Why you do not always need consent to process personal data under the GDPR

    An article for those with customers in the European Union. I work as a lawyer at ISPsystem and have been digging into the intricacies of the GDPR for a couple of months now. In this article I will share my thoughts about it and explain why you do not need to ask the client for permission to process personal data on every occasion.

    A lifehack for 152-FZ

    To begin with, a small but important digression.

    Recently a friend from a retail company asked me to look over their contract with a web studio that was going to rework the store's website. The first thing I opened was the statement of work, and I saw that the developers were planning to register the site owner with Roskomnadzor as a personal data operator. I thought: "Are they serious?" And answered myself: "Unfortunately, yes."

    You will find the same advice in seven out of ten how-to articles on complying with the law "On Personal Data" (152-FZ). The advisers say: "First of all, file a notification for inclusion in the register of personal data operators." And many people follow this recommendation.

    Now pay attention: Article 22 of the same law provides that if the data are processed because that is necessary to perform a contract with the data subject, Roskomnadzor does not need to be notified.

    Do you sell goods or services online? Excellent. If you do not use the data for anything else, you do not need to file a notification with Roskomnadzor. A simple recipe.

    Now to the topic itself.

    About the GDPR and the breeding ground for error

    On May 25 the European counterpart of our 152-FZ, the GDPR (General Data Protection Regulation), begins to apply. The regulation covers everyone who offers goods or services to people in the European Union, wherever the seller is located. We at ISPsystem make software for hosting providers and data centres, and it is bought all over the world, including in the European Union. So the topic is very relevant for us.

    The GDPR is hard to understand, and violations carry fines of up to 20,000,000 euros or 4% of annual worldwide turnover, whichever is higher. So people talk about it a lot, and as with 152-FZ they hand out supposedly universal advice: "get consent to the processing of personal data".

    The European internet is full of statements like this one (taken out of context):
    "You should always get consent for the data you wish to collect. Not only will that meet the requirement of a legal basis to collect, but it's also a general requirement under the GDPR."
    In short: "you should always get consent."

    After articles like these you want to add 100,500 consent checkboxes. But do you really always need consent to process personal data? No! At least, not always.

    "Try to realize the truth: there is no spoon." (The Matrix)

    We are used to seeing user consent as the only possible basis for processing data. That is not true. Consent should be seen as a separate legal basis, one of several grounds. Consent is like zelyonka, the green antiseptic in every Russian medicine cabinet: it helps, but not with everything.

    Legal bases for working with personal data

    Processing of personal data is lawful only if it follows the principles of Art. 5 and rests on one of the six legal bases of Art. 6 GDPR.

    Although the word "consent" occurs 72 times in the text of the GDPR, it is just one of the grounds for processing, nothing more.

    Under paragraph 7 of Art. 14 of our 152-FZ, the operator (in GDPR terminology the "controller": the person who determines the purposes and means of processing) must likewise determine the legal grounds and purposes of processing. But to do that you have to study a pile of regulations and cite specific provisions of the laws. The GDPR is simpler: it only requires a legal basis.

    Under Art. 6(1) GDPR, these bases are:

    • a) consent of the data subject to the processing of their personal data for one or more specific purposes;
    • b) processing necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract;
    • c) processing necessary for compliance with a legal obligation to which the controller is subject;
    • d) processing necessary to protect the vital interests of the data subject or of another natural person;
    • e) processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
    • f) processing necessary for the purposes of the legitimate interests pursued by the controller or by a third party.

    Consent of the data subject is needed only when no other basis fits. It does not have to be obtained everywhere and always. Moreover, under the GDPR the data subject must be able to withdraw consent as easily as it was given (Art. 7(3)): as easily as checking and unchecking a box.

    So before you lay out a form full of checkboxes, determine what data you collect and why, and pick the applicable basis. Stop collecting information that you gather "just in case". It may turn out that after this you do not need consent at all. Let me explain in more detail.

    Personal data and the contract: process without asking

    In substance this basis resembles the Russian rule (recall the story from the introduction).

    Under point (b) of Art. 6(1) GDPR, if processing is necessary to perform a contract, you may carry it out freely and, most importantly, without consent. This holds even before the contract is concluded, provided the steps were requested by the data subject (for example, they submitted an order request).

    One caveat: the data may be processed only to the extent necessary to perform the contract. If information is collected merely to fill in CRM fields, it falls outside this basis.

    A simple example. A company sells goods online. When making a purchase the customer provides personal data, and the store processes them to perform the contract. Is consent needed? No, as long as the data are not excessive and will not be used for anything else.

    All you must do is inform the user that their data are being processed, describe how they are processed and protected, and provide the other information the GDPR requires (Art. 5, 13 and 14).

    All the store needs to add to the order form is a notice that the customer has been made aware of the privacy policy. There is no need to demand the notorious consent checkbox or to build the technical means for proving that consent was obtained (Recital 42). I will note that a checkbox confirming the customer has read the policy is still a good idea.

    However, if the company also wants to use the personal data for, say, targeted advertising mailings, that no longer falls under the contractual basis. The processing then has two purposes, and the second must rest on consent or on legitimate interest (more on that below).

    Legitimate interest, or a basis without consent

    The second most flexible basis is "legitimate interest".
    Legitimate interest is nothing new in data protection; the differences are in the details.
    Recital 47 of the GDPR explains the meaning of this basis, and I think it is worth quoting at length. In the text, "legitimate interest" means the basis itself.
    "(47) The legitimate interests of a controller <...> or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. <...> The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest."

    The main criteria for relying on this basis:

    1. You are pursuing a legitimate aim.
    2. The processing is necessary, that is, the aim cannot reasonably be achieved another way.
    3. The processing is balanced: your interest is not overridden by the data subject's rights, and the potential harm is not significant.
    4. The processing is obvious to the data subject, i.e. within their reasonable expectations.

    This basis is multifaceted and tricky. Typical situations where it applies: fraud prevention, legal defence, direct marketing. For direct marketing you must also look at Art. 21 GDPR and the electronic communications rules, e.g. Directive 2002/58/EC (the ePrivacy Directive).

    To illustrate legitimate interest, here is an absurd case from Russian court practice. In a nutshell: a housing and utilities company handed data on non-payers to a law firm so that it could prepare a statement of claim for court. One of the debtors then managed to have the company held administratively liable under Art. 13.11 of the Code of Administrative Offences, because they had not consented to the transfer of their data. Absurd! In effect 152-FZ curtailed the rights of participants in civil commerce and opened the door to abuse by the debtor. This would not have happened if the law had a legitimate-interest basis. Under the GDPR it provides a perfectly lawful ground for such a transfer.

    Legitimate interest in practice

    Suppose a software company provides access to a web service under a licence. It uses personal data to conclude the agreement and to collect statistics (not anonymised). There are two purposes of processing: performing the contract, and improving the product and fixing technical problems.

    The first purpose falls under the contractual basis (point (b) of Art. 6(1)) and does not require consent.

    The second purpose can rest on:

    a) consent (point (a) of Art. 6(1)),
    b) legitimate interest (point (f) of Art. 6(1)).

    If the company chooses the consent basis, it will have to add an unchecked checkbox to the order form. How many users will agree to hand over data for statistics? Not many.

    Relying on legitimate interest, the company only has to inform users of their rights, without requiring any action from them (Art. 21(4) GDPR). Moreover, if it can demonstrate compelling legitimate grounds that override the data subject's interests, it may continue processing despite an objection (Art. 21(1)). Note the exception: an objection to processing for direct marketing is absolute, and such processing must stop (Art. 21(3)).

    Can the company answer the questions needed to rely on legitimate interest? Let's check:
    Purpose of use: improving the stability of the product, in the licensee's own interest.
    Necessity: statistics with the required set of parameters cannot be obtained any other way.
    Balance of interests: the processing is balanced, and the potential harm is not significant.
    Openness: the processing is open and obvious to the data subject.

    As you can see, the company has every reason not to seek consent. But keep the limitations in mind:
    • Before the data are collected, the data subject must be informed of the purposes of processing and of the legitimate interests pursued (point (d) of Art. 13(1), point (b) of Art. 14(2) GDPR). That is, reliance on this basis must be publicly justified and documented.
    • The data subject must be able to exercise the right to object (Art. 21), as well as the rights to erasure and to restriction of processing (Arts. 17 and 18).

    Alternatively, when collecting statistics you can comply in a simpler way: anonymise the data. The GDPR does not apply to anonymised data (Recital 26). Note the difference from pseudonymisation: data where a name is replaced by a hash or an internal ID but can still be linked back to a person remain personal data (Art. 4(5)).
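    To make the anonymised-versus-pseudonymised distinction concrete for the licensing scenario above, here is an added example written by the editor; it is not code from the article's author or from ISPsystem. The telemetry events, the HMAC key and the minimum group size of three are all constructed assumptions. The first function keeps per-user records under a keyed hash (still personal data, because the key holder can re-link them); the second reduces the same events to counts per version, OS and error code with no identifier left and small groups suppressed.

```python
"""Added example: anonymised product statistics vs pseudonymised records.

Illustrative code added by the editor, not from the article's author or
from ISPsystem. The telemetry events below are constructed for the example.
"""
import hmac
import hashlib
from collections import Counter

# Constructed sample: raw telemetry as a licensee's web service might log it.
# Each event carries direct identifiers (email, IP) alongside the technical
# fields that are actually useful for stability statistics.
RAW_EVENTS = [
    {"email": "anna@example.com", "ip": "203.0.113.7", "version": "5.1", "os": "linux", "error": "E_TIMEOUT"},
    {"email": "anna@example.com", "ip": "203.0.113.7", "version": "5.1", "os": "linux", "error": "E_TIMEOUT"},
    {"email": "bob@example.net", "ip": "198.51.100.3", "version": "5.1", "os": "linux", "error": "E_TIMEOUT"},
    {"email": "carl@example.org", "ip": "192.0.2.9", "version": "5.1", "os": "windows", "error": "E_TIMEOUT"},
    {"email": "dana@example.org", "ip": "192.0.2.10", "version": "5.0", "os": "windows", "error": "E_DISK"},
]

DIRECT_IDENTIFIERS = ("email", "ip")


def pseudonymise(events, key: bytes):
    """Replace direct identifiers with a keyed hash of the email.

    The result is still personal data under the GDPR: whoever holds `key`
    can recompute the hash for a known email and link records back to a
    person (Art. 4(5), Recital 26). Useful for debugging, not an exit from
    the regulation.
    """
    out = []
    for ev in events:
        rec = {k: v for k, v in ev.items() if k not in DIRECT_IDENTIFIERS}
        rec["subject"] = hmac.new(key, ev["email"].encode(), hashlib.sha256).hexdigest()[:16]
        out.append(rec)
    return out


def anonymise(events, min_group: int = 3):
    """Aggregate to counts per (version, os, error) with no identifiers.

    Groups smaller than `min_group` (an assumed threshold) are suppressed
    so that a rare combination of fields does not single out one licensee.
    Only counts remain, so nothing in the output can be traced to a person.
    """
    counts = Counter((ev["version"], ev["os"], ev["error"]) for ev in events)
    return {k: n for k, n in counts.items() if n >= min_group}


def contains_identifier(records) -> bool:
    """Check: does any record still carry a direct identifier field?"""
    return any(k in rec for rec in records for k in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    key = b"constructed-secret-key"  # assumption: a server-side secret
    print(pseudonymise(RAW_EVENTS, key))
    print(anonymise(RAW_EVENTS))
```

    The design point: the pseudonymised output still links anna's two events to each other and, with the key, to her email, which is exactly why it stays inside the GDPR and needs a legal basis such as legitimate interest. The aggregated output answers the product-stability question (which version and OS combinations fail, and how often) without carrying anything about an individual, which is what lets the statistics purpose step outside the regulation.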


    1. Do not rush to collect consent. First answer the questions: whose data and which data do you collect, for what purpose, what safeguards do you apply, to whom do you disclose them, and which basis fits best.
    2. If you find you are collecting excessive data, stop. Record the grounds for collecting the rest, the safeguards and the possible transfer channels in your personal data processing policy. Processing and transfers must also be documented (the record of processing activities under Art. 30). The UK Information Commissioner's Office explains how to do this and offers a template for the record.
    3. If you collect data only to provide services and sell goods, you do not need consent (but you still need to draw up a policy and complete the other formalities).
    4. If you also collect data for analytics or for protection against fraud and unlawful activity, determine whether this falls under legitimate interest; if so, say so in the policy. Otherwise anonymise the data or, if that is easier for you, obtain consent.
    5. If you do rely on consent, provide for its withdrawal.
    6. Each decision must be justified by the specifics of your business and the data you collect, and documented in detail.

    The GDPR is a vast topic whose details cannot be covered in one article.
    Here I have not touched on special categories of data, the finer points of applying the bases illustrated, the rights and obligations of the parties involved in processing, cross-border transfers, and many other GDPR issues.

    The GDPR stresses that personal data do not belong to you but to the data subject, who should have full control over them: from being informed and having them corrected to the right to restrict processing or have them erased.
