
Why it is not always necessary to obtain consent for the processing of personal data under the GDPR

An article for those who have customers in the European Union. I work as a lawyer at ISPsystem and have spent a couple of months untangling the intricacies of the GDPR. In this article I will share my thoughts on it and explain why you should not ask the client for permission to process personal data for any and every reason.



A life hack for 152-FZ


For a start, a small but important digression.
Recently an acquaintance from a trading company asked me to look over their contract with a web studio, which was going to rework the store's website. First of all I opened the technical specification and saw that the guys were planning to register the site owner with Roskomnadzor as a personal data operator. I thought: "Are they serious?" And I answered myself: "Unfortunately, yes."

The same advice appears in seven out of ten how-to articles on compliance with the law "On Personal Data" (152-FZ). Advisors say: "First of all, submit an application for inclusion in the register of personal data operators." And many follow this recommendation.

And now, attention! Article 22 of the same law establishes that if data processing is necessary for the performance of a contract, Roskomnadzor does not need to be notified.

Do you sell products or services via the Internet? Fine! If you do not use the data for anything else, no notification needs to be submitted to Roskomnadzor. That is the whole simple recipe.

Well, now to the topic.

About the GDPR and the ground for error


On May 25 the European analogue of our 152-FZ, the GDPR (General Data Protection Regulation), comes into force. The document concerns everyone who sells goods and services in the territory of the European Union. At ISPsystem we make software for hosting and data centers, which customers buy all over the world, including in the European Union. So for us the topic is very relevant.

The GDPR is difficult to understand, and violations are threatened with fines of up to 20,000,000 euros or 4% of annual global revenue. Therefore it is talked about a lot, and, as in the story with 152-FZ, supposedly universal advice is given: "obtain consent to the processing of personal data".

The European Internet is full of such statements (taken out of context):
"You should always get It's not a legal requirement."
If you translate it completely at will, it turns out: "you should always get consent."

After such articles one wants to put up 100,500 "consent checkboxes". But is consent to the processing of personal data really necessary? No, it is not! At least, not always.

"Try to realize the truth. There is no spoon." (© the film "The Matrix")

We are accustomed to perceiving the user's consent as the only possible basis for data processing. But this is not true. It must be taken as a separate legal basis, one of several grounds. Consent is like brilliant green antiseptic: it helps, but not against everything.

Grounds for working with personal data


The processing of personal data is lawful only if it is carried out in accordance with the principles of Art. 5 and on one of the six legal bases of Art. 6 GDPR.

Although the word "consent" occurs in the text of the GDPR 72 times, it is just one of the bases for processing, no more.

According to paragraph 7 of Art. 14 of our 152-FZ, the operator (in GDPR terminology the "controller", the person who determines the purposes and means of processing) must also determine the legal basis and purposes of the processing of personal data. But for this you need to study many regulations and refer to specific provisions of the law. The GDPR is simpler: the regulation only requires a legal basis.

From the standpoint of Art. 6(1) GDPR such bases include:


The consent of the data subject is needed only when no other basis fits. It is not necessary to obtain it everywhere and always. Moreover, under the GDPR the data subject must be able to change his decision easily: as easily as he ticked the box, he must be able to untick it.

Therefore, before starting to lay out a form with checkboxes, determine what data you collect and why, and establish the applicable basis. Refuse to collect information that you gather just in case. It may well turn out that after this you will not need to obtain consent for processing at all. I will tell you more about this below.

Personal data and the contract: we process and do not ask


In its content this basis is similar to Russian law (recall the story from the introduction).

According to sub. (b) of Art. 6(1) GDPR, if data processing is necessary for the performance of a contract, you can freely, and most importantly without consent, perform it. Even before the conclusion of the contract, provided that the steps were requested by the data subject himself (for example, he sent a request).

One caveat is worth making here: the data should be processed only to the extent necessary for the performance of the contract. If information is needed only to fill in CRM fields, it falls outside this basis.

A simple example. A company sells goods via the Internet. When making a purchase the client provides personal data, and the store processes it in connection with the performance of the contract. Is consent needed? No, provided the data is not excessive and will not be used for anything else.

It is only necessary to inform the user that the data is nevertheless being processed, and also to describe the processing methods and protection measures and to provide the other information required by the GDPR (Art. 5, Art. 13, 14).

In the order form the store need only add a notice that the user has read the policy. It is not necessary to require the notorious consent tick, nor to create technical conditions for confirming receipt of consent (recital 42 of the preamble). I would note that a tick confirming acquaintance with the policy would be nice to have.

However, if the company wants to use personal data, for example, for targeted advertising mailings, this does not fall under the contractual basis. In this case the processing has two purposes, the second of which must rest on consent or on legitimate interest (more on that below).

Legitimate interest, or a basis without consent


The second most flexible basis is "legitimate interest".
Legitimate interest is not new to data protection; the differences are in the details.
Recital 47 of the GDPR preamble reveals the meaning of this basis. I think it is useful to quote it in full. In the text, the term "legitimate interest" is understood as the basis itself.
"(47) The legitimate interests of the controller <...> or third parties may create legal grounds for processing, provided that they do not prevail over the interests or fundamental rights and freedoms of the data subject, taking into account the reasonable expectations of the data subjects based on their relationship with the controller. Such a legitimate interest may exist, for example, where there is a relevant relationship between the data subject and the controller, in situations where the data subject is a client or an employee. In any case, the existence of a legitimate interest needs careful assessment, including whether the data subject, at the time of collection of the personal data, can reasonably expect that processing will be carried out for the stated purpose <...> The processing of personal data necessary to prevent fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as processing for a legitimate interest."

The main criteria for applying this basis:

  1. You are pursuing a legitimate purpose.
  2. Processing is necessary, that is, the purpose cannot be achieved otherwise.
  3. Processing is balanced, and the potential harm is not significant.
  4. Processing is obvious to the data subject.

The basis is multifaceted and difficult. Possible situations for its application: fraud prevention, legal protection, direct marketing. In the case of direct marketing one should also refer to Art. 21 GDPR and the acts regulating e-commerce, for example European Directive 2002/58/EC.

To illustrate the basis of legitimate interest, I will recount an absurd case from Russian judicial practice. In brief: a housing and communal services company transferred data on non-payers to a law firm so that it would prepare a statement of claim for the court. In turn, one of the debtors secured the company being held administratively liable under Art. 13.11 of the Administrative Code of the Russian Federation, because he had not given consent to the transfer of his data. Absurd! In effect, 152-FZ infringed the rights of participants in civil transactions and opened the way to abuse by the debtor. This would not have happened if the law had provided for legitimate interest as a basis. In the GDPR it creates a lawful basis for such a data transfer.

The legitimate interest basis in practice


Suppose a development company grants access to a web service under a license. Personal data is used to conclude a contract and to collect statistics (not anonymized). There are two purposes of data processing: performance of the contract, and improvement of the product and resolution of technical problems.

The first purpose falls under the contractual basis (sub. (b) of Art. 6(1)) and does not require consent.

The second purpose can be pursued on the basis of:

a) consent (sub. (a) of Art. 6(1)),
b) legitimate interest (sub. (f) of Art. 6(1)).

If the company decides to apply the consent basis, it will have to add an unchecked checkbox to the order form. Will many users agree to provide data for collecting statistics? Hardly.

When applying the legitimate interest basis, the company only informs the user about his rights without requiring any active action (Art. 21(4) GDPR). Moreover, if the interest prevailing over the rights of the data subject is justified, the company has the right to process the data even despite an objection.

Will the company be able to answer the questions needed to apply the legitimate interest basis? Check:

Purpose of use: improving the stability of the product in the interests of the licensee.
Necessity: there is no other way to obtain statistics covering the required set of parameters.
Balance of interests: processing is balanced, and the potential harm is not significant.
Openness: data processing is open and obvious to the data subject.

As you can see, the company has every reason not to obtain consent. But keep in mind the limitations:

On the other hand, when collecting statistics you can simply comply with the law in another way: anonymize the data. The processing of anonymized data is not regulated by the GDPR.

Conclusions


  1. Do not rush to obtain consent to the processing of personal data. First answer the questions: whose data and which data you collect, for what purpose, what protection measures you apply, to whom you disclose this data, and which of the bases is most applicable.
  2. If you realize that you are collecting excess data, stop collecting it. The grounds for collecting the rest, the measures for its protection and the potential transfer channels should be recorded in the personal data processing policy. Moreover, the processing and transfers must be documented. The Information Commissioner's Office explains how to do this and recommends a form for the record.
  3. If you collect data only to provide services and sell goods, you do not need to obtain consent (but you still need to draw up the policy and complete the other formalities).
  4. If you also collect data for analysis or for protection against fraud and illegal activity, determine whether this collection falls under the legitimate interest basis; if so, write about it in the policy. Or anonymize the data, or, if it is easier for you, obtain consent for processing.
  5. When accepting consent for processing, provide for the withdrawal of that consent.
  6. Each of your decisions must be justified by the specifics of your activity and the data collected, and documented in detail.

The GDPR is an extremely broad topic, the details of which cannot be covered in one article.
Here I have not touched on the processing of special categories of data, the subtleties and features of applying the bases illustrated, the rights and obligations of the parties involved in processing, the issues of cross-border transfer, and many other GDPR-related matters.

The GDPR emphasizes that personal data does not belong to you but to the data subject. He must have full control over it: from receiving information and editing it to the right to restrict processing or to have it deleted.

Source: https://habr.com/ru/post/353724/
