Lawfulness of processing
Consent → the main legal basis for the processing of personal data pursuant to Article 6(1)(a): the users agree to the processing
→ consent is needed for personalized advertising, as shown by the Italian DPA vs TikTok case
- defined within Article 4(11) of the GDPR
- freely given, specific and informed, unambiguous, revocable, provable
- What if consent is not possible?
- Article 6(1)(b)-(f): contractual necessity, legal obligation, legitimate interest (the data is needed and the processing does not harm the users), vital interest of the data subject
Legitimate Interest → a company can process data if: it has a real reason (security, fraud prevention), the processing is necessary for its business, and it doesn’t harm users’ rights. Can be used in cases of: fraud prevention, direct marketing, processing of traffic data, transmission of personal data internally
→ with a huge amount of data there may be a lack of control over the processing, so relying on legitimate interest in that case is not safe
- the interest pursued by the controller or the third party must be legitimate
- examples of legitimate interests of the controller and/or of the third party:
- carry out scientific research
- facilitate public access to certain information
- develop new systems and functionalities for users of a service
- improve a product or a service (e.g. a chatbot)
- develop an AI system to detect fraudulent content or behaviour
- the processing must fulfil the condition of necessity
- necessary for the purposes of the legitimate interests pursued by the controller or by a third party
- the necessity test also involves consideration of the fundamental rights to privacy and protection of personal data, as well as the requirements stemming from the data protection principles
- such as the data minimization principle
- the interests or fundamental freedoms and rights of the concerned data subjects are not overridden by the legitimate interests of the controller or of a third party
- the controller must balance its legitimate interests against the data subject’s interests, rights and freedoms; the outcome depends in principle on the specific circumstances of the particular case:
- data subjects’ interests, fundamental rights and freedoms
- impact of the processing on data subjects
- the reasonable expectations of the data subject
→ when assessing whether a given processing of personal data may be based on Article 6(1)(f) GDPR, controllers should check whether these three cumulative conditions (legitimate interest, necessity, balancing) are met
Obligations and Duties
The data controller and data processor’s perspectives

→ the data controller bears the primary responsibility for ensuring that processing activities are compliant with EU data protection law
→ the data processor is appointed by the controller by means of a binding written agreement that requires the processor to ensure the security of the data
→ in assessing the appropriate level of security, account shall be taken in particular of the risks presented by the processing, in particular from accidental or unlawful destruction, loss, alteration or unauthorised disclosure (a data breach) of personal data transmitted, stored or otherwise processed
The Risk Based Approach in the GDPR
- the GDPR encourages controllers to engage in risk analysis and to adopt measures that respond to the identified risk
- controllers are required to account for risk in complying with many provisions of the GDPR
- Controllers that engage in low-risk processing activities, or that adequately address risk, may avoid specific requirements
- The GDPR also requires the supervisory authorities to consider the risk level of the activity when deciding whether to impose fines for a violation
ARTICLE 34 → Data breach communication to the data subjects
ARTICLE 35 → Data Protection Impact Assessment (DPIA)
Duties and Obligations
- A personal data breach is an incident that involves the unauthorised or accidental access to, disclosure, alteration, or destruction of personal data
- Personal data breaches can occur due to various factors, including cybersecurity incidents, human error, or malicious actions