The lawfulness principle means that all data processing must comply with the law and have a valid legal basis, such as fulfilling a contract, complying with legal obligations, protecting someone’s vital interests, or serving the public interest. If none of these apply, the controller must either obtain the data subject’s consent or demonstrate that their or a third party’s legitimate interests override the individual’s right to privacy.
Despite clear legal guidelines, mistakes are still very common. Drawing on the decisional practice of the Czech data protection authority (the DPA), we have prepared a series of the most common errors undermining lawful data processing. Here are the first three. More will be revealed in the next article.
Overlooking Broader Lawfulness
Lawful data processing is not limited to GDPR compliance; it also requires adherence to other legal frameworks. Controllers sometimes focus on GDPR requirements while neglecting those established under local laws.
In many cases, the DPA has fined organisations for non-compliance with laws that directly affect the processing of specific personal data. For example, copying ID cards requires consent under the Act on Identity Cards, and storing non-essential cookies demands the visitor’s prior consent under the Act on Electronic Communications.
In other instances, local laws may not directly regulate data processing but still influence its lawfulness. For example, a residential facility for people in need collected special categories of personal data (i.e. sensitive data) to provide care services, relying on the legal basis of substantial public interest as provided for by law, which applies to the processing of sensitive data in social care facilities. However, the facility lacked the public law authorisation required to provide care services, which rendered that legal basis invalid. This led the DPA to impose sanctions.
Organisations must ensure they comply with all applicable laws—not just GDPR—before processing personal data. Keeping "their side of the street clean" is essential to keep to the principle of lawfulness.
Misinterpreting Necessity
Except for consent, the principle of necessity underpins all legal bases for data processing. Controllers can only process data that is essential to achieve the purpose, not just because it is part of their chosen method. In other words, data should not be processed just because the organisation operates its business in a certain way. There are many instances where data controllers process information they do not necessarily need for their activities.
Unnecessary data is then processed without a valid legal basis. For example, the DPA fined accommodation providers who scanned or copied entire ID documents of foreign guests to comply with police reporting obligations, believing they were processing the data to meet legal requirements. However, the reporting form only asks for specific information, such as the passport ID number and visa number. To fulfil this legal obligation, it is sufficient to view the travel document or visa and note down the necessary information—there is no need to store it.
Controllers must critically assess whether their activities can be carried out with less—or no—personal data and limit processing to only what is truly necessary.
Over-Reliance on Consent
Consent is often overused as a legal basis for processing. Many controllers mistakenly view consent as a universal safety net, but this is not the case. If another legal basis applies, relying on consent is not only unnecessary but also unlawful.
Take, for example, a company that was fined after using an electronic form on its website to conclude a contract, where users were asked to tick a box agreeing to the processing of their personal data. The company believed they had everything covered with this consent, but the DPA’s inspection revealed otherwise. The data collected on the website was actually necessary to perform the contract to which the data subject is party and to take steps at the request of the data subject before entering into a contract, so the company had a valid legal basis for its processing and the consent was superfluous. In this case, less is often more.
Using consent for data processing is often unnecessary and can be unlawful if another legal basis applies.
Stay tuned
In our next article, we will reveal three more common mistakes that undermine lawful data processing. Do not miss it!
In the meantime, if you have any questions about data protection, please contact our experts.