Public Interests<\/strong> \u2014 the collection and use of the data is in the public interest. This can be used to justify the archiving of data for scientific or historical research, or the generation of statistics.<\/li>\n<\/ol>\nconsent<\/h2>\n
This is the most clear-cut and strongest legal ground to gather and use personal data under.<\/p>\n
The regulation states that for consent to be valid it must be ‘freely given<\/strong>, specific<\/strong>, informed<\/strong> and unambiguous<\/strong> either by a statement or by a clear affirmative action’<\/em>.<\/p>\nThat means:<\/p>\n
\n- Data subjects<\/em> can’t be railroaded into giving consent, it has to be an actual choice.<\/li>\n
- Silence, pre-ticked boxes, or inactivity do not indicate consent \u2014 the old chestnuts like ‘by using this site you agree …’<\/em> do not count as valid consent under the GDPR.<\/li>\n
- Data subjects<\/em> have to be able to withdraw their consent at a later time. Data controllers<\/em> also have to explicitly inform data subjects<\/em> that they have the right to withdraw their consent, and, provide a clear and simple mechanism for doing so.<\/li>\n
- Consent can’t be inferred, the data subject<\/em> has to pro-actively do something to consent, e.g. verbally state their agreement or click a clearly labeled button\/checkbox.<\/li>\n
- Requests for consent have to be clearly labeled and separated out, you can’t just mush them into the middle of the small print.<\/li>\n<\/ul>\n
Children get extra protections under GDPR:<\/p>\n
\n- Parental consent is needed before digital services (like social networks) can process a child’s personal data<\/em>, and reasonable efforts<\/em> have to be made to verify that consent.<\/li>\n
- Outside of digital services data controllers<\/em> have to assess whether or not a child has the competency<\/em> to understand and consent on their own behalf.<\/li>\n
- Privacy notices<\/em> that children are expected to consent to have to be written in language that children can reasonably be expected to understand.<\/li>\n<\/ul>\n
Note that the GDPR defines as child as anyone under 16<\/strong>, but does allow individual countries to re-define that ages down to a lower-limit of 13.<\/p>\nIndividual Rights<\/h2>\n
The GPDR grants data subjects<\/em> the following rights when it comes to their personal data<\/strong>:<\/p>\n\n- Information<\/strong> \u2014 people have a right to be informed<\/strong> about how their personal data<\/em> will be processed. The mechanism here is the privacy notice<\/em> that data controllers<\/em> must publish.<\/li>\n
- Access<\/strong> \u2014 people the right to see all personal data a data controller<\/em> has stored on them.<\/li>\n
- Rectification<\/strong> \u2014 people have the right to correct any mistakes in the personal data<\/strong> a data controller<\/em> has stored on them. The data processor<\/em> has to fix erroneous data ‘without undue delay<\/em>’, and definitely within one month, and they have to make sure the correction is propagated to any third-party data processors<\/em> they share data with.<\/li>\n
- Erasure<\/strong> \u2014 citizens have a right to request their personal data<\/strong> be deleted by a data controller<\/em>, but it’s not an absolute right, there are caveats.<\/li>\n
- Objection<\/strong> \u2014 data subjects<\/em> have a right to object to certain uses of their personal data<\/em>, and when that happens, the data controller<\/em> has to stop processing the data unless there is a compelling reason not to. Data subjects<\/em> can object to their data being used for direct marketing<\/strong> or research.<\/li>\n
- Restrict Processing<\/strong> \u2014 when there are disputes, a data subject<\/em> can demand the processing of their personal data<\/em> be restricted until the dispute is resolved. E.g. the data subject<\/em> and data controller<\/em> disagree about whether or not a piece of data is accurate, or the data subject<\/em> challenges the legal grounds<\/em> for the processing.<\/li>\n
- Data Portability<\/strong> \u2014 when technically feasible, data subjects<\/em> have a right to request their personal data<\/em> be copied or moved to another data controller<\/em>, including to a competitor. The idea is that people shouldn’t be needlessly locked in to suppliers.<\/li>\n<\/ol>\n
When these rights are violated, data subjects<\/em> have standing to sue data controllers<\/em> for compensation.<\/p>\nPrivacy Notices<\/h2>\n
The primary function of a privacy notice<\/em> is to let citizens know what<\/strong> personal data is being collected, why<\/strong> it’s being collected, and how it’s going to be used<\/strong>. A big part of how it’s going to be used is who<\/strong> it will be shared with.<\/p>\nPrivacy notices don’t just have to be easy to find<\/strong>, they actually have to be highlighted for attention<\/strong>.<\/p>\nPrivacy notices also have to be clear and easy to understand \u2014 no obfuscations, and no hiding important stuff deep in the small print! A privacy notice<\/em> that’s not clear would be considered a violation of the right to be informed<\/strong>.<\/p>\nYou’d imagine it would go without saying, but privacy notices have to be available free of charge<\/strong>. You can’t charge citizens for a privacy notice.<\/p>\nA privacy notice<\/em> should be:<\/p>\n\n- Concise<\/strong> \u2014 it should contain all the information it needs to, but no more. Overloading citizens with so much superfluous information that they can’t find the important stuff is not OK!<\/li>\n
- Transparent and Intelligible<\/strong> \u2014 it should be written in clear, plain language. No using legalese to try confuse citizens!<\/li>\n
- Supplied in Context<\/strong> the privacy notice should be available when consent is given and\/or the personal data<\/em> is collected, or, if the data is acquired indirectly, the data subject<\/em> needs to be provided with the privacy notice within a reasonable time<\/strong>.<\/li>\n<\/ul>\n
Privacy notices must contain: <\/p>\n
\n- Contact details for the data controller’s<\/em> DPO.<\/li>\n
- The legal grounds<\/em> for the data collection (from the list above).<\/li>\n
- A list of the data processors<\/em> that will process the personal data<\/em>.<\/li>\n
- A retention policy for the personal data<\/em> (how long will it be kept).<\/li>\n
- An explanation of a person’s rights regarding the processing of their personal data<\/em> including their right to withdraw consent, to object to certain kinds of data processing, and to complain to the relevant supervisory authority<\/em>.<\/li>\n<\/ul>\n
The notification of a person’s rights has to be clearly separated out from the rest of the notice so it’s easy to find. <\/p>\n
The notification also has to include the right to have their personal data moved or copied to another organisation, even when the other organisation is a competitor. That’s not an absolute right though, it has to be technically feasible.<\/p>\n
SARs (Subject Access Requests)<\/h2>\n
Since citizens have a right to access<\/strong>, data controllers<\/em> have to provide a mechanism for data subjects<\/em> to submit so-called Subject Access Requests<\/em>, or SARs. In general there shouldn’t be a a fee for submitting a SAR, but there are exceptions. If the data is returned electronically, it has to be in a commonly used format.<\/p>\nWhen a data controller<\/em> receives a SAR it has to be passed to their DPO promptly, and they are then responsible for processing it.<\/p>\nGenerally speaking, SARs need to be processed within a month.<\/p>\n
Data Processing Objections<\/h2>\n\n- Data subjects<\/em> have a right of objection<\/strong>. What that means is that they can object to some uses of their personal data<\/em>, and data controllers<\/em> should stop processing the data unless there’s a compelling reason not to. Data subjects<\/em> can object to their personal data<\/em> being used for:<\/li>\n
- Direct Marketing<\/strong> \u2014 this is the most clear-cut type of objection. If a person objects to being direct marketed at, there are no grounds to refuse to stop.<\/li>\n
- Research & Statistics Generation<\/strong> \u2014 this is much less clear-cut, the public interest could out-weigh the individual’s rights, or, the individual might not have grounds on which to object, depending on the circumstances.<\/li>\n
- Processing on the grounds of legitimate Interests, public interest, or the exercise of official authority<\/strong> \u2014 if the legal grounds<\/em> for processing are the data controller’s legitimate interests<\/em>, or, the public interest<\/em>, then data subjects<\/em> have a right to raise an objection, and then a judgement will need to be made on whether or not the processing is legal under the GDPR.<\/li>\n<\/ul>\n
If a data controller<\/em> decides to reject an objection they have to inform the data subject<\/em> that they have rejected their objection, and, that they have the right to complain to the relevant supervising authority<\/em>.<\/p>\nProfiling & Automated Decision Making<\/h3>\n
Data subjects<\/em> can also object to the outcomes of any kind of