European Union: GDPR Updates: Draft Guidelines On Contract As A Legal Basis, Clinical Trial Data Processing, Online Services Used By Children And Biometric Data At The Workplace

Last Updated: 21 May 2019
Article by Haim Ravia

Performance of an Online Services Contract as a Legal Basis for Data Processing

The European Data Protection Board (EDPB) has published draft guidelines on processing personal data in the context of online services, under the legal basis of performance of an online service contract. Processing under the GDPR is permissible only if it is performed under a recognized legal basis. One of those bases is where the processing is necessary for the performance of a contract with the data subject.

The guidelines explain that in order to rely on this legal basis, the controller needs to be able to prove necessity – that the services contract cannot be performed without that particular data processing, and that processing at a lesser degree or scope would not achieve the required contractual performance. Examples of processing that the draft guidelines deem insufficiently necessary for the performance of the contract (and thus impermissible under this legal basis): processing for the purpose of improving the service, for fraud prevention or detection, or for profiling a user's online behavior in order to deliver targeted ads (even if that processing is the funding basis for the provision of a free online service).

The draft guidelines are open for public comments through May 24, 2019.

CLICK HERE to read the EDPB's draft guidelines.

GDPR Interplay with EU Clinical Trial Regulation

The European Commission's Directorate General for Health and Food Safety has published 'Questions and Answers' guidance on the interplay between the EU Clinical Trials Regulation and the GDPR. Although the guidance will fully be relevant only when the EU Clinical Trials Regulation enter into effect (currently anticipated next year), some of the guidance has a bearing on the current state of the law.

The Q&A indicate that processing operations related to a specific clinical trial protocol during its whole lifecycle can be legitimized for the trial's research purposes under the legal bases of the public interest in clinical research, the legitimate interest of the trial sponsor, or in rare cases – consent of trial participants (provided that consent is freely given, specific, withdrawable, informed and unambiguous). The Q&A go on to explain that processing operations for the purposes of drug safety reporting, disclosures to national drug-regulating authorities and archiving of clinical trial data can be legitimized under the legal basis of compliance with legal obligation to which the trial sponsor is subject.
The Q&A also emphasize that the requirement of informed consent under clinical trial law must not be confused with consent as a legal basis for data processing. The former is an ethical and procedural safeguard for the conduct of trials, while the latter is a restrictive legal basis for data processing.

CLICK HERE to read the EU Commission's Q&A.

Draft Code of Practice for Online Services Whose Users Include Children

The UK Information Commissioner's Office (ICO), the UK privacy regulator, has published its draft code of practice for online services likely to be accessed by children. It applies to apps, connected toys, social media platforms, online games, educational websites and streaming services. It is not restricted to services specifically directed at children.

According to the draft code, the best interests of the child should be a primary consideration when designing and developing online services. The code also clarifies, among others, that privacy must be ingrained into the service; settings must be "high privacy" by default (unless there's a compelling reason not to); only the minimum amount of personal data should be collected and retained; children's data should not usually be shared; and geolocation services should be switched off by default in most circumstances.

The ICO indicates that when the code is finalized, it expects it to become an international benchmark. As for enforcement, the code warns that "[i]f you do not follow this code, you are likely to find it difficult to demonstrate your compliance, should [the ICO] take regulatory action against you". It is planned as a statutory code of practice prepared under the authority of the UK Data Protection Act 2018.

The code is open for public comments through May 31, 2019.

CLICK HERE to read the ICO's draft code of practice.

Guidelines for French Companies Processing Biometric Data of Employees

The CNIL, the French privacy regulator, has adopted regulations requiring companies that wish to collect and process employees' biometric data to justify the need for a biometrics-based system, implement significant data protection safeguards, and perform data protection impact assessments. These regulations were adopted pursuant to Article 9 of the GDPR, which gives each EU member state latitude to promulgate local rules on processing biometric, genetic or health data.

According to the rules, French employers seeking to use biometric systems will have to demonstrate that lesser privacy-invasive solutions that do not process biometric data are unable to achieve the imperative purposes for which the biometric system is needed. Employers that meet all these conditions will be able to process biometric data of employees without having to obtain their consent. The rules also favor biometric solution which do not store the biometric data in a centralized database.

CLICK HERE to read the CNIL's regulations (in French).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Authors
 
Some comments from our readers…
“The articles are extremely timely and highly applicable”
“I often find critical information not available elsewhere”
“As in-house counsel, Mondaq’s service is of great value”

Related Topics
 
Related Articles
 
Up-coming Events Search
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Mondaq Free Registration
Gain access to Mondaq global archive of over 375,000 articles covering 200 countries with a personalised News Alert and automatic login on this device.
Mondaq News Alert (some suggested topics and region)
Select Topics
Registration (please scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.

Disclaimer

The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.

General

Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions