The General Data Protection Regulation (the “GDPR”) comes into effect on 25 May 2018. As mentioned previously (General Data Protection Regulation – Does it apply to you?) the GDPR has wide application including application to establishments outside the European Union that process personal data in connection with offering goods or services within the EU. In order to achieve compliance any party to whom the GDPR applies will need to ensure that it can show that any personal data is processed lawfully as stated by the GDPR.
The GDPR defines personal data as
“… any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier …”.
Processing is defined as
“…any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”.
Any party controlling or processing personal data as defined above will need to show positively that the processing is lawful. Article 6.1 of the GDPR states:
Processing shall be lawful only if and to the extent that at least one of the following applies:
- (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- (c) processing is necessary for compliance with a legal obligation to which the controller is subject;
- (d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Where processing is based on the consent of the data subject (see (a) above) the controller should be able to demonstrate that the data subject has given consent to the processing operation¹. It is clear that consent needs to be positive. Silence, pre-ticked boxes or inactivity would not constitute consent.
Under the GDPR:
- For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended.
- The data subject should have the right to withdraw his or her consent at any time². Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.
- Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations.³
- Consent is presumed not to be freely given if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.
Any party to whom the GDPR applies is recommended to review what personal data it might control or process and to establish what grounds listed in Article 6.1 above would apply to make any such processing lawful.
If consent of the data subject is to be relied upon, then such consent should be recorded. Consent given in the past may not satisfy the requirements of the GDPR and, if in doubt, should be refreshed by obtaining further consent from the data subject.
¹ GDPR Recital 42
² GDPR Article 7(3)
³ GDPR Recital 43