Today we will continue discovering GDPR principles by giving attention to two new principles introduced by GDPR. Both of them seem to be burdensome and restrictive for controllers, presenting their new duties and restraints.
The purpose limitation principle
The purpose limitation principle says the personal data collected for one purpose should not be used for another one. Processing for another purpose requires further permission or consent unless it is compatible with the original one. When there is an intention to use compatible purpose, a controller must consider three issues: the context in which personal data has been collected, the nature of data and possible consequences of further processing. The purpose limitation principle is related to:
“The right to object to processing”: A controller must have a lawful basis for processing the personal data. However, when that lawful basis is either public or legitimate interest, the data subjects may object to such processing. GDPR requires the controller to demonstrate his compelling reasons for continuing the processing, or that the processing is necessarily based on his legal rights or duties. Without such demonstration, organisation must stop the processing activity. The data subject also has options to object to processing for specific purposes such as direct marketing, etc.
Example: A bank receives a written request from customer to remove his personal data from its database. The customer argues that processing his data has led to him being refused a service provided by another financial institution. In this case, the bank does not have to comply with this notice because the credit referencing is necessary for the contract the customer has signed. Although he cancels the contract and withdraws his consent and bank has to comply with his objection and stop processing his personal data, the data already processed shall not be subject of this objection. Bank should inform that the effect on the customer is not unwarranted, since sharing information about the customer’s payment history is justified and the customer had been informed in advance.
If the bank intended to use personal data for direct marketing purposes, there are no exemptions to refuse the objection to processing.
Organisations often collect personal data and then later decide the purposes for which they plan to use them. Such approach is already forbidden by Directive. GDPR tightens the restrictions even more, as it allows collecting only necessary personal data for a specific purpose, informing the data subjects in advance. The data minimisation principle requires processing only minimum amount of personal data. You simply cannot collect personal data that are not strictly necessary in connection with the provision of service demanded by the data subject, unless the data subject agrees. Each organisation should carefully consider the extent of collected data and its data collection practices.
Example: When opening an account with the bank, some banks may ask you to fill in questionnaires where some additional questions may have been aimed on collecting data for marketing purposes and better targeting on their customers. As GDPR states, the banks have to provide you the same services without asking for unnecessary information.
Data minimisation principle makes itself felt in following rights:
“The Right to be forgotten”: It states that the data subjects can ask the organisation holding their personal data to delete them if keeping such data is not compliant with the requirements of the GDPR. If the organisation has a lawful basis for processing personal data, it will not be significantly affected by the right to be forgotten.
Example: The client withdrew the contract few years ago. As he wants to make sure the organisation does not use any of his information for any purposes, he asks the controller to delete his personal data. We intentionally don’t use bank in this example as usually; because there might be another legal requirement in banking sector.
“The Right to restrict processing”: Data subjects can limit the purposes for which the data controller can process those data, even though they might not be entitled to require the controller to erase their data. The processing of personal data may be restricted by data subject if the processing has doubtful accuracy, the processing is unlawful or the controller does not need the data for the original purpose, but kept them for legal actions.
Example: If bank client questions the accuracy of retained personal data, he may force bank to stop processing, even though the data are processed on proper lawful basis. This right act like a step to the right to erasure.
“The Right related to automated processing”: Individuals have the right not to be subject to a controller’s decision based on automated processing which significantly affects them (as profiling). Data subject should be able to obtain human intervention; express point of view and ask for explanation. Such processing is permitted for entering into a contract or is authorised by the law or given the explicit consent. Suitable safeguards may include anonymization or pseudonymization as components of profiling-based activities.
Example: Data profiling can be used to predict the creditworthiness of individuals with a view to determine whether to allow indebtedness. Bank has to inform clients of the use of profiling, including information on how algorithm works and on the risk factors used to calculate desired data. Data protection impact assessment prior to the processing is another requisite; beside all general GDPR information required.
We shall pay further attention to impact and risk assessment in coming blogs.