Guidance on special categories of data. The General Data Protection Regulation (“GDPR”) defines special categories of data to include personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic or biometric data, health data, sexual orientation, trade union membership, and data concerning a person’s sex life. The ICO’s guidance explains that this type of data needs to be treated with greater care because collecting and using it is more likely to interfere with the fundamental rights of individuals or to expose someone to discrimination.
The ICO clarifies that a biological sample, by itself, will not be considered genetic data unless it is analyzed in a manner that allows it to be linked to a specific individual, even if that individual’s identity is unknown. Similarly, the guidance explains that facial images and fingerprints, by themselves, are not considered biometric data unless “specific technical processing” (such as facial recognition or fingerprint verification) has been carried out that establishes an individual’s biometric profile. The guidance also states that special category data includes information that is likely, even if not certain, to reveal an individual’s health, religion, political views or ethnic origin.
Processing of special categories of data is permitted only where it is based on one of the lawful bases for such processing under the GDPR, such as the data subject’s explicit consent, where the data subject has made the data public, or where the processing is necessary for the provision of medical services, public health, research purposes, or a substantial public interest.
The guidance further explains that processing special categories of data often requires conducting a Data Protection Impact Assessment and appointing a Data Protection Officer.
CLICK HERE to read the full ICO guidance.
Guidelines on data protection by design and by default. The European Data Protection Board (“EDPB”) released its initial guidelines on the GDPR Article 25 requirement for data protection by design and by default. The guidelines clarify that data controllers must implement data protection by design as early as the time of determining the means of processing, and must conduct periodic reviews of their compliance with this requirement for as long as the processing continues. Data controllers are required to consider the available technical and organizational measures and the nature, scope, context and purpose of the processing, as well as the potential risk the processing poses to the rights and freedoms of data subjects.
The guidelines emphasize that data protection by default requires controllers to ensure that the default settings of the processing of personal data are designed with data protection in mind. This means, among other things, that by default only the personal data necessary for each specific purpose of the processing is processed, that data is retained for the minimum period of time, and that it is accessible to the minimum number of people. Data controllers must be able to demonstrate their compliance with this requirement, document the reasons behind their design choices, and document the effectiveness of the implemented measures.
The EDPB clarifies that technology providers are required to support the controllers’ compliance with these obligations, and encourages controllers to use technology providers that offer processing technology that implements data protection by design and by default.
CLICK HERE to read the EDPB guidelines.
Final guidelines on the territorial scope of the GDPR. The EDPB released the final version of its guidelines on the territorial scope of the GDPR, stating that pursuant to Article 3 of the GDPR, the Regulation’s applicability will be determined by considering two alternative factors: whether an organization has an establishment in the EU, and whether an organization is targeting individuals in the EU.
The guidelines state that the GDPR’s applicability to an organization depends on its data-related activities; it is entirely possible that the same organization will be subject to the GDPR in relation to only certain, but not all, of its data processing activities.
The guidelines also state that a processor will be directly subject to the GDPR where it processes personal data for a controller and the processing is related to the controller’s processing activities that are subject to the GDPR. This may subject such processors to GDPR requirements such as a duty to appoint a Data Protection Officer, to maintain a record of their processing activities, and to appoint an EU representative, and may subject the processor to the authority of the EU privacy and data protection regulators.
The guidelines also provide guidance on when an organization will not be considered to be offering goods and services in the EU, stating that where an organization’s terms of service indicate that the organization does not target EU residents, and where its charges are solely in the currency of a non-EU state, it will not be considered to be targeting EU residents and therefore will not be subject to the GDPR.
CLICK HERE to read the EDPB guidelines.
A €47,000 penalty for violation of consent rules. The Polish Personal Data Protection Office (the “PDPO”) imposed a €47,000 fine on ClickQuickNow, a Polish company, which was found not to have implemented appropriate technical and organizational measures to enable data subjects to withdraw their consent to the processing of their personal data.
The PDPO found that the company’s consent withdrawal mechanism did not result in a prompt withdrawal. The company intentionally imposed difficulties on individuals asking to withdraw their consent to receiving marketing communications and forced them to state a reason for withdrawing consent, which is not required by the GDPR. Furthermore, failure to indicate a reason resulted in the withdrawal process for those individuals being discontinued.
The PDPO stated that the company failed to take into account the principle that withdrawing consent should be as simple as giving it, and intentionally applied complicated procedures to the withdrawal of consent.
When determining the amount of the administrative fine, the President of the PDPO did not take into account any mitigating circumstances, as he found that the company intentionally provided contradictory communications to data subjects interested in withdrawing consent, which resulted in ineffective withdrawals of consent. In this way, the company made it difficult, or even impossible, for data subjects to exercise their rights. The company was also ordered to bring its process for handling requests to withdraw consent to data processing into line with the provisions of the GDPR, and to delete the data of data subjects who are not its customers and who have objected to the processing of personal data concerning them.
CLICK HERE to read the EDPB’s press release on the matter.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.