International Data Protection Laws - Amit Luhach - Page 11
Lawful Processing
Technical and Organizational Measures
The GDPR requires the controller and the processor, both at the time of determining the means of processing and at the time of the processing itself, to implement appropriate TOMs to safeguard the rights and freedoms of the data subject and to ensure appropriate security of personal data against unauthorized and unlawful processing and accidental loss.1 The functions, processes, controls, systems, procedures and measures that controllers and processors should implement to ensure secure processing and storage of personal data, avoid data breaches and facilitate compliance with the GDPR are all part of the TOMs. This may be done by pseudonymization and encryption of personal data; by ensuring the confidentiality, integrity, availability and resilience of processing systems and services; and by the ability to restore the availability of and access to personal data promptly in the event of a physical or technical incident. The GDPR mandates regular testing, assessing and evaluating of the effectiveness of these TOMs for ensuring the security of the processing. However, in applying TOMs, the controller and the processor are required to take into account the state of the art, the cost of implementation, the risks to the rights and freedoms of natural persons, and the nature, scope, context and purposes of the processing.2 TOMs are an integral part of the IT security framework; other important legislation in this area is the European Cybersecurity Act of the European Network and Information Systems Agency (ENISA), which aims to improve the level of cybersecurity in the EU and establishes a harmonized approach to the cybersecurity certification of information and communications technology products, services and processes. The Act requires the Member States to designate one or more national cybersecurity certification authorities. It also sets up assessment bodies to determine conformity with the Act and requires the Member States to lay down penalties for certification violations and infringements of European cybersecurity certification schemes.3
Personal Data Processing
The processing of personal data is lawful only when it is based on one of the grounds set out in Article 6 of the GDPR4:
the data subject's consent5
the performance of a contract with the data subject6
compliance with a legal obligation7
protection of the vital interests of the data subject8
performance of a task carried out in the public interest or in the exercise of the controller's official authority9
the legitimate interests of the controller or a third party, unless these are overridden by the interests or fundamental rights and freedoms of the data subject. This ground does not apply to processing carried out by public authorities in the performance of their tasks10.
Consent
Consent is defined as a freely given, informed, specific and unambiguous indication of the data subject's wishes by a clear affirmative action, signifying agreement to the processing of personal data.11 Explicit consent is required to process special categories of data12 if no other ground exists. The conditions for valid consent are set out in Articles 7 and 8 (special rules for a child's consent in relation to information society services). Consent given by the data subject must be explicit for one or more specific purposes. The context must be taken into consideration when deciding this. For example, consent given by an employee in an employer-employee relationship is considered freely given only in exceptional circumstances, where no consequence is attached to acceptance or rejection of an offer.13 Informed consent means that the data subject knows the identity of the controller and the purposes of the processing.14 The burden of proof lies with the controller. The request for consent shall not be bundled with other matters and must be specific to the purposes; it should be presented in a clearly distinguishable, intelligible and easily accessible form, using clear and plain language. The data subject has the right to withdraw consent at any time. However, processing carried out on the basis of that consent before its withdrawal is not affected by the withdrawal, and the data subject must be informed of this before giving consent. Consent should be as easy to withdraw as it is to give. In determining whether consent was freely given, regard should be had to whether the performance of a contract, including the provision of a service, is made conditional on consent to the processing of personal data that is not necessary for that contract.15 The CJEU has stated that "citizens of the Union wishing to make such journeys are not free to object to the processing of their fingerprints. In those circumstances, persons applying for passports cannot be deemed to have consented to that processing".16 The European Data Protection Board (EDPB)17 has updated its guidelines on consent, which help in interpreting the validity of consent provided by a data subject when interacting with a cookie wall, or when scrolling or swiping through a web page.18 Special conditions apply to a child's consent where the child's personal data is to be processed. In such a case, consent must be given by the holder of parental authority. Member States may lower the age requirement to 13 years. The responsibility for verifying such consent lies with the controller. These provisions are without prejudice to the contract law of the Member States as regards the rules on the validity, formation or effect of a contract concerning a child.
Performance of Contract
The CJEU has held that in the case of a contractual relationship between controller and data subject, "processing of personal data is permissible only if it is necessary for compliance with a legal obligation to which the controller is subject or is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller".19 Under the GDPR, such processing must be based on either Union law or Member State law. The GDPR does not require a specific law for each processing operation. The legitimate purposes of the processing also need to be determined by Union or Member State law. The legitimate interests of a controller may provide a legal basis for processing, provided that the interests or fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. A legitimate interest could exist, for example, where there is a relevant and appropriate relationship between the data subject and the controller, such as where the data subject is a client of, or in the service of, the controller.20
Vital interests
The processing of personal data to protect the vital interests of the data subject or of another natural person is allowed only where it manifestly cannot be based on any other legal basis. Some types of processing may serve both important grounds of public interest and the vital interests of the data subject, for instance when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread, or in situations of humanitarian emergency.21
Processing of Sensitive Data
The GDPR prohibits the processing of sensitive data, which includes racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, and data concerning health, sex life or sexual orientation, unless one of the stricter exceptions in Article 9 applies.22 Processing of sensitive data is lawful only if one of the following grounds is met:
the data subject's explicit consent23
processing for the purposes of employment, social security and social protection law24
protection of the vital interests of a natural person where consent cannot be obtained25
legitimate activities of a non-profit body with political, philosophical, religious or trade union aims26
data manifestly made public by the data subject27
in connection with legal claims28
substantial public interest29
preventive or occupational medicine, assessing the working capacity of an employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services30
public interest in the area of public health31
archiving in the public interest, scientific or historical research, or statistics32