GDPR: the principles for processing personal data

The General Data Protection Regulation (GDPR) sets out the six bases on which an organization can process personal data. An example of a basis is the permission that a data subject has given an organization to process his/her personal data. The six GDPR principles describe the conditions and purposes that an organization must comply with before it can process personal data on a specific basis. An additional condition is that organizations only process personal data from the category of ‘ordinary’ personal data.

The GDPR principles on the basis of which an organization may process personal data:

  • 1. Consent of the data subject
  • 2. Necessity for the execution of an agreement
  • 3. Need to comply with a legal obligation of the organization
  • 4. Necessity to protect the vital interests of a data subject
  • 5. Necessity for the fulfillment of a task of general interest of the organization
  • 6. Necessity for the legitimate interests of the organization
  • Exception: sometimes additional basis required from Member State law or Union law
  • What happens if an organization does not comply with the GDPR?
  • Failure to comply with GDPR obligation
  • Failure to comply with GDPR basis


1. Consent of the data subject

“The consent that the data subject or consumer has given to the organization to process personal data for one or more specific purposes.”

One of the GDPR bases on which an organization may process personal data is the consent that someone grants to an organization for this purpose. An organization must always use the processed personal data for the specific purpose for which the data subject has given the organization permission. If an organization’s processing of personal data serves multiple purposes, separate consent is required from the data subject for each of these specific purposes. An exception is when a legal provision obliges the organization to process personal data. In all other cases, the consent of a data subject is required. The right to be forgotten of a data subject, also described as the ‘right to erasure of personal data’, means that a data subject can withdraw the consent previously granted to an organization for the processing of personal data.

Specific goal

An organization may only process personal data if it serves a specific purpose. This purpose must be expressly stated. This may be, for example, in a legal provision that describes the specific purpose, or in a form in which a data subject gives the organization in question permission to process personal data for the specific purpose. An example of a specific purpose is the storage of medical data about a patient by a general practice; these data are of great importance for a general practitioner to provide appropriate care to a patient.

Accountability

An organization must be able to demonstrate that a data subject has given the organization permission to process his/her personal data for a specific purpose. An organization must be able to demonstrate how the consent of a data subject was obtained. This is part of the so-called accountability obligation that organizations that process personal data must adhere to according to the GDPR.

2. Necessity for the execution of an agreement

“The need for the performance of a contract to which the data subject is a party, or to take measures at the request of the data subject for the conclusion of a contract.”

Another basis on which an organization may process personal data according to the GDPR is when the performance of an agreement makes it necessary for an organization to process the personal data of a data subject. In that case, an organization does not have to first ask the data subject for permission. The necessity for the processing of personal data exists when it is not possible for an organization to fulfill the obligations contained in an agreement without this processing; only then is the processing of personal data necessary for the execution of an agreement. If the processing of a data subject’s personal data is not necessary for the fulfillment of the agreement that an organization has concluded with the data subject, or for the measures that the organization must take for this purpose, the data subject must give the organization specific and separate permission for this.

3. Need to comply with a legal obligation of the organization

“The need to comply with a legal obligation of the organization.”

In some cases, an organization is legally obliged to retain certain personal data, which means that the organization is legally obliged to process this personal data. This is, for example, based on a statutory retention period. If an organization is legally obliged to process personal data, the data subject does not need to be asked for permission to process this personal data.

4. Necessity to protect the vital interests of a data subject

“The need to protect the vital interests of a data subject or another natural person.”

A vital interest concerns the health or life of a data subject or another person. Where personal data is processed in a situation in which someone’s life is being saved and the data subject cannot be asked for consent, the organization does not have to ask the data subject for permission to process the personal data. This basis is particularly important for the performance of the tasks and activities of care providers in the medical sector.

5. Necessity for the fulfillment of a task of general interest of the organization

“The necessity for the fulfillment of a task of general interest or in the context of the exercise of the public authority of the organization.”

An organization may be charged with public tasks that are established by law and for which it is necessary that the organization processes personal data. In this case, a data subject does not need to be asked for permission first. The data that is processed may only be used for the specific purpose insofar as this follows from the description in the law.

6. Necessity for the legitimate interests of the organization

“The necessity for the legitimate interests of the organization or of a third party, unless the rights and freedoms or data protection interests of a data subject are overridden.”

If the processing of personal data is necessary for the performance of the tasks and activities of an organization, the data subject does not need to be asked for consent to the processing of these personal data.

Exception: sometimes additional basis required from Member State law or Union law

An exception to the rule that one of the six GDPR principles must apply before an organization may process personal data are the cases in which an organization may only process personal data when there is both a GDPR basis and an additional basis in Union law or Member State law. Simply basing the processing of personal data on a basis from the GDPR is therefore not enough in those cases. In these cases, the GDPR basis can be seen as a kind of ‘general’ basis on which an organization processes the personal data of a data subject, and a more ‘specific’ basis from Member State law or Union law is linked to it. Such a basis in Union law or Member State law describes, for example, the further conditions that an organization must meet in order to be allowed to process personal data. The basis under Member State or Union law must determine the specific purpose of the processing of the personal data. Member State law or Union law also determines the type of organization in that case; an organization can be classified as a ‘public law’ or a ‘private law’ organization.

The exceptional cases where an organization must base personal data processing on both a GDPR basis and on a basis under Member State law or Union law are:

  • the legal obligation of an organization to process personal data;
  • the fulfillment of a task in the general interest by an organization;
  • the exercise of public authority by an organization.


What happens if an organization does not comply with the GDPR?

If an organization does not comply with certain rules of European privacy legislation, it may be fined by the Dutch Data Protection Authority (AP). The AP monitors compliance with privacy legislation and thus guarantees the right to protection of personal data in the Netherlands. The fine that the AP can impose on an organization in the event of non-compliance with European privacy legislation can amount to 20 million euros or up to 4% of the organization’s global annual turnover, whichever is higher. The seriousness of the failure to comply with the obligation or basis determines the amount of the fine that the AP can impose for it.

There are two violations that an organization can commit in relation to non-compliance with the GDPR:

  • Failure to comply with an obligation under the GDPR.
  • Failure to comply with a basis under the GDPR.


Failure to comply with GDPR obligation

If an organization processes personal data and does not comply with an obligation under the GDPR, the AP can impose a fine on the organization of up to 10 million euros or a fine of up to 2% of the global annual turnover if that amount is more than 10 million euros. An example of a situation in which an organization fails to comply with an obligation under the GDPR is when an organization does not comply with one of the privacy rights of a data subject.

Failure to comply with GDPR basis

If an organization does not comply with a principle of the GDPR, the AP can impose a fine on the organization of up to 20 million euros or 4% of the global annual turnover if that amount exceeds 20 million euros.
