Under GDPR, data controllers are expected to assess the legal basis for their collection and processing of data and declare it in their privacy policies (for example, mine is here).
The regulations enumerate the various legal bases that data controllers can rely upon:
(a) the data subject has given consent to the processing of his or her
personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which
the data subject is party or in order to take steps at the request
of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to
which the controller is subject;
(d) processing is necessary in order to protect the vital interests
of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried
out in the public interest or in the exercise of official
authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate
interests pursued by the controller or by a third party,
except where such interests are overridden by the interests
or fundamental rights and freedoms of the data subject
which require protection of personal data, in particular
where the data subject is a child.
In the years since GDPR came into force, there's been a lot of focus on how to properly obtain consent (basis (a)), as well as when and why Legitimate Interest (basis (f)) can reasonably be used.
However, (to my knowledge) there's been much less focus on clause (c):
(c) processing is necessary for compliance with a legal obligation to
which the controller is subject;
This clause is often taken at face value: the law says I must collect x, so I collect x.
But it's not always that clear-cut, because the law isn't always specific about what needs to be collected (or how).
In this post I'm going to explore an example that I believe highlights the implications of GDPR on how we design software and processes that need to comply with some form of legal obligation.
As is obligatory for these sorts of posts: I am not a lawyer, I'm just a grumbly git who enjoys thought exercises.