Differences

This shows you the differences between two versions of the page.

cyberlaw:privacy [2019/07/01 16:07]
112.118.228.112
cyberlaw:privacy [2019/07/01 16:09] (current)
112.118.228.112
Line 84: Line 84:
    
 Consent is only valid only if it is freely given, specific, informed and is unambiguous. As to the practical operation of consent required, Art 29 Working Party (WP 29) has provided further clarification on its Guidelines on Consent. While WP 29 was an advisory body replaced by the European Data Protection Board (EDPB) under GDPR, since EDPB so far has not issued anything in replacement,​ the WP29 document continues to serve as an interpretive guideline for GDPR and EDPB under Art 94(2) GDPR since EDPB has not issued any superseding guidelines. The Guidelines analyzed the requirements under Art 4(11) GPDR, and considered what constitutes valid consent under different situations – such as imbalance of power, bundled consent, performance of a contract etc. Consent is only valid only if it is freely given, specific, informed and is unambiguous. As to the practical operation of consent required, Art 29 Working Party (WP 29) has provided further clarification on its Guidelines on Consent. While WP 29 was an advisory body replaced by the European Data Protection Board (EDPB) under GDPR, since EDPB so far has not issued anything in replacement,​ the WP29 document continues to serve as an interpretive guideline for GDPR and EDPB under Art 94(2) GDPR since EDPB has not issued any superseding guidelines. The Guidelines analyzed the requirements under Art 4(11) GPDR, and considered what constitutes valid consent under different situations – such as imbalance of power, bundled consent, performance of a contract etc.
- +
 ###### Situation - Bundled consent ###### Situation - Bundled consent
  
 Bundled consent refers to consent that is given via a written declaration that contains multiple data processing purposes. For example, a mobile application asks for consent to collect data for GPS localization in their service agreement, which may also contain a clause stating that the data will be transferred to 3rd parties for advertising purpose. By signing the agreement, the data subject consents to a ‘bundle’ of data processing purposes. Although not explicitly spelt out in the law itself, it entrenched in the ‘freely given’ element and therefore bundled consent is invalid under GDPR. Bundled consent refers to consent that is given via a written declaration that contains multiple data processing purposes. For example, a mobile application asks for consent to collect data for GPS localization in their service agreement, which may also contain a clause stating that the data will be transferred to 3rd parties for advertising purpose. By signing the agreement, the data subject consents to a ‘bundle’ of data processing purposes. Although not explicitly spelt out in the law itself, it entrenched in the ‘freely given’ element and therefore bundled consent is invalid under GDPR.
    
-In order to determine whether the situation render consent not freely given, it is essential to determine the scope of the contract and whether the collection of data is necessary for the performance of the contract. For example, by denying the unnecessary data processing, the data subject will act to their detriment since he will also deny the processing of data for the enforcement of the contract. Thus, such consent is not ‘freely given’. +In order to determine whether the situation render consent not freely given, it is essential to determine the scope of the contract and whether the collection of data is necessary for the performance of the contract. For example, by denying the unnecessary data processing, the data subject will act to their detriment since he will also deny the processing of data for the enforcement of the contract. Thus, such consent is not ‘freely given’.# 
- +
 ###### Situation - Employment ###### Situation - Employment
  
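Review bot: the changed paragraph in this hunk now ends with a stray "#" directly after "Thus, such consent is not ‘freely given’.", which looks like leftover heading markup from the "###### Situation - Employment" line that follows rather than intended text. Drop the trailing "#" so the paragraph ends at the full stop. The other changes visible in this hunk only touch the blank lines before the two headings.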
Line 98: Line 98:
    
 Nevertheless,​ processing of personal data may still likely to be legitimate under Art6(1)(b) if the employer can show that the processing is necessary for the performance of the employment contract. Nevertheless,​ processing of personal data may still likely to be legitimate under Art6(1)(b) if the employer can show that the processing is necessary for the performance of the employment contract.
- +
 ###### Situation - Granularity ###### Situation - Granularity
  
Line 104: Line 104:
  
 For multiple purpose collection, Art 7(2) and Recital 32 GDPR require consent to be given distinguishably. What this essentially means is that data subject should be given the choice to accept or reject a particular purpose, rather than having to consent to a bundle of processing purposes. ​ A lack of granularity may invalidate consent given since it is not specific, as required under Art 6(1)(a), which is closely linked to the requirement of a freely given consent. For multiple purpose collection, Art 7(2) and Recital 32 GDPR require consent to be given distinguishably. What this essentially means is that data subject should be given the choice to accept or reject a particular purpose, rather than having to consent to a bundle of processing purposes. ​ A lack of granularity may invalidate consent given since it is not specific, as required under Art 6(1)(a), which is closely linked to the requirement of a freely given consent.
- +
 ###### Performance of a Contract ###### Performance of a Contract
  
 Performance of a contact forms a legal basis for processing personal data where it is necessary in the context of a contract or the intention to enter into a contract. Performance of a contact forms a legal basis for processing personal data where it is necessary in the context of a contract or the intention to enter into a contract.
- +
 ##### Fulfillment of Legal Obligation ##### Fulfillment of Legal Obligation
  
 This requirement does not require a specific law for each individual processing. It is sufficient if the data user can demonstrate that the processing is necessary for the performance of a task carried out in the public interest or for official authority to exercise their power. This requirement does not require a specific law for each individual processing. It is sufficient if the data user can demonstrate that the processing is necessary for the performance of a task carried out in the public interest or for official authority to exercise their power.
- +
 ##### Vital Interest of the data subject ##### Vital Interest of the data subject
  
 As suggested in Recital 46, this basis should come last in line and other legal bases under Art 6 should be exhausted first. As suggested in Recital 46, this basis should come last in line and other legal bases under Art 6 should be exhausted first.
- +
 ##### Legitimate interest ##### Legitimate interest
  
  • cyberlaw/privacy.txt
  • Last modified: 3 weeks ago
  • by 112.118.228.112