Legal grounds for processing personal data under the GDPR and D-DPA
We give you a practical overview of the key differences between the General Data Protection Regulation (GDPR) and the draft revision of the Swiss Data Protection Act (D-DPA), the latter of which is still subject to debate.
In our previous article, we discussed the processing of sensitive personal data under the GDPR and the D-DPA. This article focuses on the legal ground(s) for processing personal data under both frameworks.
Legal grounds for processing under the GDPR
One of the principles of the GDPR is that personal data must be processed lawfully. Under the GDPR, the processing of personal data is only lawful if – and to the extent that – a legal ground exists for the processing. The legal grounds are stipulated in an exhaustive list under article 6 of the GDPR. On the basis of this article, data processing is only lawful if:
- the data subject consented to the processing of his/her personal data;
- processing is necessary for the performance of a contract to which the data subject is party;
- processing is necessary to comply with a legal obligation to which the controller is subject;
- processing is necessary to protect the vital interests of the data subject or another individual;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
- processing is necessary for the purpose of the legitimate interests of the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject involved (this requires a balancing of the interests of the data controller or the third party on the one hand, and the interests of the data subject(s) on the other; the so-called balancing test).
If none of the above listed legal grounds apply to the (intended) processing activity, it can be concluded that it is not permitted to process the personal data. If that is the case, then a data controller must always ensure upfront that a legal ground is present for its intended processing activity.
Please note that additional requirements apply to the processing of sensitive personal data. Since processing sensitive personal data is in principle prohibited, this is only lawful if (i) a legal ground for processing exists, and (ii) an exception to the prohibition of processing sensitive personal data applies (as listed under article 9 of the GDPR). In addition, the national implementation acts of the member states may further restrict the processing of sensitive data. Please refer to our previous article for more information regarding the processing of sensitive personal data.
Take caution when using consent as a legal ground
It is important to remember that consent is (usually) not the most favourable legal ground to rely on. There are several reasons for this; for example, it is difficult to meet all the criteria for obtaining valid consent, it is not always possible to ask each data subject individually for their consent, and consent can be withdrawn at any time. When considering using consent as a legal ground for processing, please read our short articles on consent and withdrawal of consent.
Informing data subjects under the GDPR
Prior to starting a processing activity, the data controller must assess whether or not a legal ground for the intended processing activity exists. Additionally, to ensure transparency, the controller is obliged to inform the data subjects of the applicable legal ground for processing their data. In practice, this information is provided to data subjects by means of a privacy notice.
Justification for processing under the D-DPA
Unlike the GDPR, the D-DPA (like the current DPA) does not require a controller or processor to rely on – or indicate – any legal ground in order to process personal data. In other words, processing personal data is generally allowed. This applies even when processing sensitive data, as long as the data is not disclosed to third parties (see below). However, the processing of personal data must not unlawfully breach the privacy of data subjects. A privacy breach occurs especially in the following cases:
- if the processing infringes the principles set forth in the D-DPA;
- if the processing takes place against data subjects’ express declaration of intent;
- if sensitive data is disclosed to a third party.
Since privacy breaches are very broadly defined (specifically including any infringement of the data protection principles set forth in the D-DPA), it is assumed in practice that (almost) every processing activity will result in a privacy breach. Such privacy breach is unlawful unless there is a justification for it. The D-DPA allows the following justifications:
- each data subject concerned has given his/her consent;
- there is an overriding private or public interest for the processing (requiring a balancing of interests);
- the processing activities are provided by law.
In conclusion, the conditions for lawfully processing personal data under the D-DPA are ultimately similar to those under the GDPR. The main differences resulting from the ‘Swiss approach’ are:
- under the D-DPA, there is no need to inform data subjects of the legal grounds on the basis of which their personal data will be processed, even though the data subjects must be informed of the purpose of the processing; and
- there is no special prohibition regarding processing sensitive data, but special rules apply.
Comply with the highest standards
The safest approach for controllers is to comply with the highest standards of both the GDPR and the D-DPA. Organisations should therefore:
- assess whether they have a legal ground/justification for the (intended) processing activity, before starting processing;
- if they rely on consent, make sure that all requirements for obtaining and maintaining valid consent are met; and
- make sure that they promptly inform data subjects of the legal grounds for processing their data.