Click here for Arsenal FC news and reports

Results 1 to 3 of 3

Thread: Attn SW: Article 6 of the GDPR seems to offer a loophole - an alternative to consent.

  1. #1

    Attn SW: Article 6 of the GDPR seems to offer a loophole - an alternative to consent.

    This is from the actual legislation document, my bold added. It describes the conditions under which processing is considered lawful, of which consent is one condition:
    Lawfulness of processing
    1. Processing shall be lawful only if and to the extent that at least one of the following applies:
    (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
    (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
    (c) processing is necessary for compliance with a legal obligation to which the controller is subject;
    (d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
    (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official
    authority vested in the controller;
    (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
    (from http://eur-lex.europa.eu/legal-conte...6R0679&from=EN)

    Point (b) suggests that if you are doing business with them, then data required to do that business is fair game without consent, including steps leading up to business if initiated by them. This looks to cover my scenario of the sales enquiry.

    Point (f) looks like potentially a get-out where you are pursuing your commercial interests to no detriment of the data subject.

    In the ICO document offering guidance for consent it describes these two points as follows:

    A contract with the individual: for example, to supply goods or services they have requested, or to fulfil your bligations under an employment contract. This also includes steps taken at their request before entering into a contract
    .
    Legitimate interests: if you are a private-sector organisation, you can process personal data without consent if you have a genuine and legitimate reason (including commercial benefit), unless this is outweighed by harm to the individual’s rights and interests.
    (from https://ico.org.uk/media/about-the-i...ion-201703.pdf)

    Field day for lawyers determining what constitutes 'harm to the individual’s rights and interests' perhaps but a potential loophole, no?

  2. #2
    Quote Originally Posted by Ash View Post
    This is from the actual legislation document, my bold added. It describes the conditions under which processing is considered lawful, of which consent is one condition:


    (from http://eur-lex.europa.eu/legal-conte...6R0679&from=EN)

    Point (b) suggests that if you are doing business with them, then data required to do that business is fair game without consent, including steps leading up to business if initiated by them. This looks to cover my scenario of the sales enquiry.

    Point (f) looks like potentially a get-out where you are pursuing your commercial interests to no detriment of the data subject.

    In the ICO document offering guidance for consent it describes these two points as follows:



    (from https://ico.org.uk/media/about-the-i...ion-201703.pdf)

    Field day for lawyers determining what constitutes 'harm to the individual’s rights and interests' perhaps but a potential loophole, no?
    Definitely seems to cover your Sales Enquiry, not even a loophole but common sense.

    Still would preclude you from any future marketing of the person unless consent was sought at the time or in a subsequent communication. Even any subsequent profiling of your client database could be an issue - with this person's details included - unless that was made clear to the person at the time and clear and obvious consent obtained.

  3. #3
    Quote Originally Posted by SWv2 View Post
    Definitely seems to cover your Sales Enquiry, not even a loophole but common sense.

    Still would preclude you from any future marketing of the person unless consent was sought at the time or in a subsequent communication. Even any subsequent profiling of your client database could be an issue - with this person's details included - unless that was made clear to the person at the time and clear and obvious consent obtained.
    Yes, consent would still be required for marketing & profiling but not for the enquiry process, sale and delivery of service.

    and I still think there are ambiguities opened up from 6.f around "legitimate interests".

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •