Editorial Director: Giusella Finocchiaro
Web Content Manager: Giulia Giapponesi

The privacy regulation (Regulation (EU) 2016/679) will shortly be directly applicable across Europe, which means that businesses, public administrations and private citizens will all be rushing to make sure they comply with the provisions of the new regulation. To make it easier to understand such a complex and highly structured text as the GDPR, we provide a set of simple factsheets here with a Q&A formula, which start from already well-known privacy concepts and give a brief guide to the new legislation.

What is meant by consent to the processing of personal data?

According to the new definition in the GDPR, consent of the data subject means “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her” (art. 4, par. 1, n. 11). Analysis of the definition shows that consent represents an indication of will, expressed in affirmative and unambiguous terms. Therefore, it can only be a statement or a positive action on the part of the data subject and not, conversely, merely passive conduct, such as hypothetical silent consent, for example. Moreover, in the same way as the Italian privacy Code, the GDPR requires consent not only to be unambiguous but also: free (given in the absence of constrictions); specific (one for each processing purpose) and informed (the data subject must receive an appropriate privacy notice on the processing of his/her personal data).

Who must ask for consent for the processing of personal data?

The data controller or, if specifically instructed, the data processor must have the consent of the data subject when they want to process his/her data. The GDPR places the actual burden of proof on the data controller. Art. 7, par. 1 specifies that the data controller shall be able to demonstrate that the data subject has consented to the processing of his/her personal data.

When is consent for personal data necessary?

Consent by the data subject is one of the many legal bases provided by the GDPR alternately, to legitimise the processing of personal data carried out by the controller. This means that consent must be obtained whenever one of the alternative legal bases listed in art. 6 of the GDPR cannot be used. These are essentially “equivalent circumstances” to consent, in the presence of which personal data may be processed even without consent from the data subject.

What are the equivalent circumstances to consent by the data subject?

In addition to consent, art. 6 of the GDPR lists five different legal bases which mainly take up the alternatives already provided for by the Italian privacy Code. Processing will be lawful even in the absence of consent if: a) it is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract; b) it is necessary for compliance with a legal obligation to which the controller is subject; c) it is necessary in order to protect the vital interests of the data subject or of another natural person; d) it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; f) it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

In the last case, it will be the duty and responsibility of the controller to balance his/her legitimate interest with the rights of data subjects and justify that his/her interest overrides the interests of the various data subjects.

What might the legitimate interests of the controller be?

Recitals 47, 48 and 49 of the GDPR list examples of activities that might be considered the legitimate interests of a data controller and which override those of data subjects.

Among these is fraud prevention and direct marketing (which occurs when the controller uses the contact data the data subject has given him/her in the context of the sale of a product or a service without asking for the data subject’s consent and provided that the data subject, adequately informed, had not refused it). The processing of data for internal administrative purposes or in order to assure the security of networks and information may also be considered to be covered by legitimate interest.

Are there particular conditions for the processing of “sensitive” data (so called special categories of data)?

For the processing of special categories of data (sensitive data), the general rule is that of explicit consent (explicit consent is also applied when the data controller wants to adopt automatic decision-making processes, including profiling, which have legal consequences for data subjects).

In this case, the GDPR also provides a series of “equivalent circumstances” which waive the need to collect consent (art. 9). Some of these are particularly innovative, among which when processing is necessary for: the purposes of complying with obligations of labour law, social security and social care; the purposes of preventive or occupational medicine; for reasons of public interest in the field of public health; for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

What is new with regard to child’s consent?

The GDPR inserts an ad hoc provision for child’s consent, which however only refers to the offer of information society services.

Considering the wide variety of content and digital services to which children have access thanks to the use of the Internet, the GDPR wishes to strengthen the protection of children from the dangers of the Internet. Therefore, Art. 8 specifies that consent given by a child for the processing of his/her personal data in the context of a service offered by an information society, is only lawful when the child is at least 16 years old (Member States may provide by law for a lower age provided that it is not below13 years).

Where the child is below the age of 16, processing will be lawful only if and to the extent that consent is given or authorised by the parents or holder of parental responsibility over the child.

What are the conditions for the collection of consent?

In light of the definition of consent (a free, specific, informed and unambiguous indication of will), the GDPR specifies the conditions controllers must fulfill in order to guarantee the collection of legitimate consent.

Consent can be given with a written or an oral statement.

When consent is given in writing, in the context of a declaration which also includes other matters, consent to data processing must be presented in a manner which is clearly distinguishable from the other matters.

The formulation of consent must be in an intelligible and easily accessible form, using clear and plain language.

Moreover, the data controller must take into consideration that consent given by the data subject can be withdrawn at any time as easily as it was given.

How to create a GDPR compliant consent form?

To briefly summarise: in order to create a GDPR compliant consent form:

1) this must be a clear and unambiguous act: it can be collected in writing including by electronic means, or with an oral statement;

1.1) this implies that consent is not constituted by: silence, inactivity or pre-ticked boxes.

1.2) on the contrary, consent can be obtained through: specific boxes to tick (not pre-ticked) when visiting an Internet website; choosing technical settings for information society services or another statement or conduct which clearly indicates the data subject’s acceptance of the proposed processing of his/her personal data.

2) must be formulated in clear, plain and intelligible language;

3) there must be separate consents for each processing purpose (marketing and profiling are distinct purposes);

4) when a child is involved: the age of the child must be verified or parental consent must be asked for;

5) for special categories of personal data, consent must be explicit;

6) data controllers must take appropriate measures to demonstrate that the data subject has consented to processing of his/her personal data and also to inform the data subject of his/her right to withdraw his/her consent at any time and that it is as easy to withdraw as to give consent.

 

 

The privacy regulation (Regulation (EU) 2016/679) will shortly be directly applicable across Europe, which means that businesses, public administrations and private citizens will all be rushing to make sure they comply with the provisions of the new regulation. To make it easier to understand such a complex and highly structured text as the GDPR, we provide a set of simple factsheets here with a Q&A formula, which starting from already well-known privacy concepts, give a brief first guide to the new regulation.

What is a privacy notice?
A factsheet known as a privacy notice refers to that set of information which must be provided to data subjects (namely natural persons whose data are processed) to allow them to understand who is collecting their personal data, what will be done with them, how, by whom and who they will be shared with.

Who is responsible for providing the privacy notice?
The privacy notice must be provided by the data controller or the data processor, when specifically instructed to do so by the data controller.

What are the contents of a privacy notice?
The GDPR provides a thorough description of the contents of the privacy notice in art. 13, par. 1 and art. 14, par. 1.

Some of these contents were already provided for in the Italian Privacy Code, among which are for example the indication of: a) contact data of the data controller and of any data processor when used; b) the purposes of processing (e.g. entering into contracts, marketing, profiling, etc.); c) whether the provision of personal data is mandatory or not and the consequences (should such mandatory data not be provided); d) the rights of data subjects.

Besides this information, the GDPR provides further relevant information in the privacy notice which the controller is required to provide to data subjects in order to proceed with processing their data, such as: a) contact data for the Data Protection Officer when appointed; b) the legal basis for the processing (e.g. consent, public interest, performance of contracts and so on) and in cases where this constitutes legitimate interest for the controller, specify its contents; c) whether the data will be transferred to countries outside the EU and which instrument the transfer will be carried out with (e.g. adequacy decision; BCR, standard contractual clauses); d) the period of time for which the data will be stored or the criteria used to determine it; e) the existence of automated decision-making (including profiling) and the logic it is based on.

When must the privacy notice be given?
The privacy notice must be provided to data subjects at the moment in which their data are collected, therefore before the start of any kind of processing. The GDPR only exempts data controllers from the obligation of providing privacy notices in cases in which data subjects already have all the information at their disposal (art. 13, par. 4).

Conversely, however, in cases where the data have not been obtained from the data subject, data controllers must provide data subjects with the above listed information (in addition specifying the source of the data) within a month of collecting them or at any rate from the moment of their communication (to a third party or to the data subjects themselves).The GDPR also provides for certain circumstances for exemption in this situation (art. 14, par. 5) which refer to those cases in which: a) data subjects are already in possession of all relevant information; b) the provision of such information would prove impossible or would involve excessive effort; c) the collection or disclosure is laid down by law; d) the data must remain confidential subject to an obligation of professional secrecy. It is the duty and therefore, the responsibility of the data controller to assess whether there is one of the above-listed circumstances.
In addition data subjects must be provided with a new privacy notice should the data controller decide to process the collected data for different purposes from those originally communicated.

How must the privacy notice be provided?
In this case too the GDPR gives a clearer definition of the procedure for formulating and providing the privacy notice.
The privacy notice is generally provided in writing or by other means, which can also be electronic (where appropriate). Only in cases when the data subject requires it, may the privacy notice be provided orally.
With regard to its formulation, the GDPR specifies that the privacy notice must be: concise, transparent, intelligible and easily accessible. Essentially, it must be formulated in clear and plain language, in particular when the information is specifically addressed to a child (art. 12, par. 1).
In addition, with the precise aim of guaranteeing the highest level of transparency and to make it easily legible, the GDPR clearly explains that the information may be provided in combination with standardised icons to give an intuitive and easily understandable overview of the processing procedure.

posted by admin on aprile 22, 2016

Privacy

(No comments)

On the 14th of April 2016, more than four years after the European Commission proposal, the European Parliament approved at second reading the Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

The incessant technological progress of the last few years, the result product of an information society which has become increasingly more intrusive in people’s private lives, had on the one hand highlighted the inadequacy of European data protection legislation Directive 95/46/EC, formulated in the first stages of the digital revolution and on the other underlined the regulatory fragmentation that the implementation of the Directive had caused in the Member States. Thus, the Regulation meets the long awaited need to reform the legislation on personal data protection extending the number of rights for data subjects compared to those provided by the Directive and to bring into line the different legislations of the Member States, as a means to also strengthening the internal European market. In that sense the choice of the European legislator to adopt the instrument of the Regulation is a significant one in that, in contrast with the Directive it does not require acts of transposition, as it can be directly and identically applied in each Member State.

Among the most significant recommendations introduced by the Regulation, of particular relevance seems to be the new local scope of application in accordance with art. 3. Directive 95/46/EC previously provided for the regulation to be applicable by means of the national legislations when personal data were processed in the framework of the activities of a data controller’s establishment physically present in the European Union. Therefore, the fundamental criterion for defining the scope of applicability of the Directive was the physical location in which the data were processed. Today, this criterion seems to have been overturned by art. 3, paragraph 1 of the Regulation, which defines the applicability of the act “regardless of whether or not the processing takes place in the Union”. Already over the last two years, from the Google Spain ruling to the recent Schrems decision, the orientation, which has become definite in the European Court of Justice’s case-law, has highlighted a trend towards a less restrictive interpretation of this criterion.

In fact, it seems that the will has also arisen to extend European legislation to cases in which data controllers are non-European subjects and data are mainly processed outside Europe. Now, art. 3 of the Regulation seems in a certain sense to have codified the Court’s broadened interpretation by providing multiple connecting criteria that also allow those cases of data processing which previously had been difficult to include, to be drawn into the sphere of application of the regulatory provision. The Regulation is now applicable not only to data processing performed in the context of the activities of a data controller’s establishment within the Union, but also in the case of a data processor’s establishment. Moreover, it is applicable when the data processing activities are related to an offer of goods or services, even if free of charge, to interested data subjects within the European Union, or when they are related to the monitoring of the such data subjects’ behaviour, even if the data controllers or processors are not settled in the European Union.

The reform introduces various innovations, among which the provision of a new range of rights for data subjects (for example the right to be forgotten and the right to data portability), the placing of more responsibilities on subjects involved in the processing of personal data (in particular the obligation for data controllers to carry out privacy impact assessments and to notify of data breaches), new safeguards for the transfer of data abroad in addition to the confirmation of the two regulatory authorities represented by the Data Protection Officer and the Supervisory Authority.

With regard to coordination with the European legislation (the Regulation will be applicable after a two year period from the date of entry into force), the Italian legislator will have to choose which of the two alternative routes to follow: either the direct application of the Regulation, which would imply the abrogation of all national provisions incompatible with the European legislation, or the integration of the current Italian Personal Data Code, despite the inevitable risks of erroneous transpositions or misinterpretations of the European provisions.

 

 

  • Recent comments

  • Popular posts

    • None found