Data Protection for Organisations
Lawfulness of processing
Article 6 of the GDPR sets out the legal grounds for the processing of personal data. This means that when processing personal data, a controller is required to satisfy one or more of these legal grounds to legitimise the processing activity.
(a) The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data. If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. The data subject shall have the right to withdraw his or her consent at any time. Silence, inactivity or pre-tixd boxes shall not constitute valid consent.
(b) Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
When two parties mutually agree to enter into a contractual agreement and which entails the processing of personal data.
Example An individual enters into a two-year contract with a service provider; the service provider processes such personal data in terms with the contractual agreement.
(c) Processing is necessary for compliance with a legal obligation to which the controller is subject;
Wherever there is a statutory duty that obliges the data controller to process personal data.
(d) Processing is necessary in order to protect the vital interests of the data subject or of another natural person;
This condition applies in cases of life or death situations, such as where an individual’s medical history is disclosed to a hospital’s Accident and Emergency department treating them after a serious road accident where the individuals consent cannot be given or when the individual’s consent has been reasonably withheld.
(e) Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
Examples
In terms of article 36 of the Malta Statistics Authority Act, the NSO has the power to request “any person or undertaking to complete a form, questionnaire or other record” for the purposes of obtaining statistical information.
The Courts of Jutice, being an official authority, after various attempts to deliver the service of a judicial act, in terms of article 187 (3) of the Code of Organization and Civil Procedure, may order that such service is affected by publishing a summary containing personal data in the Gazette.
(f) Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
A balancing exercise must be carried out to weigh the legitimate interest and the data subjects’ fundamental rights and freedoms on the other. For an interest to be legitimate, it must be compelling and beneficial to the society at large. The data controller must indeed have a significant benefit to derive from the processing of the personal data and such benefit should not be vague, frivolous or based on mere conjectures.
This balancing test is not a simple analysis but places a responsibility on the Commissioner to assess all the elements which may be pivotal to determine whether the impact on the rights of the data subjects is significant enough to override the processing undertaken by a data controller.
Examples
A journalist might argue that notwithstanding that a public figure is enjoying his or her private life; photographs may be taken and published without the required consent since the general public will have a legitimate interest in knowing the public figures whereabouts or how she or he behaved generally in their private life. However, this is not always the case as it has been decided by the European Court in Human Rights numerous times.
An individual is to institute court proceedings against his debtor as he did not honor such payments, thus the individual discloses the debtor’s personal data to his lawyer for this purpose. In this case, although the debtor has not consented to such disclosure, such processing is legitimate since the individual has a legitimate interest to seek repayment of such debt.