One of the foundations of the GDPR is Article 5’s principle that a data controller may only process personal data “lawfully, fairly and in a transparent manner in relation to the data subject ('lawfulness, fairness and transparency').” This obligation has become a hallmark of data protection for European citizens. This installment of The eData Guide to the GDPR will unpack all three of these data processing requirements and discuss the GDPR’s definition of “processing.”
Article 4 defines processing as
“Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”
“Processing” under the GDPR includes almost any action a business would take with someone’s personal data during the normal course of business: monitoring employees (including CCTV use or email monitoring), recording employee clock-in times, shredding documents that contain personal data, sending promotional emails, administering employee payroll, collecting customer information for billing purposes, etc. The breadth of the definition of “processing” makes the requirement that it be done “lawfully, fairly and transparently” even more stringent. Any interaction with personal data must meet these requirements.
Under Article 6, there are only six scenarios in which data can be “lawfully” processed. A business that wants to process someone’s personal data should actively decide (before processing the data) which of these scenarios the processing falls under and explicitly document that scenario. If the processing does not meet one of the six scenarios, the business cannot lawfully process that data. The six scenarios under which it is lawful to process data are:
(1) The data subject has given consent to the processing of his or her personal data for a specific purpose
On its face, consent seems to be one of the simplest ways to lawfully process data. Article 4 severely restricts the ways in which a controller can gain the consent of a data subject. It states that the data subject’s consent must be a “freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” Recitals 32, 42, and 43 provide clarification on what “freely given, specific, informed and unambiguous” means:
The European Commission provides examples to illustrate when a data subject’s consent would meet these requirements:
An airline company’s privacy notice indicates that the personal data of customers will be processed for a competition that offers a free flight as a prize, using a tick box for customers to agree to participate in the competition. The commission states that customers who tick the box to agree to participate in the competition have clearly signaled their wish to have their personal data processed for the purpose of the competition. Here, there is consent to process data for the purpose of the competition (but that data could not be used for purposes other than the competition).
A company offers online movie services. When collecting the data needed for this contract, the company also asks for data related to the sexual orientation and the political beliefs of a person. The commission states that the consent in this case is not free consent, because the person may believe that their consent for the processing of this type of data is necessary for access to the movies they request (the commission calls this “tied consent”).
(2) The processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract
Processing is lawful where it is necessary in the context of a contract or the intention to enter into a contract. The European Commission provides an example to illustrate how personal data can be lawfully processed under this scenario:
A company that sells goods online can process data that is necessary to take steps at the request of the individual prior to entering into the contract and for the performance of the contract. In this situation then, the business can lawfully process the name, delivery address, and credit card number (if payment is by card).
(3) Processing is necessary for compliance with a legal obligation to which the controller is subject
Processing is lawful when it is carried out in accordance with a legal obligation to which the controller is subject. Recital 45 explains that this scenario does not require a specific law for each individual processing, and that one law may form the basis for several processing operations based on a legal obligation. The European Commission provides the following example to illustrate a correct use of a legal obligation to process personal data:
In order to obtain Social Security coverage, the law obliges a company to provide personal data (for example, the weekly income of employees) to the relevant authority. The company may lawfully collect and provide that specific data to the relevant authority to meet this legal obligation.
(4) Processing is necessary in order to protect the vital interests of the data subject or of another natural person
The processing of personal data is lawful where it is necessary to protect an interest that is essential for the life of the data subject or that of another natural person. The European Commission provides the following example to illustrate a correct use of the vital interest of a person for processing personal data:
A hospital is treating a patient after a serious road accident. The hospital doesn't need the patient’s consent to search for his ID to check whether that person exists in the hospital's database to find previous medical history or to contact his next of kin.
(5) Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
Processing of personal data is lawful when it is in the public interest or in the exercise of a controller’s official authority. The European Commission provides the following example to illustrate a correct use of a public interest processing of personal data:
A professional association such as a bar association or a chamber of medical professionals vested with an official authority to do so may lawfully process a member’s data in order to carry out disciplinary procedures against that person.
(6) Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party (except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject that require protection of personal data, in particular where the data subject is a child)
Processing is lawful when it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party. While this scenario seems straightforward on its face, it requires a more in-depth analysis because Article 6 explicitly includes an exception to the legitimate interest scenario: when the interests or fundamental rights and freedoms of the data subject override the legitimate interest of the processor, the processing is no longer considered lawful.
Recital 47, the European Commission, and opinions written by the precursor to the European Data Protection Board (the Article 29 Data Protection Working Party) explain that the “legitimate interest” analysis is a balancing test between the legitimate interest a business has in processing personal data versus the overriding interests and privacy rights of the data subject. In analyzing this, the business must consider whether a data subject could reasonably expect the extent and type of processing the business intends to conduct. The interests and fundamental rights of the data subject could override the legitimate interest of a business if a data subject would not reasonably expect further personal data processing.
The texts provide a variety of examples of lawful legitimate interests of a business, including the following:
However, these interests must always be analyzed against the interests and fundamental rights of the data subject. For example, a pizza parlor may have a legitimate interest in collecting the personal data of its customers (billing information, recent order history, etc.) to fill customer orders and for use in direct marketing. However, if the pizza parlor collects much more data than the customer would reasonably expect (for example, tracking a customer’s location and website history via a phone app and using predictive data analytics to predict times when a particular customer orders pizza in order to manipulate pricing, etc.), then the fundamental right to privacy of the customer begins to outweigh the legitimate interest of the business to collect this type of data and the processing would not be lawful under the “legitimate interest” scenario.
“Fairness” and “Transparency” are somewhat vague ideas that are tied together by Recital 39, which provides clear rules on how data processors can meet these two standards:
The United Kingdom’s Information Commissioner’s Office also provides a helpful discussion on the principles of fairness and transparency, explaining that the assessment of whether a business is processing data fairly and transparently depends, in part, on how that business obtains the data. If a data subject is “deceived or misled,” then the processing is unlikely to be fair and transparent. Conversely, the outcome of processing someone’s personal data may cause harm to the person while still being “fair” (the commissioner uses the example of personal data collected to impose a fine for breaking the speed limit: “Although the information may cause detriment to the individuals concerned, the proper collection and use of personal data for these purposes will not be unfair.”).
Almost any interaction a business has with someone’s personal data will be considered “processing” under the GDPR. Businesses must take the necessary steps to ensure that any processing is done “lawfully, fairly, and transparently” by considering the following before collecting or using personal data:
(1) Identify whether that processing can be done “lawfully” under one of the six scenarios provided in Article 6. If the processing falls under one of these scenarios, document the reason for processing and the lawful scenario that applies. If the processing cannot meet one of the six lawful scenarios, the business cannot process the data.
(2) Ensure that any data that can be lawfully processed is also processed “fairly” and “transparently.” This includes
If you have any questions or would like more information on the issues discussed in this installment of The eData Guide to GDPR, please contact any of the following Morgan Lewis lawyers:
Recitals 32 and 42
Recitals 32 and 42
Recital 42
Recitals 42 and 43
Recital 47
Recital 47
Recital 47
Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC