Editorial Director: Giusella Finocchiaro
Web Content Manager: Giulia Giapponesi

The privacy regulation (Regulation (EU) 2016/679) will shortly be directly applicable across Europe, which means that businesses, public administrations and private citizens will all be rushing to make sure they comply with the provisions of the new regulation. To make it easier to understand such a complex and highly structured text as the GDPR, we provide a set of simple factsheets here with a Q&A formula, which start from already well-known privacy concepts and give a brief guide to the new legislation.

What is meant by consent to the processing of personal data?

According to the new definition in the GDPR, consent of the data subject means “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her” (art. 4, par. 1, n. 11). Analysis of the definition shows that consent represents an indication of will, expressed in affirmative and unambiguous terms. Therefore, it can only be a statement or a positive action on the part of the data subject and not, conversely, merely passive conduct, such as hypothetical silent consent. Moreover, in the same way as the Italian privacy Code, the GDPR requires consent not only to be unambiguous but also: free (given in the absence of constraints); specific (one for each processing purpose) and informed (the data subject must receive an appropriate privacy notice on the processing of his/her personal data).

Who must ask for consent for the processing of personal data?

The data controller or, if specifically instructed, the data processor must have the consent of the data subject when they want to process his/her data. The GDPR places the actual burden of proof on the data controller. Art. 7, par. 1 specifies that the data controller shall be able to demonstrate that the data subject has consented to the processing of his/her personal data.

When is consent for personal data necessary?

Consent by the data subject is one of several alternative legal bases provided by the GDPR to legitimise the processing of personal data carried out by the controller. This means that consent must be obtained whenever none of the other legal bases listed in art. 6 of the GDPR can be used. These other bases are essentially “equivalent circumstances” to consent, in the presence of which personal data may be processed even without consent from the data subject.

What are the equivalent circumstances to consent by the data subject?

In addition to consent, art. 6 of the GDPR lists five further legal bases which mainly take up the alternatives already provided for by the Italian privacy Code. Processing will be lawful even in the absence of consent if: a) it is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract; b) it is necessary for compliance with a legal obligation to which the controller is subject; c) it is necessary in order to protect the vital interests of the data subject or of another natural person; d) it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; e) it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

In the last case, it will be the duty and responsibility of the controller to balance his/her legitimate interest with the rights of data subjects and justify that his/her interest overrides the interests of the various data subjects.

What might the legitimate interests of the controller be?

Recitals 47, 48 and 49 of the GDPR list examples of activities that might be considered the legitimate interests of a data controller and which override those of data subjects.

Among these are fraud prevention and direct marketing (which occurs when the controller uses the contact data the data subject has given him/her in the context of the sale of a product or a service without asking for the data subject’s consent, provided that the data subject, adequately informed, has not refused it). The processing of data for internal administrative purposes or in order to assure the security of networks and information may also be considered to be covered by legitimate interest.

Are there particular conditions for the processing of “sensitive” data (so called special categories of data)?

For the processing of special categories of data (sensitive data), the general rule is that of explicit consent (explicit consent is also applied when the data controller wants to adopt automatic decision-making processes, including profiling, which have legal consequences for data subjects).

In this case, too, the GDPR provides a series of “equivalent circumstances” which waive the need to collect consent (art. 9). Some of these are particularly innovative, among which are the cases where processing is necessary for: the purposes of complying with obligations of labour law, social security and social care; the purposes of preventive or occupational medicine; reasons of public interest in the field of public health; archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

What is new with regard to child’s consent?

The GDPR inserts an ad hoc provision for child’s consent, which however only refers to the offer of information society services.

Considering the wide variety of content and digital services to which children have access thanks to the use of the Internet, the GDPR wishes to strengthen the protection of children from the dangers of the Internet. Therefore, art. 8 specifies that consent given by a child for the processing of his/her personal data in the context of an information society service is only lawful when the child is at least 16 years old (Member States may provide by law for a lower age provided that it is not below 13 years).

Where the child is below the age of 16, processing will be lawful only if and to the extent that consent is given or authorised by the parents or holder of parental responsibility over the child.

What are the conditions for the collection of consent?

In light of the definition of consent (a free, specific, informed and unambiguous indication of will), the GDPR specifies the conditions controllers must fulfill in order to guarantee the collection of legitimate consent.

Consent can be given with a written or an oral statement.

When consent is given in writing, in the context of a declaration which also includes other matters, consent to data processing must be presented in a manner which is clearly distinguishable from the other matters.

The formulation of consent must be in an intelligible and easily accessible form, using clear and plain language.

Moreover, the data controller must take into consideration that consent given by the data subject can be withdrawn at any time as easily as it was given.

How to create a GDPR compliant consent form?

To briefly summarise: in order to create a GDPR compliant consent form:

1) this must be a clear and unambiguous act: it can be collected in writing including by electronic means, or with an oral statement;

1.1) this implies that consent is not constituted by: silence, inactivity or pre-ticked boxes.

1.2) on the contrary, consent can be obtained through: specific boxes to tick (not pre-ticked) when visiting an Internet website; choosing technical settings for information society services or another statement or conduct which clearly indicates the data subject’s acceptance of the proposed processing of his/her personal data.

2) it must be formulated in clear, plain and intelligible language;

3) there must be separate consents for each processing purpose (marketing and profiling are distinct purposes);

4) when a child is involved: the age of the child must be verified or parental consent must be asked for;

5) for special categories of personal data, consent must be explicit;

6) data controllers must take appropriate measures to demonstrate that the data subject has consented to processing of his/her personal data and also to inform the data subject of his/her right to withdraw his/her consent at any time and that it is as easy to withdraw as to give consent.
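As an added illustration (not part of the original factsheet), the checklist above can be turned into the rules a consent-management component enforces: a positive act only, one record per purpose, explicit consent for special categories, parental authorisation below the digital age of consent, one-step withdrawal, and an audit trail with which the controller can demonstrate consent. Purpose names, the notice version and the store itself are hypothetical.

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Optional

# Hypothetical purposes for this example; marketing and profiling are distinct purposes (item 3).
ORDINARY_PURPOSES = {"marketing", "profiling"}
SPECIAL_CATEGORY_PURPOSES = {"health_data"}  # special categories: explicit consent needed (item 5)
DIGITAL_AGE_OF_CONSENT = 16  # art. 8 default; Member States may lower it, but not below 13


@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str
    given_at: datetime
    notice_version: str        # which privacy notice the subject was shown (item 6: proof)
    method: str                # "checkbox", "oral", "settings" ... (item 1)
    explicit: bool
    withdrawn_at: Optional[datetime] = None


class ConsentStore:
    """Keeps one record per (subject, purpose) so the controller can demonstrate consent."""

    def __init__(self) -> None:
        self._records: list[ConsentRecord] = []

    def record_consent(self, subject_id: str, purpose: str, method: str,
                       notice_version: str, *, affirmative_action: bool,
                       explicit: bool = False, age: Optional[int] = None,
                       parental_authorisation: bool = False) -> ConsentRecord:
        # Item 1.1: silence, inactivity or a pre-ticked box never counts as consent.
        if not affirmative_action:
            raise ValueError("consent requires a clear affirmative act by the data subject")
        # Item 3: consent is specific; an unknown or bundled purpose is rejected.
        if purpose not in ORDINARY_PURPOSES | SPECIAL_CATEGORY_PURPOSES:
            raise ValueError(f"unknown purpose {purpose!r}; consent must be given per purpose")
        # Item 5: special categories of data require explicit consent.
        if purpose in SPECIAL_CATEGORY_PURPOSES and not explicit:
            raise ValueError("special categories of data require explicit consent")
        # Item 4: below the digital age of consent, parental authorisation is required.
        if age is not None and age < DIGITAL_AGE_OF_CONSENT and not parental_authorisation:
            raise ValueError("child below the age of consent: parental authorisation required")
        rec = ConsentRecord(subject_id, purpose, datetime.now(timezone.utc),
                            notice_version, method, explicit)
        self._records.append(rec)
        return rec

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        # Consent for one purpose never implies consent for another.
        return any(r.subject_id == subject_id and r.purpose == purpose
                   and r.withdrawn_at is None for r in self._records)

    def withdraw(self, subject_id: str, purpose: str) -> int:
        # Item 6: withdrawal is a single unconditional step, as easy as giving consent.
        withdrawn = 0
        for r in self._records:
            if r.subject_id == subject_id and r.purpose == purpose and r.withdrawn_at is None:
                r.withdrawn_at = datetime.now(timezone.utc)
                withdrawn += 1
        return withdrawn

    def evidence(self, subject_id: str) -> list[dict]:
        # Item 6 / art. 7, par. 1: the audit trail the controller can produce on request.
        return [asdict(r) for r in self._records if r.subject_id == subject_id]
```

The `evidence` output is what an engineer would export when the controller is asked to prove that, when and under which notice a given consent was collected.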



What is a privacy notice?
The privacy notice is the set of information which must be provided to data subjects (namely natural persons whose data are processed) to allow them to understand who is collecting their personal data, what will be done with them, how, by whom and who they will be shared with.

Who is responsible for providing the privacy notice?
The privacy notice must be provided by the data controller or the data processor, when specifically instructed to do so by the data controller.

What are the contents of a privacy notice?
The GDPR provides a thorough description of the contents of the privacy notice in art. 13, par. 1 and art. 14, par. 1.

Some of these contents were already provided for in the Italian Privacy Code, among which are for example the indication of: a) contact data of the data controller and of any data processor when used; b) the purposes of processing (e.g. entering into contracts, marketing, profiling, etc.); c) whether the provision of personal data is mandatory or not and the consequences (should such mandatory data not be provided); d) the rights of data subjects.

Besides this information, the GDPR requires the controller to include further relevant information in the privacy notice before proceeding with the processing of data, such as: a) contact data for the Data Protection Officer when appointed; b) the legal basis for the processing (e.g. consent, public interest, performance of contracts and so on) and, where the legal basis is the controller’s legitimate interest, a description of that interest; c) whether the data will be transferred to countries outside the EU and which instrument the transfer will be carried out with (e.g. adequacy decision, BCR, standard contractual clauses); d) the period of time for which the data will be stored or the criteria used to determine it; e) the existence of automated decision-making (including profiling) and the logic it is based on.

When must the privacy notice be given?
The privacy notice must be provided to data subjects at the moment in which their data are collected, therefore before the start of any kind of processing. The GDPR only exempts data controllers from the obligation of providing privacy notices in cases in which data subjects already have all the information at their disposal (art. 13, par. 4).

Conversely, in cases where the data have not been obtained from the data subject, data controllers must provide data subjects with the above listed information (in addition specifying the source of the data) within a month of collecting them or, at any rate, from the moment of their communication (to a third party or to the data subjects themselves). The GDPR also provides for certain circumstances for exemption in this situation (art. 14, par. 5) which refer to those cases in which: a) data subjects are already in possession of all relevant information; b) the provision of such information would prove impossible or would involve excessive effort; c) the collection or disclosure is laid down by law; d) the data must remain confidential subject to an obligation of professional secrecy. It is the duty, and therefore the responsibility, of the data controller to assess whether one of the above-listed circumstances applies.
In addition data subjects must be provided with a new privacy notice should the data controller decide to process the collected data for different purposes from those originally communicated.

How must the privacy notice be provided?
In this case too the GDPR gives a clearer definition of the procedure for formulating and providing the privacy notice.
The privacy notice is generally provided in writing or by other means, which can also be electronic (where appropriate). Only in cases when the data subject requires it, may the privacy notice be provided orally.
With regard to its formulation, the GDPR specifies that the privacy notice must be: concise, transparent, intelligible and easily accessible. Essentially, it must be formulated in clear and plain language, in particular when the information is specifically addressed to a child (art. 12, par. 1).
In addition, with the precise aim of guaranteeing the highest level of transparency and to make it easily legible, the GDPR clearly explains that the information may be provided in combination with standardised icons to give an intuitive and easily understandable overview of the processing procedure.

posted by Giusella Finocchiaro on October 17, 2017


Here is the article by Giusella Finocchiaro and Laura Greco, published in Agenda Digitale on 1st September 2017.

Much has already been said on the new data protection requirements introduced by Regulation (EU) 2016/679 of the European Parliament and the Council of 27th April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation) (and coming into full force from 25th May 2018).

At first reading, the stringent and precautionary nature of the new legislation was already evident, being characterised by an approach based on the risk assessment of data processing and the accountability of the processing subjects.

As confirmation, it is enough to take a look at the considerable number of obligations the Regulation imposes on data controllers and processors. Compliance with the Regulation particularly aims to organise the entire data processing procedure on the principles of privacy by design and default, with the objective of ensuring that both technological and organisational security measures are adequate compared to the potential risks to which data are exposed during processing.

In the framework of the obligations directed at measuring the risks relating to processing activities, one in particular stands out for its relevance and challenging nature, namely the so-called Data Protection Impact Assessment (DPIA), a preventive measure that obliges controllers to verify whether processing might expose personal data to high risk, taking into consideration the specific characteristics of the processing involved: namely, its nature, subject, context and purpose as well as the use of new technologies. Although strongly recommended for all types of processing, the DPIA is not mandatory except in cases specifically indicated in the Regulation or in the legislation of Member States.

One particular field in which the DPIA appears not only to be suitable but also essential for data controllers is the work sector. In fact, data processing carried out in a work environment seems to fall under the heading of systematic monitoring of data regarding vulnerable subjects.

The term “vulnerable” is not used at random. Working Party art. 29 uses this term to define employees in the “Guidelines on Data Protection Impact Assessment (DPIA)” adopted on 4th April 2017, where the work environment is considered at risk for the rights of data subjects when taking into account the imbalance of bargaining power in favour of the data controller. Working Party art. 29, which had already given indications in the past with regard to the rights of employees in the field of data protection (see opinion 8/2001, WP48 and working document WP55 of 2002) dedicates its recent opinion 2/2017 to the subject of data processing in the work environment.

In this document the Group of European DPAs updated its considerations on the subject matter in light of the new provisions and in particular, of the new obligations introduced by the Regulation.

Confirming that data processing in the work environment must necessarily comply with the principles of transparency, necessity and minimisation, the Group underlines that consent cannot be considered a requirement for safe and reliable legitimacy since workers cannot consider themselves completely free to give consent to or oppose data processing due to the contractual relationships that bind them to their employer. Hence, in the Group’s opinion, other legal bases would be preferable such as the implementation of the work contract, the controller-employer’s compliance with a legal obligation or his legitimate interest.

However, identifying the conditions which make data processing legal is not sufficient where employee monitoring is concerned: there is the need for a clear, understandable and comprehensive policy – the Group confirms – which keeps employees fully informed of monitoring activities and their related purposes.

And it is right here, between the pillars of lawfulness of data processing and transparency that the DPIA fits in, the risk-based safeguard measure, which combines a proportionality test of the legitimate interest of the employer, the technologies used to assure protection of this and the rights of privacy and secrecy of employee communications. According to the Working Party, the introduction of any technology designed to monitor and control workers should be preceded by a DPIA in order to verify whether the data processing (and the ways in which it is carried out) are commensurate with the risk the employer must face.

Following a theoretical presentation of the framework of the Regulation, its fundamental principles and innovations, the Group of DPAs closely examines a series of data processing scenarios that may occur in an organisation’s routine procedure, with particular reference to the use of new technologies. The Group focuses in particular on those technologies that permit the monitoring of employees not only at their work place but also at their homes and, more generally, in their private lives. This happens for example where BYOD (Bring Your Own Device) technologies are used, which allow workers to use their own personal devices for work purposes. The mixed use of such devices might create the risk of processing information outside the work sphere. Therefore, in order to avoid such an eventuality, the Group recommends adopting appropriate measures which would make identifying the use of the device possible.

Finally, in outlining the protection afforded to workers, the European DPAs not only take into account the advanced technological context but also the business world: processing carried out by a business group based in different Member States may mean the transfer of employee data to third countries. In such cases – as well as in the case of the use of applications and cloud-based services that imply a cross-border flow of personal data – data transfer will be legal on condition that the third country data importer assures an adequate level of data protection.

To summarise: legality, transparency, proportionality, balancing of interests, minimisation. These are the key words (and the pillars) of data processing in the work environment.

In addition, it is worth keeping in mind that art. 88, paragraph 1 of the Regulation provides that Member States may “by law or by collective agreements, provide for more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees’ personal data in the employment context”. This leads to a further reflection on the adequacy of the modifications made to law no. 300, 20th May 1970, (“Workers’ Statute”) by the recent Jobs Act reform. Therefore, there needs to be evaluation of whether the new provisions are in effect sufficient in light of the Working Party recommendations and given the scenarios envisioned, or whether further action by the Italian legislator will be necessary.
