

The Right to Erasure

Also known as ‘The Right to be Forgotten’, data erasure entitles the data subject to have the data controller erase their personal data and cease any further processing and/or dissemination of the data. It could also see any related third parties forced to cease processing the data as well.

Article 17 of the GDPR states that data subjects have the right to request erasure where: –

  • the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed.
  • the data subject withdraws consent on which the processing is based according to point (a) of Article 6 or point (a) of Article 9, and where there is no other legal ground for the processing.
  • the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2).
  • the personal data has been unlawfully processed.
  • the personal data has to be erased for compliance with a legal obligation in UK law to which the controller is subject.
  • the personal data has been collected in relation to the offer of information society services referred to in Article 8(1).

If personal data has been made public and there is a valid request to erase, data controllers will be obligated (within reason of costs and taking account of available technology) to take reasonable steps to inform all other known controllers of the individual’s valid erasure request.

The data subject’s right to erasure and the data controller’s obligation to inform third party controllers do not apply to the extent that processing is necessary for: –

  1. exercising the right of freedom of expression and information.
  2. compliance with a legal obligation which requires processing by UK law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  3. reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3).
  4. archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing.
  5. the establishment, exercise or defence of legal claims.

Sanctions, Penalties and Compensation

Under the GDPR, firms that breach the regulations have been fined far more than was allowed under the previous data protection regime. The greater penalties include fines of up to 4% of annual global turnover or €20 Million (whichever is greater).

Records of Processing

Under the GDPR, it is mandatory to keep strict and transparent records of all processing activities. Such records must be in writing, including in electronic form, and must be available to the supervisory authority on request.

Each processing record must contain all of the following information: –

  • the name and contact details of the controller.
  • any joint controller (where applicable).
  • the controller’s representative (where applicable).
  • the data protection officer.
  • the purposes of the processing.
  • a description of the categories of data subjects and of the categories of personal data.
  • the categories of recipients to whom the personal data has been or will be disclosed, including recipients in third countries or international organisations.
  • transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and the documentation of suitable safeguards (where applicable).
  • where possible, the envisaged time limits for erasure of the different categories of data and a general description of the technical and organisational security measures referred to in Article 32(1).

Each processor and, where applicable, the processor’s representative must maintain a record of: –

  • all categories of processing activities carried out on behalf of a controller.
  • the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting (and where applicable, the name and contact details of the controller/processor’s representative and the data protection officer).
  • the categories of processing carried out on behalf of each controller.
  • transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and the documentation of suitable safeguards (where applicable).
  • where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

The above obligations do not apply to an enterprise or organisation employing fewer than 250 people, unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.

Further Guidance on the GDPR Conditions & Rights

If you are a business or individual with obligations under the UK GDPR, take a look at the ICO UK GDPR Guidance and Resources section on their website. This guide is packed with free and useful information on what the GDPR is and how you can implement it into your business.

Read more about our exclusive GDPR Policy Templates and Data Protection Training Packages.