GDPR and Cross-Border Discovery
What does the General Data Protection Regulation (GDPR) govern?
Regulation (EU) 2016/6791, the European Union’s (‘EU’) new General Data Protection Regulation (‘GDPR’), regulates the processing by an individual, a company or an organisation of personal data relating to individuals in the EU. (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).)
What personal data is considered sensitive?
The following personal data is considered ‘sensitive’ and is subject to specific processing conditions:
- personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs;
- trade-union membership;
- genetic data, biometric data processed solely to identify a human being;
- health-related data;
- data concerning a person’s sex life or sexual orientation. (Article 4(13), (14) and (15) and Article 9 and Recitals (51) to (56) of the GDPR)
When can personal data be processed?
Your company/organisation can only process personal data in the following circumstances:
- with the consent of the individuals concerned;
- where there is a contractual obligation (a contract between your company/organisation and a client);
- to meet a legal obligation under EU or national legislation;
- where processing is necessary for the performance of a task carried out in the public interest under EU or national legislation;
- to protect the vital interests of an individual;
- for your organisation’s legitimate interests, but only after having checked that the fundamental rights and freedoms of the person whose data you’re processing aren’t seriously impacted. If the person’s rights override your interests, then processing cannot be carried out based on legitimate interest. The assessment as to whether your company/organisation has a legitimate interest for processing override those of the persons concerned depends on the individual circumstances of the case. (Article 6 and Recitals (40) to (49) of the GDPR / Article 29 Working Party Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC)
How much data can be collected?
Personal data should only be processed where it isn’t reasonably feasible to carry out the processing in another manner. Where possible, it is preferable to use anonymous data. Where personal data is needed, it should be adequate, relevant, and limited to what is necessary for the purpose (‘data minimisation’). It’s your company/organisation’s responsibility as controller to assess how much data is needed and ensure that irrelevant data isn’t collected. (Article 5(1)(c) and Recital (39) of the GDPR)
Can data be processed for any purpose?
No. The purpose for processing of personal data must be known and the individuals whose data you’re processing must be informed. It is not possible to simply indicate that personal data will be collected and processed. This is known as the ‘purpose limitation’ principle. (Article 29 Working Party Opinion 03/2013 on purpose limitation (WP 203))
What information must be given to individuals whose data is collected?
At the time of collecting their data, people must be informed clearly with this information.
The information may be provided in writing, orally at the request of the individual when identity of that person is proven by other means, or by electronic means where appropriate. Your company/organisation must do that in a concise, transparent, intelligible and easily accessible way, in clear and plain language and free of charge.
When data is obtained from another company/organisation, your company/organisation should provide the information listed above to the person concerned at the latest within 1 month after your company obtained the personal data; or, in case your company/organisation communicates with the individual, when the data is used to communicate with them; or, if a disclosure to another company is envisaged, when the personal data was first disclosed. (Article 12(1), (5) and (7), Articles 13 and 14 and Recitals (58) to (62) of the GDPR / Article 29 Working Party guidelines on transparency)
What data can we process and under which conditions?
The type and amount of personal data you may process depends on the reason you’re processing it (legal reason used) and what you want to do with it. You must respect several key rules, including
- personal data must be processed in a lawful and transparent manner, ensuring fairness towards the individuals whose personal data you’re processing (‘lawfulness, fairness and transparency’).
- you must have specific purposes for processing the data and you must indicate those purposes to individuals when collecting their personal data. You can’t simply collect personal data for undefined purposes (‘purpose limitation’).
- you must collect and process only the personal data that is necessary to fulfil that purpose (‘data minimisation’).
- you must ensure the personal data is accurate and up-to-date, having regard to the purposes for which it’s processed, and correct it if not (‘accuracy’).
- you can’t further use the personal data for other purposes that aren’t compatible with the original purpose of collection.
- you must ensure that personal data is stored for no longer than necessary for the purposes for which it was collected (‘storage limitation’).
- you must install appropriate technical and organisational safeguards that ensure the security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technology (‘integrity and confidentiality’). (Article 5(1); Recital 39 / Article 29 Working Party Opinion 03/2013 on purpose limitation (WP 203))
For how long can data be kept and is it necessary to update it?
You must store data for the shortest time possible. That period should take into account the reasons why your company/organisation needs to process the data, as well as any legal obligations to keep the data for a fixed period of time (for example national labour, tax or anti-fraud laws requiring you to keep personal data about your employees for a defined period, product warranty duration, etc.).
Your company/organisation should establish time limits to erase or review the data stored.
By way of an exception, personal data may be kept for a longer period for archiving purposes in the public interest or for reasons of scientific or historical research, provided that appropriate technical and organisational measures are put in place (such as anonymisation, encryption, etc.).
Your company/organisation must also ensure that the data held is accurate and kept up-to-date. (Article 5(1)(e) and Recital (39) of the GDPR)
Under what conditions can my company/organisation process sensitive data?
Your company/organisation can only process sensitive data if one of the following conditions is met:
- the explicit consent of the individual was obtained (a law may rule out this option in certain cases);
- an EU or national law or a collective agreement, requires your company/organisation to process the data to comply with its obligations and rights, and those of the individuals, in the fields of employment, social security and social protection law;
- the vital interests of the person, or of a person physically or legally incapable of giving consent, are at stake;
- you are a foundation, association or other not-for-profit body with a political, philosophical, religious or trade union aim, processing data about its members or about people in regular contact with the organisation;
- the personal data was manifestly made public by the individual;
- the data is required for the establishment, exercise or defence of legal claims;
- the data is processed for reasons of substantial public interest on the basis of EU or national law;
- the data is processed for the purposes of preventive or occupational medicine, assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services on the basis of EU or national law, or on the basis of a contract as a health professional;
- the data is processed for reasons of public interest in the field of public health on the basis of EU or national law;
- the data is processed for archiving, scientific or historical research purposes or statistical purposes on the basis of EU or national law.
Further conditions may be imposed by national law on the processing of genetic data, biometric data or data concerning health. Check with your National Data Protection Authority.