The definition of lawfulness is given in Art. 6(1) GDPR. It reads as follows:
Processing shall be lawful only if and to the extent that at least one of the following applies:
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.
Whereas purposes of processing must be specified and explicit (see Art. 5(1)(b)), and therefore also sufficiently narrow and specific, the points listed in Art. 6(1) are clearly categories of purposes. (Where the word purpose is used explicitly in this sense, it is written in italics.) They are commonly called legal bases (footnote 1) and are referenced by their position in Article 6; for example, consent is the legal basis of Art. 6(1)(a).
The GDPR provides two Articles that state further requirements for lawfulness in two particular cases: sensitive data and data concerning criminal convictions. These are the following:
Art. 9 GDPR states that the processing of particularly sensitive data (“special categories of personal data”) is in principle prohibited and lists 10 exceptions to that rule in Art. 9(2)(a) to (j). The exceptions are comparable in structure to the legal bases of Art. 6. The Article specifies the following categories of data as particularly sensitive (the first four as personal data revealing them):
- racial or ethnic origin,
- political opinions,
- religious or philosophical beliefs,
- trade union membership,
- genetic data,
- biometric data for the purpose of uniquely identifying a natural person,
- data concerning health, or
- data concerning a natural person’s sex life or sexual orientation.
For such data, more stringent requirements apply in order for their processing to be considered lawful. For example, instead of the ordinary consent of Art. 6(1)(a), the processing of sensitive data requires a more demanding form of consent called explicit consent (see Art. 9(2)(a) GDPR). Note that the exception of Art. 9(2) comes in addition to, not instead of, a legal basis under Art. 6(1).
Like Art. 9 does for particularly sensitive data, Art. 10 GDPR further restricts the processing of “personal data relating to criminal convictions and offences or related security measures”. In particular, in addition to having a legal basis under Art. 6(1), the processing must be “carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects”.
There are several Articles and Recitals in the GDPR that specify the concept of consent (of Art. 6(1)(a) GDPR) in further detail. The most important are the following:
- Art. 4(11) which defines consent;
- Art. 7 which lists conditions for consent; and
- Art. 8 which regulates conditions applicable to a child’s consent in relation to information society services.
Considering that consent is a complex concept, the European Data Protection Board has issued authoritative Guidelines 05/2020 on consent under Regulation 2016/679 (footnote 2).
Besides consent, the concept of legitimate interest pursued by the controller (Art. 6(1)(f) GDPR) is also difficult to fully understand. What is crucial here is the restriction “except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject”. This means that the legitimate interest of the controller must be balanced against the interests of data subjects. To determine whether the controller’s interest prevails, the controller has to conduct a so-called balancing test. How to do this is described in XXXX in the chapter Major Actions and Tools. It is predominantly based on the Article 29 Working Party’s authoritative Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC (footnote 3). While this opinion is based on the Data Protection Directive that pre-dated the GDPR, it is in general still applicable to the interpretation of Art. 6(1)(f) GDPR. It is recommended for further reading on the subject.
Arguably, the whole GDPR is about fairness. The following points out some articles of the GDPR that illustrate this particularly well.
One area where fairness is evident is the requirement of transparency. Here, Art. 12(1) states that controllers shall provide information “to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child.” Evidently, this prohibits the unfair practice of providing the required information in a form that is inaccessible to data subjects.
Similarly, consent cannot be implicit; it requires an indication of the data subject’s wishes “by a statement or by a clear affirmative action” (see Art. 4(11) GDPR). The same Article further states that consent must be “freely given, specific, informed and unambiguous”. Further, a data subject must be able to withdraw consent at any time, without need for justification, and it must be as easy to withdraw consent as it was to give it (Art. 7(3) GDPR). These stringent requirements for consent directly prohibit many manipulative practices, including the “nudging” of data subjects.
Several data subject rights can directly be associated with fairness. These include:
- The right to rectification (Art. 16 GDPR), which prevents data subjects from suffering negative consequences due to inaccurate data;
- The right to restriction of processing (Art. 18 GDPR), which prevents controllers from further using data that have been reported to be inaccurate or that pertain to processing the data subject has objected to;
- The right to data portability (Art. 20 GDPR), which prevents lock-in situations and a possible loss (e.g. of investment, see footnote 5) when users change their relationship with the controller;
- The right to object (Art. 21 GDPR), where, in the case of a legal basis of Art. 6(1)(f) GDPR, data subjects can present the grounds relating to their particular situation under which their interests prevail over the legitimate interests of the controller;
- The right not to be subject to a decision based solely on automated processing (Art. 22 GDPR), which also provides the right to obtain human intervention on the part of the controller (see Art. 22(3)).
Another indication of fairness is where the controller must take the data subjects’ point of view into consideration. This is for example evident in Recital 50 GDPR, which requires the reasonable expectations of data subjects to be taken into account when determining whether a further purpose is compatible according to Art. 6(4). It also appears in Data Protection Impact Assessments (Art. 35 GDPR), where controllers, where appropriate, shall seek the views of data subjects or their representatives (Art. 35(9) GDPR).
Several articles in the GDPR provide further detail on the principle of transparency. They include the following:
- Articles 12 through 14 describe in detail the information that controllers must provide up-front to data subjects.
- Art. 15 describes the information that needs to be provided on request by data subjects, including full access to their data.
- Art. 34 describes how data subjects must be informed of a personal data breach, where the breach is likely to result in a high risk to their rights and freedoms.
- Art. 38(4) designates the Data Protection Officer at the controller as contact point for data subjects.
- Art. 12 and 19 describe the information that controllers must provide to data subjects who exercise one of their rights (in particular, the response to a request under Art. 12(3) and (4), and notification of any rectification, erasure or restriction under Art. 19).
- Art. 30 (records of processing activities) and Art. 35 (Data Protection Impact Assessment) describe the information that needs to be provided to supervisory authorities. (Records are made available on request, Art. 30(4); a DPIA is only required if the processing is likely to result in a high risk.)
- Art. 58(1) specifies how controllers must be transparent towards supervisory authorities by providing any information the authority requires (point a), submitting to data protection audits (point b), and granting access to their premises (point f).
- Art. 33 describes breach notifications towards supervisory authorities.
Considering the importance of transparency in the GDPR, the Article 29 Working Party adopted an authoritative interpretation of the related obligations in its Guidelines on Transparency under Regulation 2016/679 (WP260 rev.01), which the European Data Protection Board has since endorsed (footnote 6). These are recommended for further reading.
1 The term legal basis is used extensively in the GDPR and is recommended here as the preferential term. Alternatively, the GDPR also contains the term legal ground. In the literature, the term lawful basis is also used.
2 EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, Version 1.0, Adopted on 4 May 2020, https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-052020-consent-under-regulation-2016679_en (last visited 22/05/2020).
3 Article 29 Data Protection Working Party, 844/14/EN, WP217, Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC, Adopted on 9 April 2014, https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp217_en.pdf (last visited 22/05/2020).
5 A prime example of a possible loss of investment is a collection of personal photos.
6 Article 29 Data Protection Working Party, Guidelines on Transparency under Regulation 2016/679 (WP260 rev.01), endorsed by the EDPB, https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=622227 (last visited 22/05/2020).