This article is for businesses that serve customers in the European Union. It explains why you should not always ask the customer for consent to process their personal data.
GDPR and some grounds for mistakes
From 25 May 2018 the European Union applies updated rules on the processing of personal data, laid down in the General Data Protection Regulation (GDPR).
The regulation applies to everyone established in the EU who processes personal data, and also to anyone outside the EU who offers goods or services to, or monitors the behaviour of, people in the EU (Article 3).
Administrative fines of up to EUR 20,000,000 or 4% of total worldwide annual turnover, whichever is higher, are provided for the most serious violations (Article 83.5). Hence the amount of talk about GDPR. Most “advisors” offer an ostensibly universal tip: “Always get the user’s consent to process their personal data.”
However, is it always necessary to get the data subject’s consent to the processing of personal data? No. At least, not always.
We are used to treating the user’s consent as the only possible basis for data processing. That is not so: consent is a separate legal basis, one ground among several.
Grounds for working with personal data
Processing of personal data is lawful only if it complies with the principles of Article 5 and rests on one of the six legal bases listed in Article 6.1 GDPR.
Even though the word “consent” is found 72 times throughout the GDPR text, it is just one of the grounds (bases) for processing personal data, and no more than that.
It is important to determine the legal basis correctly.
Article 6.1 (GDPR) states that processing shall be lawful only if and to the extent that at least one of the following applies:
- The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- Processing is necessary for compliance with a legal obligation to which the controller is subject;
- Processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.
Consent is needed only when no other basis fits; it is not something to collect everywhere and always. Moreover, under Article 7.3 GDPR withdrawing consent must be as easy as giving it: if the user ticked a box, unticking it must work just as well, and processing based on that consent must then stop.
Therefore, before you start creating check-boxes, work out what data you collect and why, and determine the applicable legal basis. Stay away from collecting information “just in case.” It may turn out that you do not need consent at all.
Personal data and contracts: process and do not ask
Under Article 6.1(b), if the processing is necessary for the performance of a contract, you may do it freely and, most importantly, without the user’s consent. You may even do it before the contract is concluded, provided the steps were requested by the data subject, for example by sending in an application form.
Note that data may be processed only to the extent necessary for performing the contract. Information collected merely to fill in CRM fields falls outside this basis.
A simple example: a company sells products online. When making a purchase, customers provide personal data, and the store processes it to perform the contract. If the information collected is not excessive and will not be used in any other way, no consent is needed here.
It is only necessary to inform the customer that the data is being processed: the purposes and legal basis, the recipients, the retention period, the data subject’s rights and the other items listed in Articles 13 and 14 GDPR, in line with the transparency principle of Article 5.
The order form of an online store needs only a notice pointing customers to the data processing policy. It is not necessary to demand that they tick the notorious consent check-box, and there is no need to build technical means of proving that consent was obtained (Recital 42), because no consent is being relied on. Pedantic business owners may add a check-box by which customers confirm that they have read the data processing policy; that is an acknowledgement, not consent.
However, if the company wants to use the personal data for something else, for example targeted e-mail advertising, that purpose no longer falls under the contractual basis. The processing then has two purposes, and the second must rest on its own basis: consent or Legitimate Interest.
Legitimate Interest or basis without consent
The second most flexible basis is Legitimate Interest.
Legitimate Interest is not new in the field of data protection, but there are some differences in details.
Recital 47 of the GDPR explains the meaning of this basis, and it is worth quoting in full. In the text below, “legitimate interest” means the basis itself:
(47) The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. At any rate, the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. The interests and fundamental rights of the data subject could, in particular, override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing. Given that it is for the legislator to provide by law for the legal basis for public authorities to process personal data, that legal basis should not apply to the processing by public authorities in the performance of their tasks. The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.
Let us draw the main criteria for applying this basis:
- Your goal is legitimate.
- Processing is necessary, that is, the purpose cannot reasonably be achieved in a less intrusive way.
- Processing is balanced, and potential harm is insignificant.
- Processing is obvious to and understood by the data subject.
This legal basis is multifaceted and complex. Possible applications include fraud prevention, legal claims and direct marketing. For direct marketing, also refer to Article 21 GDPR (the right to object, which for direct marketing is unconditional) and to the rules on electronic communications, for example Directive 2002/58/EC (ePrivacy).
Using the basis of Legitimate Interest in practice
Suppose a software development company provides access to a web service under a licence. Personal data is used to conclude the contract and to collect usage statistics (not depersonalised). There are two purposes of processing here: performing the contract, and improving the product and solving technical problems.
The first goal relates to a contractual basis Article 6.1(b) and does not require obtaining user consent.
The second goal can be implemented based on:
- Consent – Article 6.1(a)
- Legitimate Interest – Article 6.1(f)
If the company decides to rely on consent, it will have to add an unticked check-box to the order form. How many users are going to agree to provide data for the purpose of collecting statistics? Not many.
If the company decides to rely on Legitimate Interest, it needs only to inform the data subject of the processing and of the right to object, without requiring any action from him – Article 21.4 GDPR.
Will the company be able to use the Legitimate Interest basis? Let’s check:
| Criterion | Assessment |
|---|---|
| Purpose of use | Improving the stability of the product in the interests of the licensee. |
| Necessity | There is no other way to obtain statistics that include all necessary parameters. |
| Balance of interests | Processing is balanced, and potential harm is not significant. |
| Openness | Data processing is open and obvious to the data subject. |
As the table shows, the company has grounds to proceed without consent. Note that the table is the company’s legitimate interests assessment, and the controller must be able to demonstrate it (accountability, Article 5.2), so write it down before processing starts, including the reasoning behind the “necessity” row. The limitations also remain:
- Before the data is collected, the data subject must be informed of the purposes and of the legitimate interest pursued: Article 13.1(d), Article 14.2(b) GDPR.
- The data subject must be given the right to object to the processing (Article 21), as well as the rights to erasure (Article 17) and to restriction of processing (Article 18).
On the other hand, when collecting statistics it is simpler to stay within the law another way: anonymise the data. Truly anonymous data, from which nobody can identify the person any longer, is outside the GDPR (Recital 26). Do not confuse this with pseudonymisation (Article 4.5): replacing an e-mail address with a hashed or salted token is still personal data, because whoever holds the key or the customer list can rebuild the link.
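The difference between the two approaches, as an added example that is not part of the original article: the event records, the salt and the suppression threshold are constructed for illustration. The first function shows that a hashed customer identifier can be linked back to the customer by anyone holding the salt and the customer list, so the statistics are still personal data; the second produces per-feature counts with no identifier at all and suppresses buckets small enough to single out one customer.

```python
"""Added example: pseudonymised statistics versus aggregated statistics.

All input data below is constructed for illustration.
"""
import hashlib
from collections import Counter

# Constructed sample of usage events a licensed web service might log.
# Each row: (customer e-mail, feature used, whether an error occurred)
EVENTS = [
    ("alice@example.com", "export", False),
    ("alice@example.com", "export", True),
    ("bob@example.com", "export", False),
    ("carol@example.com", "import", True),
    ("dave@example.com", "export", False),
    ("erin@example.com", "import", False),
    ("frank@example.com", "billing", True),
]

# Hypothetical static salt held by the company alongside the statistics.
SALT = "static-salt"


def pseudonymise(email: str, salt: str = SALT) -> str:
    """Replace the e-mail address with a salted SHA-256 digest.

    This is pseudonymisation in the sense of Article 4.5: the customer is
    no longer named, but the link can be rebuilt by anyone with the salt.
    """
    return hashlib.sha256((salt + email).encode()).hexdigest()


def reidentify(digest: str, candidates, salt: str = SALT):
    """Recover the customer behind a digest by trying every known e-mail.

    Whoever holds the salt and a customer list (for example a CRM export)
    can do this, which is why the hashed records remain personal data.
    Returns the matching e-mail, or None if no candidate matches.
    """
    for email in candidates:
        if pseudonymise(email, salt) == digest:
            return email
    return None


def aggregate(events, min_group: int = 3):
    """Build per-feature usage and error counts with no identifier at all.

    Buckets with fewer than `min_group` uses are suppressed (reported as
    None) so that a single customer cannot be singled out from a tiny
    group; the threshold is a constructed value, not a legal requirement.
    """
    uses = Counter(feature for _, feature, _ in events)
    errors = Counter(feature for _, feature, err in events if err)
    report = {}
    for feature, n in uses.items():
        if n < min_group:
            report[feature] = None  # suppressed: too few customers
        else:
            report[feature] = {"uses": n, "errors": errors[feature]}
    return report


if __name__ == "__main__":
    pseudo = [(pseudonymise(e), f, err) for e, f, err in EVENTS]
    print("pseudonymised first row:", pseudo[0])
    known_customers = [e for e, _, _ in EVENTS]
    print("re-identified:", reidentify(pseudo[0][0], known_customers))
    print("aggregate report:", aggregate(EVENTS))
```

The aggregate report contains only feature names and counts, so nothing in it refers to a person; whether a given statistic really is anonymous still depends on what other data the company keeps, which is why the suppression threshold is there.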
- There is no need to rush to obtain customers’ consent to process their personal data. First answer some questions: whose data and what data do you collect, for what purpose, what protection measures do you apply, to whom do you disclose it, and which legal basis fits best.
- If you find that you are collecting redundant or excessive data, stop collecting it. For the rest, the legal basis for collection, the protection measures and any sharing should be set out in the personal data processing policy. Processing, transfers and sharing must also be documented internally (records of processing activities, Article 30); the Information Commissioner’s Office explains how to do this.
- If you collect data only to provide the service or sell the goods, you do not need consent, but you still need to inform the customer about the personal data processing policy.
- If you collect data for analytics, fraud protection or other statistical needs, determine whether this falls under Legitimate Interest; if so, say so in the personal data processing policy. Alternatively, anonymise the data or, if that is easier for you, obtain consent.
- If you rely on consent, design for its withdrawal: it must be as easy to withdraw as to give (Article 7.3), and processing based on it must stop once it is withdrawn.
- Each decision must be based on the specifics of your business and the data collected, and be documented in detail.
The GDPR is an extremely extensive topic, and all its details cannot be covered in one article.
We have not touched on the special categories of data, all the specifics of applying the bases illustrated here, the rights and obligations of the parties involved in processing, cross-border data transfers, and many other GDPR issues.
The GDPR emphasises that personal data belongs not to you but to the data subject, who must have control over it: from obtaining information about it and correcting it, to restricting its processing or having it erased.