If we now focus on individual datasets rather than databases, sui generis database rights no longer apply, since the scenario is entirely different: we are now talking about selling or buying the data as such. As previously stated, this is only lawful if the data are not personal data at all. Researchers who intend to sell the data they have gathered should therefore anonymize the datasets before selling them (see the “Identification, pseudonymization and anonymization” subsection in the “Concepts” Section of the General Part of these Guidelines), because anonymous data do not fall under the GDPR (as described in the previous section).
If anonymization is not possible, the question that remains is whether access to personal data may be granted to a third party for commercial purposes, or whether a researcher may gain access to such a database by paying a fee, whether via a licence to use the data or by sharing the entire database. This issue requires careful consideration of at least the following factors:
- Selling or buying access to personal data is ‘processing’ within the meaning of Art. 4(2) GDPR, whose definition expressly includes ‘disclosure by transmission, dissemination or otherwise making available’. As with every other type of processing, the GDPR requirements must be observed;
- The most common legal bases for processing for a purpose other than that for which the personal data were initially collected are the data subject’s consent or a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Art. 23(1);
- If neither of these applies, the controller must, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data were initially collected, carry out the compatibility test of Art. 6(4) [1], as elaborated by the Article 29 Working Party [2]. That test takes into account, inter alia, the following criteria (Art. 6(4)):
- Any link between the purposes for which the personal data have been collected and the purposes of the intended further processing (this is called the ‘link factor’)
- The context in which the data have been collected, in particular regarding the relationship between data subjects and the controller (the ‘context factor’)
- The nature of the personal data, in particular whether special categories of personal data are processed, for instance biometric data (the ‘data factor’)
- The possible consequences of the intended further processing for data subjects (the ‘consequence factor’), meaning the likelihood and severity of negative consequences that could arise for the data subject through the further processing
- The existence of appropriate safeguards, which may include encryption or pseudonymization (the ‘safeguard factor’), meaning how the data could be secured
All these factors must be weighed to evaluate whether the purpose of the new processing is compatible with the purpose for which the data were initially gathered. The closer the link between the initial purpose and the further processing purpose, and the lower the possible negative consequences, the higher the chance that the transmission of the database is lawful. However, many of the factors above can readily be used to argue against the lawfulness of an unconsented disclosure of a database, as explained in the following:
- If the disclosure is unrelated to the original project (e.g., your research project is finished and only afterwards do you decide to monetize the data), the link factor is absent and weighs against compatibility.
- The context factor may be interpreted as indicating that the more foreseeable (in other words, obvious) the further processing purpose is from the data subjects’ perspective, the more likely it is to be found compatible with the original purpose and thus lawful under Art. 6. If the data subjects have not been informed that the data are to be disclosed to a third party, and have not consented to this, the context factor clearly weighs against the lawfulness of the processing.
- The data factor can be interpreted as indicating that the more sensitive the data, the less likely it is that the further processing (here, selling) will be found compatible with the original purpose. In other words, if the dataset contains special categories of personal data, such as biometric data or data concerning the sexual orientation of the data subject, access may be provided to third parties only if one of the legal grounds in Art. 9 GDPR applies. Art. 9 prohibits the processing of these ‘special categories’ unless specific circumstances are met, such as the data subject’s explicit consent to the processing (Art. 9(2)(a)).
- The consequence factor requires that the potential impact of the sale of the dataset on data subjects be considered in determining whether the sale is compatible with the initial purposes for which the data were processed. Companies usually buy data to enlarge their customer bases and will consequently try to contact data subjects for their own commercial needs. Such interference with the data subjects’ right to privacy is likely to be considered a significant ‘impact’, which speaks against the lawfulness of the disclosure of a database.
- The safeguard factor calls for different considerations. In general, the higher the risks for the data subjects, the stronger the safeguards need to be: the data should be encrypted in transit and at rest, access-controlled, and pseudonymized as far as possible. Note, however, that pseudonymized data are still personal data (Recital 26), so pseudonymization lowers the risk but neither takes the dataset outside the GDPR nor replaces a legal basis for the transfer.
Therefore, before providing access to personal data, the best option is to obtain the data subjects’ consent or to make sure that a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Art. 23 applies. In the absence of either, the lawfulness of the processing would be very hard to justify.
It also means that the parties involved must raise the relevant questions, both internally and between themselves, in order to carry out the compatibility test: for what purpose were the data collected, what were the data subjects told, which categories of data are involved, and what will the recipient do with them. Additionally, the transfer should be supported by a contract between the parties to ensure that each party’s legal obligations are met.
Some examples of the compatibility test [3]
Further processing is possible:
A bank has a contract with a client to provide the client with a bank account and a personal loan. At the end of the first year the bank uses the client’s personal data to check whether they are eligible for a better type of loan and a savings scheme. It informs the client. The bank can process the data of the client again, as the new purposes are compatible with the initial purposes.
Further processing is not possible:
The same bank wants to share the client’s data with insurance firms, based on the same contract for a bank account and personal loan. That processing is not permitted without the explicit consent of the client, as the purpose is not compatible with the original purpose for which the data were processed.
[1] See Art. 6(4) GDPR.
[2] Article 29 Working Party, Opinion 03/2013 on purpose limitation, adopted on 2 April 2013 (WP 203). Available at: https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2013/wp203_en.pdf (accessed 27 May 2020).
[3] Source: https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/principles-gdpr/purpose-data-processing/can-we-use-data-another-purpose_en (accessed 27 May 2020).