The General Data Protection Regulation (GDPR) is a milestone in the development of data protection law whose relevance can hardly be overestimated. The GDPR implements various changes as compared to the current legal situation. German and other companies should prepare for these changes, which will apply from 25 May 2018.
1. Principles for Processing Personal Data
Art. 5 GDPR sets out the following principles for processing personal data:
- lawful and fair data processing
- transparent data processing
- data processing for specified, explicit and legitimate purposes
- data minimisation
- accuracy of the personal data
- storage limitation
- integrity and confidentiality of data processing
These principles were largely already in place under the regulation’s predecessor, Art. 6 of the Data Protection Directive (DPD), and have been relevant for interpreting the German Federal Data Protection Act (BDSG) even though they were not directly implemented in the wording of the BDSG. Art. 5(2) GDPR adds that the controller is responsible for, and must be able to demonstrate, compliance with these principles (accountability). The principles of Art. 5 GDPR become relevant in particular when interpreting the justifications for processing personal data contained in the GDPR and other statutes. They also limit and define the member states’ competence to complement the GDPR with domestic legal instruments under the various opening clauses of the GDPR.
Companies should treat these principles as general guidelines for organising their data protection set-up; there is no need to implement them directly or to base any particular assessment on them alone. The assessment of a particular processing operation should rather be carried out by applying the statutory justifications, e.g. those in Art. 6 GDPR.
Both the DPD and the GDPR prohibit the processing of personal data unless a specific justification applies (see Recital 40 GDPR). Art. 6(1) GDPR contains a number of justifications for processing personal data, Art. 9(2) GDPR for processing special categories of personal data (not covered by this article) and Chapter IX for processing personal data in special processing situations.
Under Art. 6(1)(a) GDPR, the data subject’s consent is a valid justification for processing personal data, as it already is under Art. 7(a) DPD and Section 4(1) BDSG. Detailed requirements for the declaration of consent follow from Art. 7 GDPR and Recitals 32, 42 and 43 GDPR. In addition, there are more specific requirements for obtaining consent from children in the context of information society services (Art. 8 GDPR).
Under the GDPR, as under the current legal framework, consent must be freely given, based on an informed decision of the data subject and expressed in an unambiguous manner (see Art. 4(11) and Recital 32 GDPR). Unlike the current rule in Section 4a(1) Sentence 3 BDSG, the GDPR does not generally require consent to be given in writing. Rather, written, oral, electronic and other forms of declaring consent are treated equally (see Recital 32 GDPR). Implied consent will therefore also be legally valid where the data subject expresses it by a clear affirmative action. Silence, inactivity or, in an online context, pre-ticked boxes are not an active expression of consent under Recital 32 GDPR and hence do not constitute a valid declaration of consent.
Under Art. 7(1) GDPR, the data controller bears the burden of proof that the requirements of a valid consent are met. From a controller’s perspective, it is therefore prudent to collect declarations of consent in written or electronic form and to retain them at least for the duration of the processing. Art. 7(3) GDPR expressly states that a data subject may withdraw consent at any time with effect for the future; withdrawal does not affect the lawfulness of processing carried out before it, and withdrawing consent must be as easy as giving it. This is in line with the current understanding of Section 4a(1) BDSG. Accordingly, a controller must design any consent-based processing in a manner that allows individual withdrawals of consent to be implemented, so that the processing of that data subject’s data can be stopped once consent is withdrawn.
Under Art. 8(1) GDPR, children may themselves give valid consent in the context of information society services from the age of 16. Where a child is under 16, the processing is lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility. Member states may provide by law for a lower age, but not below 13. According to Art. 4 No. 25 GDPR, which refers to Directive (EU) 2015/1535 on procedures for the provision of information in the field of technical regulations and of rules on information society services, an information society service is any service normally provided for remuneration, at a distance, by electronic means and at the individual request of the recipient, such as in-app purchases and other (mobile) value added services.
4. General Statutory Justifications
The GDPR contains general statutory justifications for processing personal data in Art. 6(1)(b)-(f) GDPR. Under these rules, personal data may be processed if the processing is necessary for one of the following purposes:
- performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract – Art. 6(1)(b) GDPR,
- compliance with a legal obligation – Art. 6(1)(c) GDPR,
- protecting the vital interests of the data subject or of another natural person – Art. 6(1)(d) GDPR,
- performance of a task carried out in the public interest or in the exercise of official authority vested in the controller – Art. 6(1)(e) GDPR,
- legitimate interests pursued by the controller or by a third party – Art. 6(1)(f) GDPR.
These statutory justifications are largely similar to their predecessors in Art. 7(b)-(f) DPD and Section 28 BDSG. For affected companies, the justifications to process personal data for the performance of contractual obligations and to pursue legitimate interests, currently covered by Section 28(1) No. 1 BDSG and Section 28(1) No. 2 BDSG respectively, are of particular relevance. Similar justifications will also be in place under the GDPR.
In order to justify data processing for the performance of a contract under Art. 6(1)(b) GDPR, the controller must check and ensure that the processing is in fact necessary for the performance of that contract. The extent of permitted processing is therefore in the first place defined by the scope of the contractual obligations as agreed between the parties; processing that is merely useful to the controller but not necessary for the contract cannot rely on this justification.
Processing personal data under the legitimate interest justification of Art. 6(1)(f) GDPR requires a legitimate interest of the controller or a third party that is not overridden by the opposing interests of the data subject, i.e. a balancing of interests test. When carrying out this balancing, the controller must in particular consider the data subject’s fundamental rights and freedoms. Art. 6(1)(f) GDPR now explicitly states that, where the data subject is a child, the child’s specific interests and rights must be given particular weight.
In order to assess the scope of justified processing under the legitimate interest justification of Art. 6(1)(f) GDPR, it appears prudent to apply the principles developed under the predecessor rule of Section 28(1) No. 2 BDSG mutatis mutandis. In addition, Recital 47 GDPR provides further guidance: a relevant and appropriate relationship between the controller and the data subject and the data subject’s reasonable expectations at the time and in the context of the collection become relevant when establishing a legitimate interest. Where such a relationship exists, e.g. where the data subject is a customer of the controller, common processing operations will be rather easy to justify. Recital 47 GDPR also mentions that processing for direct marketing purposes may be regarded as carried out for a legitimate interest. However, as today under the BDSG, justifying processing under legitimate interests under the GDPR will always depend on an assessment of the circumstances of the individual case.
5. Special Processing Situations
Chapter IX GDPR contains statutory justifications and opening clauses allowing the member states to enact their own justifications for special processing situations. Under Art. 85 GDPR, member states shall in particular “reconcile the right to the protection of personal data pursuant to this Regulation with the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic or literary expression.” In other words, member states may implement justifications for data processing for such purposes.
Principles and rules governing freedom of expression, press publications and academic research in place at member state level will therefore continue to provide data protection justifications in certain cases. Art. 86 GDPR contains a similar rule on public access to official documents, which may in particular become relevant for the German Federal Freedom of Information Act (IFG) and the Freedom of Information Acts of the German states. These laws will continue to provide for data protection justifications in particular cases.
Art. 88 GDPR addresses employment data protection at the EU level by authorising the member states to adopt more specific rules, by law or by collective agreements, for processing employees’ personal data in the employment context. Art. 88 GDPR may trigger a new discussion about implementing employment data protection rules in Germany. So far, there have been a number of draft laws and legislative initiatives, the only result being the minimalistic and “temporary” provision in Section 32 BDSG.
Processing personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes remains in principle subject to the GDPR and must, under Art. 89(1) GDPR, be accompanied by appropriate safeguards such as pseudonymisation. Under Art. 89(2) and (3) GDPR, Union or member state law may, however, provide for derogations from certain data subject rights for these purposes. As is currently the case, the German Federal Archive Act (Bundesarchivgesetz) and the Archive Acts of the German states may therefore also under the GDPR restrict data protection rights and provide for data protection justifications.
The church data protection acts, namely the Church Act on Data Protection of the Protestant Church and the Regulation on Church Data Protection of the Catholic Church, remain applicable under Art. 91 GDPR. Currently, this arrangement rests on the churches’ right of self-determination under Art. 140 of the German Constitution (Grundgesetz) in conjunction with Art. 137 of the Weimar Constitution of 1919 (Weimarer Reichsverfassung). However, under Art. 91(1) GDPR, the church data protection acts may continue to apply only if they are brought into line with the GDPR, and under Art. 91(2) GDPR the churches are subject to supervision by an independent supervisory authority, which may be a church-specific one.
The GDPR develops German and European data protection law further, in particular on the basis of the DPD. This also holds true for the principles for processing personal data and the data protection justifications that are the subject of this article. Companies do not have to completely change their data processing procedures under the GDPR. Where processing complies with the current requirements, the requirements under the GDPR are for the most part likely to be met as well. In any case, it is advisable to carefully assess the legal requirements that differ and to implement respective measures in preparation for the GDPR.
Other parts of this series:
Part 1: EU Data Protection Regulation – New Series
Part 2: Fines, Penalties and Damages for Data Protection Infringements