GDPR: When Is Personal Data Processing Necessary?

by John DiGiacomo

Last week I wrote about the EU’s new General Data Protection Regulation (GDPR) consumer-friendly approach to personal data collection and storage.

This regulation, which went into effect earlier this year, requires that companies only collect, store, or process personal data when there is consent or when it is necessary. Companies are often surprised at the broad definition of “necessary” under the regulation. Often, they do not need an individual’s consent to collect, store or process their personal data.

The GDPR provides five lawful bases outlining when it is “necessary” to process someone’s data. If your use falls into one of these five categories, then you do not have to worry about obtaining, or losing, consent.

Article 6(1)(b): Contracts

If the processing is “necessary for the performance of a contract” to which the individual is a party, or if the individual requested the company to do something prior to entering into a contract, the processing is necessary and therefore lawful under GDPR.

Here are some transactions that would fall under this category:

  • Paul purchases a t-shirt from an online store, which creates a contract between Paul and the store. The store needs to collect data from Paul, including his shipping address and payment information, in order to complete the contract and hold up its end of the deal.
  • Karen is having brochures printed for her office, and contacts a printing company for a quote. The printing company needs to collect Karen’s email address to send her the official quote. If Karen decides to work with the printing company, the company will need additional information in order to complete the transaction.

Contractual obligation will cover many transactions. However, an important part of the GDPR is that the data is collected for a specific and limited purpose, and that collection is limited to what is necessary for the original purpose. If you want to continue to use the customer’s information for marketing purposes after the transaction has completed, you may need to find a different lawful basis.

Article 6(1)(c): Legal Obligation

If a legal obligation requires you to process an individual’s information, you must do so.

Examples of legal obligation include:

  • A court order requiring a business to turn over information on an individual
  • A financial institution reporting suspicious account activity that could indicate money laundering, as required under relevant criminal statutes
  • Businesses collecting and reporting required information about their employees to relevant government agencies

As these examples demonstrate, a company’s legal obligations to collect, distribute, or otherwise process personal data are typically spelled out in statutes, regulations, or court orders.

Article 6(1)(d): Vital Interests

The GDPR requires disclosure of personal data in situations when it is necessary to save someone’s life. This typically refers to sharing medical records between doctors, hospitals, and emergency rooms. Sharing information about the patient is permitted, and it is also permitted to share information about a parent in order to save a child’s life.

Rule 46 of the GDPR also considers “protecting an interest which is essential” to the life of individuals to fall under this category, such as if processing data is necessary for emergencies, like fighting disease outbreaks, recovering from natural or man-made disasters, or other humanitarian emergencies.

However, it is also clear from the rules that if another lawful basis is available, someone controlling personal data should operate under that basis. Operating under a vital interest basis should be used only as a last resort.

Article 6(1)(e): Public Task

You are allowed to process data if doing so is “necessary for the performance of a task carried out in the public interest or in the exercise of official authority.”

If you work for a government agency, it is often necessary to process personal data. For example, immigration officials working at airports must process data of people at border crossings. This differs from the “legal obligation” basis, in that the data processing activity does not need to be specifically listed in a statute or regulation. However, there must be a clear source of law you can point to when processing data under the public task basis.

Additionally, organizations that are not government agencies but serve a public function may also operate under the public task legal basis. If a private company is charged with parking meter enforcement by a city, then that company may collect data on illegally parked vehicles. If a private company has been hired by a city to test water after a potential contamination, it is permitted to act under the public task legal basis.

Article 6(1)(f): Legitimate Interests

The GDPR also allows a company to process personal data when it is in the company’s legitimate interests to do so, as long as that interest is not outweighed by the interests or fundamental rights of the individual whose data is being processed.

This is the broadest of the categories with the most room for interpretation. Although this basis may seem flexible, it is not meant to be a free-for-all. As a company, you should ask:

  • Are you pursuing a legitimate interest?
  • Is the data processing necessary for this purpose?
  • Do the individual’s interests override the legitimate interest?

Legitimate interests include using employee and client data for marketing, IT security, or fraud prevention. For example, a credit card company might monitor its customers’ data to prevent identity theft. An email server may analyze incoming mail to weed out spam or potential viruses. Direct marketing can also fall within the realm of “legitimate interests,” meaning that sending mail or emails to former and current customers can be lawful.

Even though it might be easy to say that every data processing activity falls under the “legitimate interest” lawful basis, your company should not rely on this category as a catch-all. Instead, carefully review your data processing activities to ensure you are operating under the lawful basis that best matches what you actually do with the data.

This article does not contain legal advice, and is for informational purposes only. Our internet privacy attorneys have significant experience helping our clients stay compliant with data privacy and protection laws. If you have questions regarding compliance with GDPR, contact Revision Legal’s attorneys with the contact form on this page, or call us at 855-473-8474.