Recital - 44.
Performance of a Contract
Executive Summary
Processing of personal data is a necessary part of contract law and of the process by which parties agree to a contract.
Quick Wins
Add a catch-all clause to contracts stipulating that data collection and processing may occur as part of fulfilling the contract, and that derogation from that data processing at some future time will invalidate the contract, with the data subject incurring the penalties associated with early termination.
Recital Text
Processing should be lawful where it is necessary in the context of a contract or the intention to enter into a contract.
Recital - 45.
Fulfilment of Legal Obligations
Executive Summary
Recital 45 is limited to processing carried out under a legal (jurisdictional) obligation and does not apply to private entities.
Recital Text
Where processing is carried out in accordance with a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, the processing should have a basis in Union or Member State law. This Regulation does not require a specific law for each individual processing. A law as a basis for several processing operations based on a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of an official authority may be sufficient. It should also be for Union or Member State law to determine the purpose of processing. Furthermore, that law could specify the general conditions of this Regulation governing the lawfulness of personal data processing, establish specifications for determining the controller, the type of personal data which are subject to the processing, the data subjects concerned, the entities to which the personal data may be disclosed, the purpose limitations, the storage period and other measures to ensure lawful and fair processing. It should also be for Union or Member State law to determine whether the controller performing a task carried out in the public interest or in the exercise of official authority should be a public authority or another natural or legal person governed by public law, or, where it is in the public interest to do so, including for health purposes such as public health and social protection and the management of health care services, by private law, such as a professional association.
Recital - 46.
Vital Interests of the Data Subject
Executive Summary
Special categories of data relate to health, genetic makeup, mental condition and other data which, if disclosed, would cause embarrassment or loss to the data subject. This type of data must be protected with the strongest data protection tools your organization uses.
Recital Text
The processing of personal data should also be regarded to be lawful where it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person. Processing of personal data based on the vital interest of another natural person should in principle take place only where the processing cannot be manifestly based on another legal basis. Some types of processing may serve both important grounds of public interest and the vital interests of the data subject as for instance when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread or in situations of humanitarian emergencies, in particular in situations of natural and man-made disasters.
Recital - 47.
Overriding Legitimate Interest
Executive Summary
Where it is in the legitimate interest of the controller, or of a third party, additional processing may be allowed in very limited circumstances, provided the data subject's interests and rights do not override it.
Recital Text
The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing. Given that it is for the legislator to provide by law for the legal basis for public authorities to process personal data, that legal basis should not apply to the processing by public authorities in the performance of their tasks. The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.
Recital - 48.
Overriding Legitimate Interest within Group of Undertakings
Executive Summary
Controllers may transfer data within their institutions or corporate entities.
Recital Text
Controllers that are part of a group of undertakings or institutions affiliated to a central body may have a legitimate interest in transmitting personal data within the group of undertakings for internal administrative purposes, including the processing of clients’ or employees’ personal data. The general principles for the transfer of personal data, within a group of undertakings, to an undertaking located in a third country remain unaffected.
Recital - 49.
Network and Information Security as Overriding Legitimate Interest
Executive Summary
Personal data can be collected and processed by a controller for the purposes of researching and securing its networks and information systems.
Recital Text
The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams (CERTs), computer security incident response teams (CSIRTs), by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.
Recital - 50.
Further Processing of Personal Data
Executive Summary
Controllers and processors are not permitted to use data in a way that the data subject has not agreed to in advance.
Quick Wins
Add an addendum to agreements that permits 'normal business relationships', including customer service, sales and product-management follow-up conversations. Also include notifications and alerts related to the data collection process.
Recital Text
The processing of personal data for purposes other than those for which the personal data were initially collected should be allowed only where the processing is compatible with the purposes for which the personal data were initially collected. In such a case, no legal basis separate from that which allowed the collection of the personal data is required. If the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, Union or Member State law may determine and specify the tasks and purposes for which the further processing should be regarded as compatible and lawful. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes should be considered to be compatible lawful processing operations. The legal basis provided by Union or Member State law for the processing of personal data may also provide a legal basis for further processing. In order to ascertain whether a purpose of further processing is compatible with the purpose for which the personal data are initially collected, the controller, after having met all the requirements for the lawfulness of the original processing, should take into account, inter alia: any link between those purposes and the purposes of the intended further processing; the context in which the personal data have been collected, in particular the reasonable expectations of data subjects based on their relationship with the controller as to their further use; the nature of the personal data; the consequences of the intended further processing for data subjects; and the existence of appropriate safeguards in both the original and intended further processing operations.
Executive Summary
Add phrases to contracts stating that data collection and processing may occur as part of fulfilling the contract (such as for customer service), as well as for legitimate interests such as legal obligations to authorities, humanitarian purposes, network and information security, or transfer within the controller's corporate group.
Article ID: 286
Created: September 27, 2022
Last Updated: September 27, 2022
Author: Matthew Burdick
Online URL: http://www.compliancewiki.org/article/gdpr-lawfulness-of-processing-contractual-agreements-286.html