Complying with GDPR: Processing Data and Providing Information
The Resolution recently adopted by the European Parliament shines a light on where some companies are falling short of their GDPR obligations.
The European Parliament has recently adopted a resolution (Resolution) on the evaluation report produced by the European Commission, which reviews the implementation of the General Data Protection Regulation (GDPR) more than two years after it came into force. The Resolution concludes that, overall, the GDPR has been a success, but it does raise some criticisms, particularly in relation to Articles 6 and 12.
Although the UK is no longer a member of the EU, the Data Protection Act 2018 incorporated the GDPR requirements into UK law. This has since been amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (the DPPEC Regulations) to form a new UK-specific data protection regime, known as the UK GDPR. The UK GDPR retains the Article 6 and Article 12 requirements of the EU GDPR, so UK companies should be mindful of the Resolution, as the UK government and the Information Commissioner’s Office are likely to take similar views.
In addition, UK organisations offering goods or services to, or monitoring the behaviour of, EU residents must comply with the EU GDPR.
The Resolution also suggests that the “legitimate interest” basis, under Article 6(1)(f), is not being applied appropriately. Controllers must demonstrate how they have balanced their own legitimate interests against the fundamental rights and freedoms of the data subject. Only where those rights and freedoms do not override the Controller’s legitimate interests, taking into account the data subject’s reasonable expectations in light of their relationship with the Controller, can the Controller rely on legitimate interest as its lawful basis for processing.
The Resolution also highlights that many Controllers are not complying with their obligations under Article 12(1) GDPR, which requires them to provide information about data processing in a concise, transparent, intelligible and easily accessible form, using clear and plain language. This requirement is particularly important in the context of children accessing online platforms.
What are the key takeaways from the Resolution?
- You should also ensure that, if you rely on legitimate interest as a basis for processing, you do so correctly and that your interests in processing personal data are not overridden by the data subject’s rights and freedoms.
- Finally, you must ensure that you provide information about your data processing activities in a clear and easily accessible manner, particularly where you are likely to be processing the data of children given the nature of your business or website traffic.