Complying with GDPR: Processing Data and Providing Information

The Resolution recently adopted by the European Parliament shines a light on where some companies are falling short of their GDPR obligations.

The European Parliament has recently adopted a resolution (Resolution) on the evaluation report produced by the European Commission, which reviews the implementation of the General Data Protection Regulation (GDPR) more than two years after it came into force. The Resolution concludes that, overall, the GDPR has been a success, but it does raise some criticisms, particularly in relation to Articles 6 and 12.

Although the UK is no longer a member of the EU, the Data Protection Act 2018 incorporated GDPR requirements into UK law. This has now been amended by the DPPEC (Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit)) Regulations 2019 to form a new UK-specific data protection regime, known as the UK GDPR. The UK GDPR still maintains the Article 6 and Article 12 requirements of the EU GDPR, so UK companies should be mindful of the Resolution, as the UK government and the Information Commissioner’s Office are likely to take similar views.

In addition, UK organisations offering goods or services to, or monitoring the behaviour of, EU residents must comply with the EU GDPR.

Under Article 6 of the GDPR, the processing of data is lawful only if at least one of the bases listed in Article 6(1) applies. While the same processing activity may fall under multiple bases, the Resolution urges data supervisory authorities to ensure that data controllers (Controllers) rely on only one legal ground for each purpose of their processing activities, and that they specify how each legal ground is relied upon for their processing. The Resolution is critical of the scattergun approach of some Controllers, who mention all of the legal grounds in their privacy policy without any further explanation. The concern is that Controllers taking this approach hinder the ability of the supervisory authorities to assess whether these legal grounds are in fact appropriate for the processing activities in question.

The Resolution also suggests that the “legitimate interest” basis, under Article 6(1)(f), is not being applied appropriately. Controllers must demonstrate how they have balanced their own legitimate interests against the fundamental rights and freedoms of the data subject. Only where those rights and freedoms do not override the Controller’s legitimate interests, taking into account the data subject’s reasonable expectations in light of their relationship with the Controller, can the Controller rely on legitimate interest as its lawful basis for processing.

The Resolution also highlights that many Controllers are not complying with their obligations under Article 12(1) GDPR, which requires them to provide information about data processing in a concise, transparent, intelligible and easily accessible form, using clear and plain language. This requirement is particularly important in the context of children accessing online platforms.

What are the key takeaways from the Resolution?

  1. The Resolution underlines the importance of ensuring your privacy policy accurately details the precise legal basis upon which each of your data processing activities is lawful.
  2. You should also ensure that, if you rely on legitimate interest as a basis for processing, you do so correctly and that your interests in processing personal data are not overridden by the data subject’s rights and freedoms.
  3. Finally, you must ensure that you provide information about your data processing activities in a clear and easily accessible manner, particularly where you are likely to be processing the data of children by nature of your business or website traffic.

If you have any questions about the issues raised in this article, or would like assistance with checking that your privacy policy and privacy notices are up to date and appropriate for your business, please contact Cathrine Ripley or one of the other members of our Commercial & Technology Team.