Article 6 GDPR. Lawfulness of processing

1. Processing shall be lawful only if and to the extent that at least one of the following applies:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

(c) processing is necessary for compliance with a legal obligation to which the controller is subject;

(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

[…]

Guidelines 4/2019 on Article 25 Data Protection by Design and by Default Version 2.0.

3.1 Transparency [24]

_{[24]Elaboration on how to understand the concept of transparency can be found in Article 29 Working Party. „Guidelines on transparency under Regulation 2016/679“. WP 260 rev.01, 11 April 2018. ec.europa.eu/newsroom/article29/document.cfm?action=display&doc_id=51025 – endorsed by the EDPB}

65. The controller must be clear and open with the data subject about how they will collect, use and share personal data. Transparency is about enabling data subjects to understand, and if necessary, make use of their rights in Articles 15 to 22. The principle is embedded in Articles 12, 13, 14 and 34. Measures and safeguards put in place to support the principle of transparency should also support the implementation of these Articles.

66. Key design and default elements for the principle of transparency may include:

•Clarity – Information shall be in clear and plain language, concise and intelligible.

•Semantics – Communication should have a clear meaning to the audience in question.

•Accessibility – Information shall be easily accessible for the data subject.

•Contextual – Information should be provided at the relevant time and in the appropriate form.

•Relevance – Information should be relevant and applicable to the specific data subject.

•Universal design – Information shall be accessible to all data subjects, include use of machine readable languages to facilitate and automate readability and clarity.

•Comprehensible – Data subjects should have a fair understanding of what they can expect with regards to the processing of their personal data, particularly when the data subjects are children or other vulnerable groups.

• Multi-channel – Information should be provided in different channels and media, not only the textual, to increase the probability for the information to effectively reach the data subject.

• Layered – The information should be layered in a manner that resolves the tension between completeness and understanding, while accounting for data subjects’ reasonable expectations.

3.2 Lawfulness

67. The controller must identify a valid legal basis for the processing of personal data. Measures and safeguards should support the requirement to make sure that the whole processing lifecycle is in line with the relevant legal grounds of processing.

68. Key design and default elements for lawfulness may include:

• Relevance – The correct legal basis shall be applied to the processing.

• Differentiation [26] – The legal basis used for each processing activity shall be differentiated.

_{[26] EDPB. „Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects“. Version 2.0, 8 October 2019. edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines-art_6-1-b- adopted_after_public_consultation_en.pdf}

• Specified purpose – The appropriate legal basis must be clearly connected to the specific purpose of processing.[27]

_{[27] See section on purpose limitation below.}

• Necessity– Processing must be necessary and unconditional for the purpose to be lawful.

• Autonomy – The data subject should be granted the highest degree of autonomy as possible with respect to control over personal data within the frames of the legal basis.

• Gaining consent – consent must be freely given, specific, informed and unambiguous.[28] Particular consideration should be given to the capacity of children and young people to provide informed consent.

_{[28] See Guidelines 05/2020 on consent under Regulation 2016/679. https://edpb.europa.eu/our-work- tools/our-documents/guidelines/guidelines-052020-consent-under-regulation-2016679_en}

• Consent withdrawal – Where consent is the legal basis, the processing should facilitate withdrawal of consent. Withdrawal shall be as easy as giving consent. If not, then the consent mechanism of the controller does not comply with the GDPR.[29]

_{[29] See Guidelines 05/2020 on consent under Regulation 2016/679, p. 24. https://edpb.europa.eu/our-work- tools/our-documents/guidelines/guidelines-052020-consent-under-regulation-2016679_en}

• Balancing of interests – Where legitimate interests is the legal basis, the controller must carry out a weighted balancing of interest, giving particular consideration to the power imbalance, specifically children under the age of 18 and other vulnerable groups. There shall be measures and safeguards to mitigate the negative impact on the data subjects.

• Predetermination – The legal basis shall be established before the processing takes place.

• Cessation – If the legal basis ceases to apply, the processing shall cease accordingly.

• Adjust – If there is a valid change of legal basis for the processing, the actual processing must be adjusted in accordance with the new legal basis.[30]

_{[30] If the original legal basis is consent, see Guidelines 05/2020 on consent under Regulation 2016/679. https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-052020-consent-under- regulation-2016679_en}

• Allocation of responsibility – Whenever joint controllership is envisaged, the parties must apportion in a clear and transparent way their respective responsibilities vis-à-vis the data subject, and design the measures of the processing in accordance with this allocation.

Guidelines 4/2019 on Article 25 Data Protection by Design and by Default Version 2.0.

3.3 Fairness

69. Fairness is an overarching principle which requires that personal data should not be processed in a way that is unjustifiably detrimental, unlawfully discriminatory, unexpected or misleading to the data subject. Measures and safeguards implementing the principle of fairness also support the rights and freedoms of data subjects, specifically the right to information (transparency), the right to intervene (access, erasure, data portability, rectify) and the right to limit the processing (right not to be subject to automated individual decision-making and non-discrimination of data subjects in such processes).

70. Key design and default elements may include:

• Autonomy – Data subjects should be granted the highest degree of autonomy possible to determine the use made of their personal data, as well as over the scope and conditions of that use or processing.

• Interaction – Data subjects must be able to communicate and exercise their rights in respect of the personal data processed by the controller.

• Expectation – Processing should correspond with data subjects’ reasonable expectations.

• Non-discrimination – The controller shall not unfairly discriminate against data subjects.

• Non-exploitation – The controller shall not exploit the needs or vulnerabilities of data subjects.

• Consumer choice – The controller should not „lock in“ their users in an unfair manner. Whenever a service processing personal data is proprietary, it may create a lock-in to the service, which may not be fair, if it impairs the data subjects’ possibility to exercise their right of data portability in accordance with Article 20.

• Power balance – Power balance should be a key objective of the controller-data subject relationship. Power imbalances should be avoided. When this is not possible, they should be recognised and accounted for with suitable countermeasures.

• No risk transfer – Controllers should not transfer the risks of the enterprise to the data subjects.

• No deception – Data processing information and options should be provided in an objective and neutral way, avoiding any deceptive or manipulative language or design.

• Respect rights – The controller must respect the fundamental rights of data subjects and implement appropriate measures and safeguards and not impinge on those rights unless expressly justified by law.

• Ethical – The controller should see the processing’s wider impact on individuals’ rights and dignity.

• Truthful – The controller must make available information about how they process personal data, they should act as they declare they will and not mislead the data subjects.

• Human intervention – The controller must incorporate qualified human intervention that is capable of uncovering biases that machines may create in accordance with the right to not be subject to automated individual decision making in Article 22.[32]

_{[32] See Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679. https://ec.europa.eu/newsroom/article29/document.cfm?action=display&doc_id=49826}

• Fair algorithms – Regularly assess whether algorithms are functioning in line with the purposes and adjust the algorithms to mitigate uncovered biases and ensure fairness in the processing. Data subjects should be informed about the functioning of the processing of personal data based on algorithms that analyse or make predictions about them, such as work performance, economic situation, health, personal preferences, reliability or behaviour, location or movements.[33]

Article 89 GDPR. Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

1. Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, shall be subject to appropriate safeguards, in accordance with this Regulation, for the rights and freedoms of the data subject. Those safeguards shall ensure that technical and organisational measures are in place in particular in order to ensure respect for the principle of data minimisation. Those measures may include pseudonymisation provided that those purposes can be fulfilled in that manner. Where those purposes can be fulfilled by further processing which does not permit or no longer permits the identification of data subjects, those purposes shall be fulfilled in that manner.

[…]

Guidelines 4/2019 on Article 25 Data Protection by Design and by Default Version 2.0.

3.4 Purpose Limitation [34]

_{[34] The Article 29 Working Party provided guidance for the understanding of the principle of purpose limitation under Directive 95/46/EC. Although the Opinion is not adopted by the EDBP, it may still be relevant as the wording of the principle is the same under the GDPR. Article 29 Working Party. „Opinion 03/2013 on purpose limitation“. WP 203, 2 April 2013. ec.europa.eu/justice/article-29/documentation/opinion- recommendation/files/2013/wp203_en.pdf}

71. The controller must collect data for specified, explicit, and legitimate purposes, and not further process the data in a manner that is incompatible with the purposes for which they were collected.[35] The design of the processing should therefore be shaped by what is necessary to achieve the purposes. If any further processing is to take place, the controller must first make sure that this processing has purposes compatible with the original ones and design such processing accordingly. Whether a new purpose is compatible or not, shall be assessed according to the criteria in Article 6(4).

_{[35] Art. 5.1.b GDPR}

Guidelines 4/2019 on Article 25 Data Protection by Design and by Default Version 2.0.

3.5 Data Minimisation

73. Only personal data that is adequate, relevant and limited to what is necessary for the purpose shall be processed. [36] As a result, the controller has to predetermine which features and parameters of processing systems and their supporting functions are permissible. Data minimisation substantiates and operationalises the principle of necessity. In the further processing, the controller should periodically consider whether processed personal data is still adequate, relevant and necessary, or if the data shall be deleted or anonymized.

_{[36] Art. 5(1)(c) GDPR}

74. Controllers should first of all determine whether they even need to process personal data for their relevant purposes. The controller should verify whether the relevant purposes can be achieved by processing less personal data, or having less detailed or aggregated personal data or without having to process personal data at all.[37] Such verification should take place before any processing takes place, but could also be carried out at any point during the processing lifecycle. This is also consistent with Article 11.

_{[37] Recital 39 GDPR so states: „…Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means.“}

75. Minimising can also refer to the degree of identification. If the purpose of the processing does not require the final set of data to refer to an identified or identifiable individual (such as in statistics), but the initial processing does (e.g. before data aggregation), then the controller shall delete or anonymize personal data as soon as identification is no longer needed. Or, if continued identification is needed for other processing activities, personal data should be pseudonymized to mitigate risks for the data subjects’ rights.

76. Key design and default data minimisation elements may include:

• Data avoidance – Avoid processing personal data altogether when this is possible for the relevant purpose.

• Limitation – Limit the amount of personal data collected to what is necessary for the purpose

• Access limitation – Shape the data processing in a way that a minimal number of people need access to personal data to perform their duties, and limit access accordingly.

• Relevance – Personal data should be relevant to the processing in question, and the controller should be able to demonstrate this relevance.

• Necessity – Each personal data category shall be necessary for the specified purposes and should only be processed if it is not possible to fulfil the purpose by other means.

• Limitation – Limit the amount of personal data collected to what is necessary for the purpose

• Aggregation – Use aggregated data when possible.

• Pseudonymization – Pseudonymize personal data as soon as it is no longer necessary to have directly identifiable personal data, and store identification keys separately.

• Anonymization and deletion – Where personal data is not, or no longer necessary for the purpose, personal data shall be anonymized or deleted.

• Data flow – The data flow should be made efficient enough to not create more copies than necessary.

• „State of the art“ – The controller should apply up to date and appropriate technologies for data avoidance and minimisation.

Article 16 GDPR. Right to rectification

The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Guidelines 4/2019 on Article 25 Data Protection by Design and by Default Version 2.0.

3.6 Accuracy

77. Personal data shall be accurate and kept up to date, and every reasonable step shall be taken to ensure that personal data that is inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay. [38]

_{[38] Art. 5(1)(d) GDPR}

78. The requirements should be seen in relation to the risks and consequences of the concrete use of data. Inaccurate personal data could be a risk to the data subjects’ rights and freedoms, for example when leading to a faulty diagnosis or wrongful treatment of a health protocol, or an incorrect image of a person can lead to decisions being made on the wrong basis either manually, using automated decision-making, or through artificial intelligence.

79. Key design and default accuracy elements may include:

• Data source – Sources of personal data should be reliable in terms of data accuracy.

• Degree of accuracy – Each personal data element should be as accurate as necessary for the specified purposes.

• Measurably accurate – Reduce the number of false positives/negatives, for example biases in automated decisions and artificial intelligence.

• Verification – Depending on the nature of the data, in relation to how often it may change, the controller should verify the correctness of personal data with the data subject before and at different stages of the processing (e.g. to age requirements).

• Erasure/rectification – The controller shall erase or rectify inaccurate data without delay. The controller shall in particular facilitate this where the data subjects are or were children and later want to remove such personal data.[39]

_{[39] Cf. Recital 65.}

• Error propagation avoidance – Controllers should mitigate the effect of an accumulated error in the processing chain.

• Access – Data subjects should be given information about and effective access to personal data in accordance with the GDPR articles 12 to 15 in order to control accuracy and rectify as needed.

• Continued accuracy – Personal data should be accurate at all stages of the processing, tests of accuracy should be carried out at critical steps.

• Up to date – Personal data shall be updated if necessary for the purpose.

• Data design – Use of technological and organisational design features to decrease inaccuracy, for example present concise predetermined choices instead of free text fields.

Article 89 GDPR. Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

1. Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, shall be subject to appropriate safeguards, in accordance with this Regulation, for the rights and freedoms of the data subject. Those safeguards shall ensure that technical and organisational measures are in place in particular in order to ensure respect for the principle of data minimisation. Those measures may include pseudonymisation provided that those purposes can be fulfilled in that manner. Where those purposes can be fulfilled by further processing which does not permit or no longer permits the identification of data subjects, those purposes shall be fulfilled in that manner.

Guidelines 4/2019 on Article 25 Data Protection by Design and by Default Version 2.0.

3.7 Storage limitation

80. The controller must ensure that personal data is kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.[40] It is vital that the controller knows exactly what personal data the company processes and why. The purpose of the processing shall be the main criterion to decide in how long personal data shall be stored.

_{[40] Art. 5(1)(c) GDPR}

81. Measures and safeguards that implement the principle of storage limitation shall complement the rights and freedoms of the data subjects, specifically, the right to erasure and the right to object.

82. Key design and default storage limitation elements may include:

• Deletion and anonymization – The controller should have clear internal procedures and functionalities for deletion and/or anonymization.

• Automation – Deletion of certain personal data should be automated

• Storage criteria – The controller must determine what data and length of storage is necessary for the purpose.

• Enforcement of retention policies – The controller must enforce internal retention policies and conduct tests of whether the organization practices its policies.

• Effectiveness of anonymization/deletion – The controller shall make sure that it is not possible to re-identify anonymized data or recover deleted data, and should test whether this is possible.

• Automation – Deletion of certain personal data should be automated.

• Storage criteria – The controller shall determine what data and length of storage is necessary for the purpose.

• Justification – The controller shall be able to justify why the period of storage is necessary for the purpose and the personal data in question, and be able to disclose the rationale behind, and legal grounds for the retention period.

• Enforcement of retention policies – The controller should enforce internal retention policies and conduct tests of whether the organization practices its policies.

• Backups/logs – Controllers shall determine what personal data and length of storage is necessary for back-ups and logs.

• Data flow – Controllers should beware of the flow of personal data, and the storage of any copies thereof, and seek to limit their „temporary“ storage.

Guidelines on consent under Regulation 2016/679

Scientific research

153. Recital 33 seems to bring some flexibility to the degree of specification and granularity of consent in the context of scientific research. Recital 33 states: “It is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection. Therefore, data subjects should be allowed to give their consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research. Data subjects should have the opportunity to give their consent only to certain areas of research or parts of research projects to the extent allowed by the intended purpose.”

Guidelines 4/2019 on Article 25 Data Protection by Design and by Default Version 2.0.

3.8 Integrity and confidentiality

83. The principle of integrity and confidentiality includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. The security of personal data requires appropriate measures designed to prevent and manage data breach incidents; to guarantee the proper execution of data processing tasks, and compliance with the other principles; and to facilitate the effective exercise of individuals’ rights.

Article 30 GDPR. Records of processing activities

1. Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:

[…]

Article 7 GDPR. Conditions for consent

1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.

[…]

Article 28 GDPR. Processor

1. Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.

[…]

Article 82 GDPR. Right to compensation and liability

[…]

2. Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.

[…]

Article 83 GDPR. General conditions for imposing administrative fines

Guidelines 4/2019 on Article 25 Data Protection by Design and by Default Version 2.0.

3.9 Accountability [41]

_{[41] See Recital 74, where controllers are required to demonstrate the effectiveness of their measures.}

86. The principle of accountability states that the controller shall be responsible for, and be able to demonstrate compliance with all of the abovementioned principles.

87. The controller needs to be able to demonstrate compliance with the principles. In doing so, the controller may demonstrate the effects of the measures taken to protect the data subjects’ rights, and why the measures are considered to be appropriate and effective. For example, demonstrating why a measure is appropriate to ensure the principle of storage limitation in an effective manner.