GDPR

Writer: Jyoti Gogia

The digital market has given rise to a new world of possibilities for data collection, processing, storage, sharing and analysis. Legal uncertainty within the digital market most certainly leads to reduced competition and exposes customer security and privacy to potential breaches. As a result of individual privacy and security concerns, the GDPR was introduced as an attempt to restore individual confidence and give individuals control over their own personal data. Organisations that collect personal data of individuals and disobey the rules of the GDPR may face hefty fines! Consult LexGo for further information, but continue reading if you are interested in knowing the intricacies of the GDPR.

The GDPR places an obligation on data controllers to store personal data in a manner which does not go beyond necessity. The rights of the data subject were developed with the right to erasure and the right to data portability (RtDP). These rights are not absolute; they are subject to third-party interests. The background and adoption of the GDPR was based on the individual’s right to deny controllers the possibility to misuse or mismanage their personal data. The OECD Privacy Experts are of the view that challenges to traditional personal privacy principles in the current data environment are ever more pertinent due to the introduction of connected devices, and that these complications are intensifying, leading to the deterioration of individual security and privacy rights.


The basis of the introduction of the GDPR lies in the EU Charter of Fundamental Rights [hereinafter the Charter], Article 8(1) of which expresses that “[e]veryone has the right to the protection of personal data.” The qualifying right in Article 8(2) states that “[s]uch data must be processed fairly for specified purposes.” Finally, Article 8(3) states that “[c]ompliance with these rules shall be subject to control by an independent authority.” Article 51 of the GDPR provides for a supervisory authority “responsible for monitoring the application of this Regulation, in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union”.


The ground on which controllers process data must satisfy Article 6 of the GDPR. Processing thus needs to be based on consent, on a contract, or on any other legal ground, including legitimate interest under article 6(1)(f) of the GDPR. The exception here for the data processing is grounds other than legitimate interest. Are controllers then able to prevent data subjects from relying on the RtDP by invoking a legitimate interest as a ground for processing personal data? Article 20(3) and even recital of the GDPR respectively, exclude portability of data when processing is “necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.”


As per the GDPR, only personal data relating to a natural person who is identified or identifiable can be subject to a data portability request. Anonymous data is excluded. Pursuant to article 11(1) of the GDPR, data controllers are not required to maintain data in an identifiable form for the purposes of meeting a portability request. When read together, articles 20 and 11 GDPR may motivate controllers to opt for processing pseudonymised datasets so as to avoid the obligations of data portability when they are unwilling to share their datasets. As specified in article 11(2) GDPR, when data is pseudonymous, data controllers are not obliged to re-identify, unless the data subject “provides additional information enabling his or her identification”, which is likely to be the case in a portability request.
