The lawfulness principle means that every processing of personal data must comply with the law and rest on a valid legal basis: the data subject's consent, performance of a contract, compliance with a legal obligation, protection of someone's vital interests, performance of a task in the public interest, or the legitimate interests of the controller or a third party. The last basis is not automatic; it applies only where those legitimate interests are not overridden by the interests, rights and freedoms of the data subject, and the controller must be able to show that it carried out this balancing test.
Despite clear legal guidelines, mistakes are still very common. Drawing on the decisional practice of the Czech data protection authority (the DPA), we have prepared a series of the most common errors undermining lawful data processing. In our previous article (link), we described three common mistakes. Here are three more that we have learned from the DPA’s decisions.
Processing Publicly Available Data Without Justification
Publicly accessible data, such as information from trade registers or trademark databases that pertains to individuals, remains personal data and is still subject to data protection rules. Controllers cannot assume that publicly available data is free for unrestricted use and always need a legal basis to process it.
The DPA has repeatedly fined companies for using data from public sources without a valid legal basis. The authority has emphasised that, in most cases, a controller's legitimate interest in using publicly available personal data for a purpose different from the one for which it was published (for example, using a trade register entry not to verify the solvency of a business partner but to contact the individual with service offers) does not override the rights of the data subjects.
In short: processing publicly available data for a purpose other than the one for which it was published rarely has a valid legal basis, and it is a recurring reason for fines.
Faulty Anonymisation
Truly anonymised data, i.e. data that can no longer be related to an identified or identifiable individual, is not subject to data protection rules. Many controllers, however, mistakenly treat pseudonymisation as anonymisation. Pseudonymisation replaces or conceals direct identifiers (a name, an e-mail address, a customer number), but the individual can still be identified, whether by reversing the substitution, by linking the record to other data, or from the remaining attributes themselves. Under the GDPR, pseudonymised data is still personal data, so processing it still requires a legal basis.
A good example of non-anonymous personal data from the DPA's decisional practice is web browsing history. It is a unique set of activities linked to a specific user in the online environment. It is important to remember that a person can be identified not only by a specific identifier, but by one or more characteristics of their physical, physiological, genetic, psychological, economic, cultural or social identity. Social identity refers, for example, to a person's characteristic pattern of behaviour. In the digital world, a unique pattern of behaviour in the browser can constitute an individual's social identity and can ultimately lead to the identification of that person, even after the account identifier has been removed.
Companies need to take extra care when anonymising data and ensure that they have a valid legal basis for the anonymisation process itself.
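The following is an added illustration of the point above, not code from the article or from the DPA's decision. It builds a constructed browsing log, "anonymises" it the way many controllers do (replacing the e-mail address with an unsalted hash while keeping the browsing history), and then shows two ways the records are still re-identifiable: recomputing the hash from a guessable list of addresses, and linking a known person's browsing pattern to a pseudonym without touching the hash at all. All addresses, sites and records are made up.

```python
"""Why hashing an identifier is pseudonymisation, not anonymisation.

Added illustration, not code from the article or the DPA. All records,
e-mail addresses and site names below are constructed sample data.
"""
import hashlib
from collections import Counter

# Constructed sample: a controller keeps per-user browsing histories and
# believes that replacing the e-mail with its SHA-256 hash makes the data anonymous.
RAW_RECORDS = [
    ("alice@example.com", ["news.example", "bank-a.example", "knitting.example"]),
    ("bob@example.com", ["news.example", "bank-b.example", "chess.example"]),
    ("carol@example.com", ["news.example", "bank-a.example", "knitting.example"]),
]


def pseudonym(email: str) -> str:
    """Unsalted, unkeyed hash of the identifier: deterministic, so anyone
    who can guess the input can recompute it and match it."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def pseudonymise(records):
    """Replace the direct identifier; leave the behavioural data untouched."""
    return [(pseudonym(email), list(sites)) for email, sites in records]


def reidentify_by_dictionary(pseudo_records, candidate_emails):
    """Attack 1: the identifier space is enumerable (a customer list, an
    address book), so hashing each candidate and comparing reverses the
    substitution. Returns {hash: email} for every hit."""
    lookup = {pseudonym(e): e for e in candidate_emails}
    return {h: lookup[h] for h, _ in pseudo_records if h in lookup}


def fingerprint_counts(pseudo_records):
    """How many records share each browsing pattern. A count of 1 means the
    pattern alone singles out one person (the DPA's 'social identity' point)."""
    return Counter(frozenset(sites) for _, sites in pseudo_records)


def singled_out(pseudo_records):
    """Pseudonyms whose browsing pattern is unique within the dataset."""
    counts = fingerprint_counts(pseudo_records)
    return {h for h, sites in pseudo_records if counts[frozenset(sites)] == 1}


def reidentify_by_linkage(pseudo_records, known_sites):
    """Attack 2: an auxiliary source (a partner's logs, a support ticket, a
    public post) tells the attacker which sites a named person visits.
    Matching that pattern recovers the person's pseudonym without any work
    on the hash. Exactly one match is a re-identification; several matches
    mean the pattern is shared and the link is ambiguous."""
    target = frozenset(known_sites)
    return [h for h, sites in pseudo_records if frozenset(sites) == target]


if __name__ == "__main__":
    pr = pseudonymise(RAW_RECORDS)
    hits = reidentify_by_dictionary(pr, ["bob@example.com", "mallory@example.com"])
    print("dictionary attack recovered:", sorted(hits.values()))
    print("records with a unique browsing pattern:", len(singled_out(pr)), "of", len(pr))
    bob_pattern = ["chess.example", "news.example", "bank-b.example"]
    print("linkage on Bob's known pattern matched", len(reidentify_by_linkage(pr, bob_pattern)), "record")
```

Two details are worth noting. Replacing the plain hash with a keyed hash (HMAC under a secret the attacker does not hold) defeats the dictionary attack but not the linkage attack, because the browsing history is what identifies Bob; only generalising or suppressing the behavioural data changes that. And the uniqueness count is a useful self-check before calling a dataset anonymous: in the sample, Alice and Carol share a pattern and Bob does not, so Bob is singled out by his history alone.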
Failure to Prove Legal Basis
When challenged, controllers must be able to demonstrate the legal basis on which they process personal data. One company ran into difficulty after relying on verbal consent obtained over the phone. Its operators were properly trained and asked for consent to process personal data during the call, and the data was entered into the system immediately afterwards, but the calls were not recorded. When the DPA asked for proof, there was no evidence that consent had actually been given.
Companies must have verifiable evidence of consents in line with the accountability principle.
The Bottom Line
Data protection rules are intricate and violations can be costly. To stay compliant, organisations must not only adhere to the GDPR but also respect local regulations, process only the data they actually need, document the legal basis for each processing operation, and avoid treating consent as a catch-all solution. A thorough understanding of the rules and their proper implementation is crucial to avoid penalties and to protect personal data responsibly.
If you have any questions about data protection, please contact our experts.