GDPR (part 3 van 5): 'Principles for processing and Consent
In the second part of this series we discussed the Do's, Don'ts and alternatives that are relevant for working responsibly with personal data. The main message was that simple routines could contribute to this end and the use of programs with which the university did not formalize a data processing agreement is regarded as unlawful under the GDPR as of the 25th of May. This section will deal with two important and frequently discussed aspects of the GDPR, namely: 'Principles for processing and Consent'.
Use of personal data
The use of personal data depends on the basis for which they were requested and/or intended to use. The principle for processing personal data is therefore closely linked to the core purpose of the process. It is important that the processing does not deviate from the initial core goal (also not at a later stage). The GDPR describes six principles and processing must be based on one of them. If an activity is already based on one of the six principles, the obligation to also comply with the conditions of the other accounting policies is no longer required.
Important for researchers: in order to determine which research projects pose risks in their storage and processing of personal data, all researchers will soon receive an online Qualtrics survey. On the basis of the survey and on the initiative of researchers themselves, further steps can be taken to remove these risks.
The principles will be briefly discussed below:
Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
The processing of personal data for the performance of a contract is a basis on which an activity can be based. A good example is an agreement in the form of an employment contract. In order to be able to pay wages, employers need the bank account numbers of their employees. This makes it lawful for the employers to use the bank account numbers in order to pay the salaries of their employees. The same applies to, for example, online purchases, where you as a consumer enter into an agreement with a seller for the purchase of a product. In addition to bank account numbers, the seller also needs the address details of the consumer in order to be able to send the product. The scope of this principle is therefore very broad. The processing of personal data of students falls under this principle. University and students have an education agreement, under which students state their personal details in order to prove for example that they are eligible for a study program, reside in the Netherlands or abroad and to have the tuition fees debited by the university.
Processing is necessary for compliance with a legal obligation to which the controller is subject
This principle is largely self-evident. An example of such a legal obligation is to offer an extra-curricular program to exceptional students in addition to the regular study programs of the university (Honours College). In order to be able to comply with this legal obligation, it is necessary for the university to make a selection of the eligible students and to approach them on the basis of their study results. This gives the university the right to process this data in order to fulfil this legal obligation. Another legal obligation for the university is the storage of obtained study results and diplomas for a certain period after graduation or deregistration. The processing of personal data necessary for the fulfilment of such obligations can therefore be considered as lawful.
Processing is necessary in order to protect the vital interest of the data subject or of another natural person
This principle mainly relates to medical personal data of natural persons. Patients' medical records can therefore be processed and shared between doctors on this principle, because it protects the vital interests of the concerned individuals. The interpretation of this basis is, however, much more complicated than the other principles, because it often involves special personal data. Always contact the Center for Digital Scholarship for advice on your research project if you process special personal data.
Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
This principle applies to organisations that perform a public task for the public interest or public authority. This principle only applies to tasks that are legally defined. Organisations that are the most relevant for this principle are, for example, the police and municipalities. However, public interest can also be interpreted more broadly. For example, the Dutch Data Protection Authority indicates that research into development aid can also serve the general interest and therefore also be based on this principle.
Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party
The legitimate interest is the trade-off between the relevant and appropriate relationships between the organisation and the data subjects whose personal data are being processed. An example of a legitimate interest is the processing of personal data for direct marketing purposes by the organisation. The conditions for this principle are: the organisation has a legitimate interest, the processing is necessary to realize this interest and the organisation has weighed the interests of the organisation and those involved. Organisations that are established under public law are exempted in the GDPR to be able to rely on this principle. The tasks of public organisations are laid down by law. This exception therefore also applies to Leiden University because the university has a legal basis in the General Administrative Law Act of the Netherlands (Awb art. 1: 1) as a public-law organisation.
In the case of tasks that are not defined by law, the university can rely on this principle. Retaining alumni relations, for example, is a legitimate interest of the university to use personal data from its alumni to maintain the relationships.
The data subject has given consent to the processing of his or her personal data for one or more specific purposes
Below, the last condition, namely consent, will be discussed in more detail.
If the above principles cannot be applied to the lawfulness of the processing, explicit permission must be requested from the data subject for the use of his or her personal data. It is a common phenomenon that when registering an account or a simple request the person concerned is sometimes forced to passively agree with providing consent for the use of his personal data by the organisation for marketing purposes and to receive advertising/newsletters. This will be prohibited under the GDPR. The person concerned must give active permission (i.e. not pre-ticked boxes) that has been written in an explicit and unambiguous form. For what (the purpose) and how long (storage period) the personal data will be used should also be indicated.
In addition to explicitly requesting consent, this must also be retained and be able to be demonstrated on request. It will therefore be mandatory to archive the consent given in order to be able to demonstrate a legitimate use of personal data when asked about it.
A final relevant aspect in relation to the principles and obtaining consent is the storage period of personal data. When requesting consent, it must be indicated for how long the data will be stored and for which stated purposes it will be used for. After the expiration date of this period, these personal data must also be actually destroyed. In case of an interim change in the purposes or extensions of the storage periods, the processor must always request permission from the data subjects again.
By dealing with the foundations and obtaining permission for the processing of personal data, the most relevant aspects of the AVG were discussed. Next week these aspects will be summarized and the finishing touches to our preparations will be discussed.