The Data Protection Law provides the following definitions:

A “controller” means the natural or legal person and any public authority which, alone or jointly with others, determines the purposes and means of the processing of personal data (Article 5(8)).

A “processor” means the natural or legal person and any public authority which processes personal data on behalf of the controller (Article 5(18)).

Principles for the lawful processing of personal data (Article 6)

Personal data shall be: 

• processed lawfully, fairly and in a transparent manner (the “lawfulness, fairness and transparency principle”);
• collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (the “purpose limitation principle”);
• adequate, relevant and limited to what is necessary in relation to the purpose(s) (the “data minimization principle”);
• accurate and where necessary kept up to date (the “accuracy principle”);
• kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which the data are processed (the “storage limitation principle”); and
• processed in a manner that ensures appropriate security of the personal data, using appropriate technical and organizational measures (the “integrity and confidentiality principle”).

Lawfulness of processing of personal data (Article 7)

Processing shall be lawful only if and to the extent that at least one of the following applies:

• the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
• processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
• processing is necessary for compliance with a legal obligation to which the controller is subject;
• processing is necessary in order to protect the vital interests of the data subject or of another natural person;
• processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
• processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Lawfulness of processing of sensitive data (Article 9)

Processing of sensitive data is prohibited.

The processing of sensitive data is permitted if appropriate measures are implemented to protect the fundamental rights and interests of data subjects and only in cases where:

• the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where the applicable legislation provides that the prohibition on processing sensitive data cannot be waived by consent from the data subject;
• processing is necessary for the fulfilment of a specific obligation or right of the controller or of the data subject in the field of employment, social security and social protection, including obligations and rights arising from a collective agreement, in accordance with the applicable legislation in these areas, provided that the fundamental rights and interests of the data subject are guaranteed;
• processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is incapable of giving consent due to his / her health condition or when his / her right to act has been removed or restricted;
• processing is carried out in the course of the lawful activity of a not-for-profit political, philosophical, religious or trade union organization, provided that the processing relates only to members or former members of the organization or to persons who have regular contact with it in the context of its activity, and that the personal data are not disseminated outside the organization without the consent of the data subjects;
• processing relates to personal data which are manifestly made public by the data subject and the processing is necessary for the pursuit of a legitimate interest;
• processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
• procesecessary for archiving purposes in the public interest, for historical, research, scientific or statistical purposes, subject to legal provisions.

Lawfulness of processing of data related to criminal offences and convictions (Article 10)

Processing of personal data relating to criminal convictions and offences or security measures related thereto is carried out only under the control of competent authority or when the processing is authorised by law providing for appropriate safeguards for the rights and freedoms of data subjects. The judicial status register is maintained under the control and supervision of the Ministry of Justice, in accordance with the legislation in force.

Processing of data for specific purposes:

Processing of personal data and freedom of expression (Article 43)

To balance data protection with freedom of expression and information, exceptions to the Data Protection Law can be applied for journalistic, academic, artistic, and literary purposes, provided:

• The data is necessary for preparing journalistic, academic, literary or artistic materials for publication;
• The data is only used for the specified purpose;
• The publication serves the public interest;
• Applying the Data Protection Law would hinder the purpose;
• The processing does not harm the fundamental rights of data subjects.

If these exceptions are applied, personal data should only be retained for as long as needed for the publication and can be shared with those involved in its creation, other potential publishers, or for legal purposes.

Additionally, when publishing, the controller must ensure minors, crime victims, or individuals claiming harm are not identifiable without consent or court approval, except when the victim is a public figure related to their role

Exceptions do not apply to processing data about minors or certain other legal provisions.

Processing of personal data and access to information in the public sector (Article 44)

The right to personal data protection is balanced with the right of access to official documents and information, as outlined in the applicable legislation. Public access to information, is not restricted by personal data protection laws for public authorities or individuals exercising state functions, unless other fundamental rights (such as the right to life or physical integrity) require specific protection of their data.

Processing of personal data for archiving, research, and statistical purposes (Article 45)

The processing of personal data, including sensitive and criminal data, for archiving in the public interest, or for historical, research, scientific, or statistical purposes, is considered a legitimate interest of the controller, unless the data subject’s interests or fundamental rights and freedoms, which require protection of their personal data, take precedence.

Personal data collected for any purpose may be further processed for archiving purposes, historical research, or scientific and statistical purposes.

This processing must be carried out with appropriate safeguards to protect the rights and freedoms of the data subject. These safeguards include, but are not limited to:

• Technical and organizational measures taken by the controller in compliance with Data Protection Law, especially principles of data minimization or pseudonymization, to achieve the processing purpose. If the purpose can be achieved by processing anonymized or pseudonymized data, that method should be used;
• Pseudonymization of data, and where possible, anonymization before transferring data for further processing;
• Specific safeguards to ensure that data is not used for decisions or actions concerning the data subject, unless the data subject has expressly given consent.

Exemptions from certain data subject rights may apply if exercising those rights would significantly hinder or prevent the achievement of the processing purpose. The controller bears the burden of proving that the exercise of these rights would cause such an obstacle to the purpose.

Processing of personal data and direct marketing (Article 46)

See Electronic marketing.

How is personal data collected

The law No. 18-07 applies to any public or private entity likely to receive, store and process personal data. As soon as an entity receives data, whether in digital form or not, it must comply with law No. 18-07.

Personal data is, notably, collected through direct input, cookies, social media, mobile apps, surveys, public records, purchase transactions, and by employers or institutions.

How is personal data processed

Personal data processing may only be processed with the express consent of the data subject (or consent of the legal representatives of a child, failing which by authorisation of the competent judge).

The data subject may withdraw his / her consent at any time. 

Personal data may only be communicated to a third party for purposes directly related to the functions of the data controller and the recipient. Such communication is subject to the prior consent of the data subject.

However, in some cases, consent is not required if the processing is necessary:

• to comply with a legal obligation to which the data subject or the data controller is obliged;
• to protect the data subject's life; 
• for the performance of a contract to which the data subject is a party or to the performance of pre-contractual measures taken at their request;
• to safeguard the vital interests of the person concerned, if they are physically or legally unable to give their consent;
• for the performance of a task carried out in the public interest. Or in the exercise of official authority vested in the data controller or the third party to whom the data is communicated; or
• for the accomplishment of a legitimate interest pursued by the data controller or the recipient, within the interest and/or fundamental rights and freedoms of the data subject.

Specific rights and protections

The person concerned by the collection of their data has a right to information, a right of access, a right of rectification and a right to object to their data being collected.

According to Article 9 of the law No. 18-07 (free translation): 

“Personal data must be:

1. processed lawfully and fairly;
2. collected for specified, explicit and legitimate purposes legitimate purposes and may not be further processed in a way that is incompatible with those purposes;
3. adequate, relevant and not excessive in relation to the purposes for which they are collected or processed;
4. accurate, complete and, where necessary, kept up to date;
5. kept in a form which permits identification of the data subjects for no longer than is the purposes for which they were collected or processed.”

Generally, entities must obtain prior express consent from data subjects and provide prior notice to the APD to lawfully collect and process personal data. However, data subject consent is not required in certain circumstances provided by law.

To lawfully collect and process sensitive personal data, a legal provision must allow for processing and entities must obtain prior authorization from APD (please note that the authorization may only be granted in specific cases provided by law). If sensitive personal data processing results from a legal provision, APD must be provided with notice.

All data processing must follow these general principles: transparency, legality, good faith, proportionality, truthfulness and respect to private life as well as to legal and constitutional guarantees.

It is also mandatory that data processing is limited to the purpose for which the data is collected and that personal data is not held for longer than is necessary for that purpose.

There are specific rules applicable to the processing of personal data related to the following:

• Sensitive data on health and sexual life
• Illicit activities, crimes and administrative offenses
• Solvency and credit data
• Video surveillance and other electronic means of control
• Advertising by email
• Advertising by electronic means (direct marketing)
• Call recording

Specific rules for the processing of personal data within the public sector also apply.

Personal data collected for purposes of processing must be truthful, adequate, relevant and not excessive in relation with the scope and purpose for which they were obtained. The gathering of data shall not take place by unfair or fraudulent means or in an otherwise illegal manner.

Personal data may not be used for purposes different from or incompatible with those for which the personal data was initially collected. Personal data must be accurate and properly updated when necessary. Totally or partially inaccurate personal data, or those that are incomplete, shall be suppressed and substituted, or completed where relevant, by the person responsible for the archive or database, whenever such person becomes aware of the inaccurate or incomplete character of the information.

Consent from the data subject is required, which must be free, express and informed consent and in writing or in another equivalent form, unless:

• The personal data were obtained from sources open to unrestricted public access

• The personal data were obtained as part of the performance of state duties or in compliance with a legal obligation 
• The personal data consists of lists whose data are limited to the name, national identity document number, tax or social security identification, occupation, date of birth and domicile

• The personal data are derived from a contractual, scientific or professional relationship and are necessary for such relationship

• The personal data result from operations conducted by financial entities with their clients or consist in the information such financial entities receive from their clients pursuant to the Financial Entities Law

When the authorization for the collection and processing of data is requested, the data subject must be informed about the purpose for which the data will be processed, as well as about the individuals or groups of individuals who will have access to the processed information. In addition, the archive, registry or data bank where the information will be kept must be identified, together with the person responsible for it. The data subject must be informed about the voluntary or compulsory nature of the answers requested from such owner, as well as about the consequences of providing the personal data or of refusing to give such information or of providing untruthful information. The data subject must also be informed about the right to access, rectify and suppress the relevant data.

Special rules apply to sensitive data. No person may be required to disclose sensitive data. Sensitive data may only be collected and processed where necessary, and with consent, as expressly permitted by law, or for statistical or scientific purposes provided the person they refer to may not be identified.

Data related to criminal records may only be processed by the relevant public authorities.

• By and large, the entities must obtain prior express consent from data subjects to lawfully collect and process personal data․ The consent is not necessary in the cases directly provided by the legislation or if the data is being collected from public sources.
• The data subject may give his or her consent in person or through the representative, where the power of attorney specifically provides for such a power.
• The data subject's consent shall be considered to be given and the processor shall have the right to process, where:
  • personal data are indicated in a document addressed to the processor and signed by the data subject, except for the cases when the document, by its content, is an objection against processing of personal data;
  • the processor has obtained data on the basis of an agreement concluded with the data subject and uses it for the purposes of operations prescribed by this Agreement;
  • the data subject, voluntarily, for use purposes, verbally transfers information on his or her personal data to the processor. 
• Personal data may be processed without the data subject's consent, where the processing of data is directly provided for by law.
• The processor of personal data or the authorised person, for obtaining the data subject's written consent, shall notify the data subject of the intention to process the data.
• The data subject shall give his or her consent in writing or electronically, validated by electronic digital signature; in case of an oral consent — by means of such reliable operations which will obviously attest the consent of the data subject on using the personal data.

The processor of personal data for obtaining the data subject's consent notifies of the intention to process the data. The notification shall include:

• surname, name, patronymic of the data subject;
• legal grounds and purpose of the processing of personal data;
• list of personal data subject to processing;
• list of operations to be performed upon personal data for which the subject's consent is requested;
• scope of persons to whom personal data may be transferred;
• name (surname, name, patronymic, position) of the processor or his or her representative requesting the data subject's consent and registered office or place of registration (actual residence);
• information on requiring by the data subject rectification, destruction of personal data, terminating the processing of data or on carrying out other operation relating to the processing;
• validity of the consent requested, as well as the procedure and consequences of withdrawing the consent.

Characteristics for processing publicly available personal data

• A regime of publicly available information of personal data (phone directories, address books, biographical directories, private announcements, declaration of income, etc.) may be established by the data subject's consent or in cases provided for by law. The name, surname, year, month and day of birth, place of birth, place of death, year, month and day of death, as well as the personal data which by conscious operations carried out by the data subject aimed at making publicly available becomes publicly available for certain scope of persons or public at large, shall be considered as publicly available.
• Information on the data subject, except for information provided for by previous clause, may be removed from publicly available sources of personal data at the request of data subject or through judicial procedure.
• The data being processed on the basis of an agreement may be removed from publicly available sources of personal data by mutual consent or through judicial procedure.

Characteristics for processing sensitive personal data

• The processing of special category personal data without the person's consent shall be prohibited, except when the processing of data is directly provided for by law.
• The processing of personal data provided for by the previous clause shall immediately be terminated, where the grounds and purpose of the processing of data were eliminated.

Characteristics for processing personal data of persons with incapacity or limited capacity and minors under the age of 16

In case of incapacity or limited capacity of the data subject or of being a minor under the age of 16, consent for processing his or her personal data shall be given by a legal representative / parent of the data subject

Characteristics for processing biometric personal data

Biometric personal data shall be processed only by the data subject's consent, except for cases provided for by law and where the purpose pursued by law is possible to implement only through processing of these biometric data.

Processing of personal data by an authorized person assigned by the processor of data

Personal data may also be processed by an authorized person assigned by the processor. The assignment shall be in writing, which shall include

• legal grounds and conditions;
• the purpose of the processing of personal data;
• the list of personal data subject to processing;
• the scope of data subjects;
• the scope of persons to whom personal data may be transferred;
• technical and organizational measures for the protection of personal data and other necessary information.

Personal data shall be processed only within the scope of the assignment. The processor of data shall be responsible for the processing of personal data within the scope of the assignment. Where the assignment does not comply with the requirements of the Law, the authorized person must inform in writing thereon to the processor of data and refuse the processing.

Blocking or destruction of personal data

The data subject shall have the right to get familiarized with his or her personal data, and require the processor to rectify, block or destruct his or her personal data, where the personal data are not complete or accurate or are outdated or has been obtained unlawfully or are not necessary for achieving the purposes of the processing.

In case of doubts with regard to the rectification, blocking or destruction of personal data by the processor, the data subject shall have the right to apply to the authorized body for the protection of personal data to make clear the fact of his or her personal data being rectified, blocked or destructed and by the request to be provided with information.

In case of incomplete, inaccurate, outdated, unlawfully obtained personal data or those unnecessary for achieving the purposes of the processing, the processor of personal data shall be obliged to carry out necessary operations for making them complete, keeping up to date, rectifying or destructing.

The processor shall be obliged to destruct or block personal data that are not necessary for achieving the legitimate purpose.

National Ordinance Person Registration 

Collection: a natural or legal person, public authority, agency or other body which who has control over a person registration. 

Processor: a natural or legal person, public authority, agency or other body which who owns all or part of the has equipment in his possession, with which a personal registration of which he is not the holder. 

GDPR 

Collection: a natural or legal person, public authority, agency or other body that collect personal data and use it for certain purposes, like a website that markets to users based on their online behaviour. 

Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. Processors act on behalf of the relevant controller and under their authority.

Organizations may not collect personal information unless the information is reasonably necessary for one or more of its business functions or activities.

Under the Privacy Act, organizations must take reasonable steps to ensure that personal information collected is accurate and up-to-date.

At or before the time organizations collect personal information, or as soon as practicable afterwards, they must take reasonable steps to provide individuals with notice of:

• The organization’s identity and contact information;

• Why it is collecting (or how it will use the) information about the individual;

• The entities or types of entities to which it might give the personal information;

• Any law requiring the collection of personal information;

• The main consequences (if any) for the individual if all or part of the information is not provided;

• The fact that the organization’s privacy policy contains information about how the individual may access and seek correction of their personal information, how they may make a complaint about a breach of the APPs and how the organization will deal with such complaint; and

• Whether the organization is likely to disclose their personal information to overseas recipients and, if so, the countries in which such recipients are likely to be located (if it is practicable to specify those countries in the notification or to otherwise make the individual aware of them).

Organizations should comply with these notification requirements by preparing a “collection statement” or “privacy notice” for each significant collection of personal information, and providing this to individuals  prior to collecting their personal information.

This notification requirement applies in addition to the requirement for organisations to maintain a broader privacy policy, which details the general personal information handling processes of the organisation. APP 1 lists the information which is required to be included in a privacy policy.

In practice, a major Privacy Act compliance issue often arises because organizations fail to recognize that the mandatory notice requirements outlined above also apply to any personal information collected from a third party. Organizations must provide individuals with required notice on receipt of personal information from a third party, even though they did not collect personal information directly from the individual. Unlike Europe, Australian privacy law does not distinguish between "data processors" and "data controllers".

Organizations must not use or disclose personal information about an individual unless one or more of the following applies:

• The personal information was collected for that purpose (the primary purpose) or a different (secondary) purpose which is related to (and, in the case of sensitive information, directly related to) the primary purpose of collection and the individual would reasonably expect the organization to use or disclose the information for that secondary purpose;
• The individual consents;
• A "permitted general situation" or "permitted health situation" exists; for example, the entity has reason to suspect that unlawful activity relating to the entity's functions has been engaged in, or there is a serious threat to the health and safety of an individual or the public; or
• It is required or authorized by law or on behalf of an enforcement agency.

In the case of use and disclosure for the purpose of direct marketing, organizations are required to ensure that:

• The information used is not sensitive information; 
• Either the individual has consented or would reasonably expect the organisation to use or disclose the information for direct marketing, or it is impracticable to seek the individual’s consent, and (among other things) the individual is told that they can opt out of receiving marketing from the organization;
• Each direct marketing communication includes a simple means by which the individual can opt out; and

• The individual has not previously requested to opt out of receiving direct marketing communications.

The above direct marketing requirements apply to all forms of direct marketing. Additionally, specific requirements for commercial electronic messaging are outlined in Electronic Marketing.

If an organization plans to use personal information in wholly or substantially automated decision making that could reasonably be expected to significantly affect the rights or interests of an individual, from late 2026 onwards, the organization must include details of the use of automated decision making in its privacy policy.

The Privacy Act affords additional protections when processing involves sensitive information. Organizations are prohibited from collecting sensitive information from an individual unless certain limited requirements are met, including one or more of the following:

• The individual has consented to the collection and the collection of the sensitive information is reasonably necessary for one or more of the entity's functions or activities;
• Collection is required or authorized by law or a court / tribunal order;
• A "permitted general situation" or "permitted health situation" exists; for example, the entity has reason to suspect that unlawful activity relating to the entity's functions has been engaged in, or there is a serious threat to the health and safety of an individual or the public;
• The entity is an enforcement body and the collection is reasonably necessary for that entity's functions or activities; and
• The entity is a nonprofit organization and the information relates to the activities of the organization and solely to the members of the organization (or to individuals who have regular contact with the organization relating to its activities).

Organizations must provide individuals with access to their personal information held by the organization upon an individual’s request. Additionally, individuals have a right to correct inaccurate, out-of-date, and irrelevant personal information held by an organization. Under certain circumstances, the organization may limit the extent to which it provides an individual with access or correction rights, including in emergency situations, specified business imperatives, and law enforcement or other public interests.

Further, organizations must provide individuals with the option to not identify themselves, or use a pseudonym, when dealing with the organization, unless it is impractical to do so or the organization is required or authorized by law to deal with identified individuals.

EU regulation

Data Protection Principles

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under these principles, personal data must be (Article 5):

• processed lawfully, fairly and in a transparent manner (the "lawfulness, fairness and transparency principle");
• collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (the "purpose limitation principle");
• adequate, relevant and limited to what is necessary in relation to the purpose(s) (the "data minimization principle");
• accurate and where necessary kept up-to-date (the "accuracy principle");
• kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which the data are processed (the "storage limitation principle"); and
• processed in a manner that ensures appropriate security of the personal data, using appropriate technical and organizational measures (the "integrity and confidentiality principle").

The controller is responsible for and must be able to demonstrate compliance with the above principles (the "accountability principle"). Accountability is a core principle of the GDPR. Organizations must not only comply with the GDPR but also be able to demonstrate compliance, potentially for years after a particular decision regarding processing of personal data. Record-keeping, audit and appropriate governance will all form a key role in achieving accountability.

Legal Basis under Article 6

In addition, in order to satisfy the lawfulness principle, each use of personal data must be justified by reference to an appropriate basis for processing. The legal bases (also known lawful bases or lawful grounds) under which personal data may be processed are (Article 6(1)):

• with the consent of the data subject (where consent must be "freely given, specific, informed and unambiguous", and must be capable of being withdrawn at any time);
• where necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract;
• where necessary to comply with a legal obligation (of the EU) to which the controller is subject;
• where necessary to protect the vital interests of the data subject or another person (generally recognized as being limited to 'life or death' scenarios, such as medical emergencies);
• where necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller; or
• where necessary for the purposes of the legitimate interests of the controller or a third party (which is subject to a balancing test, in which the interests of the controller must not override the interests or fundamental rights and freedoms of the data subject. Note also that this basis cannot be relied upon by a public authority in the performance of its tasks).

Special Category Data

Processing of special category data is prohibited (Article 9), except where one of the following exemptions applies (which, in effect, operate as secondary bases which must be established for the lawful processing of special category data, in addition to an Article 6 basis):

• with the explicit consent of the data subject;
• where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and social protection law or a collective agreement;
• where necessary to protect the vital interests of the data subject or another natural person who is physically or legally incapable of giving consent;
• in limited circumstances by certain not-for-profit bodies;
• where processing relates to the personal data which are manifestly made public by the data subject;
• where processing is necessary for the establishment, exercise or defence of legal claims or where courts are acting in their legal capacity;
• where necessary for reasons of substantial public interest on the basis of Union or Member State law, proportionate to the aim pursued and with appropriate safeguards;
• where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, provision of health or social care or treatment of the management of health or social care systems and services;
• where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of health care and of medical products and devices; or
• where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with restrictions set out in Article 89(1).

Member States are permitted to introduce national legislation regarding processing of genetic data, biometric data and health data.

Criminal Convictions and Offences data

Processing of personal data relating to criminal convictions and offences is prohibited unless carried out under the control of an official public authority, or specifically authorized by national legislation (Article 10).

Processing for a Secondary Purpose

Increasingly, organisations wish to 're-purpose' personal data - ie, use data collected for one purpose for a new purpose which was not disclosed to the data subject at the time the data were first collected. This is potentially in conflict with the core principle of purpose limitation; to ensure that the rights of data subjects are protected. The GDPR sets out a series of factors that the controller must consider to ascertain whether the new process is compatible with the purposes for which the personal data were initially collected (Article 6(4)). These include:

• any link between the original purpose and the new purpose
• the context in which the data have been collected
• the nature of the personal data, in particular whether special categories of data or data relating to criminal convictions are processed (with the inference being that if they are it will be much harder to form the view that a new purpose is compatible)
• the possible consequences of the new processing for the data subjects
• the existence of appropriate safeguards, which may include encryption or pseudonymization.

If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new purpose are consent or a legal obligation (more specifically an EU or Member State law which constitutes a necessary and proportionate measure in a democratic society).

Transparency (Privacy Notices)

The GDPR places considerable emphasis on transparency, ie, the right for a data subject to understand how and why his or her data are used, and what other rights are available to data subjects to control processing. The presentation of granular, yet easily accessible, privacy notices should, therefore, be seen as a cornerstone of GDPR compliance.

Various information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using clear and plain language (Article 12(1)).

The following information must be provided (Article 13) at the time the data are obtained: 

• the identity and contact details of the controller;
• the data protection officer's contact details (if there is one);
• both the purpose for which data will be processed and the legal basis for processing, including, if relevant, the legitimate interests for processing;
• the recipients or categories of recipients of the personal data;
• details of international transfers;
• the period for which personal data will be stored or, if that is not possible, the criteria used to determine this;
• the existence of rights of the data subject including the right to access, rectify, require erasure, restrict processing, object to processing and data portability;
• where applicable, the right to withdraw consent, and the right to complain to supervisory authorities;
• the consequences of failing to provide data necessary to enter into a contract;
• the existence of any automated decision making and profiling and the consequences for the data subject; and
• in addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that further processing, providing the above information.

Somewhat different requirements apply (Article 14) where information has not been obtained from the data subject.

Rights of the Data Subject

Data subjects enjoy a range of rights to control the processing of their personal data, some of which are very broadly applicable, while others only apply in quite limited circumstances. Controllers must provide information on action taken in response to requests within one calendar month as a default, with a limited right for the controller to extend this period thereby a further two months where the request is onerous.

Right of access (Article 15)

A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information about the how the data have been used by the controller.

Right to rectify (Article 16)

Data subjects may require inaccurate or incomplete personal data to be corrected or completed without undue delay.

Right to erasure ('right to be forgotten') (Article 17)

Data subjects may request erasure of their personal data. The forerunner of this right made headlines in 2014 when Europe’s highest court ruled against Google (Judgment of the CJEU in Case C-131/12), in effect requiring Google to remove search results relating to historic proceedings against a Spanish national for an unpaid debt on the basis that Google as a data controller of the search results had no legal basis to process that information.

The right is not absolute; it only arises in quite a narrow set of circumstances, notably where the controller no longer needs the data for the purposes for which they were collected or otherwise lawfully processed, or as a corollary of the successful exercise of the objection right, or of the withdrawal of consent.

Right to restriction of processing (Article 18)

Data subjects enjoy a right to restrict processing of their personal data in defined circumstances. These include where the accuracy of the data is contested; where the processing is unlawful; where the data are no longer needed save for legal claims of the data subject, or where the legitimate grounds for processing by the controller are contested.

Right to data portability (Article 20)

Where the processing of personal data is justified either on the basis that the data subject has given his or her consent to processing or where processing is necessary for the performance of a contract, then the data subject has the right to receive or have transmitted to another controller all personal data concerning him or her in a structured, commonly used and machine-readable format (eg, commonly used file formats recognised by mainstream software applications, such as .xsl).

Right to object (Article 21)

Data subjects have the right to object to processing on the legal basis of the legitimate interests of the data controller or where processing is in the public interest. Controllers will then have to suspend processing of the data until such time as they demonstrate “compelling legitimate grounds” for processing which override the rights of the data subject.

In addition, data subjects enjoy an unconditional right to object to the processing of personal data for direct marketing purposes at any time. 

The right not to be subject to automated decision making, including profiling (Article 22)

Automated decision making (including profiling) "which produces legal effects concerning [the data subject] … or similarly significantly affects him or her" is only permitted where: 

1. necessary for entering into or performing a contract;
2. authorized by EU or Member State law; or 
3. the data subject has given their explicit (ie, opt-in) consent.

Further, where significant automated decisions are taken on the basis of grounds (a) or (c), the data subject has the right to obtain human intervention, to contest the decision, and to express his or her point of view.

---

Austria regulation

The Austrian DSG imposes further obligations upon controllers and processors. Pursuant to Section 6, all employees, agents or contractors of a controller or a processor who have access to personal data must be contractually obliged to transfer personal data only after receiving an adequate and documented instruction by their employer (confidentiality obligation). All employees, agents or contractors of a controller or a processor must be subject to confidentiality undertakings or professional or statutory obligations of confidentiality. Measures must be taken to ensure that all employees, agents or contractors of a controller or a processor are bound by the aforementioned undertakings and/or obligations of confidentiality even after the termination of their respective contract, regardless of the cause or form thereof.

CCTV, or rather more broadly processing of images made in public or private spaces, including related sound recordings, are subject to further regulation and requirements pursuant to Sections 12 and 13 DSG. This provision provides limitations regarding the lawfulness of such processing as compared to Art 6 GDPR, as processing of image data is only permissible in the following cases:

• processing is necessary in order to protect the vital interests of the data subject
• the data subject has given their consent
• the processing is required or permitted by specific statutory law, or
• the interests of the data controller override the interests of the data subjects in the specific case, and the processing is proportionate

Overriding legitimate interests are assumed by the law in some cases listed as examples, such as preventive protection of property or persons on private properties or publicly accessible spaces controller by the data controller.

The capturing of images / CCTV is always prohibited in the following cases:

• processing of images capturing persons in their personal area of life without their express consent
• processing of CCTV images for the purpose of employee monitoring
• the automated comparison of personal data obtained by means of capturing images / CCTV without explicit consent and for the creation of personality profiles with other personal data, or
• the evaluation of personal data obtained by means of image capturing on the basis of special categories of personal data (Art. 9 GDPR) as a selection criterion

In early 2020, the Austrian Data Protection Authority has published a non-binding opinion, referring to two decisions of the Federal Administrative Court, and stating that Sections 12 and 13 DSG are not in line with the GDPR and shall therefore no longer be applied. The Authority shall assess CCTV data processings exclusively on the basis of the GDPR. However, the contents of the Sections 12 and 13 DSG are still practically used as criteria for assessment of the lawfulness of the processing.

Other additional regulations for processing of data include:

• regulation relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (Section 7), which allows processing of such data if they are publicly accessible, have been collected lawfully for other research purposes or other lawful purposes, or are pseudonymized; other data may only be processed to the extent there are specific statutory regulations, the data subjects have given their consent or the Data Protection Authority has approved the processing
• further regulation regarding the processing of data for purposes pursuant to Art 89(1) GDPR, most notably for research purposes, included in the Act on Research Organisation (Forschungsorganisationsgesetz - FOG); this regulation includes provisions which lessen to some extent the requirements for processing of special categories of data, including in particular the concept of "broad consent", and limit the rights of data subjects in this respect
• regulation relating to the processing of addresses for informing or sending questionnaires to data subjects (Section 8), which in principle requires consent for such processing, but also provides some derogations
• regulation regarding data processing in cases of catastrophes (Section 10)

Collection and processing of personal data can be implemented either with obtaining a prior consent of a data subject or when the data is of open category (i.e. non-confidential).

DPA in The Bahamas has only limited extraterritorial effect (as it concerns data controllers). Per Section 4(1) of DPA, the Act only applies to: data controllers established in The Bahamas (where the data is processed in the context of the local establishment); and data controllers established outside The Bahamas that use equipment in The Bahamas for processing data (other than for transit through The Bahamas). 

In the above context, an ‘established’ data controller can be any of the following (in accordance with Section 4(3) of DPA): an individual ordinarily resident in The Bahamas; a body incorporated or registered under Bahamian law; a partnership or other unincorporated association formed under Bahamian law; and any person that does not fall into any of the foregoing categories but maintains an office, branch or agency in The Bahamas through which they carry on a business activity or regular practice. It can be seen, therefore, that a nexus to The Bahamas of the kind described above must be established for DPA to apply outside the jurisdiction. 

Data controllers are defined in Section 2 DPA as a person who, alone or with others, determines the purposes for which and the manner in which any personal data are, or are to be processed. Data controllers owe a statutory duty of care to data subjects pursuant to Section 12(1) as it regards the collection by him of personal data or information intended for inclusion in such data or his dealing with such data. Further, Section 12(2) provides that data controllers must use contractual or other legal means to provide a ‘comparable’ level of protection from any third party to whom he discloses information for the purpose of data processing. 

Data controllers, under Sections 6(1), must abide by several core duties as it relates that the collection, processing, keeping, use and disclosure of data of data subjects, namely, to ensure:

• The data or information constituting the data has been collected by means which are lawful and fair in the circumstances of the case (e.g., data subjects should not be deceived or misled as to the purpose(s) for which the data is being processed or collected – and the use of such data should not cause damage or distress to the data subject);
• The data is accurate and kept up to date where necessary (except in the case of data back-up);
• The data is only kept only for one or more specified or lawful purpose(s);
• The data is not used or disclosed in a manner which is incompatible with that/those purpose(s);
• The data collected is adequate, relevant and not excessive in relation to that purpose or purposes;
• The data is not kept for a period longer than necessary for the purpose(s) for which it was collected (except in cases where personal data needs to be kept for historical, statistical or research purposes);
• There are appropriate security measures in place to prevent unauthorised access to, or alteration, disclosure or destruction of data and against its accidental loss or destruction.

Processing is defined under the PDPL as any operation or set of operations carried out on personal data by automated or non-automated means, such as collecting, recording, organizing, classifying in groups, storing, modifying, amending, retrieving, using or revealing such data by broadcasting, publishing, transmitting, making them available to others, integrating, blocking, deleting or destroying them.

Processing of personal data can only occur with the consent of the data subject, unless the processing is necessary:

• to implement a contract to which the data subject is a party;
• to take steps at the request of the data subject to conclude a contract;
• to implement an obligation required by law, contrary to a contractual obligation or an order from a competent court;
• to protect the vital interests of the data subject; or
• to exercise the legitimate interests of the data controller or any third party to whom the data is disclosed, unless this conflicts with the fundamental rights and freedoms of the data subject.

Processing of sensitive personal data is also prohibited without the consent of the data subject, except when the processing:

• is required by the data controller to carry out their obligations;
• is necessary for the protection of the data subject;
• of the data is made available to the public by the data subject;
• is necessary to exercise any of the procedures of claims of legal rights or the defence thereof;
• is necessary for the purposes of preventive medicine, medical diagnosis, provision of healthcare, treatment or management of healthcare services;
• is carried out within the activities of associations, unions and other non-profit organisations;
• is carried out by a competent public entity; or
• is related to the race or ethnicity, if they are necessary to ascertain equal opportunities or treatment of the society's individuals.

Data controllers are prohibited from processing the following personal data types without the prior written authorization of the Authority:

• automatic processing of sensitive personal data of data subjects who cannot provide consent;
• automatic processing of biometric data;
• automatic processing of genetic data (unless such processing was provided by physicians and specialists at a licensed medical establishment and is necessary for purposes of preventative medicine or diagnostic medicine, or purposes to provide treatment or healthcare);
• automatic processing of personal data files that are in the possession of two or more data controllers that are processing personal data for different purposes; or
• processing that consists of visual recording to be used for monitoring purposes.

There are no statutes that expressly allow the collection and processing of identification information.

The CA 2023 came into force in full on 18 September 2023 repealing the Digital Security Act 2018. The provisions of the CA 2023 closely mirror those of the Digital Security Act 2018, with the only modifications being a decrease in penalties for specific offenses. Section 26 of the CA 2023 has been drafted in very wide terms. The contents of this provision would appear to provide, inter alia, that if anyone without lawful authority collects, sells, keeps possession of, supplies or uses identification information of another person, it would constitute an offence¹. The punishment for violation of Section 26 of the CA 2023 is imprisonment of a term not exceeding two years or a fine not exceeding Taka 5,00,000 (approx. US$ 4,545 as of 3 January 2023 ) or both.

Please note that the CA 2023 does not contain any exceptions to the Section 26 requirement. However, identification information may be, among other things, collected and stored by a person if he has lawful authority. The term "lawful authority" has not been defined in the CA 2023. The Government of Bangladesh has not yet issued any clarification as to what would constitute 'lawful use' and has provided no guidance on what would satisfy the 'lawful authority' requirement. It is for these reasons (among others) that the legislation has been widely criticised.

In our opinion, a person will be deemed to have lawful authority if they are authorized by statute or contract to collect and store such identification information.

Where personal data relating to a data subject is collected from the data subject, the data controller must, at the time when personal data is obtained, provide the data subject with the following:

• the identity and the contact details of the data controller and, where applicable, of the data controller's representative;
• the contact details of the data privacy officer, where applicable;

Processingof personal data is only lawful where:

• the data subject has given consent to the processing of his personal data for one or more specific purposes; or 
• the processing is necessary
  
  
  • for the performance of a contract to which the data subject is a party;
  • for the taking of steps at the request of the data subject with a view to entering into a contract;
  • for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract;
  • in order to protect the vital interests of the data subject;
  • for the administration of justice;
  • for the exercise of any functions of either House of Parliament;
  • for the exercise of any functions conferred on any person by or under any enactment;
  • for the exercise of any functions of a public authority;
  • for the purposes of legitimate interests pursued by the data controller or by the third party to whom the data is disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject; or
  • processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Data Protection Law contains a wide range of legal bases for personal data processing:

• data subject’s consent;
• if the processing is required for:
  • administrative or criminal proceedings, operational-search activities;
  • administration of justice and the enforcement of court orders and other enforcement documents;
  • performing monitoring activities (supervision) in accordance with the legislation;
  • implementation of legislation on national security, on combating corruption, on preventing money laundering, financing of terrorist activities and financing weapons of mass destruction proliferation;
  • the implementation of legislation on elections and referendum;
  • state social insurance purposes;
  • formalising employment relationships, in the process of employment activities;
  • notarial activities;
  • Belarusian citizenship issues;
  • assignment and payment of pensions, benefits;
  • the organisation and carrying out of national statistical observations;
  • scientific and other research purposes, on condition that the personal data are depersonalised;
  • accounting, calculation, charging of fees for housing and utility services, other services, taxes;
• processing is based on a contract, that is concluded (being concluded) with data subject, and for the purpose of performing actions stipulated by this contract;
• if personal data are specified in a document addressed to the operator and signed by the data subject;
• processing is essential for the performance of certain journalist’s activities;
• processing is required to protect the subject's life, health or other interests if obtaining of consent is not possible;
• if personal data were previously disseminated;
• in order to fulfil the duties / powers stipulated in legislation;
• in other cases expressly provided in legislation.

Data Protection Law has different list of legal bases for processing of special personal data and for cross-border transfer of personal data to the territories of states that do not ensure proper protection of data subjects rights.

The consent of the data subject can be obtained in writing, in the form of an electronic document or in another electronic form (e.g. via tick-box at the website or SMS / email verification). Operator shall provide proof, if be required, that it has collected proper consent for personal data processing.

Before obtaining consent, the operator shall provide the subject of personal data with the following information:

• name (full name) and location (address of residence) of the operator;
• purpose of personal data processing;
• list of personal data to be processed;
• consent validity term;
• information about the persons authorised by operator to process personal data (if those are engaged);
• what actions be done with personal data;
• a general description of the processing methods;
• other relevant information.

In addition, apart from other necessary information, the subject shall be informed of his/her rights, the mechanism for exercising them, the consequences of giving and withdrawing consent.

Operator may collect surname, first name, middle name of data subject, date of birth, identification number (if not, the number of the ID document) only if it is required for the purposes of processing. Such information shall be provided by data subject when at the time he/she provides the consent.

EU regulation

Data Protection Principles

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under these principles, personal data must be (Article 5):

• processed lawfully, fairly and in a transparent manner (the "lawfulness, fairness and transparency principle");
• collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (the "purpose limitation principle");
• adequate, relevant and limited to what is necessary in relation to the purpose(s) (the "data minimization principle");
• accurate and where necessary kept up-to-date (the "accuracy principle");
• kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which the data are processed (the "storage limitation principle"); and
• processed in a manner that ensures appropriate security of the personal data, using appropriate technical and organizational measures (the "integrity and confidentiality principle").

The controller is responsible for and must be able to demonstrate compliance with the above principles (the "accountability principle"). Accountability is a core theme of the GDPR. Organizations must not only comply with the GDPR but also be able to demonstrate compliance perhaps years after a particular decision relating to processing personal data was taken. Record keeping, audit and appropriate governance will all form a key role in achieving accountability.

Legal Basis under Article 6

In addition, in order to satisfy the lawfulness principle, each use of personal data must be justified by reference to an appropriate basis for processing. The legal bases (also known lawful bases or lawful grounds) under which personal data may be processed are (Article 6(1)):

• with the consent of the data subject (where consent must be "freely given, specific, informed and unambiguous", and must be capable of being withdrawn at any time);
• where necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract;
• where necessary to comply with a legal obligation (of the EU) to which the controller is subject;
• where necessary to protect the vital interests of the data subject or another person (generally recognised as being limited to 'life or death' scenarios, such as medical emergencies);
• where necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller; or
• where necessary for the purposes of the legitimate interests of the controller or a third party (which is subject to a balancing test, in which the interests of the controller must not override the interests or fundamental rights and freedoms of the data subject. Note also that this basis cannot be relied upon by a public authority in the performance of its tasks).

Special Category Data

Processing of special category data is prohibited (Article 9), except where one of the following exemptions applies (which, in effect, operate as secondary bases which must be established for the lawful processing of special category data, in addition to an Article 6 basis):

• with the explicit consent of the data subject;
• where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and social protection law or a collective agreement;
• where necessary to protect the vital interests of the data subject or another natural person who is physically or legally incapable of giving consent;
• in limited circumstances by certain not-for-profit bodies;
• where processing relates to the personal data which are manifestly made public by the data subject;
• where processing is necessary for the establishment, exercise or defence of legal claims or where courts are acting in their legal capacity;
• where necessary for reasons of substantial public interest on the basis of Union or Member State law, proportionate to the aim pursued and with appropriate safeguards;
• where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, provision of health or social care or treatment of the management of health or social care systems and services;
• where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of health care and of medical products and devices; or
• where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with restrictions set out in Article 89(1).

Member States are permitted to introduce domestic laws including further conditions and limitations for processing with regard to processing genetic data, biometric data and health data.

Criminal Convictions and Offences data

Processing of personal data relating to criminal convictions and offences is prohibited unless carried out under the control of an official public authority, or specifically authorised by Member State domestic law (Article 10).

Processing for a Secondary Purpose

Increasingly, organisations wish to 're-purpose' personal data - i.e. use data collected for one purpose for a new purpose which was not disclosed to the data subject at the time the data were first collected. This is potentially in conflict with the core principle of purpose limitation; to ensure that the rights of data subjects are protected. The GDPR sets out a series of factors that the controller must consider to ascertain whether the new process is compatible with the purposes for which the personal data were initially collected (Article 6(4)). These include:

• any link between the original purpose and the new purpose
• the context in which the data have been collected
• the nature of the personal data, in particular whether special categories of data or data relating to criminal convictions are processed (with the inference being that if they are it will be much harder to form the view that a new purpose is compatible)
• the possible consequences of the new processing for the data subjects
• the existence of appropriate safeguards, which may include encryption or pseudonymisation.

If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new purpose are consent or a legal obligation (more specifically an EU or Member State law which constitutes a necessary and proportionate measure in a democratic society).

Transparency (Privacy Notices)

The GDPR places considerable emphasis on transparency, i.e. the right for a data subject to understand how and why his or her data are used, and what other rights are available to data subjects to control processing. The presentation of granular, yet easily accessible, privacy notices should, therefore, be seen as a cornerstone of GDPR compliance.

Various information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using clear and plain language (Article 12(1)).

The following information must be provided (Article 13) at the time the data are obtained: 

• the identity and contact details of the controller;
• the data protection officer's contact details (if there is one);
• both the purpose for which data will be processed and the legal basis for processing, including, if relevant, the legitimate interests for processing;
• the recipients or categories of recipients of the personal data;
• details of international transfers;
• the period for which personal data will be stored or, if that is not possible, the criteria used to determine this;
• the existence of rights of the data subject including the right to access, rectify, require erasure, restrict processing, object to processing and data portability;
• where applicable, the right to withdraw consent, and the right to complain to supervisory authorities;
• the consequences of failing to provide data necessary to enter into a contract;
• the existence of any automated decision making and profiling and the consequences for the data subject; and
• in addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that further processing, providing the above information.

Somewhat different requirements apply (Article 14) where information has not been obtained from the data subject.

Rights of the Data Subject

Data subjects enjoy a range of rights to control the processing of their personal data, some of which are very broadly applicable, whilst others only apply in quite limited circumstances. Controllers must provide information on action taken in response to requests within one calendar month as a default, with a limited right for the controller to extend this period thereby a further two months where the request is onerous.

Right of access (Article 15)

A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information about the how the data have been used by the controller.

Right to rectify (Article 16)

Data subjects may require inaccurate or incomplete personal data to be corrected or completed without undue delay.

Right to erasure ('right to be forgotten') (Article 17)

Data subjects may request erasure of their personal data. The forerunner of this right made headlines in 2014 when Europe’s highest court ruled against Google (Judgment of the CJEU in Case C-131/12), in effect requiring Google to remove search results relating to historic proceedings against a Spanish national for an unpaid debt on the basis that Google as a data controller of the search results had no legal basis to process that information.

The right is not absolute; it only arises in quite a narrow set of circumstances, notably where the controller no longer needs the data for the purposes for which they were collected or otherwise lawfully processed, or as a corollary of the successful exercise of the objection right, or of the withdrawal of consent.

Right to restriction of processing (Article 18)

Data subjects enjoy a right to restrict processing of their personal data in defined circumstances. These include where the accuracy of the data is contested; where the processing is unlawful; where the data are no longer needed save for legal claims of the data subject, or where the legitimate grounds for processing by the controller are contested.

Right to data portability (Article 20)

Where the processing of personal data is justified either on the basis that the data subject has given his or her consent to processing or where processing is necessary for the performance of a contract, then the data subject has the right to receive or have transmitted to another controller all personal data concerning him or her in a structured, commonly used and machine-readable format (e.g. commonly used file formats recognised by mainstream software applications, such as .xsl).

Right to object (Article 21)

Data subjects have the right to object to processing on the legal basis of the legitimate interests of the data controller or where processing is in the public interest. Controllers will then have to suspend processing of the data until such time as they demonstrate “compelling legitimate grounds” for processing which override the rights of the data subject.

In addition, data subjects enjoy an unconditional right to object to the processing of personal data for direct marketing purposes at any time. 

The right not to be subject to automated decision making, including profiling (Article 22)

Automated decision making (including profiling) "which produces legal effects concerning [the data subject] … or similarly significantly affects him or her" is only permitted where: 

1. necessary for entering into or performing a contract;
2. authorized by EU or Member State law; or 
3. the data subject has given their explicit (ie, opt-in) consent.

Further, where significant automated decisions are taken on the basis of grounds (a) or (c), the data subject has the right to obtain human intervention, to contest the decision, and to express his or her point of view.

---

Belgium regulation

The Data Protection Act adds only specificities to the general processing requirements. The age for consent of children for the purposes of article 8.1 GDPR  is 13 year¹. When processing genetic, biometric and health data, a controller needs to indicate who has access to these personal data, keep a list of the categories of people who have access to these data, keep this list at the disposal of the DPA, and ensure that these people are bound by a legal, statutory or contractual obligation of confidentiality². The Data Protection Authority has adopted specific guidelines regarding the processing of biometric data³. 

The Data Protection Act also provides a list of legal bases for processing data relating to criminal convictions and offences and requires an access management list and confidentiality duties (as described here above) for processing such data⁴.

Data subject rights

The Data Protection Act provides further exceptions to data subject’s rights, including the right to be informed when personal data is received from authorities under special regimes⁵ or when personal data is disclosed to these bodies⁶. With respect to the special regimes addressed in the Data Protection Act, the Data Protection Act also sets out the corresponding data subject rights (which are often more limited than those included in the GDPR)⁷. 

The Data Protection Act clarifies that data subject rights, including the right to information in judicial proceedings/decisions, will be accommodated in accordance with the Judicial Code, the Code on Criminal proceedings and any specific laws related to criminal law procedure⁸.

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under these principles, personal data must be (Article 383):

• processed lawfully, fairly and transparently;
• collected for specific, explicit, and legitimate purposes and not subsequently processed in a manner inconsistent with those purposes;
• processed appropriately, in a manner relevant and not excessive with regard to the purposes for which they are collected and processed;
• accurate and, if necessary, updated. All reasonable steps must be taken to ensure that inaccurate or incomplete data is erased or corrected;
• kept in a form that allows the identification of data subjects for a period not exceeding that necessary to achieve the purposes for which they are collected or for which they are processed;
• processed in a manner that ensures appropriate security of personal data

Notwithstanding the above, the overriding principle governing the processing of personal data in Benin is the prior consent of the data subject (see Articles 6 of the Data protection Law and 389 of the Digital Code.)

There are some exceptions to this principle. The prior consent of a data subject is not required when processing the data is meant to:

• comply with a legal obligation to which the controller is subject to;
• perform a task in the public interest or a task falling within the exercise of public authority, which is entrusted to the controller or the third party to whom the data are shared;
• perform a contract to which the data subject is a party or perform pre-contractual measures taken at the request of the data subject;
• protect fundamental interests or rights;
• perform certain activities in the framework of journalism, research or artistic or literary expression in compliance with the ethical rules of these professions.

When the processing is entrusted to a subcontractor, the controller or, where appropriate, his representative in the Republic of Benin, must:

• choose a subcontractor providing sufficient guarantees sufficient guarantees with regard to technical and organizational security and organizational measures relating to the processing;
• conclude a contract with the processor either in writing or via electronic means;
• define among other things the responsibility of the processor with regard to the data controller and their incumbent obligations in the privacy and security of the data

Under the applicable data protection law in Benin, individuals possess the following rights:

• right to obtain all their personal data in a clear format, as well as any available information as to their origin;
• right to withdraw consent for personal data processing at any time;
• the right to object, for lawful reasons, to the processing of their personal data;
• right to oppose the processing of their personal data for marketing purposes;
• right to rectify or erase personal data when it is deemed inaccurate or incomplete;
• right to not be subject to decisions made on the sole basis of an automated processing that would produce significant risks or harm;
• right to be forgotten, or to have information made public about themselves deleted from records; and
• right to obtain damages from data controllers when a breach occurs, leading to a material or non-pecuniary damage to a person.

Right to be informed

Data controllers must provide data subjects with information describing, among other things:

• the processing activities, such as data category;
• the purpose of processing;
• data recipients;
• the existence of profiling activities; and
• identification and contact details of the data controllers, or data subject rights.

Right to access

Any natural person whose personal data is processed may request from the controller information making it possible to know and contest the processing of their personal data, communication in intelligible form of data to personal character that concerns them as well as any available information as to their origin.

Right to rectification

Any natural person may require the data controller to correct, complete, update, block, or delete personal data concerning him, which is inaccurate, incomplete, ambiguous, out of date, or irrelevant, as the case may be, and as soon as possible, or whose collection, use, disclosure, or retention is prohibited. To exercise their right of rectification or deletion, the interested party sends a request, by post or electronically, dated and signed to the controller, or his representative.

Within 45 days following receipt of the request provided for in the previous paragraph, the controller communicates the rectifications or erasures of the data made to the data subject himself as well as to the persons to whom they are inaccurate, incomplete, equivocal, outdated, irrelevant or whose collection, use, communication, or storage is prohibited, have been communicated.

Right to erasure

See section above.

Right to object / opt-out

Any natural person has the right to object, at any time, for legitimate reasons, to the processing of personal data concerning him. It has the right, on the one hand, to be informed before data concerning it is communicated for the first time to third parties or used on behalf of third parties for purposes of prospecting, in particular commercial, charitable or political, and, on the other hand, to be expressly offered the right to oppose, free of charge, said communication or use.

Right to data portability

Data subjects have the right to receive the personal data concerning them that they have provided to a controller, in a structured, commonly used and machine-readable format, and have the right to transmit this data to another controller. processing without the controller to whom the personal data has been communicated obstructing it, when:

• the processing is based on consent or on a contract; and
• the processing is carried out using automated processes.

When the data subject exercises his right to data portability in application of the first paragraph, he has the right to obtain that the personal data are transmitted directly from one controller to another, when this is technically possible.

This right does not apply to processing necessary for the performance of a task of public interest or relating to the exercise of public authority vested in the controller. The right referred to in the first paragraph does not infringe the rights and freedoms of third parties.

PIPA regulates the collection and processing of personal information and applies to any individuall, entity or public authority collecting, storing and using personal information in Bermuda either electronically or as part of a structured filing system. The use to which sensitive personal information can be put by an organisation is much more restrictive.

The common law, which continues to apply in parallel with PIPA, will in certain cases consider it a breach of confidence to misuse or threaten to misuse confidential information.  The concept of 'misuse' is a broad one, but will often include any unauthorised disclosure, examination, copying or taking of confidential information.  The precise scope of the term however will depend largely on the specific circumstances, including the relevant relationship and the nature of the information.

There is no comprehensive privacy law, which imposes mandatory requirements or obligations related to the collection and processing of personal data. However, Supreme Decree 1391 any use of personal data (including collecting and processing personal data), regarless of purpose, requires the data subject's express and written consent.

Personal Data Protection Act BES 

Collecting and processing: any act or set of acts relating to personal data, including in any case the collection, recording, organization, storage, updating, modification, retrieval, consultation, use, disclosure by transmission, dissemination or any other form of making available, bringing together , as well as data blocking, erasure or destruction of data. 

GDPR 

Collection: a natural or legal person, public authority, agency or other body that collect personal data and use it for certain purposes, like a website that markets to users based on their online behaviour. 

Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. Processors act on behalf of the relevant controller and under their authority.

Collection and processing of personal data is permissible if carried out pursuant to the data subject’s consent and in compliance with the basic principles of personal data protection.

The form of the data subject’s consent depends on the type of personal data collected and processed. While the collection and processing of sensitive personal data requires explicit written consent from the data subject, the consent for the collection and processing of personal data falling within a category of general personal data does not have to be in writing. However, at the request of the competent authority, the controller has to be able to prove, at any time, the existence of a data subject’s consent for processing of both personal and sensitive personal data. Therefore, having a written consent for collection of any personal data is advisable. When required, written consent must contain at minimum elements prescribed by the DP law.

Apart from the consent, there are also other conditions which must be met for the collection and processing to be regarded as legitimate, including:

• Processing must be done in a fair and lawful way;
• The type and scope of processed data must be proportionate to the respective purpose; and
• Other principles regarding the legitimate reasons for personal data processing.

The DP Law provides an exception when a data subject's personal data may be processed without the data subject’s consent. This is the case where the processing is necessary for the fulfillment of a data controller’s statutory obligations or for preparation or realization of an agreement concluded between a data controller and a data subject (Exceptional Cases). These conditions are considered the basic principles of personal data protection and are applicable to each case of personal data processing.

The legal grounds as well as the data processing requirements envisaged by the Draft Data Protection Law fully correspond to those envisaged by the GDPR.

Processing means any operation or a set of operations which is taken in regard to personal data, whether or not it occurs by automatic means, and includes the collection, recording, organization, storage, alteration, retrieval, gathering, use, disclosure by transmission, dissemination or otherwise making information available, alignment, or combination, blocking, erasure or destruction of such data.

Processing personal data 

Prior to undertaking the processing of personal data, data controllers are generally required to obtain written consent from the data subjects. Consent is not required in instances authorised by any written law. In addition, a data subject who has given consent for processing of personal data may at any time, in writing, revoke the consent for legitimate, reasonable, and compelling reasons at that particular time.

Alternatively to where written consent is obtained, personal data may further be processed where the processing is necessary for: 

• the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject entering into a contract;
• compliance with a legal obligation to which the data controller is subject;
• protecting the vital interests of the data subject;
• performing an activity that is carried out in the public interest or in the exercise of an official authorization vested in the data controller, or of a third party to whom the data is disclosed; or
• a purpose that concerns a legitimate interest of the data controller, or of a third party to whom personal data is provided, except where such interest is overridden by the interest to protect the fundamental rights and freedoms of the data subject and in particular, the right to privacy.

Where personal data is processed for historical, statistical or scientific purposes, the data controller must ensure that there are appropriate security safeguards in place in instances where the personal data may be kept for a period longer than necessary, having regard to the purpose for which it is processed or the personal data kept is not used for any decision concerning the data subject. 

In the event that processing is for direct marketing, the data controller must, at no cost, inform the data subject of the right to oppose the processing. Processing for such purposes will be prohibited where the data subject has given a notice of objection to the processing of the personal data.  A data controller who processes the data despite the objection made by the data subject commits an offence which is punishable by fine not exceeding BWP500 000 or to imprisonment for a term not exceeding nine years, or to both.

Processing sensitive personal data 

Processing sensitive personal data is heavily restricted thereby requiring the data controller to ensure that appropriate security safeguards have been adopted. The processing of sensitive personal data is generally be prohibited save for where:

• the processing is specifically provided for under the DPA;
• the data subject has given consent in writing;
• the data subject has made the data public;
• the processing is necessary for national security, for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with employment, or where the processing is authorized by any other written law for any reason of substantial interest to the public; or
• the processing is necessary to protect the vital interest of a data subject and another person in a case where consent cannot be given by or on behalf of the data subject, the data controller cannot be reasonably expected to obtain consent or the consent by or on behalf of the data subject has been unreasonably withheld.

Bodies or entities, not being a commercial bodies or entities, which have political, philosophical, religious or trade union objects are allowed to process sensitive personal data relating to the political, philosophical, religious or trade union objects concerning the members of that body or entity, or any other person who the body or entity regularly exchanges information with. Such processing by an entity or body is allowed if it is done in the course of its legitimate activities and with appropriate guarantees. It should also be noted that this sensitive personal data may be provided to a third party only where the data subject has given written consent.

Furthermore, processing of sensitive personal data for health or medical purposes is allowed where the processing is done by a health professional and is necessary for preventative medicine as well as protection of public health, medical diagnosis, health care or the management of health and hospital care services.

Processing sensitive personal data is also allowed where it is for research, scientific and statistics purposes so long as the processing is compatible with specified, explicitly stated and legitimate purposes. In the case of research and scientific purposes, the Commissioner must have approved the processing on the advice of a committee responsible for research and scientific ethics, whilst in the case of statistics, the processing must be necessary for the purposes provided under the Statistics Act (Cap 17:01).

There is a general prohibition against processing genetic and biometric data for what it reveals or contains. The prohibition does not apply where such data is processed in accordance with the general requirements for processing sensitive personal data as outlined above. Where genetic and biometric data is processed for medicinal purposes and the consent of the data subject has been granted, the processing must only be effected where a unique patient identification number is given to the data subject. This patient number must be different from any other identification number possessed by the data subject.

Sensitive personal data may also be processed for legal purposes where it is necessary in connection with any legal proceedings including prospective proceedings, for the purposes of obtaining legal advice, for establishing, exercising or defending legal rights, or for the administration of justice.

With respect to a data subject’s identity card number, processing in the absence of the data subject’s consent is only allowed where the processing is clearly justifiable having regard to the purpose of the processing, the importance of a secure identification or any valid reason as may be prescribed.

During the processing operation where personal data is obtained directly from the data subject, the data controllers and data processors are required to furnish to the data subject with the following information, except where the data subject already has the information:

• The identity and habitual residence or principal place of business;
• The purpose of the processing;
• The existence of the right to object to the intended processing if the processing is for purposes of direct marketing;
• Any other additional information if it will ensure fair processing, which may include the recipient or category of recipients, whether the reply to any question posed is obligatory or voluntary and the possible consequences of failure to reply as well as the existence of the right to access, rectify, delete the data concerning the data subject; or
• Any other information necessary for the specific nature of the processing, to guarantee fair processing in respect of the data subject.

A person who has access to personal data and is acting under the authorisation of the data controller or the data processor must process personal data only as instructed and without prejudice to any duty or restriction imposed by law. A contravention of this amounts to an offence which is punishable by a fine not exceeding BWP 20,000 or to imprisonment for a term not exceeding one year, or to both. 

Where personal data is processed without the required authorisation, such processing amounts to an offence which is punishable by a fine not exceeding BWP 100, 000 or to imprisonment for a term not exceeding three years, or to both.

It is mandatory to safeguard the security of personal data by taking appropriate technical and organisational security measures necessary to protect the personal data from negligent or unauthorised destruction, negligent loss or the alteration, unauthorised access and any other unauthorised processing of personal data. 

When taking appropriate technical and organisational security measures necessary to protect the personal data, the person doing so must ensure an appropriate level of security by taking into account: 

• technological developments of processing personal data, and the costs for implementing the security measures; and
• the nature of the personal data to be protected and the potential risks involved.

Additionally, when outsourcing processing of personal data, the data processor to be chosen must be one who gives sufficient guarantees regarding the technical and organisational security measures in place for the processing to be done. The data controller or processer who outsources must ensure that the said measures are complied with.

Under the LGPD, collecting and processing are referred to as "data treatment", and defined as all operations carried out with personal data, such as:

• Collection
• Production
• Reception
• Classification
• Utilization
• Access
• Reproduction
• Transmission
• Distribution
• Processing
• Filing
• Storage
• Elimination
• Evaluation
• Control
• Modification
• Communication
• Transfer
• Diffusion, or
• Extraction

The processing of personal data may only be carried out based on one of the following legal bases:

• With data subject consent
• To comply with a legal or regulatory obligation by the controller
• By the public administration, for the processing and shared use of data which are necessary for the execution of public policies provided in laws or regulations or contracts, agreements or similar instruments
• For carrying out studies by research entities, ensuring, whenever possible, the anonymization of personal data
• For the execution of a contract or preliminary procedures related to a contract to which the data subject is a party
• For the regular exercise of rights in judicial, administrative or arbitration procedures
• As necessary for the protection of life or physical safety of the data subject or a third party
• For the protection of health, exclusively, in a procedure carried out by health professionals, health services or sanitary authorities
• To fulfill the legitimate interests of the controller or a third party, except in the case of prevailing the fundamental rights and freedoms of the data subject, and
• For the protection of credit

Notwithstanding the above, personal data processing must be carried out in good faith and based on the following principles:

• Purpose
• Suitability
• Necessity
• Free access
• Quality of the data
• Transparency
• Security
• Prevention
• Nondiscrimination, and
• Accountability

As for the processing of sensitive personal data, the processing can only occur when the data subject or their legal representative consents specifically and in highlight, for specific purposes; or, without consent, under the following situations:

• As necessary for the controller’s compliance with a legal or regulatory obligation
• Shared data processed as necessary for the execution of public policies provided in laws or regulations by the public administration
• For carrying out studies by research entities, ensuring, whenever possible, the anonymization of personal data
• For the regular exercise of rights, including in a contract or in a judicial, administrative or arbitration procedure
• Where necessary for the protection of life or physical safety of the data subject or a third party
• The protection of health, exclusively, in a procedure performed by health professionals, health services or sanitary authorities, or
• To prevent fraud and protect the safety of the data subject

The controller and operator must keep records of the data processing operations they carry out, mainly when the processing is based on a legitimate interest.

In this sense, the ANPD may determine that the controller must prepare an Impact Report on Protection of Personal Data, including sensitive data, referring to its data processing operations, pursuant to regulations, subject to commercial and industrial secrecy. The report must contain at least a description of the types of data collected, the methodology used for collection and for ensuring the security of the information, and the analysis of the controller regarding the adopted measures, safeguards and mechanisms of risk mitigation.

On January 28, 2022, the ANPD published Regulation CD/ANPD 02/2022, which provides special rules on the application of the LGPD to small businesses, startups, and innovative companies, as defined by the law, except to those performing data processing activities which incur in high risks for data subjects.¹ This Regulation includes certain exemptions and flexibilities, reducing obligations under the law.  For example a simplified template of records of data processing activities, which will be made available by the ANPD.

Data controllers are responsible for compliance with certain privacy and data protection principles applicable to the personal data it processes. Data controllers are also responsible for ensuring that the principles are complied with, where personal data is processed on the data controller’s behalf (e.g., by its vendors).

Under these principles:

• a data controller shall not process personal data (other than sensitive personal data) without the express consent of the data subject, or transfer personal data outside of the British Virgin Islands without proof of adequate data protection safeguards or consent from the data subject, unless either of the Exceptions defined under the heading “Transfer” exists (the General Principle)
• a data controller must inform a data subject of: (a) the purposes for processing; (b) information as to the source of the personal data; (c) the rights to request access to and correction of the personal data; (d) how to contact the data controller; (e) the class of third parties to whom the personal data will be disclosed; and (f) whether the data is obligated to supply the personal data, and if so, the consequences of not supplying same (the Notice and Choice Principle)
• no personal data shall be disclosed without the consent of the data subject for any purposes other than the purpose for which the personal data was to be disclosed at the time of collection or to any party other than a third party of the class of third parties noted above (the Disclosure Principle)
• a data controller must take practical steps to protect personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration, or destruction by having regard to (a) the nature of the personal data and the harm that would result from any loss, misuse, etc.; (b) the place or location where the personal data is stored; (c) any security measures incorporated into any storage equipment; (d) the measures taken for ensuring the reliability, integrity, and competence of personnel having access to the personal data; and (e) the measures taken for ensuring the secure transfer of the personal data (the Security Principle)
• personal data shall not be kept longer than is necessary for the fulfillment of the purpose of processing, and data controllers must take all reasonable steps to ensure that personal data is destroyed or permanently deleted if no longer required for the purpose for which it was to be processed (the Retention Principle)
• a data controller shall take reasonable steps to ensure that personal data is accurate, complete, not misleading, and kept current (the Data Integrity Principle), and
• data subjects shall be given access to their personal data and be able to request corrections where the personal data is inaccurate, incomplete, misleading, or not current (the “Access Principle”)

At present not a regulated activity.

Under the PDPO framework set out in the Public Consultation Paper, organizations may collect, use or disclose personal data about an individual for purposes that a reasonable person would consider appropriate in the circumstance.

It is anticipated that under the PDPO organizations may collect, use or disclose personal data where:

• they have the prior consent of the individual;
• unless otherwise required or authorized by law; or
• an exception in the PDPO applies.

Where consent is required, it is anticipated that the PDPO will not specifically prescribe the manner in which consent may be given and that the PDPO will recognize that consent may be explicit or implicit through an individual’s actions or inactions, depending on the circumstances, and thereby allowing organizations flexibility as to how they obtain consent. That said, it is anticipated that the PDPO would require organizations to look to express consent as the first port of call and only rely on deemed consent or the exceptions to consent if obtaining consent is impractical or if they have otherwise failed to obtain express consent.

It is anticipated that under the PDPO consent must be validly obtained and consent would not be valid where:

• consent is obtained as a condition of providing a product or service and such consent is beyond what is reasonable to provide the product or service to the individual; the principle being that organizations should not collect more personal data than is reasonable and necessary; and
• where false or misleading information was provided in order to obtain or attempt to obtain the individual’s consent for collecting, using or disclosing his personal data.

As part of obtaining valid consent, it is anticipated that the PDPO will require organizations to provide the individual with information on:

• the purposes for the collection, use or disclosure of his personal data, on or before collecting the personal data; and
• any other purpose for the use or disclosure of personal data that has not been notified to the individual, before such use or disclosure of personal data.

Further, it is anticipated that fresh consent would be required where personal data collected is to be used for a different purpose from which the individual originally consented.

For a minor (a person below the age of 18 years) who is unable to give consent to an organisation to collect, use and disclose his personal data, the organisation will have to obtain consent from a parent or legal guardian of the minor. AITI have expressed their intentions to provide guidance on data processing activities relating to minors in the future.

EU regulation

Data Protection Principles

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under these principles, personal data must be (Article 5):

• processed lawfully, fairly and in a transparent manner (the "lawfulness, fairness and transparency principle");
• collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (the "purpose limitation principle");
• adequate, relevant and limited to what is necessary in relation to the purpose(s) (the "data minimization principle");
• accurate and where necessary kept up-to-date (the "accuracy principle");
• kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which the data are processed (the "storage limitation principle"); and
• processed in a manner that ensures appropriate security of the personal data, using appropriate technical and organizational measures (the "integrity and confidentiality principle").

The controller is responsible for and must be able to demonstrate compliance with the above principles (the "accountability principle"). Accountability is a core theme of the GDPR. Organizations must not only comply with the GDPR but also be able to demonstrate compliance perhaps years after a particular decision relating to processing personal data was taken. Record-keeping, audit and appropriate governance will all form a key role in achieving accountability.

Legal Basis under Article 6

In addition, in order to satisfy the lawfulness principle, each use of personal data must be justified by reference to an appropriate basis for processing. The legal bases (also known lawful bases or lawful grounds) under which personal data may be processed are (Article 6(1)):

• with the consent of the data subject (where consent must be "freely given, specific, informed and unambiguous", and must be capable of being withdrawn at any time);
• where necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract;
• where necessary to comply with a legal obligation (of the EU) to which the controller is subject;
• where necessary to protect the vital interests of the data subject or another person (generally recognised as being limited to 'life or death' scenarios, such as medical emergencies);
• where necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller; or
• where necessary for the purposes of the legitimate interests of the controller or a third party (which is subject to a balancing test, in which the interests of the controller must not override the interests or fundamental rights and freedoms of the data subject. Note also that this basis cannot be relied upon by a public authority in the performance of its tasks).

Special Category Data

Processing of special category data is prohibited (Article 9), except where one of the following exemptions applies (which, in effect, operate as secondary bases which must be established for the lawful processing of special category data, in addition to an Article 6 basis):

• with the explicit consent of the data subject;
• where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and social protection law or a collective agreement;
• where necessary to protect the vital interests of the data subject or another natural person who is physically or legally incapable of giving consent;
• in limited circumstances by certain not-for-profit bodies;
• where processing relates to the personal data which are manifestly made public by the data subject;
• where processing is necessary for the establishment, exercise or defence of legal claims or where courts are acting in their legal capacity;
• where necessary for reasons of substantial public interest on the basis of Union or Member State law, proportionate to the aim pursued and with appropriate safeguards;
• where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, provision of health or social care or treatment of the management of health or social care systems and services;
• where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of health care and of medical products and devices; or
• where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with restrictions set out in Article 89(1).

Member States are permitted to introduce domestic laws including further conditions and limitations for processing with regard to processing genetic data, biometric data and health data.

Criminal Convictions and Offences data

Processing of personal data relating to criminal convictions and offences is prohibited unless carried out under the control of an official public authority, or specifically authorized by Member State domestic law (Article 10).

Processing for a Secondary Purpose

Increasingly, organizations wish to 're-purpose' personal data - ie, use data collected for one purpose for a new purpose which was not disclosed to the data subject at the time the data were first collected. This is potentially in conflict with the core principle of purpose limitation; to ensure that the rights of data subjects are protected. The GDPR sets out a series of factors that the controller must consider to ascertain whether the new process is compatible with the purposes for which the personal data were initially collected (Article 6(4)). These include:

• any link between the original purpose and the new purpose
• the context in which the data have been collected
• the nature of the personal data, in particular whether special categories of data or data relating to criminal convictions are processed (with the inference being that if they are it will be much harder to form the view that a new purpose is compatible)
• the possible consequences of the new processing for the data subjects
• the existence of appropriate safeguards, which may include encryption or pseudonymisation.

If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new purpose are consent or a legal obligation (more specifically an EU or Member State law which constitutes a necessary and proportionate measure in a democratic society).

Transparency (Privacy Notices)

The GDPR places considerable emphasis on transparency, ie, the right for a data subject to understand how and why his or her data are used, and what other rights are available to data subjects to control processing. The presentation of granular, yet easily accessible, privacy notices should, therefore, be seen as a cornerstone of GDPR compliance.

Various information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using clear and plain language (Article 12(1)).

The following information must be provided (Article 13) at the time the data are obtained:

• the identity and contact details of the controller;
• the data protection officer's contact details (if there is one);
• both the purpose for which data will be processed and the legal basis for processing, including, if relevant, the legitimate interests for processing;
• the recipients or categories of recipients of the personal data;
• details of international transfers;
• the period for which personal data will be stored or, if that is not possible, the criteria used to determine this;
• the existence of rights of the data subject including the right to access, rectify, require erasure, restrict processing, object to processing and data portability;
• where applicable, the right to withdraw consent, and the right to complain to supervisory authorities;
• the consequences of failing to provide data necessary to enter into a contract;
• the existence of any automated decision making and profiling and the consequences for the data subject; and
• in addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that further processing, providing the above information.

Somewhat different requirements apply (Article 14) where information has not been obtained from the data subject.

Rights of the Data Subject

Data subjects enjoy a range of rights to control the processing of their personal data, some of which are very broadly applicable, whilst others only apply in quite limited circumstances. Controllers must provide information on action taken in response to requests within one calendar month as a default, with a limited right for the controller to extend this period thereby a further two months where the request is onerous.

Right of access (Article 15)

A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information about the how the data have been used by the controller.

Right to rectify (Article 16)

Data subjects may require inaccurate or incomplete personal data to be corrected or completed without undue delay.

Right to erasure ('right to be forgotten') (Article 17)

Data subjects may request erasure of their personal data. The forerunner of this right made headlines in 2014 when Europe’s highest court ruled against Google (Judgment of the CJEU in Case C-131/12), in effect requiring Google to remove search results relating to historic proceedings against a Spanish national for an unpaid debt on the basis that Google as a data controller of the search results had no legal basis to process that information.

The right is not absolute; it only arises in quite a narrow set of circumstances, notably where the controller no longer needs the data for the purposes for which they were collected or otherwise lawfully processed, or as a corollary of the successful exercise of the objection right, or of the withdrawal of consent.

Right to restriction of processing (Article 18)

Data subjects enjoy a right to restrict processing of their personal data in defined circumstances. These include where the accuracy of the data is contested; where the processing is unlawful; where the data are no longer needed save for legal claims of the data subject, or where the legitimate grounds for processing by the controller are contested.

Right to data portability (Article 20)

Where the processing of personal data is justified either on the basis that the data subject has given his or her consent to processing or where processing is necessary for the performance of a contract, then the data subject has the right to receive or have transmitted to another controller all personal data concerning him or her in a structured, commonly used and machine-readable format (eg, commonly used file formats recognized by mainstream software applications, such as .xsl).

Right to object (Article 21)

Data subjects have the right to object to processing on the legal basis of the legitimate interests of the data controller or where processing is in the public interest. Controllers will then have to suspend processing of the data until such time as they demonstrate “compelling legitimate grounds” for processing which override the rights of the data subject.

In addition, data subjects enjoy an unconditional right to object to the processing of personal data for direct marketing purposes at any time.

The right not to be subject to automated decision making, including profiling (Article 22)

Automated decision making (including profiling) "which produces legal effects concerning [the data subject] … or similarly significantly affects him or her" is only permitted where:

1. necessary for entering into or performing a contract;
2. authorized by EU or Member State law; or
3. the data subject has given their explicit (ie, opt-in) consent.

Further, where significant automated decisions are taken on the basis of grounds (a) or (c), the data subject has the right to obtain human intervention, to contest the decision, and to express his or her point of view.

---

Bulgaria regulation

The Personal Data Protection Act does not repeat the core provisions of the GDPR relating to collection and processing of personal data in its body. However, following the direct effect of the GDPR in all EU member states, the provisions of the regulation in this respect shall be applied in all cases of data collection and processing. The Personal Data Protection Act explicitly previews that in case the data subject provides his / her personal data to a data controller or a data processor in breach of Art. 6, para (1) (legal grounds for processing) and Art. 5 (principles for data processing) GDPR, the data controller / data processor should have to immediately return the data or delete / destroy the data within one month of becoming aware of the breach (art. 25a of the Personal Data Protection Act).

The Personal Data Protection Act also introduces additional rules relating to specific data processing situations:

• Conditions applicable to child's consent in relation to information society services – The Personal Data Protection Act introduces a lower age of the data subject, under which the consent of a parent or a guardian would be required for the lawful processing of personal data of a child, including in cases of direct provision of information society services. Under the Personal Data Protection Act if the data subject is under 14 years old, a consent by a parent exercising the parental rights or by guardian of the data subject is required for the lawful processing of the data.
• Processing of personal identification number – Under the Personal Data Protection Act, public access to personal identification number / personal identification number of a foreigner ('PIN / PINF') shall be granted only if required by law. Data controllers providing electronic services should undertake appropriate technical and organizational measures to prevent the PIN/PINF from being the sole identifier for the use of their services.
• Processing and freedom of expression and information — Where personal data is processed for the exercise of freedom of expression and information, including for journalistic purposes and for the purposes of academic, artistic or literary expression, the data controller should assess the lawfulness of such processing in each particular case. The Personal Data Protection Act sets a number of assessment criteria to be used by data controllers / processors in the assessment of the lawfulness of processing such as the type of the personal data processed, the impact of the public disclosure on the privacy of the data subject and his / her reputation etc. However, the Bulgarian Constitutional Court (Decision Nr.8 dated November 15,2019) declared the assessment criteria set forth by the Personal Data Protection Act to be unconstitutional. More particularly, the criteria were found to be unclear and therefore creating unpredictability and legal uncertainty and restricting disproportionally the freedom of expression and information. Based on this decision, the above-mentioned criteria do no longer apply. The balancing test between the freedom of expression and the right to information and the protection of personal data shall me made on a case-by-case basis taking into consideration the specific circumstances and interests in presence. Further guidance in this respect was provided in a recent decision of the Supreme Administrative Court (Decision Nr. 11636 dated November 16, 2021), which clarified how the balance between these competing rights shall be assessed in each individual case.
• Processing in the context of employment – The Personal Data Protection Act regulates explicitly certain matters related to personal data processing in the context of an employment relationship. Employers may take copy of employee's identification documents, driving license or residence document only if required by law. In addition, according to a statement by the Commission for Personal Data Protection information for the criminal background of the employees can also be processed by employers only if explicitly provided for by law. Other legal grounds, such as consent or the legitimate interest cannot be applied for the processing of criminal records information. Most recently, the Commission for Personal Data Protection has adopted several opinions concerning the processing of employee health data by employers in the context of Covid-19; in particular, the latter provide that employers:
  • cannot request information from a remote-working employee whether he / she (or any of his / her family members) has tested positive for Covid-19; such information can only be disclosed voluntarily by the employee;
  • may provide anonymized information to their employees about established Covid-19 cases in the company (i.e. without revealing the identity of the infected employee(s));
  • can order / organize Covid-19 group testing of employees, without processing or having access to the test results - since the latter contain sensitive health data, they can only be processed by competent health authorities;
  • may process only aggregated data for the vaccination status of the employees, gathered voluntary and on anonymous basis by the appointed Labour Medicine Office (a third party service provider in the field of occupational medicine, that each employer shall appoint) for the purposes of risk assessment of the health and safety conditions at the workplace.

Employers should adopt rules and procedures for:

• the use of breach reporting system;
• restrictions on the use of internal company resources;
• introduction of systems for control access, working time and labor discipline.

These rules and procedures shall contain information on the scope, obligations and methods with respect to their application. The Personal Data Protection Act recognizes that the business purpose of the employer and the nature of the related work processes shall have to be taken into account upon the adoption of the rules and procedures. The rules and procedures will have to be brought to the attention of the employees.

Employers shall further determine a retention period for the personal data collected during the recruitment process, which however may not be longer than six months, unless the candidate consented to a longer period. Where the employer has, for recruitment purposes, requested original or notarized copies of documents certifying the physical and mental fitness of the applicant, the required degree, or the length of service for the previous positions occupied, the employer should return the submitted documents within six months of the conclusion of the recruitment procedure unless otherwise provided by specific law.

• Personal data processing by way of large-scale surveillance of publicly accessible areas — Under the Personal Data Protection Act data controllers and data processors shall adopt internal rules for the processing of personal data through systematic large-scale surveillance of publicly accessible areas, including via video surveillance. These rules should put in place appropriate technical and organizational measures to ensure the protection of data subjects' rights and freedoms. The Personal Data Protection Act provides a definition for 'large-scale' — a systematic monitoring and / or processing of personal data of an unlimited number of data subjects. The rules for personal data processing through large-scale surveillance of publicly accessible areas shall define the legal grounds and objectives for the introduction of a monitoring system, the location, scope and means of monitoring / surveillance, retention periods for the information records and their deletion, the right of review by the persons being subject to surveillance, the means of informing the public about the monitoring carried out, as well as the restrictions on granting access to such information to third parties. The minimum requirements for data controllers / data processors with respect to the aforementioned obligations shall be published on the website of the Commission for Personal Data Protection.

Processing of personal data of deceased persons

The Personal Data Protection Act stipulates, that when processing the personal data of deceased persons data controllers shall have to take appropriate measures to prevent the rights and freedoms of others and the public interest from being adversely affected. In such cases, the data controller may retain the data only if there is a legal basis therefor. In addition, data controllers shall provide upon request access to the personal data of a deceased person, including a copy thereof, to his / her heirs or other persons with legal interest.

The controller shall provide information on action taken without delay and in any event within one month as of the receipt of the request. That period may be extended with two further months where necessary. In case there is a delay, the controller shall provide the reasons for the delay.

Where the request has been made by electronic form, the information shall be provided by electronic means, where possible, unless otherwise requested by the data subject.

If the controller does not act on the request, the controller shall inform without delay and at the latest within one month of receipt of the request of the reasons for not taking action and the possibility of lodging a complaint with a supervisory authority and seeking judicial remedy.

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. These include:

• consent and legitimacy: unless otherwise provided by law, data controllers are obligated to obtain consent from the data subject;
• purpose: personal data can only be collected and processed for a specific and legitimate purpose;
• proportionality and relevance: personal data must only be processed in a relevant and necessary manner regarding the purpose and objectives of the processing;
• lawfulness and fairness: data controllers must collect and process data in a fair, lawful, and not fraudulent manner
• data retention: a specified period of time should be determined in advance depending on the purpose of processing to ensure that personal data is not stored indefinitely;
• security and confidentiality: all responsible persons for processing personal data must not only ensure the security of data or files to prevent their destruction, or alteration; but also prevent unauthorised access to personal data contained in a file or intended to form part of the files;
• preliminary formalities: without exception or exemption provided by law, all data controllers shall, depending on the nature of personal data processing, namely notify the CIL or ask his opinion or obtain approval, etc. 

Except where provided otherwise by the law, any processing of personal data shall be carried out with the express consent of the data subject(s). 

The processing of personal data can legally be carried out without the consent of the data subject(s), when it is necessary for:

• the performance of a contract to which the data subject is a party; or
• pre-contractual measures taken at the request of the data subject;
• compliance with a legal obligation to which the controller is subject and when the processing is essential to protect the life of the data subject or that of a third party;
• the purposes of preventive medicine, medical diagnosis, the administration of care or treatment, or the management of health services, provided that it is carried out by a member of a health profession or by another person who, by reason of his / her duties, is bound by professional secrecy;
• the establishment of an offence, a right, or the exercise or defence of a right in a court of law and when the said processing relates to data made public by the data subject.

A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information about the how the data have been used by the controller. It may require inaccurate or incomplete personal data to be corrected or completed without undue delay. 

Data subjects may request erasure of their personal data. It has the right to object to processing on the legal basis of the legitimate interests of the data controller or where processing is in the public interest. Controllers will then have to suspend processing of the data until such time as they demonstrate “compelling legitimate grounds” for processing which override the rights of the data subject. 

Unless an authorisation is required, the law provides that controllers should notify all processing to the CIL. The following are exempt from the notification requirement to CIL:

• temporary copies that are made as part of the technical activities of transmission and provision of access to a digital network for the purpose of automatic intermediate and transitory storage of data for the sole purpose of allowing other recipients of the service the best possible access to the information;
• processing carried out by a natural person for the exercise of exclusively personal or domestic activities;
• disclosed to third parties and not used to support actions or decisions against an individual;
• automated processing of personal data for the purpose of research in the field of health;
• automated processing of personal data carried out on behalf of the State, a public institution, a local authority or a legal person under private law managing a public service. 

With respect to day-to-day processing of data which do not infringe on privacy or freedoms, the Law provides that the CIL establishes and publishes 'simplified norms,' which shall include certain information, including:

• the date of the declaration;
• the full name and address or the name and headquarters of the person making the request and the person who has the power to decide on the creation of the data processing (data controller) or, if he or she resides abroad, his or her representative in Burkina Faso;
• the characteristics, purpose and, if applicable, the name of the data processing operation;
• the department or departments responsible for carrying out the processing;
• the department to which the right of access is to be exercised and the measures taken to facilitate the exercise of this right
• the categories of persons who, by reason of their functions or for the needs of the service, have direct access to the information recorded;
• the personal information processed, its origin and the length of time it is kept, as well as the recipients or categories of recipients authorized to receive this information;
• the reconciliation, interconnection or any other form of linking of this information as well as its transfer to third parties;
• the measures taken to ensure the security of data and information processing and the guarantee of secrets protected by law;
• if the data processing is intended for the dispatch of personal data between the territory of Burkina Faso and abroad in any form whatsoever, including when it is the object of operations partially carried out on the territory of Burkina Faso from operations previously carried out outside Burkina Faso. 

When processing complies with a simplified norm issued by the CIL, no authorisation or notification is required, but only a 'simplified declaration of conformity,' to the said norm is required. The simplified declaration of conformity shall be sent to the CIL. Unless otherwise decided by the CIL, a receipt is issued without delay after the simplified declaration of conformity has been sent to the CIL. As from receiving this receipt, the applicant can start carrying out the processing. 

Except in cases where they are to be authorised by law, automated processing of personal data carried out on behalf of the State, or on behalf of any public institution, local authority, or on behalf of a private legal person operating a public service, must be authorised by decree after the CIL's approval. In the case of a negative opinion by the CIL, an appeal can be lodged to the Administrative Supreme Court (Conseil d’Etat).

Most sector specific laws and regulations that impose confidentiality and data protection requirements apply to covered entities under the law or regulation, and require such entities to maintain the confidentiality of personal information during processing.

As Cambodia has not enacted any dedicated or comprehensive data protection laws, there are no laws or regulations in Cambodia that explicitly and specifically discuss the concept of collection and processing of data. Under current practice, matters pertaining to data protection and privacy generally fall under the right to privacy that is protected in broad terms under Cambodia’s Constitution, specific legal provisions under the Civil Code, the Criminal Code, and other specific laws such as the Banking Law and the E-Commerce Law. However, none of the legislations mention a consent requirement.

Under the Draft Law on Personal Data Protection, which is subject to further revisions, the term “data controller” is defined as a natural person, private legal entity, public establishment of administrative character, or public entry that determines the purpose and means of collecting, using, or disclosing personal data. On the other hand, a “data processor” is defined as a natural person, private legal entity, public establishment of administrative character, or public entry that processes personal data on behalf of a data controller or public authority.

The Draft Law on Personal Data Protection contains provisions on consent requirement for collecting, using, or disclosing personal data and further stipulates that the principles of personal data protection include:

• lawfulness, fairness, and transparency;
• purpose limitation;
• accuracy of personal data;
• retention limitation;
• security safeguards; and
• accountability.

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. These include:

• Consent and legitimacy: unless otherwise provided by law, data controllers are obligated to obtain consent from the data subject
• Purpose: personal data can only be collected and processed for a specific and legitimate purpose
• Proportionality and relevance: personal data must only be processed in a relevant and necessary manner regarding the purpose and objectives of the processing
• Lawfulness and fairness: data controllers must collect and process data in a fair, lawful, and not fraudulent manner
• Data retention: a specified period of time should be determined in advance depending on the purpose of processing to ensure that personal data is not stored indefinitely.
• Security and confidentiality: all responsible persons for processing personal data must not only ensure the security of data or files to prevent their destruction, or alteration; but also prevent unauthorized access to personal data contained in a file or intended to form part of the files
• Prior formalities: the processing of personal data and any interconnection and interoperability of sensitive data files relating to minors is subject to prior authorisation from the data protection authority.

Canadian Privacy Statutes set out the overriding obligation that organizations only ‎collect, use and disclose personal information for purposes that a reasonable person ‎would consider appropriate in the circumstances.‎

Subject to exceptions prescribed in Canadian Privacy Statutes, meaningful and informed consent is generally required for the ‎collection, use and disclosure of personal information. Depending on the sensitivity of ‎the personal information, consent may need to be presented as opt-in or opt-out. Under the Quebec Private Sector Act, consent must be “clear, free and informed and be given for specific purposes”: this is generally interpreted as requiring opt-in consent in most situations, however depending on the context and sensitivity of the information, opt-out or implicit consent may, in certain specific situations, be considered valid. Organizations must limit ‎the collection of personal information to that which is necessary to fulfil the identified ‎purposes and only retain such personal information for as long as necessary to fulfil the ‎purposes for which it was collected or as otherwise required by law.‎

Each of the Canadian Privacy Statutes have both notice and openness/transparency ‎requirements.  With respect to notice, organizations are generally required to identify ‎the purposes for which personal information is collected at or before the time the ‎information is collected.  With respect to openness/transparency, generally Canadian ‎Privacy Statutes require organizations make information about their personal ‎information practices readily available.‎

All Canadian Privacy Statutes contain obligations on organizations to ensure personal ‎information in their records is accurate and complete, particularly where the information ‎is used to make a decision about the individual to whom the information relates or if the ‎information is likely to be disclosed to another organization.‎

Each of the Canadian Privacy Statutes also provides individuals with the following:‎

• A right of access to personal information held by an organization, subject to limited ‎exceptions;
• A right to correct inaccuracies in/update their personal information records; and‎
• A right to withdraw consent to the use or communication of personal information.

In addition to these rights, the Quebec Private Sector Act, as modified by Bill 64, gives individuals the right to have their personal information deindexed if the dissemination of the information contravenes the law or a court order. Quebec individuals also have a right to data portability, meaning that individuals can request that their personal information be communicated to them in a structured, commonly used technological format or that it be communicated to any person or body authorized by law to collect such information.

Finally, organizations must have policies and practices in place that give effect to the ‎requirements of the legislation and organizations must ensure that their employees are ‎made aware of and trained with respect to such policies.‎

The collection and processing of personal data is subject to the rules laid down in the Data Protection Law. As a general note, personal data processing operations may only be undertaken once one of the following requirements are met:

• consent;
• performance of a contract;
• legitimate interests;
• public interests;
• vital interests of data subject; or 
• legal duty. 

Moreover, as previously stated, there are some cases (referred to above) in which the collection and processing of personal data is subject to prior authorization from the data protection authority.

A data controller is responsible for compliance with a set of eight core principles which apply to the personal data that the data controller processes.  A data controller is also responsible for ensuring that the principles are complied with in relation to personal data processed on the data controller's behalf.

Under these principles:

• Personal data must be processed fairly, lawfully and in a transparent manner;
• Personal data must be obtained for specified lawful purposes and not further processed in any manner incompatible with those purposes;
• Personal data must be adequate, relevant and not excessive in relation to the purposes;
• Personal data must be accurate and where necessary kept up-to-date;
• Personal data must not be kept for longer than is necessary for the purposes it was collected for;
• Personal data must be processed in accordance with the rights of data subjects under the DPA;
• Appropriate technical and organizational measures must be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data; and
• Personal data must not be transferred to a country or territory unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

For purposes of the first principle (fair and lawful processing), personal data will not be treated as processed fairly unless the data subject has, as soon as reasonably practicable, been provided with, at a minimum, the identity of the data controller and the purpose for which the data are to be processed.  This is usually communicated in the form of a privacy notice.

In order for the processing to be considered lawful, the processing must be justified by reference to an appropriate basis.  The legal bases (also known as lawful grounds) for processing personal data are:

• The data subject has given consent to the processing (where consent must be freely given, specific, informed and unambiguous and must be capable of being withdrawn at any time);
• The processing is necessary for the performance of a contract to which the data subject is a party, or to take steps at the request of the data subject with a view to entering into a contract;
• The processing is necessary for compliance with a legal obligation to which the data controller is subject;
• The processing is necessary to protect the vital interests of the data subject;
• The processing is necessary for the administration of justice or the exercise of a function by a public authority or conferred under law or other function of a public nature exercised in the public interest; and
• The processing is necessary for the purposes of legitimate interests pursued by the data controller or a third party to whom the data is disclosed, except if the processing is unwarranted by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

Sensitive personal data

In order for the processing of sensitive personal data to be considered lawful, in addition to meeting one of the above legal bases, one of the following conditions must be met:

• The data subject has given consent to the processing (where consent must be freely given, specific, informed and unambiguous and must be capable of being withdrawn at any time);
• The processing is necessary for the purposes of exercising or performing a right or obligation conferred or imposed by law on the data controller in connection with the data subject's employment;
• The processing is necessary to protect the vital interests (i) of the data subject or another person, in a case where consent cannot be given by or on behalf of the data subject, or the data controller cannot reasonably be expected to obtain the consent of the data subject; or (ii) of another person, in a case where consent by or on behalf of the data subject has been unreasonably withheld;
• The processing is carried out by a not-for-profit body in certain limited circumstances;
• The information contained in the personal data has been made public as result of steps taken by the data subject;
• The processing is necessary for the purposes of legal proceedings, obtaining legal advice or otherwise establishing, exercising or defending legal rights;
• The processing is necessary for the administration of justice or the exercise of a function by a public authority or conferred under law; or
• The processing is necessary for medical purposes and is undertaken by a health professional or person who owes an equivalent duty of confidentiality.

Rights of the Data Subject

Right of access

Upon written request, a data subject is entitled to be informed by a data controller of whether their personal data are being processed by or on behalf of the data controller and, if so, to be given a description of such personal data together with prescribed information about how the data have been used by the data controller.  A data subject is also entitled, upon written request, to a copy of their personal data and any information available as to the source of such personal data.  A data controller is generally required to comply with such a request within 30 days.

Right to object to processing

A data subject is entitled, at any time by notice in writing, to require a data controller to cease processing, or not to begin processing, or to cease processing for a specified purpose or in a specified manner, the data subject's personal data.  A data controller is required to comply with such a notice as soon as practicable and in any case within 21 days, unless the processing is necessary:

• for the performance of a contract to which the data subject is a party or the taking of steps at the request of the data subject with a view to entering into a contract;
• for compliance with a legal obligation to which the data controller is subject; or
• in order to protect the vital interests of the data subject.

In addition, data subjects have an unconditional right to require a data controller at any time to cease (or not to begin) processing their personal data for the purposes of direct marketing.

Rights in relation to automated decision-making

A data subject is entitled, at any time by notice in writing, to require a data controller to ensure that no decision taken by or on behalf of the data controller that significantly affects the data subject is based solely on the processing by automatic means of the data subject's personal data for the purpose of evaluating the data subject's performance at work, creditworthiness, reliability, conduct or any other matters relating to the data subject.

Where a decision that significantly affects a data subject is based solely on processing by automatic means, subject to certain exceptions, the data controller is required as soon as reasonably practicable to notify the data subject that the decision was taken on that basis, and the data subject is then entitled to require the data controller to reconsider the decision.

Right to rectification

The DPA includes an indirect right for individuals to have inaccurate personal data rectified, by making such a request to the data controller.  There is no explicit obligation for a data controller to act on such a request, however data controllers are generally required under the principles to process data fairly and transparently and ensure that personal data is accurate and kept up-to-date.

Any person may make a complaint to the Ombudsman about the processing of personal data and the Ombudsman may order the data controller (among other things) to rectify, block, erase or destroy the relevant data.

Data collection and processing are subject to the following principles and requirements:

• The collection, recording, processing, storage, and transmission of personal data must be lawful, fair, and not fraudulent;
• Data must be collected for specified, explicit, and legitimate purposes;
• Data must be relevant and not excessive in relation to the purposes for which they are collected and further processed;
• Data must be kept for a period not exceeding the period necessary for the purposes for which they were collected / processed;
• The data collected must be accurate and, if necessary, updated whenever necessary;
• Data controller must inform the data subject of any personal data processing operation that involves personal data; and
• Personal data must be treated confidentially and protected. 

Rights of the data holders / subjects

• To be informed: Pursuant to Article 35 and seq. of the Act, the data controller must inform the data subject of:
  • the identity of the data controller and its representative (if any);
  • the purposes of the processing;
  • the category of data concerned;
  • the recipients or categories of recipients of the data;
  • the right to object to the collection of such data;
  • the right to access the collected data and have it edited;
  • the duration of the processing; and
  • details on any intended transfer of the data. 
• To access: Pursuant to Article 38 of the Act, data subjects have a right of access and they can obtain the following from the data controller:
  • information allowing for data subjects to be aware of and the possibly to contest the processing;
  • confirmation of whether his / her personal data forms part of the processing;
  • copy of his / her personal data as well as any available information on the origin of the data; and
  • information relating to the purposes of the processing, categories of data processed, recipients, or categories of recipients, to whom the data are disclosed, and information relating to the transfer of personal data outside the country.
• To rectification: In light of the provisions of Article 48 of the Act, any data subjects may require that the data controller rectifies their personal data if it is inaccurate, incomplete, unclear, or expired, or if the collection, usage, disclosure, or retention of the data is prohibited;
• To erasure: In light of the provisions of Article 48 of the Act, any data subjects may require that the data controller deletes their personal data if it is inaccurate, incomplete, unclear, or expired, or if the collection, usage, disclosure, or retention of the data is prohibited;
• Right to object / opt-out: Pursuant to Article 45 of the Act, any data subject has the right to object, with legitimate reasons, to the processing of his / her personal data. The data subject also has the right to be informed before his / her personal data is communicated or used by a third party and also to object the communication or the use of the personal data.

According to the PDPL, personal data may be processed in the following cases:

• With informed, prior and written consent given by the data subject
• If authorized by legal provisions
• If the personal data comes from publicly accessible sources, and the data:
  • are of financial, banking or commercial nature, or
  • are contained in lists related to a category of persons that merely indicate background information such as the individuals´ membership in that category, his/her profession or activity, educational qualifications, address or date of birth, or
  • are required for direct response commercial communications or direct marketing or sale of goods or services

• Furthermore, personal data may be processed without the data subject’s consent if they are processed by private entities for their exclusive use, or that of their associated or affiliated entities use, for statistical, pricing or other purposes of general benefit to them. In practice, this exception is not of significant importance.

Collection

Consent

In general, express, informed consent is required from the data subject before personal information can be collected, used, transferred or otherwise processed. In certain circumstances, such as collecting or processing sensitive personal information, overseas data transfers and direct marketing, separate consent (i.e. explicit consent specific to the processing activity / transfer (rather than just general consent to the privacy notice, expressed through an affirmative action) is required from the data subject. Collection from individuals under 14 years old is prohibited unless explicit consent is obtained from their legal guardians.  

In addition, the PIPL requires separate consent to be obtained for:

• processing sensitive personal information;
• overseas transfers;
• public disclosure of personal information;
• to provide data to another data controller for processing; and
• use of image or identification data collected in public through image or identification device for purposes other than maintaining public security.

Whilst there is no clear definition of what "separate consent" constitutes in practice, it appears to suggest that organisations should avoid bundled or forced consent.

The PIPL also introduced limited circumstances (i.e. lawful bases) in which personal information can be processed without consent, including:

• entering into or fulfilling a contract where the data subject is a named party;
• carrying out human resources management under an employment policy legally established or a collective contract legally concluded;
• fulfilling legal obligations (which may be helpful in the context of regulatory investigations);
• protecting the interests of natural person during any public health emergency or otherwise responding to a public health emergency, or in an emergency to protect the safety of natural persons’ health and property; 
• carrying out news reporting and public opinion monitoring for public interests; 
• the personal information being processed is already made public legally and the processing is within the reasonable scope and in accordance with the requirements of the PIPL; and
• as required by law (e.g. where required to disclose information under another PRC law).

However, in practice, it is unclear how these lawful bases could be relied upon. Consent remains the primary basis for lawful data processing, and it is anticipated this will continue in practice.

Notice

In addition to obtaining consent, a data controller (i.e. the organization who has the authority to determine the purposes, means or method of processing) should provide data subjects with a privacy policy or other form of notice, informing them of the scope and ways in which their personal information is collected, processed and disclosed, including the following information:

• the identity of the data controller, including its registered name, registered address, principal office, a telephone number and / or an e-mail address;
• a list of personal information collected for each business purpose. Where sensitive personal information is involved, relevant consent shall be explicitly marked or highlighted;
• the location of storage, retention period, means of use / processing and scope of the personal information collected; the purposes sought by the data controller, i.e. what the data controller uses the data for (for instance, supplying goods and services, creating a user account, processing payments, managing subscriptions to the newsletters, etc.). These should be as comprehensive as possible, as additional purposes will require new consent;
• circumstances under which the data controller will transfer, share, assign personal information to third party processors (including intra-group entities) or publicly disclose personal information, the types of personal information involved in these circumstances, the types of third party data recipients, and the respective security and legal responsibilities of the entities;
• circumstances under which the data controller will transfer, share or assign personal information to third party controllers, the names and contact information of third party controllers, purpose and means of processing and personal information categories;
• circumstances under which the personal information will be transferred, accessed or stored outside of the PRC, the names and contact information of overseas recipients, purpose and means of processing, personal information categories and the means and procedures for individuals to exercise their data subject rights against the overseas recipients; 
• the rights of data subjects and mechanisms for them to exercise such rights, e.g. methods to access, rectify or delete their personal information, to de-register their accounts, withdraw their consent, obtain copies of their personal information and restrict automated decision by the data system etc.;
• potential risks for providing personal information, as well as possible consequences for not providing the data; data security capabilities of, and data security protection measures to be adopted by, the data controller and, when necessary, the compliance certificates related to data security and personal information protection; and
• channels and procedures for making inquiries and lodging complaints by data subjects, as well as external dispute settlement body and contact information.

The information in the privacy policy must be true, accurate and complete. The contents of the privacy policy must be clear and easy to understand, and ambiguous language should be avoided. The privacy policy should be made available to the data subject when collecting consent, and published publicly and easily accessible, for example, through a link placed prominently on a webpage or an installation page of a mobile application. When changes occur to the information provided in the privacy policy, the data subjects should be notified of such changes and (depending on the extent of changes made) further consent may need to be obtained.

Processing

Collection and processing of personal information must be directly related to the purpose of processing specified in the privacy notice.

Excessive data collection must be avoided. Interestingly the provisions of the PIPL around data minimization appear to be targeted at apps and big data analytics. On March 1, 2022, the Administrative Provisions on Recommendation Algorithms in Internet-based Information Services came into effect, which require recommendation algorithm-based service providers to establish management systems and technical measures for data security and personal information protection.

Additional restrictions are placed on use of biometric data collected in public places.

There are prohibitions on illegal collection, use, processing, sale, disclosure and transfer of personal information.

Impact assessment and record-keeping

The PIPL requires data controllers to undertake personal information impact assessments (PIIA) and to retain the results and processing records (for three years) in the following circumstances:

• processing of sensitive personal information;
• using personal information to conduct automated decision-making;
• appointing a data processor;
• providing personal information to any third party (likely to include sharing with group companies);
• public disclosure of personal information;
• overseas transfer of personal information; and
• any other processing activities that may have "significant impact to an individual".

A PIIA should include an assessment on:

• whether the purpose of use and means of processing is legitimate, proper and necessary;
• impacts and risks to individual's interests; and
• applicability of protection measures and risk appetite.

The "Guidance for Personal Information Security Impact Assessment" (PIIA Guidelines) (published by the National Standardization Technical Committee for Information Security) came into force on June 1, 2021.

Compliance audit

The PIPL requires data controllers to conduct compliance audits of their personal information processing activities on a regular basis. In addition, if the data regulator finds significant risks involved in a data controller’s processing, or where data incidents occur, the data regulator may request the data controller to engage third party professional organizations to conduct compliance audits.

Data protection compliance audits should now be prioritized following the publication (for public consultation) of the "Draft National Standard of Data Security Technology – Personal Information Protection Compliance Audit Requirements" ("Draft Compliance Audit Standard") on July 12, 2024. This sets out comprehensive audit requirements and procedures, and includes in its Schedule C a list of 37 groups of specific processing operations that must be checked in an audit, as well as the relevant PIPL requirements.

The processing of financial data, credit records and commercial information, collected in Colombia or abroad, does not require authorization from the Data Subject. However, this information may only be disclosed to:

• The Data Subject or authorized third parties, pursuant to the procedure established by law
• The Users of the Data
• Any judicial or jurisdictional authority upon request
• Any control or administrative authority, when an investigation is ongoing
• Data processors, with the Data Subject’s authorization, or when no authorization is needed , and the database aims for the same objective or involves an activity that may cover the purpose of the disclosing data processor

On the contrary, Law 1581, requires the authorization of the Data Subject for the data controller to process private and semi-private personal data. For the authorization to be valid it must be obtained prior to the data processing and must be "informed", meaning that the data subject must have been made aware of the exact purposes for which the data is being processed. Decree 1377 requires the following:

• Personal data shall only be collected and processed in accordance with the purposes authorized by the Data Subject.
• Such authorization may be obtained by any means, provided that it allows subsequent consultation.   

Authorization is not required when:

• A public or administrative entity demands the information through a judicial order or exercising its legal duties.
• It is public data.
• A medical or sanitary urgency requires the processing of personal data. 
• The data processing is authorized by law for historical, statistical or scientific purposes.
• The data is related to people’s birth certificates.

Regarding sensitive personal data, Section 6 of Decree 1377 states that the data controller shall do the following: 

• Expressly inform the Data Subject that he or she is not compelled to provide sensitive personal data
• Expressly identify what data to be collected and processed is sensitive and
• Obtain the Data Subject's express consent prior to the processing of their sensitive personal data

In any case, silence is not considered a reasonable means of obtaining authorization for personal data or sensitive personal data processing.

Furthermore, when collecting personal data of children, both the data controller and the data processor shall ensure that personal data processed serves and respects the children’s superior interests and guarantees their fundamental rights. For these purposes, the child's legal representative (parent or guardian) must authorize the processing of their child’s personal data.

Privacy policy and privacy notice

Decree 1377 establishes the obligation for data controllers to develop a privacy policy that governs personal data processing and ensures regulatory compliance. For this reason, privacy policies are mandatory for all data controllers and shall be clearly written; Spanish is recommended. Finally, according to the Decree 1377, the minimum requirements for the privacy policy are:

• Name, address, email and phone number of the data controller
• Processes and handling of data and the purpose of such processing
• Rights of the Data Subject
• Individual or department within the data controller that is responsible for the attention to requests, consultations and claims to update, rectify or suppress data and to revoke authorization
• Procedure to exercise the abovementioned rights, and
• Date of creation and effective date

The privacy notice is a verbal or written communication by the data controller, addressed to the data subject, for processing her/his personal data. In this communication, the data subject is informed about the privacy policies of the data controller, the manner to access them and the purposes of the treatment.

Data collection

• Data must be collected in a lawful, fair and non-fraudulent manner Article 15 of Law 2013-450.
• Data must be collected for specified, explicit and legitimate purposes and may not be further processed in a manner incompatible with those purposes.
• The controller must inform the data subject, at the latest at the time of collection of the data, of his identity, the purposes of the processing, the categories of data collected, the recipients, the storage period and his rights (Article 28).
• The consent of the data subject is generally required for the collection and processing of data (Article 14). This consent must be explicit, unequivocal, free, specific and informed.
• There are exceptions to consent where processing is necessary to comply with a legal obligation, to perform a task in the public interest, to perform a contract, or to safeguard the vital interests of the data subject.

Data processing

• Data processing must be carried out in accordance with established principles.
• Data must be adequate, relevant and not excessive in relation to the purposes for which it is collected.
• Data processing must be confidential and carried out exclusively by persons acting under the authority of the data controller and only on its instructions.
• The data controller must take all necessary precautions to prevent the data from being distorted, damaged or accessed by unauthorised third parties. He must also choose a processor who provides sufficient guarantees.
• Sensitive data is subject to specific rules. Their collection and processing are generally prohibited except in certain cases (explicit consent, safeguarding vital interests, etc.).
• Personal data must not be kept beyond the period necessary for the purposes for which it was collected and processed.
• The data controller must guarantee that the data can be used regardless of the technical medium used.

Data processing

• Data processing must be carried out in accordance with the established principles (Articles 14 et seq. of the 2013-450 Law).
• Data must be adequate, relevant and not excessive with regard to the purposes for which they are collected (Article 15).
• Data processing must be confidential and carried out exclusively by persons acting under the authority of the data controller and only on its instructions (Article 39).
• The data controller must take all necessary precautions to prevent the data from being distorted, damaged or accessed by unauthorised third parties. He must also choose a processor who provides sufficient guarantees (Article 40).
• Sensitive data is subject to specific rules. According to Article 13, Their collection and processing are generally prohibited except in certain cases (explicit consent, safeguarding vital interests, etc.).
• Personal data must not be kept beyond the period necessary for the purposes for which they were collected and processed (Article 16).
• The controller must ensure that the data can be used regardless of the technical medium used (Article 44).

Any company may store personal information and manage a database containing it if the following rules are respected:

• When collecting personal information, private companies and/or the government must respect the “sphere of privacy” to which all individuals are entitled

• Such companies must obtain prior, unequivocal, express and valid consent from the owner of the personal information or his or her representative. Such consent must be written (either handwritten or electronic)

• Companies that maintain personal information about others in their databases must ensure that such information is:

• Materially truthful

• Complete and

• Accurate

• Data subjects must be given access to their personal information and are entitled to dispute any erroneous or misleading information about them at any time

• Companies that manage databases containing personal information and that distribute, commercialize or widespread such personal information in any manner, must comply with Law 8968. Particularly, they must comply with the following: 

• Report and register the company and the database with PRODHAB

• Report the technical measures to secure the database

• Protect and respect confidentiality of personal information

• Secure the information contained in the databases

• Establish a proceeding to review requests filed by data subjects for the amendment of any error or mistakes in the database

EU regulation

Data Protection Principles

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under these principles, personal data must be (Article 5):

• processed lawfully, fairly and in a transparent manner (the "lawfulness, fairness and transparency principle");
• collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (the "purpose limitation principle");
• adequate, relevant and limited to what is necessary in relation to the purpose(s) (the "data minimization principle");
• accurate and where necessary kept up-to-date (the "accuracy principle");
• kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which the data are processed (the "storage limitation principle"); and
• processed in a manner that ensures appropriate security of the personal data, using appropriate technical and organizational measures (the "integrity and confidentiality principle").

The controller is responsible for and must be able to demonstrate compliance with the above principles (the "accountability principle"). Accountability is a core theme of the GDPR. Organizations must not only comply with the GDPR but also be able to demonstrate compliance perhaps years after a particular decision relating to processing personal data was taken. Record-keeping, audit and appropriate governance will all form a key role in achieving accountability.

Legal Basis under Article 6

In addition, in order to satisfy the lawfulness principle, each use of personal data must be justified by reference to an appropriate basis for processing. The legal bases (also known lawful bases or lawful grounds) under which personal data may be processed are (Article 6(1)):

• with the consent of the data subject (where consent must be "freely given, specific, informed and unambiguous", and must be capable of being withdrawn at any time);
• where necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract;
• where necessary to comply with a legal obligation (of the EU) to which the controller is subject;
• where necessary to protect the vital interests of the data subject or another person (generally recognized as being limited to 'life or death' scenarios, such as medical emergencies);
• where necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller; or
• where necessary for the purposes of the legitimate interests of the controller or a third party (which is subject to a balancing test, in which the interests of the controller must not override the interests or fundamental rights and freedoms of the data subject. Note also that this basis cannot be relied upon by a public authority in the performance of its tasks).

Special Category Data

Processing of special category data is prohibited (Article 9), except where one of the following exemptions applies (which, in effect, operate as secondary bases which must be established for the lawful processing of special category data, in addition to an Article 6 basis):

• with the explicit consent of the data subject;
• where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and social protection law or a collective agreement;
• where necessary to protect the vital interests of the data subject or another natural person who is physically or legally incapable of giving consent;
• in limited circumstances by certain not-for-profit bodies;
• where processing relates to the personal data which are manifestly made public by the data subject;
• where processing is necessary for the establishment, exercise or defence of legal claims or where courts are acting in their legal capacity;
• where necessary for reasons of substantial public interest on the basis of Union or Member State law, proportionate to the aim pursued and with appropriate safeguards;
• where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, provision of health or social care or treatment of the management of health or social care systems and services;
• where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of health care and of medical products and devices; or
• where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with restrictions set out in Article 89(1).

Member States are permitted to introduce domestic laws including further conditions and limitations for processing with regard to processing genetic data, biometric data and health data.

Criminal Convictions and Offences data

Processing of personal data relating to criminal convictions and offences is prohibited unless carried out under the control of an official public authority, or specifically authorized by Member State domestic law (Article 10).

Processing for a Secondary Purpose

Increasingly, organizations wish to 're-purpose' personal data - i.e. use data collected for one purpose for a new purpose which was not disclosed to the data subject at the time the data were first collected. This is potentially in conflict with the core principle of purpose limitation; to ensure that the rights of data subjects are protected. The GDPR sets out a series of factors that the controller must consider to ascertain whether the new process is compatible with the purposes for which the personal data were initially collected (Article 6(4)). These include:

• any link between the original purpose and the new purpose
• the context in which the data have been collected
• the nature of the personal data, in particular whether special categories of data or data relating to criminal convictions are processed (with the inference being that if they are it will be much harder to form the view that a new purpose is compatible)
• the possible consequences of the new processing for the data subjects
• the existence of appropriate safeguards, which may include encryption or pseudonymisation.

If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new purpose are consent or a legal obligation (more specifically an EU or Member State law which constitutes a necessary and proportionate measure in a democratic society).

Transparency (Privacy Notices)

The GDPR places considerable emphasis on transparency, ie, the right for a data subject to understand how and why his or her data are used, and what other rights are available to data subjects to control processing. The presentation of granular, yet easily accessible, privacy notices should, therefore, be seen as a cornerstone of GDPR compliance.

Various information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using clear and plain language (Article 12(1)).

The following information must be provided (Article 13) at the time the data are obtained: 

• the identity and contact details of the controller;
• the data protection officer's contact details (if there is one);
• both the purpose for which data will be processed and the legal basis for processing, including, if relevant, the legitimate interests for processing;
• the recipients or categories of recipients of the personal data;
• details of international transfers;
• the period for which personal data will be stored or, if that is not possible, the criteria used to determine this;
• the existence of rights of the data subject including the right to access, rectify, require erasure, restrict processing, object to processing and data portability;
• where applicable, the right to withdraw consent, and the right to complain to supervisory authorities;
• the consequences of failing to provide data necessary to enter into a contract;
• the existence of any automated decision making and profiling and the consequences for the data subject; and
• in addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that further processing, providing the above information.

Somewhat different requirements apply (Article 14) where information has not been obtained from the data subject.

Rights of the Data Subject

Data subjects enjoy a range of rights to control the processing of their personal data, some of which are very broadly applicable, whilst others only apply in quite limited circumstances. Controllers must provide information on action taken in response to requests within one calendar month as a default, with a limited right for the controller to extend this period thereby a further two months where the request is onerous.

Right of access (Article 15)

A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information about the how the data have been used by the controller.

Right to rectify (Article 16)

Data subjects may require inaccurate or incomplete personal data to be corrected or completed without undue delay.

Right to erasure ('right to be forgotten') (Article 17)

Data subjects may request erasure of their personal data. The forerunner of this right made headlines in 2014 when Europe’s highest court ruled against Google (Judgment of the CJEU in Case C-131/12), in effect requiring Google to remove search results relating to historic proceedings against a Spanish national for an unpaid debt on the basis that Google as a data controller of the search results had no legal basis to process that information.

The right is not absolute; it only arises in quite a narrow set of circumstances, notably where the controller no longer needs the data for the purposes for which they were collected or otherwise lawfully processed, or as a corollary of the successful exercise of the objection right, or of the withdrawal of consent.

Right to restriction of processing (Article 18)

Data subjects enjoy a right to restrict processing of their personal data in defined circumstances. These include where the accuracy of the data is contested; where the processing is unlawful; where the data are no longer needed save for legal claims of the data subject, or where the legitimate grounds for processing by the controller are contested.

Right to data portability (Article 20)

Where the processing of personal data is justified either on the basis that the data subject has given his or her consent to processing or where processing is necessary for the performance of a contract, then the data subject has the right to receive or have transmitted to another controller all personal data concerning him or her in a structured, commonly used and machine-readable format (eg, commonly used file formats recognised by mainstream software applications, such as .xsl).

Right to object (Article 21)

Data subjects have the right to object to processing on the legal basis of the legitimate interests of the data controller or where processing is in the public interest. Controllers will then have to suspend processing of the data until such time as they demonstrate “compelling legitimate grounds” for processing which override the rights of the data subject.

In addition, data subjects enjoy an unconditional right to object to the processing of personal data for direct marketing purposes at any time. 

The right not to be subject to automated decision making, including profiling (Article 22)

Automated decision making (including profiling) "which produces legal effects concerning [the data subject] … or similarly significantly affects him or her" is only permitted where: 

1. necessary for entering into or performing a contract;
2. authorized by EU or Member State law; or 
3. the data subject has given their explicit (ie, opt-in) consent.

Further, where significant automated decisions are taken on the basis of grounds (a) or (c), the data subject has the right to obtain human intervention, to contest the decision, and to express his or her point of view.

---

Croatia regulation

In application of the possibility left to Member States to deviate from the provisions of the GDPR, the Act provides the following obligations with regards to the collection and processing of personal data:

Processing of Genetic Data

The Act forbids any processing of genetic data for the purposes of life insurance calculations and entering into life insurance agreements. Consent given by data subjects does not validate this restriction.

Processing of Biometric Data

Public authorities and private entities may process biometric data only if such processing is defined by law and is necessary for the protection of persons, assets, classified information or professional secrets, provided that the interests of data subjects that contravene such processing do not prevail. Processing of biometric data necessary for fulfilment of international treaties related to identification of data subjects during crossing of state borders is considered as lawful.

Private entities may process biometric data for the purposes of safe identification of users of services, only based on explicit consent given by the users in accordance with the provisions of the GDPR.

Processing of biometric data (eg fingerprints, eye-scans) for the purposes of working time recording or entry/exit of working premises is allowed only on the basis of a legal obligation or if the employer has provided an alternative mechanism for such purposes (e.g. signature list) and the data subjects provided an explicit consent in accordance with the provisions of the GDPR.

Processing of Personal Data through Video Surveillance

Data controllers (or processors) must provide a clear notification to data subjects that premises (or part of it) is under video surveillance. Such notification must be visible while entering the perimeter of surveillance at the latest, and contain the information provided in Article 13 of the GDPR. Also, a clear and understandable photograph (sticker) must be attached to the notification containing:

• a notice that the object is under video surveillance
• information on the data controller, and
• contact details of the data controller for possible complaints

Records of video surveillance may be kept for 6 months, unless a special law or regulation provides a longer period.

In relation to work premises, such premises may be put under video surveillance by the employer only if the conditions under the work safety regulations have been met, and all employees have been notified in advance on the existence of video surveillance. Premises intended for rest, hygiene and changing room may not be put under video surveillance.

In relation to residential buildings, video surveillance may be installed in such buildings under the condition that 2/3 of all owners agree. However, only access to the building’s entrance and exit and common premises (eg stairways) may be put under video surveillance. Video surveillance used for the purposes to control the effectiveness of cleaners and other staff working in residential building is forbidden.

Generally, entities must obtain prior express consent from data subjects and provide prior notice to the Ministry of Communications to lawfully collect and process personal data. However, data subject consent is not required in certain circumstances provided by Cuba rules.

National Ordinance Personal Data Protection 

Collection: a natural or legal person, public authority, agency or other body which who has control over a person registration. 

Processor: a natural or legal person, public authority, agency or other body which who owns all or part of the has equipment in his possession, with which a personal registration of which he is not the holder. 

GDPR 

Collection: a natural or legal person, public authority, agency or other body that collect personal data and use it for certain purposes, like a website that markets to users based on their online behaviour. 

Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. Processors act on behalf of the relevant controller and under their authority.

EU regulation

Data Protection Principles

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under these principles, personal data must be (Article 5):

• processed lawfully, fairly and in a transparent manner (the "lawfulness, fairness and transparency principle");
• collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (the "purpose limitation principle");
• adequate, relevant and limited to what is necessary in relation to the purpose(s) (the "data minimization principle");
• accurate and where necessary kept up-to-date (the "accuracy principle");
• kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which the data are processed (the "storage limitation principle"); and
• processed in a manner that ensures appropriate security of the personal data, using appropriate technical and organizational measures (the "integrity and confidentiality principle").

The controller is responsible for and must be able to demonstrate compliance with the above principles (the "accountability principle"). Accountability is a core theme of the GDPR. Organizations must not only comply with the GDPR but also be able to demonstrate compliance perhaps years after a particular decision relating to processing personal data was taken. Record-keeping, audit and appropriate governance will all form a key role in achieving accountability.

Legal Basis under Article 6

In addition, in order to satisfy the lawfulness principle, each use of personal data must be justified by reference to an appropriate basis for processing. The legal bases (also known lawful bases or lawful grounds) under which personal data may be processed are (Article 6(1)):

• with the consent of the data subject (where consent must be "freely given, specific, informed and unambiguous", and must be capable of being withdrawn at any time);
• where necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract;
• where necessary to comply with a legal obligation (of the EU) to which the controller is subject;
• where necessary to protect the vital interests of the data subject or another person (generally recognized as being limited to 'life or death' scenarios, such as medical emergencies);
• where necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller; or
• where necessary for the purposes of the legitimate interests of the controller or a third party (which is subject to a balancing test, in which the interests of the controller must not override the interests or fundamental rights and freedoms of the data subject. Note also that this basis cannot be relied upon by a public authority in the performance of its tasks).

Special Category Data

Processing of special category data is prohibited (Article 9), except where one of the following exemptions applies (which, in effect, operate as secondary bases which must be established for the lawful processing of special category data, in addition to an Article 6 basis):

• with the explicit consent of the data subject;
• where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and social protection law or a collective agreement;
• where necessary to protect the vital interests of the data subject or another natural person who is physically or legally incapable of giving consent;
• in limited circumstances by certain not-for-profit bodies;
• where processing relates to the personal data which are manifestly made public by the data subject;
• where processing is necessary for the establishment, exercise or defense of legal claims or where courts are acting in their legal capacity;
• where necessary for reasons of substantial public interest on the basis of Union or Member State law, proportionate to the aim pursued and with appropriate safeguards;
• where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, provision of health or social care or treatment of the management of health or social care systems and services;
• where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of health care and of medical products and devices; or
• where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with restrictions set out in Article 89(1).

Member States are permitted to introduce domestic laws including further conditions and limitations for processing with regard to processing genetic data, biometric data and health data.

Criminal Convictions and Offences data

Processing of personal data relating to criminal convictions and offences is prohibited unless carried out under the control of an official public authority, or specifically authorized by Member State domestic law (Article 10).

Processing for a Secondary Purpose

Increasingly, organizations wish to 're-purpose' personal data - ie, use data collected for one purpose for a new purpose which was not disclosed to the data subject at the time the data were first collected. This is potentially in conflict with the core principle of purpose limitation; to ensure that the rights of data subjects are protected. The GDPR sets out a series of factors that the controller must consider to ascertain whether the new process is compatible with the purposes for which the personal data were initially collected (Article 6(4)). These include:

• any link between the original purpose and the new purpose
• the context in which the data have been collected
• the nature of the personal data, in particular whether special categories of data or data relating to criminal convictions are processed (with the inference being that if they are it will be much harder to form the view that a new purpose is compatible)
• the possible consequences of the new processing for the data subjects
• the existence of appropriate safeguards, which may include encryption or pseudonymization.

If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new purpose are consent or a legal obligation (more specifically an EU or Member State law which constitutes a necessary and proportionate measure in a democratic society).

Transparency (Privacy Notices)

The GDPR places considerable emphasis on transparency, ie, the right for a data subject to understand how and why his or her data are used, and what other rights are available to data subjects to control processing. The presentation of granular, yet easily accessible, privacy notices should, therefore, be seen as a cornerstone of GDPR compliance.

Various information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using clear and plain language (Article 12(1)).

The following information must be provided (Article 13) at the time the data are obtained: 

• the identity and contact details of the controller;
• the data protection officer's contact details (if there is one);
• both the purpose for which data will be processed and the legal basis for processing, including, if relevant, the legitimate interests for processing;
• the recipients or categories of recipients of the personal data;
• details of international transfers;
• the period for which personal data will be stored or, if that is not possible, the criteria used to determine this;
• the existence of rights of the data subject including the right to access, rectify, require erasure, restrict processing, object to processing and data portability;
• where applicable, the right to withdraw consent, and the right to complain to supervisory authorities;
• the consequences of failing to provide data necessary to enter into a contract;
• the existence of any automated decision making and profiling and the consequences for the data subject; and
• in addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that further processing, providing the above information.

Somewhat different requirements apply (Article 14) where information has not been obtained from the data subject.

Rights of the Data Subject

Data subjects enjoy a range of rights to control the processing of their personal data, some of which are very broadly applicable, while others only apply in quite limited circumstances. Controllers must provide information on action taken in response to requests within one calendar month as a default, with a limited right for the controller to extend this period thereby a further two months where the request is onerous.

Right of access (Article 15)

A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information about the how the data have been used by the controller.

Right to rectify (Article 16)

Data subjects may require inaccurate or incomplete personal data to be corrected or completed without undue delay.

Right to erasure ('right to be forgotten') (Article 17)

Data subjects may request erasure of their personal data. The forerunner of this right made headlines in 2014 when Europe’s highest court ruled against Google (Judgment of the CJEU in Case C-131/12), in effect requiring Google to remove search results relating to historic proceedings against a Spanish national for an unpaid debt on the basis that Google as a data controller of the search results had no legal basis to process that information.

The right is not absolute; it only arises in quite a narrow set of circumstances, notably where the controller no longer needs the data for the purposes for which they were collected or otherwise lawfully processed, or as a corollary of the successful exercise of the objection right, or of the withdrawal of consent.

Right to restriction of processing (Article 18)

Data subjects enjoy a right to restrict processing of their personal data in defined circumstances. These include where the accuracy of the data is contested; where the processing is unlawful; where the data are no longer needed save for legal claims of the data subject, or where the legitimate grounds for processing by the controller are contested.

Right to data portability (Article 20)

Where the processing of personal data is justified either on the basis that the data subject has given his or her consent to processing or where processing is necessary for the performance of a contract, then the data subject has the right to receive or have transmitted to another controller all personal data concerning him or her in a structured, commonly used and machine-readable format (eg, commonly used file formats recognized by mainstream software applications, such as .xsl).

Right to object (Article 21)

Data subjects have the right to object to processing on the legal basis of the legitimate interests of the data controller or where processing is in the public interest. Controllers will then have to suspend processing of the data until such time as they demonstrate “compelling legitimate grounds” for processing which override the rights of the data subject.

In addition, data subjects enjoy an unconditional right to object to the processing of personal data for direct marketing purposes at any time. 

The right not to be subject to automated decision making, including profiling (Article 22)

Automated decision making (including profiling) "which produces legal effects concerning [the data subject] … or similarly significantly affects him or her" is only permitted where: 

1. necessary for entering into or performing a contract;
2. authorized by EU or Member State law; or 
3. the data subject has given their explicit (ie, opt-in) consent.

Further, where significant automated decisions are taken on the basis of grounds (a) or (c), the data subject has the right to obtain human intervention, to contest the decision, and to express his or her point of view.

---

Cyprus regulation

Collection and procession of genetic and biometric data for the purpose of health and life insurance is prohibited.

Subject to the above, where processing of genetic and biometric data is based on consent, subsequent and separate consents should be obtained for any further processing.

Further, according to the Law, impact assessment and prior consultation with the Commissioner are required in the following instances:

• when a combination of filing systems of public authorities or certification bodies, is conducted in relation to special categories of personal data or data relating to criminal offences or penalties or will be carried out on the basis of the use of an ID number or any other identifier of general application;
• where, subject to the provisions of Article 23 of the GDPR, measures are taken by the data controller to restrict the rights referred to under Article 12, 18, 19 and 20 of the GDPR;
• where the data controller is exempted from the obligation to notify data subjects for breaches of personal data for one or more of the purposes listed in Article 23(1) of the GDPR, including inter alia, national security, defense, public security, prevention, investigation, detection or prosecution of criminal offences etc;
• where national legislation or regulations issued pursuant thereto provide for a specific action or series of processing activities; and
• where special categories of personal data will be transferred in a third country or an international organization by the controller or the processor, on the basis of a derogation for specific situations provided for under Article 49 of the GDPR.

Data Protection Principles

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under these principles, personal data must be (Article 5):

• processed lawfully, fairly and in a transparent manner (the "lawfulness, fairness and transparency principle");
• collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (the "purpose limitation principle");
• adequate, relevant and limited to what is necessary in relation to the purpose(s) (the "data minimization principle");
• accurate and where necessary kept up to date (the "accuracy principle");
• kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which the data are processed (the "storage limitation principle"); and
• processed in a manner that ensures appropriate security of the personal data, using appropriate technical and organizational measures (the "integrity and confidentiality principle").

The controller is responsible for and must be able to demonstrate compliance with the above principles (the "accountability principle"). Accountability is a core theme of the GDPR. Organisations must not only comply with the GDPR but also be able to demonstrate compliance perhaps years after a particular decision relating to processing personal data was taken. Record keeping, audit and appropriate governance will all form a key role in achieving accountability.

Legal Basis under Article 6

In addition, in order to satisfy the lawfulness principle, each use of personal data must be justified by reference to an appropriate basis for processing. The legal bases (also known lawful bases or lawful grounds) under which personal data may be processed are (Article 6(1)):

• with the consent of the data subject (where consent must be "freely given, specific, informed and unambiguous", and must be capable of being withdrawn at any time);
• where necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract;
• where necessary to comply with a legal obligation (of the EU) to which the controller is subject;
• where necessary to protect the vital interests of the data subject or another person (generally recognised as being limited to 'life or death' scenarios, such as medical emergencies);
• where necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller; or
• where necessary for the purposes of the legitimate interests of the controller or a third party (which is subject to a balancing test, in which the interests of the controller must not override the interests or fundamental rights and freedoms of the data subject. Note also that this basis cannot be relied upon by a public authority in the performance of its tasks).

Special Category Data

Processing of special category data is prohibited (Article 9), except where one of the following exemptions applies (which, in effect, operate as secondary bases which must be established for the lawful processing of special category data, in addition to an Article 6 basis):

• with the explicit consent of the data subject;
• where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and social protection law or a collective agreement;
• where necessary to protect the vital interests of the data subject or another natural person who is physically or legally incapable of giving consent;
• in limited circumstances by certain not-for-profit bodies;
• where processing relates to the personal data which are manifestly made public by the data subject;
• where processing is necessary for the establishment, exercise or defence of legal claims or where courts are acting in their legal capacity;
• where necessary for reasons of substantial public interest on the basis of Union or Member State law, proportionate to the aim pursued and with appropriate safeguards;
• where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, provision of health or social care or treatment of the management of health or social care systems and services;
• where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of health care and of medical products and devices; or
• where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with restrictions set out in Article 89(1).

Member States are permitted to introduce domestic laws including further conditions and limitations for processing with regard to processing genetic data, biometric data and health data.

Criminal Convictions and Offences data

Processing of personal data relating to criminal convictions and offences is prohibited unless carried out under the control of an official public authority, or specifically authorised by Member State domestic law (Article 10).

Processing for a Secondary Purpose

Increasingly, organisations wish to 're-purpose' personal data - i.e. use data collected for one purpose for a new purpose which was not disclosed to the data subject at the time the data were first collected. This is potentially in conflict with the core principle of purpose limitation; to ensure that the rights of data subjects are protected. The GDPR sets out a series of factors that the controller must consider to ascertain whether the new process is compatible with the purposes for which the personal data were initially collected (Article 6(4)). These include:

• any link between the original purpose and the new purpose
• the context in which the data have been collected
• the nature of the personal data, in particular whether special categories of data or data relating to criminal convictions are processed (with the inference being that if they are it will be much harder to form the view that a new purpose is compatible)
• the possible consequences of the new processing for the data subjects
• the existence of appropriate safeguards, which may include encryption or pseudonymisation.

If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new purpose are consent or a legal obligation (more specifically an EU or Member State law which constitutes a necessary and proportionate measure in a democratic society).

Transparency (Privacy Notices)

The GDPR places considerable emphasis on transparency, i.e. the right for a data subject to understand how and why his or her data are used, and what other rights are available to data subjects to control processing. The presentation of granular, yet easily accessible, privacy notices should, therefore, be seen as a cornerstone of GDPR compliance.

Various information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using clear and plain language (Article 12(1)).

The following information must be provided (Article 13) at the time the data are obtained: 

• the identity and contact details of the controller;
• the data protection officer's contact details (if there is one);
• both the purpose for which data will be processed and the legal basis for processing, including, if relevant, the legitimate interests for processing;
• the recipients or categories of recipients of the personal data;
• details of international transfers;
• the period for which personal data will be stored or, if that is not possible, the criteria used to determine this;
• the existence of rights of the data subject including the right to access, rectify, require erasure, restrict processing, object to processing and data portability;
• where applicable, the right to withdraw consent, and the right to complain to supervisory authorities;
• the consequences of failing to provide data necessary to enter into a contract;
• the existence of any automated decision making and profiling and the consequences for the data subject; and
• in addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that further processing, providing the above information.

Somewhat different requirements apply (Article 14) where information has not been obtained from the data subject.

Rights of the Data Subject

Data subjects enjoy a range of rights to control the processing of their personal data, some of which are very broadly applicable, whilst others only apply in quite limited circumstances.   Controllers must provide information on action taken in response to requests within one calendar month as a default, with a limited right for the controller to extend this period thereby a further two months where the request is onerous.

Right of access (Article 15)

A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information about the how the data have been used by the controller.

Right to rectify (Article 16)

Data subjects may require inaccurate or incomplete personal data to be corrected or completed without undue delay.

Right to erasure ('right to be forgotten') (Article 17)

Data subjects may request erasure of their personal data. The forerunner of this right made headlines in 2014 when Europe’s highest court ruled against Google (Judgment of the CJEU in Case C-131/12), in effect requiring Google to remove search results relating to historic proceedings against a Spanish national for an unpaid debt on the basis that Google as a data controller of the search results had no legal basis to process that information.

The right is not absolute; it only arises in quite a narrow set of circumstances, notably where the controller no longer needs the data for the purposes for which they were collected or otherwise lawfully processed, or as a corollary of the successful exercise of the objection right, or of the withdrawal of consent.

Right to restriction of processing (Article 18)

Data subjects enjoy a right to restrict processing of their personal data in defined circumstances. These include where the accuracy of the data is contested; where the processing is unlawful; where the data are no longer needed save for legal claims of the data subject, or where the legitimate grounds for processing by the controller are contested.

Right to data portability (Article 20)

Where the processing of personal data is justified either on the basis that the data subject has given his or her consent to processing or where processing is necessary for the performance of a contract, then the data subject has the right to receive or have transmitted to another controller all personal data concerning him or her in a structured, commonly used and machine-readable format (e.g. commonly used file formats recognised by mainstream software applications, such as .xsl).

Right to object (Article 21)

Data subjects have the right to object to processing on the legal basis of the legitimate interests of the data controller or where processing is in the public interest. Controllers will then have to suspend processing of the data until such time as they demonstrate “compelling legitimate grounds” for processing which override the rights of the data subject.

In addition, data subjects enjoy an unconditional right to object to the processing of personal data for direct marketing purposes at any time. 

The right not to be subject to automated decision making, including profiling (Article 22)

Automated decision making (including profiling) "which produces legal effects concerning [the data subject] … or similarly significantly affects him or her" is only permitted where: 

1. necessary for entering into or performing a contract;
2. authorised by EU or Member State law; or 
3. the data subject has given their explicit (i.e. opt-in) consent.

Further, where significant automated decisions are taken on the basis of grounds (a) or (c), the data subject has the right to obtain human intervention, to contest the decision, and to express his or her point of view.

As a matter of principle, the collection and processing of personal data (whether sensitive or not) is prohibited. It can be carried out with the prior and explicit consent of the person concerned or on the request of the public prosecutor's office, provided that the consent of the person concerned can always be proven. One’s consent can be withdrawn at all times.

EU regulation

Data Protection Principles

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under these principles, personal data must be (Article 5):

• processed lawfully, fairly and in a transparent manner (the "lawfulness, fairness and transparency principle");
• collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (the "purpose limitation principle");
• adequate, relevant and limited to what is necessary in relation to the purpose(s) (the "data minimization principle");
• accurate and where necessary kept up-to-date (the "accuracy principle");
• kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which the data are processed (the "storage limitation principle"); and
• processed in a manner that ensures appropriate security of the personal data, using appropriate technical and organizational measures (the "integrity and confidentiality principle").

The controller is responsible for and must be able to demonstrate compliance with the above principles (the "accountability principle"). Accountability is a core theme of the GDPR. Organizations must not only comply with the GDPR but also be able to demonstrate compliance perhaps years after a particular decision relating to processing personal data was taken. Record-keeping, audit and appropriate governance will all form a key role in achieving accountability.

Legal Basis under Article 6

In addition, in order to satisfy the lawfulness principle, each use of personal data must be justified by reference to an appropriate basis for processing. The legal bases (also known lawful bases or lawful grounds) under which personal data may be processed are (Article 6(1)):

• with the consent of the data subject (where consent must be "freely given, specific, informed and unambiguous", and must be capable of being withdrawn at any time);
• where necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract;
• where necessary to comply with a legal obligation (of the EU) to which the controller is subject;
• where necessary to protect the vital interests of the data subject or another person (generally recognized as being limited to 'life or death' scenarios, such as medical emergencies);
• where necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller; or
• where necessary for the purposes of the legitimate interests of the controller or a third party (which is subject to a balancing test, in which the interests of the controller must not override the interests or fundamental rights and freedoms of the data subject. Note also that this basis cannot be relied upon by a public authority in the performance of its tasks).

Special Category Data

Processing of special category data is prohibited (Article 9), except where one of the following exemptions applies (which, in effect, operate as secondary bases which must be established for the lawful processing of special category data, in addition to an Article 6 basis):

• with the explicit consent of the data subject;
• where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and social protection law or a collective agreement;
• where necessary to protect the vital interests of the data subject or another natural person who is physically or legally incapable of giving consent;
• in limited circumstances by certain not-for-profit bodies;
• where processing relates to the personal data which are manifestly made public by the data subject;
• where processing is necessary for the establishment, exercise, or defence of legal claims or where courts are acting in their legal capacity;
• where necessary for reasons of substantial public interest on the basis of Union or Member State law, proportionate to the aim pursued and with appropriate safeguards;
• where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, provision of health or social care or treatment of the management of health or social care systems and services;
• where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of health care and of medical products and devices; or
• where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with restrictions set out in Article 89(1).

Member States are permitted to introduce domestic laws including further conditions and limitations for processing with regard to processing genetic data, biometric data and health data.

Criminal Convictions and Offences data

Processing of personal data relating to criminal convictions and offences is prohibited unless carried out under the control of an official public authority, or specifically authorized by Member State domestic law (Article 10).

Processing for a Secondary Purpose

Increasingly, organizations wish to 're-purpose' personal data - i.e. use data collected for one purpose for a new purpose which was not disclosed to the data subject at the time the data were first collected. This is potentially in conflict with the core principle of purpose limitation, that is to ensure that the rights of data subjects are protected. The GDPR sets out a series of factors that the controller must consider when assessing whether the new process is compatible with the purposes for which the personal data was initially collected (Article 6(4)). These include:

• any link between the original purpose and the new purpose;
• the context in which the data have been collected;
• the nature of the personal data, in particular whether special categories of data or data relating to criminal convictions are processed (with the inference being that if they are it will be much harder to form the view that a new purpose is compatible);
• the possible consequences of the new processing for the data subjects;
• the existence of appropriate safeguards, which may include encryption or pseudonymization.

If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new purpose are consent or a legal obligation (more specifically an EU or Member State law which constitutes a necessary and proportionate measure in a democratic society).

Transparency (Privacy Notices)

The GDPR places considerable emphasis on transparency, i.e. the right for a data subject to understand how and why his or her data is used, and what other rights are available to data subjects to control processing. The presentation of granular, yet easily accessible privacy notices should therefore be seen as a cornerstone of GDPR compliance.

Various information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using clear and plain language (Article 12(1)).

The following information must be provided (Article 13) at the time the data are obtained:

• the identity and contact details of the controller;
• the data protection officer's contact details (if there is one);
• both the purpose for which data will be processed and the legal basis for processing, including, if relevant, the legitimate interests for processing;
• the recipients or categories of recipients of the personal data;
• details of international transfers;
• the period for which personal data will be stored or, if that is not possible, the criteria used to determine this;
• the existence of rights of the data subject including the right to access, rectify, require erasure, restrict processing, object to processing and data portability;
• where applicable, the right to withdraw consent, and the right to complain to supervisory authorities;
• the consequences of failing to provide data necessary to enter into a contract;
• the existence of any automated decision making and profiling and the consequences for the data subject; and
• in addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that further processing, providing the above information.

Somewhat different requirements apply (Article 14) where information has not been obtained from the data subject.

Rights of the Data Subject

Data subjects enjoy a range of rights to control the processing of their personal data, some of which are very broadly applicable, while others only apply in quite limited circumstances. Controllers must provide information on action taken in response to requests within one calendar month as a default, with a limited right for the controller to extend this period thereby a further two months where the request is onerous.

Right of access (Article 15)

A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information about the how the data have been used by the controller.

Right to rectify (Article 16)

Data subjects may require inaccurate or incomplete personal data to be corrected or completed without undue delay.

Right to erasure ('right to be forgotten') (Article 17)

Data subjects may request erasure of their personal data. The forerunner of this right made headlines in 2014 when Europe’s highest court ruled against Google (Judgment of the CJEU in Case C-131/12), in effect requiring Google to remove search results relating to historic proceedings against a Spanish national for an unpaid debt on the basis that Google as a data controller of the search results had no legal basis to process that information.

The right is not absolute; it only arises in quite a narrow set of circumstances, notably where the controller no longer needs the data for the purposes for which they were collected or otherwise lawfully processed, or as a corollary of the successful exercise of the objection right, or of the withdrawal of consent.

Right to restriction of processing (Article 18)

Data subjects enjoy a right to restrict processing of their personal data in defined circumstances. These include where the accuracy of the data is contested; where the processing is unlawful; where the data are no longer needed save for legal claims of the data subject, or where the legitimate grounds for processing by the controller are contested.

Right to data portability (Article 20)

Where the processing of personal data is justified either on the basis that the data subject has given his or her consent to processing or where processing is necessary for the performance of a contract, then the data subject has the right to receive or have transmitted to another controller all personal data concerning him or her in a structured, commonly used and machine-readable format (e.g. commonly used file formats recognized by mainstream software applications, such as .xsl).

Right to object (Article 21)

Data subjects have the right to object to processing on the legal basis of the legitimate interests of the data controller or where processing is in the public interest. Controllers will then have to suspend processing of the data until such time as they demonstrate “compelling legitimate grounds” for processing which override the rights of the data subject.

In addition, data subjects enjoy an unconditional right to object to the processing of personal data for direct marketing purposes at any time.

The right not to be subject to automated decision making, including profiling (Article 22)

Automated decision making (including profiling) "which produces legal effects concerning [the data subject] … or similarly significantly affects him or her" is only permitted where:

1. necessary for entering into or performing a contract;
2. authorized by EU or Member State law; or
3. the data subject has given their explicit (i.e. opt-in) consent.

Further, where significant automated decisions are made based on grounds (a) or (c), the data subject has the right to obtain human intervention, to contest the decision, and to express his or her point of view.

---

Denmark regulation

The GDPR differentiates between 1) Personal data, 2) Special Categories of Personal Data, 3) Data on criminal offences and 4) National identification numbers (CPR numbers). See below.

1. Personal data

Under the GDPR, data controllers may legally register and process personal data (all data except the Special Categories of Personal Data, Data on criminal offences and national identification numbers) only when at least one of the following conditions are met:

• the data subject has given his explicit consent in accordance with article 7 and 8 (children’s consent) of the GDPR;
• processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
• processing is necessary for compliance with a legal obligation to which the controller is subject;
• processing is necessary in order to protect the vital interests of the data subject or any other natural person;
• processing is necessary for the performance of a task carried out in the public interest or for the performance of a task carried out in the exercise of official authority vested in the data controller; or
• processing is necessary for the purposes of the legitimate interests pursued by the data controller or by the third-party to whom the data is disclosed, unless these interests are overridden by either the data subject’s fundamental rights including its civil rights or other interests of the data subject.

2. Special Categories of Personal Data

Special Categories of Personal Data (as detailed under 'Registration') may be processed only when at least one of the following conditions are met:

• the data subject has given his explicit consent to the processing of such data for one or several purposes;
• processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the data controller or of the data subject in the field of employment law;
• processing is necessary to protect the vital interests of the data subject or of another natural person where the person concerned is physically or legally incapable of giving his or her consent;
• processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;
• processing relates to personal data which are manifestly made public by the data subject;
• processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
• the processing is necessary for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment, or the management of medical and health care services, and where those data are processed by a health professional subject under law to the obligation of professional secrecy;
• processing is necessary for reasons of substantial public interest. The DPA must approve the processing unless such is carried out by a public organization.

Personal data and Special Categories of Personal Data may be processed, if such process is carried out in relation to the data subject’s employment at the data controller, if such processing is necessary for the data controller to comply with employment-related obligations or rights under applicable law or collective agreements, or if the process is necessary for the data controller or third-party’s possibility to pursue legitimate interests originating from other legislation or collective agreements as long as the civil rights and interests of the data subject precedes.

Furthermore, personal data may be processed where the processing takes place for the sole purpose of carrying out statistical or scientific studies of significant importance to society and where such processing is necessary in order to carry out these studies. Sharing of personal data for such purposes will, however, be subject to the conditions set forth in the Danish Ministerial Order no. 1509 of 18 December 2019, according to which personal data shared for the purpose of carrying out statistical or scientific studies must, amongst other, be pseudonymised before sharing, unless direct identifications is strictly necessary.

3. Data relating to criminal convictions and offences

Data relating to criminal convictions and offences may be processed by public data controllers only if the processing is strictly necessary for the performance of regulatory and public tasks. No such data can, however, be disclosed, unless at least any of the following conditions are met:

• the data subject has given explicit consent to such disclosure;

• disclosure takes place for the purpose of safeguarding private or public interests which clearly override the interests of secrecy, including the interests of the person to whom the data relate;

• disclosure is necessary for the performance of the activities of an authority or required for a decision to be made by that authority; or

• disclosure is necessary for the performance of tasks for a public authority by a person or an enterprise.

Private data controllers may process data relating to criminal convictions and offences, if the data subject in question has given his or her explicit consent in accordance with article 7 of the GDPR, or if the processing is strictly necessary to pursue interests significantly exceeding the interests of the data subject. None of the data may be disclosed without the explicit consent of the data subject, unless such disclosure takes place for the purpose of safeguarding public or private interests, including the interests of the person concerned, which clearly override the interests of secrecy.

Both public and private actors may process personal data about criminal convictions and offences if at least one the following conditions are met:

• processing is necessary for the purpose of carrying out the obligations and exercising specific rights of the data controller or of the data subject in the field of employment law;
• processing is necessary to protect the vital interests of the data subject or of another natural person where the person concerned is physically or legally incapable of giving his or her consent;
• processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;
• processing relates to personal data which are manifestly made public by the data subject;
• processing is necessary for the establishment, exercise or defense of legal claims or whenever courts are acting in their judicial capacity;
• the processing is necessary for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment, or the management of medical and health care services, and where those data are processed by a health professional subject under law to the obligation of professional secrecy; or
• processing is necessary for reasons of substantial public interest. The DPA must approve the processing unless such is carried out by the public organization.

4. National identification numbers

National identification numbers (in Danish ‘CPR-nummer.’) may be processed by public organizations for the purpose of identification or as reference number.

Private data controllers may process CPR-nummer when at least one of the following conditions are met:

• the process is required under statutory law;
• the data subject concerned has given his or her explicit consent in accordance with article 7 of the GDPR;
• the processing is carried out for scientific or statistic purposes (however not for publication which requires a specific consent);
• the CPR-nummer disclosed as part of the company’s natural operations and such disclosure is of significant importance to the company to ensure identification of the data subject in question or requested by a public authority;
• processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the data controller or of the data subject in the field of employment law;
• processing is necessary to protect the vital interests of the data subject or of another natural person where the person concerned is physically or legally incapable of giving his or her consent;
• processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;
• processing relates to personal data which are manifestly made public by the data subject;
• processing is necessary for the establishment, exercise or defense of legal claims or whenever courts are acting in their judicial capacity;
• the processing is necessary for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment, or the management of medical and health care services, and where those data are processed by a health professional subject under law to the obligation of professional secrecy; or
• processing is necessary for reasons of substantial public interest. The DPA must approve the processing unless it is carried out by a public data controller.

5. Transparency requirements

The data controller must, at the time when personal data are obtained (no later than within one month after), provide the data subject with the necessary information to fulfil the duty of information, including information about:

• the identity of the data controller, his representative and the DPO (if applicable);
• the contact details of the data controller / the representative;
• the categories of data concerned;
• the purposes of the processing for which the data is intended as well as the legal basis for the processing;
• the legitimate interests pursued by the data controller, where the processing is based on article 6(1)(f) of GDPR;
• the recipients or categories of recipients of the personal data, (if any);
• (where applicable), information of transfer of data to third countries or international organizations or the intention hereof, as well as reference to the appropriate and suitable safeguards in connection with such transfers;
• The period for which the data will be stored;
• The data subject’s right to withdraw a consent at any time;
• The data subject’s rights, including to lodge a complaint, deletion, insight and correction;
• From which source the personal data originate (if applicable), and whether it came from publicly accessible sources (if applicable);
• The existence of automated decision making (if applicable).

Under the Danish Data Protection Act the above-mentioned obligations do not apply if interests of the public, other people, or the data subject itself, exceed the data subject’s interest in obtaining the information.

The general rule for the treatment of personal data under the DPL is that consent to process is a requirement. Consent is valid when there is a manifestation of free will, in an unequivocal, specific and informed manner, whereby the data subject consents to the treatment of personal data concerning him or her.

The DPL provides that the treatment and transfer of personal data is illegal when the data has not consented to such usage, unless an exception is provided by law.

For purposes of the foregoing, the DPL defines treatment as operations and procedures (electronic or otherwise), that allow for the:

• Collection
• Storage
• Organization
• Modification
• Evaluation
• Destruction
• In general, the processing of personal data, or
• Its transfer to third parties via communications, interconnections or transfers

Exceptions to the requirement to obtain consent include, among others:

• When the data is obtained from a public source
• When the data is obtained for the exercise of public duties or pursuant to a legal obligation to do so
• When the data is obtained for marketing purposes and is limited to certain basic information (eg, name, ID, passport, tax ID)
• The data derives from a commercial, employment or contractual relationship, or from a professional or scientific relationship with the data subject, and is necessary for its development or compliance

Our Personal Data Protection Law defines data processing as any operation or set of operations performed on personal data, whether by automated, partially automated or non-automated technical procedures, such as: collection, compilation, obtaining, recording, organization, structuring, conservation, custody, adaptation, modification, elimination, indexing, extraction, consultation, processing, use, possession, exploitation, distribution, assignment, communication or transfer, or any other form of enabling access, matching, interconnection, limitation, suppression, destruction and, in general, any use of personal data. 

The processing of personal data shall be legitimate and lawful if any of the following conditions are met: 

1. By consent of the owner for the treatment of his personal data, for a specific purpose or purposes.
2. That it is carried out by the data controller in compliance with a legal obligation.
3. That it is carried out by the data controller, by court order, in compliance with the principles of the present Law.
4. That the treatment of personal data is based on the fulfilment of a mission carried out in the public interest or in the exercise of public powers conferred on the controller, derived from a competence attributed by a regulation with the rank of law, subject to compliance with the international human rights standards applicable to the matter, to compliance with the principles of this Law and to the criteria of legality, proportionality, and necessity.
5. For the execution of pre-contractual measures at the request of the owner or for the fulfilment of contractual obligations pursued by the person responsible for the processing of personal data, person in charge of the processing of personal data or by a legally authorized third party.
6. To protect vital interests of the data subject or another natural person, such as his or her life, health, or integrity.
7. For the processing of personal data contained in publicly accessible databases; or
8. To satisfy a legitimate interest of the data controller or of a third party, provided that the interest or fundamental rights of the data subjects do not prevail under the provisions of this regulation. 

Personal data may be processed and communicated when there is an explicit consent of the owner to do so. The consent will be valid when the expression of will is: 

1. Free, that is, when it is absent of any consent flaws.
2. Specific, in terms of the concrete determination of the means and purposes of the data treatment.
3. Informed, so that it complies with the transparency principle.
4. Unambiguous, so that there is no doubt as to the scope of the authorization granted by the owner. 

The consent of the data owner must reflect, in an unequivocal manner, his or her acceptance in relation to the processing of personal data. Silence or inaction, by itself, does not imply the consent of the data owner.

Consent may be revoked at any time without the need for a justification, for which purpose the data controller shall establish mechanisms that guarantee speed, efficiency, effectiveness, and gratuity, as well as a simple procedure, similar to the procedure by which the consent was obtained. 

The processing carried out prior to the revocation of consent is lawful since it does not have retroactive effects. 

When the data treatment is intended to be based on the consent of the data owner for a plurality of purposes, it will be necessary to state that such consent is obtained for all of them. 

Unless proven otherwise, it shall be legitimate and lawful to process data intended to provide information on the financial or credit solvency, including information relating to the fulfilment or non-fulfilment of obligations of a commercial or credit nature that enable an assessment on the general conclusion of business, the commercial conduct or the payment capacity of the owner of the information, where such information is obtained from publicly available sources or from information provided by the creditor. Such data may be used only for the purpose of analysis and will not be communicated or disseminated, nor may they be used for any secondary purpose. 

The protection of personal credit data shall be subject to the provisions of this Law, the specialized legislation on the subject and other regulations issued by the Personal Data Protection Authority. 

Notwithstanding the foregoing, in no case may credit data relating to obligations of an economic, financial, banking or commercial nature be communicated after five years have elapsed since the obligation to which they refer has become due. 

Pursuant to the provisions of article 29 of the Organic Law on Personal Data Protection, the holders of Credit Data have the following rights: 

1. To have personal access to the information of which they are owners.
2. That the credit report allows them to know the condition of their credit history clearly and precisely; and,
3. That the sources of information update, rectify or eliminate information that is unlawful, false, inaccurate, erroneous, incomplete, or outdated. 

Regarding the right of access by the Credit Data Owner, this shall be free of charge, as many times as required, with respect to the information registered about him/herself before the credit reference service providers and through the following mechanisms: 

1. Direct observation through displays that the credit reference service providers will make available to such owners; and
2. Delivery of printed copies of the reports for the Credit Data Subject to verify the truthfulness and accuracy of their content, without being used for credit or commercial purposes. 

Regarding the rights of updating, rectification or deletion, the Data Owner may demand these rights from the information sources by means of a written request. The information sources, within fifteen days from the date the request is submitted, shall resolve it by admitting or rejecting it with reasons. The Credit Data Owner has the right to request the credit reference service providers to indicate in the credit reports they issue, while the review process continues, that the information subject to the request is being reviewed at the owner's request.

Data Protection Principles

Controllers and processors must comply with a set of rules governing the processing of personal data. Pursuant to the Law, the following conditions must be fulfilled in order to collect, process and retain personal data:

• Personal data shall be collected for legitimate and specific purposes that shall be disclosed to the data subject.
• Personal data shall be correct, valid, and secured.
• Personal data shall be processed in a legitimate manner and in compliance with the purposes for which it is being collected.
• Personal data shall not be retained for a period longer than that is necessary for the fulfilment of the purpose thereof.

Processing Conditions

Pursuant to Article (6) of the Law, the electronic processing of personal data shall be considered legitimate and legal in cases where it satisfies one of the following conditions:

• It is carried out with the data subject’s consent for the achievement of certain purpose(s);
• It is necessary and intrinsic for the performance of a contractual obligation or legal action, the execution of an agreement for the benefit of the data subject, or the undertaking of any procedure with respect to claiming or defending the data subject's legal rights;
• It is necessary for performing a legal obligation or an order issued by the competent investigation authorities or it is based upon a judicial ruling; or
• It is necessary for enabling the controller to perform its obligations or any relevant person to practice its legitimate rights unless this contradicts the data subject’s fundamental rights and freedoms.

Rights of Data Subjects

Pursuant to Article (2) of the Law, personal data may not be collected, processed, disclosed, or revealed by any means except with the explicit consent of the data subject or where otherwise permitted by law.

Further, the data subjects have a range of rights to control the processing of their personal data, which are as follows:

• To know, review and access / obtain his / her own personal data, which is in possession of any holder, controller or processor;
• To withdraw the prior consent concerning the retention or processing of his/her personal data;
• To correct, edit, erase, add or update his / her personal data;
• To limit the processing to a specified purpose;
• To be notified with any infringement to his / her personal data; and
• To object to the processing of personal data or its results whenever this contradicts the data subject’s fundamental rights and freedoms.

Obligations of the Controller and the Processor

Pursuant to chapter (3) of the Law, the controller and the processor must comply with certain conditions while collecting and processing personal data, inter alia:

• Ensure the validity, conformity and sufficiency of the personal data with the purpose of its collection;
• Not exceed the purpose and period of processing, and notify the controller, the data subject or each relevant person, as the case may be, with the period necessary for processing;
• Set the method, manner, and standards for processing pursuant to the designated purpose;
• Ensure the applicability of the specified purpose for the collection of the personal data for processing objectives;
• Refrain from undertaking any action which would result in disclosing personal data except in the cases permitted by law;
• Adopt all technical and regulatory procedures and apply the necessary standard criteria for protecting personal data and ensuring its confidentiality, and prevent any hack, damage, alteration or manipulation through any illegitimate procedure;
• Correct any error in the personal data immediately upon being notified or becoming aware of such error; and
• Avoid any direct or indirect harm to the data subject.

Collecting and Processing is not specifically regulated. However, the E-Commerce Act establishes, in general terms, that all information provided by the user of an online store/marketplace must be safely guarded. Similar requirements are established by the E-Signature Act, in regards to the information of the owners of an E-Signature.

Arts. 6 and 9 of the applicable law determines that only personal data that are adequate, accurate, truthful, complete and not excessive in relation to the scope and purpose of their collection may be used, prohibiting the collection of such data by fraudulent and unlawful means.

In this regard, an interested parties to whom personal data are requested must be previously expressly informed in a concise and unequivocal manner and must be informed about the purpose and consequences of the collection, the destination and the recipients of the information, about the mandatory or optional nature of their response to the questions asked, about the effects of the refusal to provide them, as well as the identity and address of the person responsible for the processing or its representative. 

The processing of data by third parties according the law must be subject to a contractual agreement under which a third parties must agree in writing to process the data solely and in accordance with the instructions authorised  by the owner, that is,  the data must not be used or applied for a different purpose or communicated to third parties (art.8).

EU regulation

Data Protection Principles

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under these principles, personal data must be (Article 5):

• processed lawfully, fairly and in a transparent manner (the "lawfulness, fairness and transparency principle");
• collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (the "purpose limitation principle");
• adequate, relevant and limited to what is necessary in relation to the purpose(s) (the "data minimization principle");
• accurate and where necessary kept up-to-date (the "accuracy principle");
• kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which the data are processed (the "storage limitation principle"); and
• processed in a manner that ensures appropriate security of the personal data, using appropriate technical and organizational measures (the "integrity and confidentiality principle").

The controller is responsible for and must be able to demonstrate compliance with the above principles (the "accountability principle"). Accountability is a core theme of the GDPR. Organizations must not only comply with the GDPR but also be able to demonstrate compliance perhaps years after a particular decision relating to processing personal data was taken. Record- keeping, audit and appropriate governance will all form a key role in achieving accountability.

Legal Basis under Article 6

In addition, in order to satisfy the lawfulness principle, each use of personal data must be justified by reference to an appropriate basis for processing. The legal bases (also known lawful bases or lawful grounds) under which personal data may be processed are (Article 6(1)):

• with the consent of the data subject (where consent must be "freely given, specific, informed and unambiguous", and must be capable of being withdrawn at any time);
• where necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract;
• where necessary to comply with a legal obligation (of the EU) to which the controller is subject;
• where necessary to protect the vital interests of the data subject or another person (generally recognized as being limited to 'life or death' scenarios, such as medical emergencies);
• where necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller; or
• where necessary for the purposes of the legitimate interests of the controller or a third party (which is subject to a balancing test, in which the interests of the controller must not override the interests or fundamental rights and freedoms of the data subject. Note also that this basis cannot be relied upon by a public authority in the performance of its tasks).

Special Category Data

Processing of special category data is prohibited (Article 9), except where one of the following exemptions applies (which, in effect, operate as secondary bases which must be established for the lawful processing of special category data, in addition to an Article 6 basis):

• with the explicit consent of the data subject;
• where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and social protection law or a collective agreement;
• where necessary to protect the vital interests of the data subject or another natural person who is physically or legally incapable of giving consent;
• in limited circumstances by certain not-for-profit bodies;
• where processing relates to the personal data which are manifestly made public by the data subject;
• where processing is necessary for the establishment, exercise or defence of legal claims or where courts are acting in their legal capacity;
• where necessary for reasons of substantial public interest on the basis of Union or Member State law, proportionate to the aim pursued and with appropriate safeguards;
• where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, provision of health or social care or treatment of the management of health or social care systems and services;
• where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of health care and of medical products and devices; or
• where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with restrictions set out in Article 89(1).

Member States are permitted to introduce domestic laws including further conditions and limitations for processing with regard to processing genetic data, biometric data and health data.

Criminal Convictions and Offences data

Processing of personal data relating to criminal convictions and offences is prohibited unless carried out under the control of an official public authority, or specifically authorized by Member State domestic law (Article 10).

Processing for a Secondary Purpose

Increasingly, organizations wish to 're-purpose' personal data - ie, use data collected for one purpose for a new purpose which was not disclosed to the data subject at the time the data were first collected. This is potentially in conflict with the core principle of purpose limitation; to ensure that the rights of data subjects are protected. The GDPR sets out a series of factors that the controller must consider to ascertain whether the new process is compatible with the purposes for which the personal data were initially collected (Article 6(4)). These include:

• any link between the original purpose and the new purpose;
• the context in which the data have been collected;
• the nature of the personal data, in particular whether special categories of data or data relating to criminal convictions are processed (with the inference being that if they are it will be much harder to form the view that a new purpose is compatible);
• the possible consequences of the new processing for the data subjects;
• the existence of appropriate safeguards, which may include encryption or pseudonymization.

If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new purpose are consent or a legal obligation (more specifically an EU or Member State law which constitutes a necessary and proportionate measure in a democratic society).

Transparency (Privacy Notices)

The GDPR places considerable emphasis on transparency, ie, the right for a data subject to understand how and why his or her data are used, and what other rights are available to data subjects to control processing. The presentation of granular, yet easily accessible, privacy notices should, therefore, be seen as a cornerstone of GDPR compliance.

Various information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using clear and plain language (Article 12(1)).

The following information must be provided (Article 13) at the time the data are obtained: 

• the identity and contact details of the controller;
• the data protection officer's contact details (if there is one);
• both the purpose for which data will be processed and the legal basis for processing, including, if relevant, the legitimate interests for processing;
• the recipients or categories of recipients of the personal data;
• details of international transfers;
• the period for which personal data will be stored or, if that is not possible, the criteria used to determine this;
• the existence of rights of the data subject including the right to access, rectify, require erasure, restrict processing, object to processing and data portability;
• where applicable, the right to withdraw consent, and the right to complain to supervisory authorities;
• the consequences of failing to provide data necessary to enter into a contract;
• the existence of any automated decision making and profiling and the consequences for the data subject; and
• in addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that further processing, providing the above information.

Somewhat different requirements apply (Article 14) where information has not been obtained from the data subject.

Rights of the Data Subject

Data subjects enjoy a range of rights to control the processing of their personal data, some of which are very broadly applicable, whilst others only apply in quite limited circumstances. Controllers must provide information on action taken in response to requests within one calendar month as a default, with a limited right for the controller to extend this period thereby a further two months where the request is onerous.

Right of access (Article 15)

A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information about the how the data have been used by the controller.

Right to rectify (Article 16)

Data subjects may require inaccurate or incomplete personal data to be corrected or completed without undue delay.

Right to erasure ('right to be forgotten') (Article 17)

Data subjects may request erasure of their personal data. The forerunner of this right made headlines in 2014 when Europe’s highest court ruled against Google (Judgment of the CJEU in Case C-131/12), in effect requiring Google to remove search results relating to historic proceedings against a Spanish national for an unpaid debt on the basis that Google as a data controller of the search results had no legal basis to process that information.

The right is not absolute; it only arises in quite a narrow set of circumstances, notably where the controller no longer needs the data for the purposes for which they were collected or otherwise lawfully processed, or as a corollary of the successful exercise of the objection right, or of the withdrawal of consent.

Right to restriction of processing (Article 18)

Data subjects enjoy a right to restrict processing of their personal data in defined circumstances. These include where the accuracy of the data is contested; where the processing is unlawful; where the data are no longer needed save for legal claims of the data subject, or where the legitimate grounds for processing by the controller are contested.

Right to data portability (Article 20)

Where the processing of personal data is justified either on the basis that the data subject has given his or her consent to processing or where processing is necessary for the performance of a contract, then the data subject has the right to receive or have transmitted to another controller all personal data concerning him or her in a structured, commonly used and machine-readable format (eg, commonly used file formats recognised by mainstream software applications, such as .xsl).

Right to object (Article 21)

Data subjects have the right to object to processing on the legal basis of the legitimate interests of the data controller or where processing is in the public interest. Controllers will then have to suspend processing of the data until such time as they demonstrate “compelling legitimate grounds” for processing which override the rights of the data subject.

In addition, data subjects enjoy an unconditional right to object to the processing of personal data for direct marketing purposes at any time. 

The right not to be subject to automated decision making, including profiling (Article 22)

Automated decision making (including profiling) "which produces legal effects concerning [the data subject] … or similarly significantly affects him or her" is only permitted where: 

1. necessary for entering into or performing a contract;
2. authorised by EU or Member State law; or 
3. the data subject has given their explicit (i.e. opt-in) consent.

Further, where significant automated decisions are taken on the basis of grounds (a) or (c), the data subject has the right to obtain human intervention, to contest the decision, and to express his or her point of view.

---

Estonia regulation

• Processing after data subject’s death. According to the PDPA the consent of the data subject is valid during the data subjects life and 10 years after the data subject’s death, unless otherwise provided by the data subject. If the data subject has died underaged, the data subject’s consent shall be valid for 20 years after his / her death. After the data subject’s death, the processing of his/her personal data is permissible upon the consent of one of the heirs of the data subject, unless:
  • 10 years have passed from the death of the data subject;
  • More than 20 years have passed from the death of an underaged data subject; or
  • Another legal basis for processing exists.

The aforementioned consent is not required when the processing includes only the data subject’s name, gender, time of birth and death, the fact of death, and the time and place of burial.

• Processing of personal data related to the breach of a contractual obligation. It is permitted to transmit personal data related to a breach of a contractual obligation to a third party, and the third party is permitted to process this personal data, with the purpose of assessing the creditworthiness of the data subject, or with another similar purpose, and only on condition that the controller or processor has checked the correctness of data, the legal basis for transmission and has registered the data transmission. Gathering data for the aforementioned purposes and transmitting it to a third person is not permissible, if:

  •  

    the data includes special categories of personal data;

  • the data refers to the fact of being a victim of or committing an offence (before the public hearing, judgement or termination of proceedings);

  • it would have a material adverse effect on the data subjects rights;

  • less than 30 days have passed from the violation of a contract; or

  • more than 5 years have passed from the end of the breach of the obligation.

• Processing for journalistic purpose – GDPR article 85. It is permissible to process personal data without the data subject’s consent for journalistic purposes (primarily make information public in media) if public interest exists and such processing is done according to the principles of journalistic ethics. Such publicizing must not cause excessive damage to the rights of a data subject.

• Processing for the purposes of academic, artistic or literary expression – GDPR article 85. It is permissible to process personal data without the data subject’s consent for the purposes of academic, artistic or literary expression (primarily publication) if it does not cause excessive damage to the rights of the data subject.

• Processing of personal data in a public space. Unless the law specifies otherwise, in case of the recording of audio or photographic material in a public space, for the purpose of publicizing it, the consent of the data subject shall be replaced with the notification of the data subject in a form which enables him / her to acknowledge the fact of recording and to prevent himself / herself from being recorded. The notification obligation does not exist in case of public events, when the recording of these events for publicizing purposes can be reasonably expected.

• Processing for the purposes of scientific or historical research purposes or for the purposes of official statistics – GDPR article 89. It is permissible to process personal data for these purposes without the data subject’s consent in pseudonymized form or in a form that ensures at least equivalent level of data protection. De-pseudonymization or other measure of changing non-identifiable personal data to identifiable personal data is only permissible for further research or official statistics. The processor must name the person, who has access to the data that enables de-pseudonymization.
  • The processing of personal data without data subject’s consent in a form that the data subject is identifiable is only permissible when:
    • Pseudonymization would make it impossible to achieve the purposes of data processing, or they would be impracticably difficult to achieve;
    • The processor believes that an overwhelming public interest exists;
    • Based upon the processed personal data, the amount of data subject’s obligations are not changed and data subject’s rights are not excessively damaged in any other way.

• Where the scientific research is based on special categories of personal data, the ethics committee or the DPI will ensure the fulfillment of these obligations.

  Analyses and researches of government institutions, done for the purposes of policy making, is also considered scientific research according to the PDPA.

• The processor or controller is entitled to limit data subjects’ rights stated in GDPR articles 15, 16, 18, 21 only to the extent that the enforcement of these rights would probably make the achievement of scientific or historical research purposes, or the purposes of official statistics, impossible or obstruct it considerably.

  • Processing for archiving purposes in the public interest – GDPR article 89. The processor or controller is entitled to limit data subjects’ rights stated in GDPR article 15, 16, 18, 19, 20, 21 only to the extent that the enforcement of these rights would probably make the achievement of the purposes of archiving in the public interest impossible or obstruct it considerably. Limiting data subjects’ rights is permissible to protect the records, their authenticity, credibility, integrity and usability.

Though Ethiopia has not enacted a specific law to address personal data collection and processing issues, the country’s scattered legislative framework is understood to require that personal data be collected and processed with due care and only for an intended lawful purpose. Obtaining express consent for collecting and processing of personal data is also a requirement under those scattered provisions.

Sections 349 and 350 of Title 21 of the FSM Code obligate telecommunications providers to ensure the confidentiality of customer information and communications.

21 F.S.M.C. 349 precludes the collection, use, maintenance or disclosure of information about a customer for any purpose without the customer’s consent and mandates application of appropriate security safeguards to prevent such collection, use, maintenance or disclosure of information without consent.

No applicable laws.

EU regulation

Data Protection Principles

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under these principles, personal data must be (Article 5):

• processed lawfully, fairly and in a transparent manner (the "lawfulness, fairness and transparency principle");
• collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (the "purpose limitation principle");
• adequate, relevant and limited to what is necessary in relation to the purpose(s) (the "data minimization principle");
• accurate and where necessary kept up-to-date (the "accuracy principle");
• kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which the data are processed (the "storage limitation principle"); and
• processed in a manner that ensures appropriate security of the personal data, using appropriate technical and organizational measures (the "integrity and confidentiality principle").

The controller is responsible for and must be able to demonstrate compliance with the above principles (the "accountability principle"). Accountability is a core theme of the GDPR. Organizations must not only comply with the GDPR but also be able to demonstrate compliance perhaps years after a particular decision relating to processing personal data was taken. Record-keeping, audit and appropriate governance will all form a key role in achieving accountability.

Legal Basis under Article 6

In addition, in order to satisfy the lawfulness principle, each use of personal data must be justified by reference to an appropriate basis for processing. The legal bases (also known lawful bases or lawful grounds) under which personal data may be processed are (Article 6(1)):

• with the consent of the data subject (where consent must be "freely given, specific, informed and unambiguous", and must be capable of being withdrawn at any time);
• where necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract;
• where necessary to comply with a legal obligation (of the EU) to which the controller is subject;
• where necessary to protect the vital interests of the data subject or another person (generally recognized as being limited to 'life or death' scenarios, such as medical emergencies);
• where necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller; or
• where necessary for the purposes of the legitimate interests of the controller or a third party (which is subject to a balancing test, in which the interests of the controller must not override the interests or fundamental rights and freedoms of the data subject. Note also that this basis cannot be relied upon by a public authority in the performance of its tasks).

Special Category Data

Processing of special category data is prohibited (Article 9), except where one of the following exemptions applies (which, in effect, operate as secondary bases which must be established for the lawful processing of special category data, in addition to an Article 6 basis):

• with the explicit consent of the data subject;
• where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and social protection law or a collective agreement;
• where necessary to protect the vital interests of the data subject or another natural person who is physically or legally incapable of giving consent;
• in limited circumstances by certain not-for-profit bodies;
• where processing relates to the personal data which are manifestly made public by the data subject;
• where processing is necessary for the establishment, exercise or defense of legal claims or where courts are acting in their legal capacity;
• where necessary for reasons of substantial public interest on the basis of Union or Member State law, proportionate to the aim pursued and with appropriate safeguards;
• where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, provision of health or social care or treatment of the management of health or social care systems and services;
• where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of health care and of medical products and devices; or
• where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with restrictions set out in Article 89(1).

Member States are permitted to introduce domestic laws including further conditions and limitations for processing with regard to processing genetic data, biometric data and health data.

Criminal Convictions and Offences data

Processing of personal data relating to criminal convictions and offences is prohibited unless carried out under the control of an official public authority, or specifically authorised by Member State domestic law (Article 10).

Processing for a Secondary Purpose

Increasingly, organizations wish to 're-purpose' personal data - ie, use data collected for one purpose for a new purpose which was not disclosed to the data subject at the time the data were first collected. This is potentially in conflict with the core principle of purpose limitation; to ensure that the rights of data subjects are protected. The GDPR sets out a series of factors that the controller must consider to ascertain whether the new process is compatible with the purposes for which the personal data were initially collected (Article 6(4)). These include:

• any link between the original purpose and the new purpose
• the context in which the data have been collected
• the nature of the personal data, in particular whether special categories of data or data relating to criminal convictions are processed (with the inference being that if they are it will be much harder to form the view that a new purpose is compatible)
• the possible consequences of the new processing for the data subjects
• the existence of appropriate safeguards, which may include encryption or pseudonymisation.

If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new purpose are consent or a legal obligation (more specifically an EU or Member State law which constitutes a necessary and proportionate measure in a democratic society).

Transparency (Privacy Notices)

The GDPR places considerable emphasis on transparency, ie, the right for a data subject to understand how and why his or her data are used, and what other rights are available to data subjects to control processing. The presentation of granular, yet easily accessible, privacy notices should, therefore, be seen as a cornerstone of GDPR compliance.

Various information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using clear and plain language (Article 12(1)).

The following information must be provided (Article 13) at the time the data are obtained: 

• the identity and contact details of the controller;
• the data protection officer's contact details (if there is one);
• both the purpose for which data will be processed and the legal basis for processing, including, if relevant, the legitimate interests for processing;
• the recipients or categories of recipients of the personal data;
• details of international transfers;
• the period for which personal data will be stored or, if that is not possible, the criteria used to determine this;
• the existence of rights of the data subject including the right to access, rectify, require erasure, restrict processing, object to processing and data portability;
• where applicable, the right to withdraw consent, and the right to complain to supervisory authorities;
• the consequences of failing to provide data necessary to enter into a contract;
• the existence of any automated decision making and profiling and the consequences for the data subject; and
• in addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that further processing, providing the above information.

Somewhat different requirements apply (Article 14) where information has not been obtained from the data subject.

Rights of the Data Subject

Data subjects enjoy a range of rights to control the processing of their personal data, some of which are very broadly applicable, whilst others only apply in quite limited circumstances. Controllers must provide information on action taken in response to requests within one calendar month as a default, with a limited right for the controller to extend this period thereby a further two months where the request is onerous.

Right of access (Article 15)

A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information about the how the data have been used by the controller.

Right to rectify (Article 16)

Data subjects may require inaccurate or incomplete personal data to be corrected or completed without undue delay.

Right to erasure ('right to be forgotten') (Article 17)

Data subjects may request erasure of their personal data. The forerunner of this right made headlines in 2014 when Europe’s highest court ruled against Google (Judgment of the CJEU in Case C-131/12), in effect requiring Google to remove search results relating to historic proceedings against a Spanish national for an unpaid debt on the basis that Google as a data controller of the search results had no legal basis to process that information.

The right is not absolute; it only arises in quite a narrow set of circumstances, notably where the controller no longer needs the data for the purposes for which they were collected or otherwise lawfully processed, or as a corollary of the successful exercise of the objection right, or of the withdrawal of consent.

Right to restriction of processing (Article 18)

Data subjects enjoy a right to restrict processing of their personal data in defined circumstances. These include where the accuracy of the data is contested; where the processing is unlawful; where the data are no longer needed save for legal claims of the data subject, or where the legitimate grounds for processing by the controller are contested.

Right to data portability (Article 20)

Where the processing of personal data is justified either on the basis that the data subject has given his or her consent to processing or where processing is necessary for the performance of a contract, then the data subject has the right to receive or have transmitted to another controller all personal data concerning him or her in a structured, commonly used and machine-readable format (eg, commonly used file formats recognized by mainstream software applications, such as .xsl).

Right to object (Article 21)

Data subjects have the right to object to processing on the legal basis of the legitimate interests of the data controller or where processing is in the public interest. Controllers will then have to suspend processing of the data until such time as they demonstrate “compelling legitimate grounds” for processing which override the rights of the data subject.

In addition, data subjects enjoy an unconditional right to object to the processing of personal data for direct marketing purposes at any time. 

The right not to be subject to automated decision making, including profiling (Article 22)

Automated decision making (including profiling) "which produces legal effects concerning [the data subject] … or similarly significantly affects him or her" is only permitted where: 

1. necessary for entering into or performing a contract;
2. authorized by EU or Member State law; or 
3. the data subject has given their explicit (ie, opt-in) consent.

Further, where significant automated decisions are taken on the basis of grounds (a) or (c), the data subject has the right to obtain human intervention, to contest the decision, and to express his or her point of view.

---

Finland regulation

Finland has used the national leeway provided in GDPR article 6(1) subsection e) as well as GDPR article 9(2) subsections b), g), h), i) and j) regarding collecting and processing personal data in certain situations.

In Finland, personal data may be processed under GDPR article 6(1) e) when processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, if:

it relates to information representing a person’s position, tasks and the processing thereof in the public sector entity, business life or other equivalent activity, the purpose of processing rests on the public interest grounds and it complies with the principle of proportionality;

• it is necessary in the operation of authorities in order to perform a task in public interest and it complies with the principle of proportionality;
• it is necessary for scientific or historical research or statistical purposes and it complies with the principle of proportionality; or
• the processing of research material, material related to cultural heritage and any description information thereof for archiving purposes is necessary on public interest grounds and complies with the principle of proportionality.

The processing of special categories of personal data under GDPR article 9(2) subsections b), g), h), i) and j) may be carried out in Finland if it concerns, by way of example:

• personal data of the insured person or a claimant within the operation of an insurance company to settle its liability;
• health and medical data in connection with certain operations of healthcare and social welfare service providers; or
• processing for scientific or historical research purposes or statistical purposes.

In addition to the above-mentioned processing activities, the national leeway has also been used in the Data Protection Act with respect to processing related to criminal convictions and offences as well as processing of national identification numbers. For example in relation to national identification numbers, processing is only allowed based on data subject consent or if it is necessary to unambiguously identify the data subject for: a) a task defined in law, b) realization of the rights and responsibilities of the data subject or data controller, or c) historical or scientific research or statistical purposes. Further, national identification numbers can be processed for e.g. credit, loan, insurance, debt collection, payment service and leasing purposes, in social or healthcare services, and in connection with employment relatioships.

The Working Life Act sets additional processing requirements to employment related data that an employer collects and processes of its employees. All employee personal data processed must at all times be directly necessary for the employee’s employment relationship. This necessity requirement cannot be bypassed even with the employee’s consent.

EU regulation

Data protection principles

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under these principles, personal data must be (Article 5):

• processed lawfully, fairly and in a transparent manner (the "lawfulness, fairness and transparency principle");
• collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (the "purpose limitation principle");
• adequate, relevant and limited to what is necessary in relation to the purpose(s) (the "data minimization principle");
• accurate and where necessary kept up-to-date (the "accuracy principle");
• kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which the data are processed (the "storage limitation principle"); and
• processed in a manner that ensures appropriate security of the personal data, using appropriate technical and organizational measures (the "integrity and confidentiality principle").

The controller is responsible for and must be able to demonstrate compliance with the above principles (the "accountability principle"). Accountability is a core theme of the GDPR. Organizations must not only comply with the GDPR but also be able to demonstrate compliance perhaps years after a particular decision relating to processing personal data was taken. Record-keeping, audit and appropriate governance will all form a key role in achieving accountability.

Legal basis under article 6

In addition, in order to satisfy the lawfulness principle, each use of personal data must be justified by reference to an appropriate basis for processing. The legal bases (also known lawful bases or lawful grounds) under which personal data may be processed are (Article 6(1)):

• with the consent of the data subject (where consent must be "freely given, specific, informed and unambiguous", and must be capable of being withdrawn at any time);
• where necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract;
• where necessary to comply with a legal obligation (of the EU) to which the controller is subject;
• where necessary to protect the vital interests of the data subject or another person (generally recognized as being limited to 'life or death' scenarios, such as medical emergencies);
• where necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller; or
• where necessary for the purposes of the legitimate interests of the controller or a third party (which is subject to a balancing test, in which the interests of the controller must not override the interests or fundamental rights and freedoms of the data subject. Note also that this basis cannot be relied upon by a public authority in the performance of its tasks).

Special category data

Processing of special category data is prohibited (Article 9), except where one of the following exemptions applies (which, in effect, operate as secondary bases which must be established for the lawful processing of special category data, in addition to an Article 6 legal basis):

• with the explicit consent of the data subject;
• where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and social protection law or a collective agreement;
• where necessary to protect the vital interests of the data subject or another natural person who is physically or legally incapable of giving consent;
• in limited circumstances by certain not-for-profit bodies;
• where processing relates to the personal data which are manifestly made public by the data subject;
• where processing is necessary for the establishment, exercise or defense of legal claims or where courts are acting in their legal capacity;
• where necessary for reasons of substantial public interest on the basis of Union or Member State law, proportionate to the aim pursued and with appropriate safeguards;
• where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, provision of health or social care or treatment of the management of health or social care systems and services;
• where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of health care and of medical products and devices; or
• where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with restrictions set out in Article 89(1).

Member States are permitted to introduce domestic laws including further conditions and limitations for processing with regard to processing genetic data, biometric data and health data.

Criminal convictions and offences data

Processing of personal data relating to criminal convictions and offences is prohibited unless carried out under the control of an official public authority, or specifically authorized by Member State domestic law (Article 10).

Processing for a secondary purpose

Increasingly, organizations wish to 're-purpose' personal data - i.e. use data collected for one purpose for a new purpose which was not disclosed to the data subject at the time the data were first collected. This is potentially in conflict with the core principle of purpose limitation; to ensure that the rights of data subjects are protected. The GDPR sets out a series of factors that the controller must consider to ascertain whether the new process is compatible with the purposes for which the personal data were initially collected (Article 6(4)). These include:

• any link between the original purpose and the new purpose
• the context in which the data have been collected
• the nature of the personal data, in particular whether special categories of data or data relating to criminal convictions are processed (with the inference being that if they are it will be much harder to form the view that a new purpose is compatible)
• the possible consequences of the new processing for the data subjects
• the existence of appropriate safeguards, which may include encryption or pseudonymisation.

If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new purpose are consent or a legal obligation (more specifically an EU or Member State law which constitutes a necessary and proportionate measure in a democratic society).

Transparency (privacy notices)

The GDPR places considerable emphasis on transparency, i.e. the right for a data subject to understand how and why his or her data are used, and what other rights are available to data subjects to control processing. The presentation of granular, yet easily accessible, privacy notices should, therefore, be seen as a cornerstone of GDPR compliance.

Various information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using clear and plain language (Article 12(1)).

The following information must be provided (Article 13) at the time the data are obtained: 

• the identity and contact details of the controller;
• the data protection officer's contact details (if there is one);
• both the purpose for which data will be processed and the legal basis for processing, including, if relevant, the legitimate interests for processing;
• the recipients or categories of recipients of the personal data;
• details of international transfers;
• the period for which personal data will be stored or, if that is not possible, the criteria used to determine this;
• the existence of rights of the data subject including the right to access, rectify, require erasure, restrict processing, object to processing and data portability;
• where applicable, the right to withdraw consent, and the right to complain to supervisory authorities;
• the consequences of failing to provide data necessary to enter into a contract;
• the existence of any automated decision making and profiling and the consequences for the data subject; and
• in addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that further processing, providing the above information.

Somewhat different requirements apply (Article 14) where information has not been obtained from the data subject.

Rights of the data subject

Data subjects enjoy a range of rights to control the processing of their personal data, some of which are very broadly applicable, whilst others only apply in quite limited circumstances. Controllers must provide information on action taken in response to requests within one calendar month as a default, with a limited right for the controller to extend this period thereby a further two months where the request is onerous.

Right of access (Article 15)

A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information about the how the data have been used by the controller.

Right to rectify (Article 16)

Data subjects may require inaccurate or incomplete personal data to be corrected or completed without undue delay.

Right to erasure ('right to be forgotten') (Article 17)

Data subjects may request erasure of their personal data. The forerunner of this right made headlines in 2014 when Europe’s highest court ruled against Google (Judgment of the CJEU in Case C-131/12), in effect requiring Google to remove search results relating to historic proceedings against a Spanish national for an unpaid debt on the basis that Google as a data controller of the search results had no legal basis to process that information.

The right is not absolute; it only arises in quite a narrow set of circumstances, notably where the controller no longer needs the data for the purposes for which they were collected or otherwise lawfully processed, or as a corollary of the successful exercise of the objection right, or of the withdrawal of consent.

Right to restriction of processing (Article 18)

Data subjects enjoy a right to restrict processing of their personal data in defined circumstances. These include where the accuracy of the data is contested; where the processing is unlawful; where the data are no longer needed save for legal claims of the data subject, or where the legitimate grounds for processing by the controller are contested.

Right to data portability (Article 20)

Where the processing of personal data is justified either on the basis that the data subject has given his or her consent to processing or where processing is necessary for the performance of a contract, then the data subject has the right to receive or have transmitted to another controller all personal data concerning him or her in a structured, commonly used and machine-readable format (e.g. commonly used file formats recognized by mainstream software applications, such as .xsl).

Right to object (Article 21)

Data subjects have the right to object to processing on the legal basis of the legitimate interests of the data controller or where processing is in the public interest. Controllers will then have to suspend processing of the data until such time as they demonstrate “compelling legitimate grounds” for processing which override the rights of the data subject.

In addition, data subjects enjoy an unconditional right to object to the processing of personal data for direct marketing purposes at any time. 

The right not to be subject to automated decision making, including profiling (Article 22)

Automated decision making (including profiling) "which produces legal effects concerning [the data subject] … or similarly significantly affects him or her" is only permitted where: 

1. necessary for entering into or performing a contract;
2. authorized by EU or Member State law; or 
3. the data subject has given their explicit (i.e. opt-in) consent.

Further, where significant automated decisions are taken on the basis of grounds (a) or (c), the data subject has the right to obtain human intervention, to contest the decision, and to express his or her point of view.

---

France regulation

Special category data

The Law contains specific provisions regarding the processing of special categories of personal data, in particular regarding the processing of health data (eg. see above regarding authorization requirements).

Criminal convictions and offences data

The following categories of persons can process such personal data:

• Courts, public authorities and legal persons entrusted with a public service, acting within the scope of their legal functions, as well as entities collaborating with judicial entities as listed in the Decree;

• Auxiliaries of justice, for the strict exercise of their functions;

• Individuals and private entities to prepare, bring or defend a claim in court as a victim or defendant, and to execute the court decision, for the duration strictly necessary for these purposes. It is possible to share such information with third parties under the same conditions and for the same purposes;

• Collective IP rights management organizations for the purpose of defending those rights; and

• Persons reusing public information appearing in published rulings, provided that the processing has neither the purpose or effect of allowing the re-identification of the concerned persons.

In addition, the following categories of persons are authorized by the Decree to process personal data relating to criminal convictions, offenses or related security measures:

• Victims support associations contracted by the Ministry of Justice;

• Associations of assistance to the reintegration of persons placed under the authority of justice, in the respect of their social object;

• The establishments mentioned in 2 ° of I of Article L. 312-1 of the Code of Social Action and Families as part of their mission of medico-social support;

• The establishments and services mentioned in 4 ° and 14 ° of I of Article L. 312-1 of the Code of Social Action and Families;

• The drop-in and reception centers mentioned in III of Article L. 312-1 of the Code of Social Action and Families; The medical or medico-educational establishments authorized mentioned in articles 15 and 16 of the order No. 45-174 of  2 February 1945 relating to delinquent childhood;

• The public or private educational or vocational training institutions, authorized and appropriate boarding schools for juvenile school-aged offenders mentioned in Articles 15 and 16 of the aforementioned order of  2 February 1945;

• Private legal entities exercising a public service mission or the authorized associations mentioned in Article 16 of the aforementioned order of  2 February 1945;

• The legal representatives for the protection of the adults mentioned in Article L. 471-1 of the Code of Social Action and Families.

The CNIL may issue standard regulations, prescribe additional measures to be implemented, including of a technical and organizational nature, and / or complementary warranties for processing of special categories of data, including notably criminal convictions and offences data, by public and private entities (except for processing carried out in connection with the exercise of public authority by or on behalf of the State).

In addition, processing of criminal convictions and offences data which purpose is the prevention, investigation, detection or prosecution of criminal offences, or enforcement of criminal convictions or security measures by or on behalf of the State is subject to an order of the competent Ministry.

Transparency (privacy notices)

The Law mandates data controllers to provide data subjects with information relating to their right to define directives relating to the processing of their personal data after their death (digital legacy).

In addition, where the data is collected from a data subject under 15, the data controller must provide the mandatory information provided for by Art. 13 GDPR in a clear and easily accessible language.

French data subjects should be also provided with the information relating to the processing of their personal data in French (notably in accordance with Act no. 94-665 dated 4 August 1994 related to the use of the French language and with the CNIL’s requirements as set out in deliberation No. SAN-2023-023 of 29 December 2023). 

Rights of the data subjects

The Decree describes the conditions in which the data subjects can exercise their rights (and more precisely, the conditions to check the identity of the data subject making the request).

Data subjects’ rights can be restricted notably to avoid obstructing administrative investigations, inquiries or procedures, to safeguard the prevention, investigation, detection and prosecution of criminal offences, as well as of administrative enquiries, or to protect the rights and freedoms of others.

Right of access

In 2024, as part of a coordinated action at the EU level, the CNIL has carried out a series of investigations to ensure that the right of access was properly taken into account. Based on these investigations, the CNIL has taken repressive measures against organizations that only partially responded to these requests.

Digital legacy

Data subjects have the right to give instructions regarding the storage, deletion and communication of their personal data after their death (Articles 48 and 85 of the Law). Such instructions can be either:

• General, in which case they apply to all their personal data, irrespective of who the controller is. Such instructions can be given to a trusted third party certified by the CNIL; however, the implementing decree in this respect has never been adopted since the adoption of this provision in 2016; or

• Specific to one or several services, in which case the data subject can also give his / her instructions to the relevant data controller. It is required to obtain the specific consent of the data subject, and such consent cannot derive from his / her consent to general terms and conditions.

If the data subject has not given any instructions in his / her lifetime, then his / her heirs can exercise certain rights, in particular:

• The right of access, if it is necessary for the settlement of the succession; and

• The right to close the deceased’s accounts and to cease the processing of his / her personal data or, request the update of the personal data of the deceased.

The data processor must present sufficient guarantees to ensure the security and confidentiality of personal data. This requirement does not relieve the data controller of its obligation to ensure compliance with the measure concerning security and confidentiality displayed in Articles 113 et seq. of the Personal Data Act 2023.

The obligations of data controllers include:

• Transparency: The data controller must inform the data subject of the terms of processing when the data is not collected from the data subject. In addition, the data controller must inform the data subject at least before the first communication and must also guarantee a lawful basis to carry out the processing operation;
• Confidentiality: The data controller must assure that the processing of personal data is only carried out under his authority and instructions. In addition, the data controller must guarantee that only individuals who have technical and legal knowledge regarding the integrity of data, and in this sense the data controller must ensure that the individuals dealing with personal data has signed a non-disclosure agreement;
• Security: The data controller is required to take any appropriate precautionary measures in regard to the nature of personal data, and, in particular, the data controller shall prevent personal data from being distorted, damaged, or unauthorised access by third parties. In particular, the data controller must: 
  
  • create different levels of access permissions, on a need-to-know basis depending on the position of its employees, thus avoiding unauthorised actions;
  • use encryption or pseudonymisation; 
  • keep a record of who accesses the personal data, when and why, ensuring traceability of its use; 
  • maintain backups in secondary sources to prevent accidental changes or loss of data; and
  • ensure the identity of the person who wants to access the data or the identity of the parties to whom the data will be disclosed;
• Retention: The data controller must guarantee that the data is kept for no longer than the purpose for which was collected.

The Data Protection Law expressly provides for limited data controller rights, and in practice provides data controllers with the right to: 

• process personal data in the conditions provided for by law; 
• refuse compliance with unreasonable requests and demands from data subjects; and 
• appeal any sanctioning decisions by the APDPVP before the State Counsel.

By contrast, the data subject are entitled to the following rights provided for in Articles 52 and 53 of the aforementioned Personal Data Act 2023:

• obtain all of their personal data in an understandable form, as well as any available information as to the origin;
• oppose, for legitimate reasons, the processing of personal data concerning them;
• oppose the processing of their personal data for prospecting purposes;
• rectify, complete, update, lock, or delete personal data concerning them, where it is inaccurate, incomplete, equivocal, out of date, or if collection, use, communication or conservation is prohibited; and
• not be subject to decisions made on the sole basis of an automated processing that would produce significant or detrimental legal repercussions for them.

Interconnection of personal data shall:

• not discriminate against or infringe on the fundamental rights, freedoms, and guarantees of holders of the data;
• ensure the use of appropriate safety measures; and
• take into account the principle of relevance (Article 169 of the Personal Data Act 2023).

Data protection principles

As per Article 4 of Data Protection Law, the following principles shall be observed during data processing:

• data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject (lawfulness, fairness and transparency’). The obligation to ensure the transparency of data processing will not apply to the exceptional cases established by the respective Law;
• data shall be collected / obtained for specified, explicit and legitimate purposes. Further processing of data for other purposes that are incompatible with the initial purposes shall be inadmissible (Secondary Purpose);
• data shall be processed only to the extent necessary to achieve the respective legitimate purpose. The data shall be proportionate to the purpose for which they are processed;
• data shall be valid and accurate and, where necessary, kept up to date. Having regard to the purposes of data processing, inaccurate data shall be rectified, erased or destroyed without undue delay;
• data may be stored only for a period which is necessary for achieving the legitimate purpose for which the data are processed. Once the purpose for which the data was processed has been achieved, the data shall be erased, destroyed or stored in a depersonalized form, unless the processing of data is required by law and / or a subordinate normative legal act issued in accordance with law, and the storing of data is a necessary and proportionate measure in a democratic society to safeguard overriding interests;
• to ensure the security of data, technical and organizational measures shall be taken during the processing of data to ensure appropriate security, including protection against unauthorized or unlawful processing, accidental loss, destruction and / or damage.

The controller shall be responsible for, and demonstrate compliance with, the described principles when processing data.

Processing for a further purpose

If data are to be processed for purposes other than those for which they have been collected / obtained (Secondary Purpose), and the processing is not based on the consent of the data subject or on law, the controller shall, in order to decide whether the data were processed for purposes other than those for which they have been collected / obtained, take into account:

• any link between the initial purpose for which the data have been collected / obtained and the intended further purpose;
• the nature of the relationship between the controller and the data subject in the context of collecting / obtaining data;
• whether the data subject has reasonable expectations as to the further processing of data concerning him / her;
• whether special categories of data are processed;
• possible consequences for the data subject that may accompany further data processing;
• the existence of technical and organizational safeguards. 

Data collected by a law enforcement agency in the course of its activities may be processed for the purpose of general analysis of criminal activity and to establish the relationship between the various offences detected. The further processing of data by the controller for the purposes of crime prevention (including the conduct of appropriate analytical research), investigation, prosecution, the administration of justice, the enforcement of detention and imprisonment, the execution of non-custodial sentences and probation, ensuring the placement of a person in a temporary detention cell, combating illegal migration, the implementation of international protection, responding to administrative offences, ensuring public and fire safety, the conduct of operative and investigative activities, the safeguarding of public safety and / or the protection of the rule of law (including the conduct of criminological research by a relevant law enforcement body or a court), shall not be considered to be incompatible with initial purposes if the processing of data is required by law, or a law and a subordinate normative act issued on the basis thereof. 

Furthermore, the further processing of data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with initial purposes. Long-term storage of data for the purposes referred to herein shall be permitted if appropriate technical and organizational measures are in place to protect the rights of the data subject. 

The controller shall be responsible for, and demonstrate compliance with, the described principles when processing data.

Grounds for data processing

Data processing is admissible where one of the following grounds exists:

• the data subject has given consent to the processing of data concerning him / her for one or more specific purposes;
• data processing is necessary for the performance of a contract entered into with the data subject or to enter into a contract at the request of the data subject;
• data processing is provided for by law;
• data processing is necessary for the controller to perform his / her statutory duties;
• according to law, the data are publicly available or the data subject has made them publicly available;
• data processing is necessary to protect the vital interests of the data subject or another person, including to monitor epidemics and / or prevent their spread, or manage humanitarian crises and natural and man-made disasters;
• data processing is necessary to protect substantial public interests;
• data processing is necessary to perform tasks falling within the scope of public interest as defined by the legislation of Georgia, including for the purposes of crime prevention, investigation, prosecution, the administration of justice, the enforcement of detention and imprisonment, the execution of non-custodial sentences and probation, the conduct of operative and investigative activities, the safeguarding of public safety and / or the protection of the rule of law, including information security and cyber security;
• data processing is necessary to protect important legitimate interests pursued by the controller or a third party, unless there is an overriding interest in protecting the rights of the data subject (including a minor);
• data processing is necessary to review an application submitted by the data subject (to provide services to him / her). 

Processing of special categories of data

The processing of special categories of data is permitted only if the controller provides safeguards for the rights and interests of the data subject as provided for by the Data Protection Law and if one of the following grounds exists:

• the data subject has given consent to the processing of the special category data for one or more specified purposes;
• the processing of special categories of data is expressly and specifically regulated by law, and their processing is a necessary and proportionate measure in a democratic society;
• the processing of special categories of data is necessary to protect the vital interests of the data subject or another person and the data subject is physically or legally incapable of giving consent to the processing of special categories of data;
• the processing of special categories of data is necessary in the area of health care for the purposes of preventive, prophylactic, diagnostic, therapeutic, rehabilitative and palliative care, and for the management of services, medical equipment and the quality and safety of products, public health and the health care system, in accordance with the legislation of Georgia or a contract with a health professional (if these data are processed by a person who has an obligation to protect professional secrets);
• the processing of special categories of data is necessary for the purposes of performing the statutory duties of the controller or exercising the specific rights of the data subject in the field of social security and social protection, including for the management of the social security system and services;
• the processing of special categories of data is necessary for the purposes of crime prevention (including the conduct of appropriate analytical research), investigation, prosecution, the administration of justice, the enforcement of detention and imprisonment, the execution of non-custodial sentences and probation, ensuring the placement of a person in a temporary detention cell, combating illegal migration, the implementation of international protection, responding to administrative offences, ensuring public and fire safety, the conduct of operative and investigative activities, the safeguarding of public safety and / or the protection of the rule of law (including the conduct of criminological research by a relevant law enforcement body or a court), and the processing of such data is required by law, or a law and a subordinate normative act issued on the basis thereof;
• special categories of data are processed to ensure information security and cyber security;
• the processing of special categories of data is necessary because of the nature of labor obligations and relations, including for making decisions on employment and assessing the working capacity of the employee;
• the data subject has made his / her data publicly available without an explicit prohibition of their use;
• the processing of special categories of data is necessary to protect substantial public interests;
• special categories of data are processed by political or professional associations, and organizations with religious or non-religious philosophical aims, for their legitimate activities. In this case, the processing of such data may relate solely to the members or former members of this association / organization or persons who have regular contact with this association / organization in connection with its purposes, on condition that these data are not disclosed to a third party without the consent of the data subjects;
• the processing of special categories of data is necessary for archiving purposes in the public interest as provided for by law, for scientific or historical research purposes or statistical purposes if the law provides for the implementation of appropriate and specific measures to protect the rights and interests of the data subject. This ground for the processing of special categories data shall not apply if a special law expressly provides for the restriction of the processing of such data under additional and different conditions;
• special categories of data are processed for the purpose of the functioning of the Unified Migration Analytical System;
• special categories of data are processed for the purposes of exercising the right to education of persons with disabilities and persons with special educational needs;
• special categories of data are processed for the purposes of reviewing the issue within the ambit of the Law of Georgia on the Elimination of Violence against Women and / or Domestic Violence, and the Protection and Support of Victims of Such Violence;
• special categories of data are processed for the purpose of the re-socialization and rehabilitation of convicted persons and former prisoners, and for the coordination of the process of the referral of minors;
• special categories of data are processed for the purposes of issuing and publishing as public information, in accordance with the Organic Law of Georgia on General Courts, a judicial act adopted as a result of open court hearings;
• special categories of data are processed in cases expressly provided for by the Law of Georgia on Public Procurement;
• special categories of data are processed for the functioning of the institutional inter-agency coordination mechanism – for the purposes of identifying and / or managing cases involving harm or anticipated risks to the life, health or safety of the child and / or to the best interests of the child or to his / her rights, and ensuring, within the limits of these purposes, coordination between competent bodies (agencies) as designated by the Government of Georgia in the cases provided for by the Code on the Rights of the Child.

Specific processing activities

Procedure and conditions for giving consent to the processing of data relating to a minor

The processing of data relating to a minor is permitted on the basis of his / her consent if he / she has attained the age of 16, and the processing of data relating to a minor under the age of 16 is permitted with the consent of his / her parent or other legal representative, except in cases expressly provided for by law, including where the consent of a minor between the ages of 16 and 18 and his / her parent or other legal representative is required for the processing of data.

The controller is obliged to take reasonable and adequate measures to confirm the existence of the consent of the parent or other legal representative of a minor under the age of 16. In addition to that, the processing of special categories of data relating to a minor is permitted only on the basis of the written consent of the minor’s parent or other legal representative, except in cases expressly provided for by law.

When processing data relating to a minor, the controller is obliged to take into account and protect the best interests of the minor. Furthermore, the consent of a minor, his / her parents or other legal representative to the processing of data will not be considered valid if the processing of the data jeopardizes or harms the best interests of the minor. 

Protection of data of a deceased person

After a data subject dies, the processing of data concerning him / her is permitted: 

• on the grounds specified above (general grounds and grounds for specific categories of data, as above outlined);
• unless the processing of such data has been prohibited by the data subject’s parent, child, grandchild or spouse (except in cases where the data subject has prohibited in writing the processing of data concerning him / her after his / her death);
• if 30 years have passed since the death of the data subject;
• if this is necessary to exercise an inheritance right.

The processing of the name, surname, sex, date of birth and date of death of a deceased person is permitted irrespective of the circumstances and grounds as provided for above. 

Processing of biometric data

Biometric data may be processed only if this is necessary for the purposes of carrying out activities, security, protection of property and prevention of the disclosure of secret information, and these purposes cannot be achieved by other means or involve disproportionate effort, as well as for the purposes of issuing an identity document in accordance with law, identifying a person crossing the state border, combating illegal migration, implementation of international protection, crime prevention, investigation, prosecution, administration of justice, the enforcement of detention and imprisonment, the execution of non-custodial sentences and probation, the re-socialization and rehabilitation of convicted persons and former prisoners, the coordination of the process of the referral of minors, the conduct of operative and investigative activities, and ensuring information security and cyber security and in other cases expressly provided for by law.

The controller is obliged, in accordance with the principles provided for by the Law (as stated above), to determine in writing, prior to processing, the purpose and amount of biometric data to be processed, the period of storage of these data, the procedure and conditions for their storage and destruction, and the mechanisms for the protection of the rights of the data subject.

Video monitoring

Video monitoring is permitted for the purposes of crime prevention, crime detection, public safety, the protection of personal safety and property, the protection of minors (including from harmful influence), the protection of secret information, examination / testing, and for the performance of tasks related to public and / or other legitimate interests, provided that the video monitoring is adequate and proportionate to the purpose of data processing.

To carry out video monitoring, the controller is obliged, in accordance with the principles provided for the Law (as outlined above), to determine in writing the purpose and amount of video monitoring, the duration of the video monitoring and the period of storage of the video recording, the procedure and conditions for accessing, storing and destroying the video recording, and the mechanism for the protection of the rights of the data subject, except in cases where a natural person carries out video monitoring in a residential building.

Video monitoring of the work process / area of an employee is only permitted in exceptional cases where the purposes referred to right above cannot be achieved by other means or involve disproportionate effort. Video monitoring is not permitted in changing rooms, hygiene facilities or other places where a data subject has a reasonable expectation of privacy and / or where video monitoring is contrary to generally accepted moral standards.

A video monitoring system and video recordings should be protected from unlawful encroachment and use. The controller shall ensure that any access to the video recordings is recorded, including the time of access and the user name that allow the identification of the person who accessed the video recording.

In a residential building, the video monitoring of a common entrance to a residential building and of a common space in a residential building shall be permitted with the written consent of more than half of the owners (if an owner cannot be identified, the consent of a possessor may be obtained), unless the controller / the processor carries out video monitoring to perform his / her statutory duties and the area of video monitoring includes the common entrance and common space of the residential building. Furthermore, the video monitoring of an entrance to an individual property in a residential building shall be permitted only by a decision of the owner / possessor or with his / her written consent, in such a manner that the video monitoring does not harm the legitimate interests of other persons (including those lawfully using the owner’s property).

The controller / processor should place a warning sign indicating that video monitoring is being carried out in a visible place and also warn the employee in writing of the specific purpose(s) of the video monitoring. Where the respective requirements are met, the data subject shall be deemed to be informed of the processing of data concerning him / her.

A warning sign indicating that video monitoring is being carried out should have an appropriate inscription, a clearly visible image of video monitoring in progress, and the name and contact details of the controller.

Audio monitoring

Audio monitoring is permitted:

• with the consent of the data subject;
• to make a record;
• to protect important legitimate interests pursued by the controller, provided that appropriate and specific measures are in place to safeguard the rights and interests of the data subject;
• in other cases expressly provided for by the legislation of Georgia.

To carry out audio monitoring, the controller is obliged, in accordance with the principles provided for by Law (as outlined above), to determine in writing and in advance, the purpose and amount of audio monitoring, the duration of the audio monitoring, the procedure and conditions for accessing, storing and destroying the audio recording, and the mechanism for the protection of the rights of the data subject.

Also, the controller should warn the data subject, prior to or upon starting audio monitoring, about the carrying out of audio monitoring, and explain to him / her his / her right to object (if any). The burden of proof of informing the data subject lies with the controller / processor.

If the data subject is informed of audio monitoring by means of a warning sign, the warning sign shall have an appropriate inscription, a clearly visible image of audio monitoring in progress, and the name and contact details of the controller. 

Communicating with a data subject (privacy notices)

Where data are collected directly from the data subject, the controller is obliged to provide the data subject with at least the following information before or at the beginning of the collection:

• the identity / name and the contact details of the controller, his / her representative and / or the processor (if any);
• the purposes and the legal basis of the processing of the data;
• whether the provision of the data is mandatory, and where the provision of the data is mandatory, the legal consequences of refusal to provide them, as well as the information that the collection / obtaining of the data is required by the legislation of Georgia or is a necessary condition for entering into a contract (if such information exists);
• the important legitimate interests pursued by the controller or of a third party;
• the identity and the contact details of the personal data protection officer (if any);
• the identity of the recipients or categories of recipients of the data (if any);
• the planned transfer of data and the existence of appropriate safeguards for the protection of the data, including authorization to transfer the data (if any) if the controller plans to transfer the data to another state or an international organization;
• the period for which the data will be stored and, if no specific period can be determined, the criteria used to determine that period;
• the right of the data subject as provided for by this chapter.

The provision of the information referred to right above is not mandatory if it is reasonably foreseeable that the data subject already has such information. 

The controller is obligated to provide the described information to the data subject, especially if the data subject is a minor, in simple and understandable language. This information may be provided orally or in writing (including electronically), unless the data subject requests the provision of the information in writing.

Where data are not collected directly from the data subject, the collector is obliged to provide the data subject with the information referred to right above (in case data are collected from data subject), as well as information as to which data concerning him / her are being processed, and the source of the data, including whether the data have been obtained from a publicly accessible source. The controller shall provide the data subject with the respective information within a reasonable period, or if the data are used to communicate with the data subject, at the time of the first communication with the data subject, or if the disclosure of the data is envisaged, before the data are disclosed, but not later than 10 working day after obtaining the data.

The obligation to provide the information shall not apply to the controller and / or the processor if: the data subject already has the described information; the collection or disclosure of the data is established by law or required for the performance of statutory duties; the information cannot be provided or involves disproportionate effort, or the fulfilment of the respective obligation would seriously impair or render impossible the achievement of the legitimate purpose(s) of the processing. In such cases, the controller shall take appropriate measures to protect the rights and legitimate interests of the data subject, including by making general information about the collection of data publicly available / publishing general information about the collection of data in an easily accessible form.

Consent reception or / and withdrawal

If a controller plans to obtain written consent from a data subject with a document that also covers other matters, the controller is obliged to formulate the wording of the consent in the document in a clear, simple and understandable language and to separate it from other parts of the document.

If the consent of a data subject is given within the scope of a contract or service, when determining whether or not the consent was given on a voluntary basis, among other circumstances, it shall be assessed whether the consent is a required term of the contract or service, and whether it is possible to receive the relevant service / enter into the relevant contract without such consent.

Before obtaining consent from a data subject, a controller shall ensure that the data subject is informed of his / her right to withdraw the consent.

A controller is obliged to immediately terminate the data processing and delete or destroy the processed data if a data subject withdraws his / her consent, unless otherwise provided for by the Law.

The withdrawal of consent by a data subject shall not lead to the cancellation of legal consequences arising before the withdrawal of the consent and within the scope of the consent.

On the basis of a request of a data subject or in the event that this results in legal, financial or other significant consequences for the data subject, a controller is obliged to provide the data subject, prior to the withdrawal of consent by the data subject, with information on the consequences of the withdrawal of consent.

A controller is obliged to provide a free, simple and accessible mechanism for withdrawing consent, including the possibility of withdrawing consent in the same form in which the consent was given.

In the event of a dispute regarding the existence of a data subject’s consent to data processing, a controller shall bear the burden of proving the fact of the existence of the data subject’s consent.

Rights of data subjects

Right of data subjects to receive information on the processing of data

The data subject shall have the right to obtain from the controller confirmation as to whether or not data concerning him / her are being processed and, if requested by the data subject, the following information free of charge:

• which data concerning him / her are being processed, as well as the grounds for and the purpose of the processing;
• the source from which the data were collected / obtained;
• the period for which the data will be stored and, if no specific period can be determined, the criteria used to determine that period;
• the rights of the data subject as provided for by the Law;
• the legal basis and purposes of the data transfer, as well as the appropriate data protection safeguards if the data are transferred to another state or an international organization;
• the identity of the recipients or the categories of recipients, including information on the ground for and purpose of the transfer, if the data are transferred to a third party;
• the decision made as a result of automated processing, including profiling, and the logic involved in making such a decision, as well as its impact on the processing and the expected results of the processing.

The data subject has the right to receive the information referred to right above not later than 10 working days after the request. This period may, in special cases and upon appropriate justification, be extended by no more than 10 working days, of which the data subject shall be notified immediately.

The controller shall have the right to provide the data subject with any information necessary to ensure transparent processing in accordance with transparency principle, unless the disclosure of the information is contrary to the law. Unless otherwise provided by the legislation of Georgia, the data subject has the right to choose the form of the provision of information described above. In addition, if the data subject does not request the information in another form, the information shall be provided in the same form in which it was requested.

Right to access and to obtain a copy

The data subject shall have the right to access personal data concerning him / her and to obtain copies of such data from the controller free of charge, except in cases where in order to access and / or issue the copies of data:

1. a fee is required under the legislation of Georgia;
2. a reasonable fee is established by the controller because of the resources spent on issuing them in a form other than the data are stored, and / or frequent requests.

The data subject shall have the right to access the data referred to above and / or to obtain copies thereof not later than 10 working days after the request, unless different time limits are set by the legislation of Georgia. The period may be extended in special cases and upon appropriate justification by no more than 10 working days, of which the data subject shall be notified immediately.

The data subject has the right to access the described data and / or to obtain copies thereof in a form in which they are kept by the controller and / or processor. The data subject shall also have the right to obtain copies of data concerning him / her in another form in return for a reasonable fee established by the controller and where technically feasible.

The fee shall not exceed the amount of resources actually spent by the controller. The burden of establishing a fee and of proving that its amount is reasonable shall lie with the controller.

Right to the rectification, update and completion of data

The data subject shall have the right to request the controller to rectify, update and / or complete erroneous, inaccurate and / or incomplete data concerning him / her. Within not later than 10 working days after the data subject has made such a request, the data shall be rectified, updated and / or completed, or the grounds on which the request was refused shall be notified, and the procedure for appealing against the refusal shall be explained, to the data subject.

If the controller, independently of the data subject, discovers that the data available to him / her are erroneous, inaccurate and / or incomplete, the controller shall rectify, update and / or complete the data within a reasonable period of time and inform the data subject thereof within 10 working days after the rectification of the data. The controller shall not be obliged to inform the data if the rectification, update and / or completion of the data is related to the correction / removal of a technical error. If there are objective circumstances that make it impossible to fulfil the obligation to inform the data subject within the said period, the controller shall inform the data subject of the change made at the time of the first communication to the data subject.

The collector shall inform all the recipients and all respective controllers and processors, to whom the controller transferred the same data, of the update and completion of the data, unless this information cannot be provided due to a large number of controllers / processors or recipients, and / or disproportionately high costs. The persons shall rectify, update and / or complete the data within a reasonable period after receiving the respective information.

Right to the termination of the processing, erasure or destruction of data

The data subject shall have the right to request the controller to terminate the processing of (including profiling), erase or destroy data concerning him / her. Within not later than 10 working days after the data subject has made such a request, the processing of the data shall be terminated, and / or the data shall be erased or destroyed, or the grounds on which the request was refused shall be notified and the procedure for appealing against the refusal shall be explained to the data subject. The controller shall have the right to refuse the request if:

• one of the grounds provided for above exists (general ground and / or ground for special category of data);
• data are processed for the purposes of substantiating a legal claim or a statement of defense;
• the processing of data is necessary for the exercise of the right of freedom of expression or information;
• data are processed for archiving purposes in the public interest as provided for by law, for scientific or historical research purposes or statistical purposes, and the exercise of the right to the termination of the processing, erasure or destruction of the data would render impossible or substantially impair the achievement of the purposes of the processing.

Where any of the described grounds exists, the controller shall have an obligation to justify the respective ground.

Furthermore, the data subject has the right to be informed of the termination of the processing, erasure or destruction of the data once the respective action has been taken, without delay and at the latest within 10 working days, also, where the data concerning him / her are processed in a publicly available form, to also request the controller to restrict access to the data and / or erase copies of or any internet links to the data.

The collector shall inform all the recipients and all respective controllers and processors, to whom the controller transferred the same data, of the termination of the processing, erasure and destruction of the data, unless this information cannot be provided due to a large number of controllers / processors or recipients, and / or disproportionately high costs. The respective persons shall, after the receipt of the respective information, terminate the processing of the data and erase or destroy the data.

Right to the blocking of data

The data subject has the right to request the controller to block data if any of the following circumstances exists:

• the authenticity or accuracy of the data is contested by the data subject;
• the processing of the data is unlawful, although the data subject opposes the erasure of the data and requests their blocking;
• the data are no longer needed for the purposes of the processing, but they are required by the data subject to lodge a complaint / claim;
• the data subject requests the termination of the processing, erasure or destruction of the data and this request is being considered;
• there is a need to retain the data for use as evidence.

The controller is obliged to block the data upon the request of the data subject if one of the circumstances provided for above applies, unless blocking the data could jeopardize one of the following:

• the fulfilment by the controller of the duties assigned to him / her by law and / or a law and a subordinate normative act issued on the basis thereof;
• the performance of tasks falling within the scope of public interest in accordance with law and the exercise by the controller of the powers conferred on him / her under the legislation of Georgia;
• the legitimate interests of the controller or a third party, unless there is an overriding interest in protecting the rights of a data subject, in particular a minor;
• the protection of interests of a data subject or a third party, or for the purposes of the security and defense of the State.

After the decision to block the data has been made, the controller may decide to unblock the data if any of the grounds provided for right above exists.

The data shall be blocked for the period that the reason for blocking them exists, and during this period, if technically feasible, the decision to block the data shall be attached to the relevant data. The data subject has the right to be informed of a decision to block the data or of the grounds for refusing to block the data once the decision has been made, without delay and at the latest within 3 working days after the request. Where data are blocked the data may be processed otherwise than by storage in the following cases:

• with the consent of the data subject;
• to substantiate a legal claim or a statement of defense;
• to protect the interests of the controller or a third party;
• to protect public interests in accordance with law.

Right to the transmission of data (data portability)

In the case of the automated processing of data on the grounds provided for by Article 5(1)(a) and (b) (Consent and / or Fulfillment of the Contractual Obligation) and Article 6(1)(a) (Consent) of the Data Protection Law, if technically feasible, the data subject shall have the right to receive from the controller data concerning him / her which he / she has provided to the controller in a structured, commonly used and machine-readable format, or to require that the data be transmitted to another controller.

Automated individual decision-making and related rights

The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or other similarly significant effects concerning him / her, except where a decision based on profiling is:

• based on the data subject’s explicit consent;
• necessary for entering into, or performing, a contract between the data subject and a controller;
• provided for by law or by a subordinate normative act issued within the powers delegated on the basis of the law.

Where there is a respective request from the data subject, the controller shall take appropriate measures to safeguard the data subject’s rights and freedoms and legitimate interests, including by involving human resources in the decision-making and by giving the right to the data subject to express his / her point of view and to contest the decision.

The use of special categories of data in the decision-making shall be permitted only in the cases provided for by Article 6(1)(a), (f) and (j) (Consent and / or during Investigations and / or Public Interest) of the Data Protection Law, provided that appropriate measures to safeguard the data subject’s rights and freedoms and legitimate interests are in place.

Right to withdraw consent

A data subject has the right to withdraw his / her consent at any time and without explanation. In such case, the processing of the data shall be terminated, and / or the processed data shall be erased or destroyed, according to the request of the data subject, within not later than 10 working days after the request, provided that no other ground for the processing exists. Furthermore, the data subject has the right to withdraw his / her consent in the same form in which it was given. Also, before withdrawing consent, the data subject has the right to request and receive from the controller information on the possible consequences of withdrawing the consent.

Restriction of the rights of data subjects

The rights of the data subject described above may be restricted if this is expressly provided for by the legislation of Georgia, does not violate fundamental human rights and freedoms, and is a necessary and proportionate measure in a democratic society, and the exercise of these rights may jeopardize:

• national security, information security and cyber security and / or defense interests;
• public safety interests;
• crime prevention, investigation, prosecution, the administration of justice, the enforcement of detention and imprisonment, the execution of non-custodial sentences and probation, and the conduct of operative and investigative activities;
• interests relating to financial or economic (including monetary, budgetary and taxation), public health and social protection issues of importance to the country;
• the detection of the data subject’s violations of professional ethical standards, including those of a regulated profession, and the imposition of liability on the data subject;
• the exercise of the functions and powers of regulatory and / or supervisory bodies in the respective areas;
• the protection of the rights and freedoms, including freedom of expression, of the data subject and others;
• the protection of state, commercial, professional and other secrets provided for by law;
• the substantiation of a legal claim or a statement of defense.

A described measure may be applied only to the extent necessary to achieve the purpose of the restriction. If the grounds listed above exist, the decision of the controller to restrict, or to refuse the exercise of, the rights of the data subject shall be notified to the data subject, except where the provision of the information would jeopardize the purpose (purposes) of the restriction of the right.

The exercise by the data subject of the rights elucidated above is free of charge, subject to the exceptions established by the Data Protection Law. Where the data subject makes an unreasonable number of requests, the controller may refuse to comply with the request, in which case he / she shall immediately inform the data subject in writing and explain to him / her his / her right to appeal.

Where the rights of the data subject are restricted and his / her request is refused, the burden of proof shall lie with the controller.

Right to appeal

If the rights as provided for and the rules established by the Data Protection Law are violated, the data subject has the right to apply to the Personal Data Protection Service, to a court and / or a superior administrative body in accordance with procedures established by law. In addition to that, the data subject has the right to request the Personal Data Protection Service to make a decision to block the data until a decision is made to complete the consideration of the application. Also, the data subject has the right to appeal the decision of the Personal Data Protection Service to a court, in compliance with the conditions and time limits established by the legislation of Georgia.

EU regulation

Data Protection Principles

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under these principles, personal data must be (Article 5):

• processed lawfully, fairly and in a transparent manner (the "lawfulness, fairness and transparency principle");
• collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (the "purpose limitation principle");
• adequate, relevant and limited to what is necessary in relation to the purpose(s) (the "data minimization principle");
• accurate and where necessary kept up-to-date (the "accuracy principle");
• kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which the data are processed (the "storage limitation principle"); and
• processed in a manner that ensures appropriate security of the personal data, using appropriate technical and organizational measures (the "integrity and confidentiality principle").

The controller is responsible for and must be able to demonstrate compliance with the above principles (the "accountability principle"). Accountability is a core theme of the GDPR. Organizations must not only comply with the GDPR but also be able to demonstrate compliance perhaps years after a particular decision relating to processing personal data was taken. Record-keeping, audit and appropriate governance will all form a key role in achieving accountability.

Legal Basis under Article 6

In addition, in order to satisfy the lawfulness principle, each use of personal data must be justified by reference to an appropriate basis for processing. The legal bases (also known as lawful bases or lawful grounds) under which personal data may be processed are (Article 6(1)):

• with the consent of the data subject (where consent must be "freely given, specific, informed and unambiguous", and must be capable of being withdrawn at any time);
• where necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract;
• where necessary to comply with a legal obligation (of the EU) to which the controller is subject;
• where necessary to protect the vital interests of the data subject or another person (generally recognized as being limited to 'life or death' scenarios, such as medical emergencies);
• where necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller; or
• where necessary for the purposes of the legitimate interests of the controller or a third party (which is subject to a balancing test, in which the interests of the controller must not override the interests or fundamental rights and freedoms of the data subject. Note also that this basis cannot be relied upon by a public authority in the performance of its tasks).

Special Category Data

Processing of special category data is prohibited (Article 9), except where one of the following exemptions applies (which, in effect, operate as secondary bases which must be established for the lawful processing of special category data, in addition to an Article 6 basis):

• with the explicit consent of the data subject;
• where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and social protection law or a collective agreement;
• where necessary to protect the vital interests of the data subject or another natural person who is physically or legally incapable of giving consent;
• in limited circumstances by certain not-for-profit bodies;
• where processing relates to the personal data which are manifestly made public by the data subject;
• where processing is necessary for the establishment, exercise or defence of legal claims or where courts are acting in their legal capacity;
• where necessary for reasons of substantial public interest on the basis of Union or Member State law, proportionate to the aim pursued and with appropriate safeguards;
• where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, provision of health or social care or treatment of the management of health or social care systems and services;
• where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of health care and of medical products and devices; or
• where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with restrictions set out in Article 89(1).

Member States are permitted to introduce domestic laws including further conditions and limitations for processing with regard to processing genetic data, biometric data and health data.

Criminal Convictions and Offences data

Processing of personal data relating to criminal convictions and offences is prohibited unless carried out under the control of an official public authority, or specifically authorized by Member State domestic law (Article 10).

Processing for a Secondary Purpose

Increasingly, organisations wish to 're-purpose' personal data - ie, use data collected for one purpose for a new purpose which was not disclosed to the data subject at the time the data were first collected. This is potentially in conflict with the core principle of purpose limitation; to ensure that the rights of data subjects are protected. The GDPR sets out a series of factors that the controller must consider to ascertain whether the new process is compatible with the purposes for which the personal data were initially collected (Article 6(4)). These include:

• any link between the original purpose and the new purpose
• the context in which the data have been collected
• the nature of the personal data, in particular whether special categories of data or data relating to criminal convictions are processed (with the inference being that if they are it will be much harder to form the view that a new purpose is compatible)
• the possible consequences of the new processing for the data subjects
• the existence of appropriate safeguards, which may include encryption or pseudonymization.

If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new purpose are consent or a legal obligation (more specifically an EU or Member State law which constitutes a necessary and proportionate measure in a democratic society).

Transparency (Privacy Notices)

The GDPR places considerable emphasis on transparency, ie, the right for a data subject to understand how and why his or her data are used, and what other rights are available to data subjects to control processing. The presentation of granular, yet easily accessible, privacy notices should, therefore, be seen as a cornerstone of GDPR compliance.

Various information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using clear and plain language (Article 12(1)).

The following information must be provided (Article 13) at the time the data are obtained: 

• the identity and contact details of the controller;
• the data protection officer's contact details (if there is one);
• both the purpose for which data will be processed and the legal basis for processing, including, if relevant, the legitimate interests for processing;
• the recipients or categories of recipients of the personal data;
• details of international transfers;
• the period for which personal data will be stored or, if that is not possible, the criteria used to determine this;
• the existence of rights of the data subject including the right to access, rectify, require erasure, restrict processing, object to processing and data portability;
• where applicable, the right to withdraw consent, and the right to complain to supervisory authorities;
• the consequences of failing to provide data necessary to enter into a contract;
• the existence of any automated decision making and profiling and the consequences for the data subject; and
• in addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that further processing, providing the above information.

Somewhat different requirements apply (Article 14) where information has not been obtained from the data subject.

Rights of the Data Subject

Data subjects enjoy a range of rights to control the processing of their personal data, some of which are very broadly applicable, whilst others only apply in quite limited circumstances. Controllers must provide information on action taken in response to requests within one calendar month as a default, with a limited right for the controller to extend this period thereby a further two months where the request is onerous.

Right of access (Article 15)

A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information about the how the data have been used by the controller.

Right to rectify (Article 16)

Data subjects may require inaccurate or incomplete personal data to be corrected or completed without undue delay.

Right to erasure ('right to be forgotten') (Article 17)

Data subjects may request erasure of their personal data. The forerunner of this right made headlines in 2014 when the European Union’s highest court ruled against Google (Judgment of the CJEU in Case C-131/12), in effect requiring Google to remove search results relating to historic proceedings against a Spanish national for an unpaid debt on the basis that Google as a data controller of the search results had no legal basis to process that information.

The right is not absolute; it only arises in quite a narrow set of circumstances, notably where the controller no longer needs the data for the purposes for which they were collected or otherwise lawfully processed, or as a corollary of the successful exercise of the objection right, or of the withdrawal of consent.

Right to restriction of processing (Article 18)

Data subjects enjoy a right to restrict processing of their personal data in defined circumstances. These include where the accuracy of the data is contested; where the processing is unlawful; where the data are no longer needed save for legal claims of the data subject, or where the legitimate grounds for processing by the controller are contested.

Right to data portability (Article 20)

Where the processing of personal data is justified either on the basis that the data subject has given his or her consent to processing or where processing is necessary for the performance of a contract, then the data subject has the right to receive or have transmitted to another controller all personal data concerning him or her in a structured, commonly used and machine-readable format (e.g. commonly used file formats recognized by mainstream software applications, such as .xsl).

Right to object (Article 21)

Data subjects have the right to object to processing on the legal basis of the legitimate interests of the data controller or where processing is in the public interest. Controllers will then have to suspend processing of the data until such time as they demonstrate “compelling legitimate grounds” for processing which override the rights of the data subject.

In addition, data subjects enjoy an unconditional right to object to the processing of personal data for direct marketing purposes at any time. 

The right not to be subject to automated decision making, including profiling (Article 22)

Automated decision making (including profiling) "which produces legal effects concerning [the data subject] … or similarly significantly affects him or her" is only permitted where: 

1. necessary for entering into or performing a contract;
2. authorized by EU or Member State law; or 
3. the data subject has given their explicit (i.e. opt-in) consent.

Further, where significant automated decisions are taken on the basis of grounds (a) or (c), the data subject has the right to obtain human intervention, to contest the decision, and to express his or her point of view.

---

Germany regulation

The BDSG has additional rules regarding processing of special categories of personal data. Contrary to Article 9 (1) GDPR, processing of such data is permitted by public and private bodies in some cases which are based on the exceptions in Article 9 (2) GDPR, see Section 22 (1), 26 (3) BDSG. Also, Section 24 BDSG determines cases in which controllers are permitted to process data for a purpose other than the one for which the data were collected.

Section 4 BDSG provides a special rule for video surveillance of publicly accessible areas. According to the German data protection supervisory authorities as well as the German Federal Administrative Court (Bundesverwaltungsgericht – "BVerwG") and the near unanimous opinion in German legal literature, the provision is not compliant with the GDPR insofar as it regulates surveillance by private bodies (Section 4 (1) Nos. 2, 3 BDSG). This is based on the argument that the GDPR does not contain any opening clause on which these deviations from Article 6 (1) GDPR could be based.

Furthermore, the BDSG provides special rules regarding processing for employment-related purposes in Section 26 BDSG. The German legislator has made very broad use of the opening clause in Article 88 (1) GDPR and has basically established a specific employee data protection regime, that mostly only repeats the general legal bases of performance of contract respectively “carrying out the obligations and exercising specific rights… in the field of employment and social security and social protection law” (Art. 9(2)(b) GDPR). Due to this, the European Court of Justice ruled that a provision in German state data protection law (which applies to the public sector) that corresponds with the “performance of the employment contract” legal basis in Section 26 BDSG is invalid (Judgment of the CJEU in Case C-34/21). This is because the law failed to establish specific provisions, although this is a requirement pursuant Article 88(1) GDPR for national legal bases. Due to this decision, it is widely assumed (including by the German supervisory authorities that (some) of the respective German legal bases for the processing of employee personal data in the BDSG are invalid.

Employers should therefore rely (alternatively or additionally) on the GDPR legal bases for the processing of employee and candidate personal data for the establishment or the performance of the employment contract (Article 6(1)(b) GDPR) respectively on Article 9(2)(b) GDPR. In particular when determining what is “necessary” for the performance of the employment contract, employers also need to comply with the case law of the German Federal Labour Court (Bundesarbeitsgericht – "BAG").

In addition, there is a legal basis specifically for the investigation of criminal offences against employees which likely is still valid.

Furthermore, processing of employee personal data for purposes that are not specifically related to employment as such can still be based on Article 6 (1) GDPR. In particular, controllers that are part of a group of companies may be able to base transfers of data within the group for internal administrative purposes on their legitimate interests in accordance with to Article 6 (1) f) (as stated by Recital 48 of the GDPR).

The processing of personal data in the context of the provision of telecommunication services is subject to Section 9 et seqq. TDDDG. Furthermore, both the content of telecommunications and its detailed circumstances, in particular the fact whether someone is or was involved in a telecommunications process, is subject to the secrecy of telecommunications, Section 3 TDDDG. Violations of the secrecy of telecommunications constitutes a criminal offence under the German Criminal Code (Strafgesetzbuch – "StGB").

The processing of personal data in the context of the provision of digital services (like for example a website or a social network) is subject to specific limitations contained in Section 19 et seqq. TDDDG. There are, inter alia, specific requirements regarding the provision of inventory data, passwords or usage data to public authorities in Section 22 et seqq. TDDDG.

The following German specific rules for the processing of personal data in the employment context likely are still valid:

• Employees’ personal data may be processed to detect criminal offenses only if there is a documented reason to believe the data subject has committed such an offense while employed, the processing of such data is necessary to investigate the offense and is not outweighed by the data subject’s legitimate interest in not processing the data, and in particular the type and extent are not disproportionate to the reason (Section 26 (1) sentence 2 BDSG) (this blocks investigation based on legitimate interests pursuant Article 6(1) f GDPR);
• The processing is based on a works council agreement which complies with the requirements set out in Article 88 (2) GDPR (Section 26 (4) BDSG);
• The processing is based on the employee’s consent in written or electronic form. A derogation from this form can apply if a different form is appropriate because of special circumstances (but this derogation will rarely apply in practice). Moreover, the utilization of consent as basis for the processing is particularly problematic in Germany as Section 26 (2) BDSG stipulates requirements in addition to Article 7 GDPR. If personal data of employees are processed on the basis of consent, then the employee’s level of dependence in the employment relationship and the circumstances under which consent was given shall be taken into account in assessing whether such consent was freely given. Consent may be freely given in particular if it is associated with a legal or economic advantage for the employee, or if the employer and employee are pursuing the same interests. The German data protection supervisory authorities interpret this provision in a way that employee consent cannot be used for processing of personal data which directly relates to the employment relationship, but only to supplementary services offered by the employer (e.g. private use of company cars or IT equipment, occupational health management or birthday lists).

Collection

A person shall collect data directly from the data subject unless:

• the data is contained in a public record;
• the data subject has deliberately made the data public;
• the data subject has consented to the collection of the information from another source;
• the collection of the data from another source is unlikely to prejudice a legitimate interest of the data subject;
• the collection of the data from another source is necessary for a number of expressly designated purposes (for example the detection or punishment of an offence or breach of law);
• compliance would prejudice a lawful purpose for the collection;
• compliance is not reasonably practicable.

A data controller must also ensure that the data subject is aware of:

• the nature of the data being collected;
• the name and address of the person responsible for the collection;
• the purpose for which the data is required for collection;
• whether or not the supply of the data by the data subject is discretionary or mandatory;
• the consequences of failure to provide the data;
• the authorized requirement for the collection of the information or the requirement by law for its collection;
• the recipient of the data;
• the nature or category of the data;
• the existence of the right of access to and the right to request rectification of the data collected before the collection.

Where collection is carried out by a third party on behalf of the data controller, the third party must ensure that the data subject has the information listed above.

Processing

A person who processes personal data shall ensure that the personal data is processed:

• without infringing the privacy rights of the data subject;
• in a lawful manner; and
• in a reasonable manner.

Under the Data Protection Act, a data controller or is required to ensure that personal data in respect of foreign data subjects is processed in compliance with data protection legislation of the foreign jurisdiction of that subject where personal data originating from that jurisdiction is sent to Ghana for processing.

EU regulation

Data Protection Principles

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under these principles, personal data must be (Article 5):

• processed lawfully, fairly and in a transparent manner (the "lawfulness, fairness and transparency principle");
• collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (the "purpose limitation principle");
• adequate, relevant and limited to what is necessary in relation to the purpose(s) (the "data minimization principle");
• accurate and where necessary kept up to date (the "accuracy principle");
• kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which the data are processed (the "storage limitation principle"); and
• processed in a manner that ensures appropriate security of the personal data, using appropriate technical and organizational measures (the "integrity and confidentiality principle").

The controller is responsible for and must be able to demonstrate compliance with the above principles (the "accountability principle"). Accountability is a core theme of the Gibraltar GDPR. Organisations must not only comply with the Gibraltar GDPR but also be able to demonstrate compliance perhaps years after a particular decision relating to processing personal data was taken. Record keeping, audit and appropriate governance will all form a key role in achieving accountability.

Legal Basis under Article 6

In addition, in order to satisfy the lawfulness principle, each use of personal data must be justified by reference to an appropriate basis for processing. The legal bases (also known lawful bases or lawful grounds) under which personal data may be processed are (Article 6(1)):

• with the consent of the data subject (where consent must be "freely given, specific, informed and unambiguous", and must be capable of being withdrawn at any time);
• where necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract;
• where necessary to comply with a legal obligation (of the EU) to which the controller is subject;
• where necessary to protect the vital interests of the data subject or another person (generally recognised as being limited to 'life or death' scenarios, such as medical emergencies);
• where necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller; or
• where necessary for the purposes of the legitimate interests of the controller or a third party (which is subject to a balancing test, in which the interests of the controller must not override the interests or fundamental rights and freedoms of the data subject. Note also that this basis cannot be relied upon by a public authority in the performance of its tasks).

Special Category Data

Processing of special category data is prohibited (Article 9), except where one of the following exemptions applies (which, in effect, operate as secondary bases which must be established for the lawful processing of special category data, in addition to an Article 6 basis):

• with the explicit consent of the data subject;
• where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and social protection law or a collective agreement;
• where necessary to protect the vital interests of the data subject or another natural person who is physically or legally incapable of giving consent;
• in limited circumstances by certain not-for-profit bodies;
• where processing relates to the personal data which are manifestly made public by the data subject;
• where processing is necessary for the establishment, exercise or defence of legal claims or where courts are acting in their legal capacity;
• where necessary for reasons of substantial public interest on the basis of Gibraltar law, proportionate to the aim pursued and with appropriate safeguards;
• where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, provision of health or social care or treatment of the management of health or social care systems and services;
• where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of health care and of medical products and devices; or
• where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with restrictions set out in Article 89(1).

Schedule 1 to the DPA04  supplements the requirements for processing special categories of personal data, and also provides for a number of ‘substantial public interest’ grounds that can be relied upon to process special categories of personal data in specific contexts which are deemed to be in the public interest.  Many of these grounds are familiar from the previous UK law, whilst other are new. Important examples include:

• processing required for employment law;
• heath and social care;
• equal opportunity monitoring;
• public interest journalism;
• fraud prevention;
• preventing / detecting unlawful acts (e.g. money laundering / terrorist financing);
• insurance; and
• occupational pensions.

Criminal Convictions and Offences data

Processing of personal data relating to criminal convictions and offences is prohibited unless carried out under the control of an official public authority, or specifically authorised by domestic law (Article 10). Part 3 of Schedule 1 of the DPA authorises a controller to process criminal conviction or offences data where the processing is necessary for a purpose which meets one of the conditions in Parts 2 of Schedule 1 (this covers the conditions noted above other than processing for employment law, health and social care), as well as number of other specific conditions:

• consent;
• the protection of a data subject's vital interests; and
• the establishment, exercising or defence of legal rights, the obtaining of legal advice and the conduct of legal proceedings

Appropriate policy and additional safeguards

In any case where a controller wishes to rely on one of the DPA04 conditions to lawfully process special category, criminal conviction or offences data, the DPA04 imposes a separate requirement to have an appropriate policy document in place and apply additional safeguards to justify the processing activity. The purpose of the policy document is to set out how the controller intends to comply with each of the data protection principles in Article 5 of the Gibraltar GDPR in relation to this more sensitive processing data activity.

Processing for a Secondary Purpose

Increasingly, organisations wish to 're-purpose' personal data – i.e. use data collected for one purpose for a new purpose which was not disclosed to the data subject at the time the data were first collected. This is potentially in conflict with the core principle of purpose limitation; to ensure that the rights of data subjects are protected. The Gibraltar GDPR sets out a series of factors that the controller must consider to ascertain whether the new process is compatible with the purposes for which the personal data were initially collected (Article 6(4)). These include:

• any link between the original purpose and the new purpose;
• the context in which the data have been collected;
• the nature of the personal data, in particular whether special categories of data or data relating to criminal convictions are processed (with the inference being that if they are it will be much harder to form the view that a new purpose is compatible);
• the possible consequences of the new processing for the data subjects;
• the existence of appropriate safeguards, which may include encryption or pseudonymisation.

If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new purpose are consent or a legal obligation.

Transparency (Privacy Notices)

The Gibraltar GDPR places considerable emphasis on transparency, i.e. the right for a data subject to understand how and why his or her data are used, and what other rights are available to data subjects to control processing. The presentation of granular, yet easily accessible, privacy notices should, therefore, be seen as a cornerstone of Gibraltar GDPR compliance.

Various information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using clear and plain language (Article 12(1)).

The following information must be provided (Article 13) at the time the data are obtained: 

• the identity and contact details of the controller;
• the data protection officer's contact details (if there is one);
• both the purpose for which data will be processed and the legal basis for processing, including, if relevant, the legitimate interests for processing;
• the recipients or categories of recipients of the personal data;
• details of international transfers;
• the period for which personal data will be stored or, if that is not possible, the criteria used to determine this;
• the existence of rights of the data subject including the right to access, rectify, require erasure, restrict processing, object to processing and data portability;
• where applicable, the right to withdraw consent, and the right to complain to supervisory authorities;
• the consequences of failing to provide data necessary to enter into a contract;
• the existence of any automated decision making and profiling and the consequences for the data subject; and
• in addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that further processing, providing the above information.

Somewhat different requirements apply (Article 14) where information has not been obtained from the data subject.

Rights of the Data Subject

Data subjects enjoy a range of rights to control the processing of their personal data, replicating those in the EU GDPR. Controllers must provide information on action taken in response to requests within one calendar month as a default, with a limited right for the controller to extend this period thereby a further two months where the request is onerous.

Right of access (Article 15)

A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information about the how the data have been used by the controller.

Right to rectify (Article 16)

Data subjects may require inaccurate or incomplete personal data to be corrected or completed without undue delay.

Right to erasure ('right to be forgotten') (Article 17)

Data subjects may request erasure of their personal data.

The right is not absolute; it only arises in quite a narrow set of circumstances, notably where the controller no longer needs the data for the purposes for which they were collected or otherwise lawfully processed, or as a corollary of the successful exercise of the objection right, or of the withdrawal of consent.

Right to restriction of processing (Article 18)

Data subjects enjoy a right to restrict processing of their personal data in defined circumstances. These include where the accuracy of the data is contested; where the processing is unlawful; where the data are no longer needed save for legal claims of the data subject, or where the legitimate grounds for processing by the controller are contested.

Right to data portability (Article 20)

Where the processing of personal data is justified either on the basis that the data subject has given his or her consent to processing or where processing is necessary for the performance of a contract, then the data subject has the right to receive or have transmitted to another controller all personal data concerning him or her in a structured, commonly used and machine-readable format (e.g. commonly used file formats recognised by mainstream software applications, such as .xsl).

Right to object (Article 21)

Data subjects have the right to object to processing on the legal basis of the legitimate interests of the data controller or where processing is in the public interest. Controllers will then have to suspend processing of the data until such time as they demonstrate “compelling legitimate grounds” for processing which override the rights of the data subject.

In addition, data subjects enjoy an unconditional right to object to the processing of personal data for direct marketing purposes at any time. 

The right not to be subject to automated decision making, including profiling (Article 22)

Automated decision making (including profiling) "which produces legal effects concerning [the data subject]… or similarly significantly affects him or her" is only permitted where: 

• necessary for entering into or performing a contract;
• authorised by Gibraltar law; or 
• the data subject has given their explicit (i.e. opt-in) consent.

Further, where significant automated decisions are taken on the basis of grounds (a) or (c), the data subject has the right to obtain human intervention, to contest the decision, and to express his or her point of view.

Child's consent to information society services (Article 8)

Article 8(1) of the Gibraltar GDPR stipulates that a child may only provide their own consent to processing in respect of information society (primarily, online) services, where that child is over 16 years of age, unless Gibraltar applies a lower age. The DPA04 reduces the age of consent for these purposes to 13 years for Gibraltar.

---

Gibraltar regulation

Automated Decision Making (Article 22)

Automated decision making (including profiling) "which produces legal effects concerning [the data subject]… or similarly significantly affects him or her" is only permitted where:

• necessary for entering into or performing a contract;
• authorised by Gibraltar law; or
• the data subject has given their explicit (i.e. opt-in) consent.

Further, where significant automated decisions are taken on the basis of grounds (a) or (c), the data subject has the right to obtain human intervention, to contest the decision, and to express his or her point of view. Further safeguards for automated decisions that are necessary for entering into or performing a contract or which are authorised by Gibraltar  law are set out in section 17 of the DPA04.

EU regulation

Data Protection Principles

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under these principles, personal data must be (Article 5):

• processed lawfully, fairly and in a transparent manner (the "lawfulness, fairness and transparency principle");
• collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (the "purpose limitation principle");
• adequate, relevant and limited to what is necessary in relation to the purpose(s) (the "data minimization principle");
• accurate and where necessary kept up-to-date (the "accuracy principle");
• kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which the data are processed (the "storage limitation principle"); and
• processed in a manner that ensures appropriate security of the personal data, using appropriate technical and organizational measures (the "integrity and confidentiality principle").

The controller is responsible for and must be able to demonstrate compliance with the above principles (the "accountability principle"). Accountability is a core theme of the GDPR. Organizations must not only comply with the GDPR but also be able to demonstrate compliance perhaps years after a particular decision relating to processing personal data was taken. Record-keeping, audit and appropriate governance will all form a key role in achieving accountability.

Legal Basis under Article 6

In addition, in order to satisfy the lawfulness principle, each use of personal data must be justified by reference to an appropriate basis for processing. The legal bases (also known lawful bases or lawful grounds) under which personal data may be processed are (Article 6(1)):

• with the consent of the data subject (where consent must be "freely given, specific, informed and unambiguous", and must be capable of being withdrawn at any time);
• where necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract;
• where necessary to comply with a legal obligation (of the EU) to which the controller is subject;
• where necessary to protect the vital interests of the data subject or another person (generally recognized as being limited to 'life or death' scenarios, such as medical emergencies);
• where necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller; or
• where necessary for the purposes of the legitimate interests of the controller or a third party (which is subject to a balancing test, in which the interests of the controller must not override the interests or fundamental rights and freedoms of the data subject. Note also that this basis cannot be relied upon by a public authority in the performance of its tasks).

Special Category Data

Processing of special category data is prohibited (Article 9), except where one of the following exemptions applies (which, in effect, operate as secondary bases which must be established for the lawful processing of special category data, in addition to an Article 6 basis):

• with the explicit consent of the data subject;
• where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and social protection law or a collective agreement;
• where necessary to protect the vital interests of the data subject or another natural person who is physically or legally incapable of giving consent;
• in limited circumstances by certain not-for-profit bodies;
• where processing relates to the personal data which are manifestly made public by the data subject;
• where processing is necessary for the establishment, exercise or defence of legal claims or where courts are acting in their legal capacity;
• where necessary for reasons of substantial public interest on the basis of Union or Member State law, proportionate to the aim pursued and with appropriate safeguards;
• where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, provision of health or social care or treatment of the management of health or social care systems and services;
• where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of health care and of medical products and devices; or
• where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with restrictions set out in Article 89(1).

Member States are permitted to introduce domestic laws including further conditions and limitations for processing with regard to processing genetic data, biometric data and health data.

Criminal Convictions and Offences data

Processing of personal data relating to criminal convictions and offences is prohibited unless carried out under the control of an official public authority, or specifically authorized by Member State domestic law (Article 10).

Processing for a Secondary Purpose

Increasingly, organisations wish to 're-purpose' personal data - ie, use data collected for one purpose for a new purpose which was not disclosed to the data subject at the time the data were first collected. This is potentially in conflict with the core principle of purpose limitation; to ensure that the rights of data subjects are protected. The GDPR sets out a series of factors that the controller must consider to ascertain whether the new process is compatible with the purposes for which the personal data were initially collected (Article 6(4)). These include:

• any link between the original purpose and the new purpose;
• the context in which the data have been collected;
• the nature of the personal data, in particular whether special categories of data or data relating to criminal convictions are processed (with the inference being that if they are it will be much harder to form the view that a new purpose is compatible);
• the possible consequences of the new processing for the data subjects; and
• the existence of appropriate safeguards, which may include encryption or pseudonymisation.

If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new purpose are consent or a legal obligation (more specifically an EU or Member State law which constitutes a necessary and proportionate measure in a democratic society).

Transparency (Privacy Notices)

The GDPR places considerable emphasis on transparency, ie, the right for a data subject to understand how and why his or her data are used, and what other rights are available to data subjects to control processing. The presentation of granular, yet easily accessible, privacy notices should, therefore, be seen as a cornerstone of GDPR compliance.

Various information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using clear and plain language (Article 12(1)).

The following information must be provided (Article 13) at the time the data are obtained: 

• the identity and contact details of the controller;
• the data protection officer's contact details (if there is one);
• both the purpose for which data will be processed and the legal basis for processing, including, if relevant, the legitimate interests for processing;
• the recipients or categories of recipients of the personal data;
• details of international transfers;
• the period for which personal data will be stored or, if that is not possible, the criteria used to determine this;
• the existence of rights of the data subject including the right to access, rectify, require erasure, restrict processing, object to processing and data portability;
• where applicable, the right to withdraw consent, and the right to complain to supervisory authorities;
• the consequences of failing to provide data necessary to enter into a contract;
• the existence of any automated decision making and profiling and the consequences for the data subject; and
• in addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that further processing, providing the above information.

Somewhat different requirements apply (Article 14) where information has not been obtained from the data subject.

Rights of the Data Subject

Data subjects enjoy a range of rights to control the processing of their personal data, some of which are very broadly applicable, whilst others only apply in quite limited circumstances. Controllers must provide information on action taken in response to requests within one calendar month as a default, with a limited right for the controller to extend this period thereby a further two months where the request is onerous.

Right of access (Article 15)

A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information about the how the data have been used by the controller.

Right to rectify (Article 16)

Data subjects may require inaccurate or incomplete personal data to be corrected or completed without undue delay.

Right to erasure ('right to be forgotten') (Article 17)

Data subjects may request erasure of their personal data. The forerunner of this right made headlines in 2014 when Europe’s highest court ruled against Google (Judgment of the CJEU in Case C-131/12), in effect requiring Google to remove search results relating to historic proceedings against a Spanish national for an unpaid debt on the basis that Google as a data controller of the search results had no legal basis to process that information.

The right is not absolute; it only arises in quite a narrow set of circumstances, notably where the controller no longer needs the data for the purposes for which they were collected or otherwise lawfully processed, or as a corollary of the successful exercise of the objection right, or of the withdrawal of consent.

Right to restriction of processing (Article 18)

Data subjects enjoy a right to restrict processing of their personal data in defined circumstances. These include where the accuracy of the data is contested; where the processing is unlawful; where the data are no longer needed save for legal claims of the data subject, or where the legitimate grounds for processing by the controller are contested.

Right to data portability (Article 20)

Where the processing of personal data is justified either on the basis that the data subject has given his or her consent to processing or where processing is necessary for the performance of a contract, then the data subject has the right to receive or have transmitted to another controller all personal data concerning him or her in a structured, commonly used and machine-readable format (e.g. commonly used file formats recognized by mainstream software applications, such as .xsl).

Right to object (Article 21)

Data subjects have the right to object to processing on the legal basis of the legitimate interests of the data controller or where processing is in the public interest. Controllers will then have to suspend processing of the data until such time as they demonstrate “compelling legitimate grounds” for processing which override the rights of the data subject.

In addition, data subjects enjoy an unconditional right to object to the processing of personal data for direct marketing purposes at any time. 

The right not to be subject to automated decision making, including profiling (Article 22)

Automated decision making (including profiling) "which produces legal effects concerning [the data subject] … or similarly significantly affects him or her" is only permitted where: 

1. necessary for entering into or performing a contract;
2. authorized by EU or Member State law; or 
3. the data subject has given their explicit (ie, opt-in) consent.

Further, where significant automated decisions are taken on the basis of grounds (a) or (c), the data subject has the right to obtain human intervention, to contest the decision, and to express his or her point of view.

---

Greece regulation

• The Greek Data Protection Law establishes additional purposes in relation to which further processing is allowed.
• With regard to public bodies, processing of personal data for a purpose other than that for which they were collected shall be permitted where such processing is necessary for the performance of the tasks assigned to them and provided that it is necessary:
  • for the verification of the information provided by the data subject because there are reasonable grounds for believing that such information is incorrect;
  • for the prevention of risks to national security, defense or public security, or for securing tax and customs revenue;
  • for the prosecution of criminal offences;
  • for the prevention of serious harm to the rights of another person;
  • for the production of official statistics.
• With regard to private bodies, processing of personal data by private bodies for a purpose other than that for which they have been collected shall be permitted, where necessary:
  • for the prevention of threats to national or public security at the request of a public body; or
  • for the prosecution of criminal offences; or
  • for the establishment, exercise or defense of legal claims, unless the interests of the data subject override the grounds for the processing of those data.
• Data Processing in the Employment context: Βy virtue of the right conferred by Article 88 of the GDPR, the Greek Data Protection Law lays down detailed sector specific rules in respect for data processing in the context of the employment relationship.

Employee’s personal data can be processed for purposes related to recruitment or the performance of the employment agreement.

Processing of special categories of personal data for employment-related purposes is allowed (i) if necessary to exercise rights or comply with legal obligations derived from labor law or social security and social protection law and (ii) the data controller has no reason to believe that the data subject has an overriding legitimate interest.

Data processing may only exceptionally be based on employee’s consent. Consent may be considered as informed, if the employer has informed the employee about the processing purpose and the right to revoke his / her consent. To assess whether consent is freely given due attention should be paid to the level of dependency of the employee and the conditions under which consent was granted. Consent can be given also by electronic means and should not be tied to the employment agreement. Consent to processing of specific categories of data should be given in relation to said data.

The processing of personal data is also permitted on the basis of collective labor agreements.

Data controllers must take appropriate measures to ensure compliance with the processing principles set forth in Article 5 of the GDPR when processing employees’ data.

Video Surveillance by means of CCTV systems in the workplace is permitted only for reasons of safety and security, provided that employees have been previously informed thereabout. Such data cannot be used for evaluation purposes.

Processing sensitive personal data / consent

• Collection and processing of genetic data for health and life insurance purposes is prohibited under Article 23 of the Greek Data Protection Law.

• By way of derogation from Article 9 para. 1 of the GDPR, the processing of special categories of personal data within the meaning of Article 9 para. 1 of the GDPR by public and private bodies shall be allowed, if necessary: (a) for the purpose of exercising the rights arising from the right to social security and social protection, and for fulfilling the obligations arising therefrom; (b) for the purposes of preventive medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or the management of health or social care systems or pursuant to a contract with a health professional or other person who is subject to a duty of professional secrecy or supervised by him/her; or (c) for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, in addition to the measures referred to in the second subparagraph of paragraph 3, the provisions ensuring professional secrecy provided for in a law or code of conduct must in particular be complied with. It goes without saying that the processing of special categories of personal data shall be accompanied by the implementation of the appropriate technical and organisational measures.

• By way of derogation from Article 9 para. 1 of the GDPR, the processing of special categories of personal data by public bodies within the meaning of Article 9 para. 1 of the GDPR shall be allowed, where it is: (a) strictly necessary for reasons of essential public interest; (b) necessary for the prevention of major threats to national or public security; or (c) necessary for taking humanitarian action, in which case the interests in the processing override the interests of the data subject.

Further Processing

• With regard, in particular, to public bodies, the processing of special categories of personal data, as referred to in Article 9 para. 1 of the GDPR, for a purpose other than that for which they have been collected, shall be permitted provided that the conditions set out in the paragraph 1 of Art. 24 of Greek Data Protection Law are fulfilled and one of the exemptions provided for in Article 9 para. 2 of the GDPR or Article 22 of the Greek Data Protection Law applies.

  As far as private bodies is concerned, the processing of special categories of personal data, as referred to in Article 9 para. 1 of the GDPR, for a purpose other than that for which they have been collected, shall be permitted, provided that the conditions set out in the paragraph 1 of Art. 25 of the Greek Data Protection Law  are fulfilled and one of the exemptions provided for in Article 9 para. 2 of the GDPR or Article 22 of the Greek Data Protection Law applies.

• Processing and Freedom of Expression and Information: Exercising the discretion under Article 85 GDPR, the Greek Data Protection Law sets the conditions for data processing that is necessary to uphold the right to freedom of expression and information and precludes in this case the application of the majority of data controller’s obligations. 

  To the extent necessary to reconcile the right to the protection of personal data with the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic or literary expression, the processing of personal data is allowed where: (a) the data subject has given his or her explicit consent, (b) it relates to personal data which are manifestly made public by the data subject, (c) the right to freedom of expression and the right to information override the right to the protection of the data subject’s personal data, in particular on matters of general interest or where it relates to personal data of public figures, and (d) where it is limited to what is necessary to ensure freedom of expression and the right to information, in particular with regard to special categories of personal data, criminal proceedings, convictions and related security measures, taking into account the right of the data subject to his or her private and family life.

  To the extent necessary to reconcile the right to the protection of personal data with the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic or literary expression, the following shall not apply: (a) Chapter II of the GDPR (principles), except for Article 5, (b) Chapter III of the GDPR (rights of the data subject), c) Chapter IV of the GDPR (controller and processor), except for Articles 28, 29 and 32, (d) Chapter V of the GDPR (transfer of personal data to third countries or international organisations), (e) Chapter VII of the GDPR (cooperation and consistency) and f) Chapter IX of the GDPR (specific data processing situations)” (Article 28 para. 2 of the Greek Data Protection Law).

• Processing for Archiving, Scientific or Historical Research or Statistical Purposes: Having regard to the margin of discretion under Article 89 of the GDPR, the Greek Data Protection Law stipulates the security requirements for processing data for archiving, scientific or historical research or statistical purposes and restricts the scope of data subject’s rights.

  1. By way of derogation from Article 9 para. 1 of the GDPR, special categories of personal data within the meaning of Article 9 para. 1 of the GDPR shall be processed where it is necessary for archiving purposes in the public interest. The controller shall have the obligation to take suitable and specific measures to protect the data subject's legitimate interests.

  In derogation from the provisions of Article 15 of the GDPR the access right of the data subject can be restricted in whole or in part to data related to it, if exercise of the right could possibly hinder the fulfillment of archiving purposes in the public interest (as provided in Art. 29 para. 1 of the Greek Data Protection Law), especially in the case that the archiving material is not kept in relation to the data subject's name and the exercise of the right would require disproportionate efforts (Article 29 para. 2 of the Greek Data Protection Law).

  In derogation from the provisions of Article 16 of the GDPR the data subject does not have the right of rectification of inaccurate data, if its exercise could possibly hinder the fulfillment of archiving purposes in the public interest or the exercise of third parties’ rights (Article 29 para. 3 of the Greek Data Protection Law).

  In derogation from the provisions of Articles 18 para. 1 (a) (b) and (d), 20 and 21 of the GDPR, the data subject’s rights shall be restricted, if these rights could possibly hinder the fulfillment of the specific archiving purposes in the public interest (as provided in Art. 29 para. 1 of the Greek Data Protection Law) and such limitations are considered as necessary for the fulfillment of those purposes (Article 29 para. 4 of  the Greek Data Protection Law).

  2. By way of derogation from Article 9 para. 1 of the GDPR, the processing of special categories of personal data, within the meaning of Article 9 para. 1 of the GDPR, shall be allowed without the consent of the data subject where the processing is necessary for scientific or historical research purposes, or for the collection and maintenance of statistical information, and the interest of the controller is overriding the interest of the data subject in not having his or her personal data processed. The controller shall have the obligation to take suitable and specific measures to protect the data subject's legitimate interests.

  By way of derogation from the provisions of Articles 15, 16, 18 and 21 of the GDPR, the rights of the data subject shall be limited where their exercise is likely to render impossible or seriously impair the achievement of the objectives referred to in paragraph 1 and where such limitations are deemed to be necessary for their achievement. For the same reason, the data subject’s right of access provided for in Article 15 of the GDPR shall not apply where personal data are necessary for scientific purposes and the provision of information would entail a disproportionate effort (Article 30 para. 2 of the Greek Data Protection Law).

  In addition to what is referred to in paragraph 1, special categories of personal data, where processed for the purposes of paragraph 1 shall, unless it is contrary to the legitimate interest of the data subject, be anonymised as soon as the scientific or statistical purposes allow. Until then, the characteristics that can be used to match individual details associated with personal or real situations of an identified or identifiable person must be stored separately. These characteristics can only be combined with individual details if required for research or statistical purposes (Article 30 para. 3 of the Greek Data Protection Law).

  The controller may publish personal data processed in the context of research, if the data subjects have given their consent in writing or the publication is necessary for the presentation of the results of the research. In the latter case, the results shall undergo pseudonymisation prior to being published (Article 30 para. 4 of the Greek Data Protection Law).

  Confidentiality and data protection measures as regards Whistleblowing channels

  Any processing activity conducted on data collected from whistleblowers shall be carried out in accordance with the GDPR and the Greek Data Protection Law , and shall rely on the legal basis of ensuring compliance with a legal obligation to which the controller is subject (Article 6 (1)(c) of the GDPR), in this case being the establishment of reporting channels and the implementation of the measures necessary for the monitoring of those channels.

  Further, companies shall implement the appropriate technical and organizational measures, such as pseudonymisation measures, both at the time of report follow-ups as well as during communication with the competent authorities.

  Access to public documents and data protection 

  According to Article 59 of Law 5143/2024, access to public documents (that is, documents kept by public authorities even when created by individuals and private entities) is permitted as long as the applicant has reasonable interest to get access to them (instead of ‘legitimate interest’ of the previous text) without prejudice to the specific requirements set by GDPR and national law for the processing of the special categories of personal data and IP rights.

  Τhe right to access is lifted in cases where obligations of secrecy / confidentiality apply, which are stipulated in sector - specific legislation, such as the secrecy of national defence and foreign policy, public trust and currency, national security and public order as well as medical, commercial, professional, banking or industrial secrecy; or when disclosure is likely to substantially impede an investigation by judicial, administrative, police or military authorities.

  This new provision replaced the previous rule of the Administrative Code of Administrative Procedure (Article 5 of Law 2690/1999) and repealed i) the restriction on the applicant’s access to documents referring to the private and family life of a third person and ii) the requirement for the applicant’s specific legitimate interest when access to documents created by individuals or private entities is requested.

Collection and Processing of personal data is not regulated, however Art. 33 of the Law on Access to Public Information refers files and information systems and Art. 39 refers to electronic or digital records.  According to Art. 36 of the Law, all information in public records must be safeguarded and should not be destroyed.  Art. 32 of the Law prohibits the creation of data banks or files containing sensitive data and sensitive personal data, unless such information is for the service and attention of the public institution creating the data bank.

Principles

Data controllers must comply with the data protection principles set out under Section 6(2) DPL 2017 ("Principles"). 

The Principles comprise:

1. Lawfulness, fairness and transparency: personal data must be processed lawfully, fairly and in a transparent manner in relation to the data
2. Purpose limitation: personal data must be collected for specified, explicit and legitimate purposes and, once collected, not further processed in a manner incompatible with those purposes
3. Data minimisation: personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
4. Accuracy: personal data must be accurate and, where necessary, kept up to date, with reasonable steps being taken to ensure that personal data which is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay
5. Storage limitation: personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed
6. Integrity and confidentiality: personal data must be processed in a manner that ensures appropriate security of the data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
7. Accountability: the controller is responsible for, and must be able to demonstrate compliance with, the data protection principles described under paragraphs (a) – (f) above.

Lawful basis

Data controllers are required to ensure that they have a lawful basis for processing personal data. The DPL 2017 sets out a number of conditions which may be relied upon to legitimise the processing of personal data and special category data.

The most common conditions for controllers to rely on are that:

• the data subject consents to the processing
• the processing is necessary for the performance of a contract to which the data subject is a party  or between a controller and a third party in the interests of a data subject, or is in order to take steps at the data subject’s request with a view to entering into a contract
• the processing is necessary for the controller to exercise any right or power, or perform or comply with a duty imposed on it by law, otherwise than an obligation imposed by an enactment, an order, or a judgment of a court or tribunal having the force of the law in the Bailiwick
• the processing is necessary in order to protect the vital interests of the data subject
• the processing is necessary for legitimate interests of the controller or third party except where the processing is exercised by a public authority
• the processing is necessary for the exercise or performance by a public authority of a function that is of a public nature or a task carried out in the public interest.

It is interesting to note that processing in the public interest is only available to public authorities whereas the equivalent provision in the GDPR is much broader than this.

In addition to these conditions, controllers may also rely on one or more of a restrictive set of conditions in order legitimise either personal data or special category data.  These include (but are not limited to):

• the data subject providing explicit consent to the processing
• processing which is necessary for compliance with a legal right or power or duty imposed on a controller by an enactment
• processing which is made public as a result of steps deliberately taken by the data subject
• processing which is necessary for the purpose of or in connection with legal proceedings, the discharge of any functions of a court or tribunal, obtaining legal advice or establishing, exercising or defending legal rights
• processing which is for the administration of justice of the exercise of any function of the Crown, the States of Guernsey or a public committee
• processing which is necessary for a historical or scientific purpose
• processing is necessary for the vital interests of a data subject.

Additional bases

In addition to the above, further secondary legislation has been adopted which sets out a number of additional lawful bases which are intended to be applied in limited circumstances.

These bases include (but are not limited to):

• the processing of health or criminal data for insurance business purposes
• special category data which is required in order to perform or comply with a duty conferred by law on a controller in connection with employment
• special category data for the prevention, detection or investigation of an unlawful act.

The additional bases will need to be considered on a case-by-case basis and may not always be straightforward to apply. If there were concerns regarding the legitimacy of such processing, we would recommend that you seek Guernsey law advice.  

Consent

For the purposes of Section 10 DPL 2017, where a controller seeks to rely on consent, the controller must comply with more stringent requirements than under the DPL 2001 in order to ensure that such consent is valid.

'Valid' consent involves (amongst other characteristics) a "specific, informed and unambiguous indication of the data subject's wishes by which a data subject, by a statement or by a clear affirmative action, signifies agreement to the processing of their personal data". In this regard, the DPL 2017 sets the same high standards for consent as the GDPR.

Furthermore, the ODPA guidance confirms that, in addition to the ingredients required to achieve valid consent, explicit consent must be expressly confirmed in words, rather than a positive action. These requirements are summarised in a checklist for controllers setting out what controllers need to do when relying on consent.

Finally in relation to  consent, Section 10(2)(f) DPL 2017 stipulates that a child may only provide their own consent to processing in respect of the information society (primarily, online) services, where that child is over 13 years of age.  Otherwise, a parent (or other responsible adult) must give it on their behalf.

Transparency

Requirements of transparency under the DPL 2017 closely align with the GDPR. Therefore, the DPL 2017 requires that certain specified information must be supplied as part of a 'fair processing notice' (Schedule 3 DPL 2017), namely:

• the identity and contact details of the controller, and (where applicable), the controller’s representative
• the contact details of the data protection officer (if any)
• confirmation of whether any of the personal data is special category data
• where the personal data is not obtained directly from the data subject: confirmation of the source of the personal data and (if applicable) confirmation of whether the personal data was obtained from a publicly available source and, if so, confirmation of that source
• the purposes for which the data is intended to be processed and the legal basis for the processing
• an explanation of the legitimate interests pursued by the controller or by a third party, if the processing is based on those interests
• the recipients or categories of recipients of the personal data (if any)
• where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and whether or not there is an adequate level of protection for the rights and freedoms of data subjects
• the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period
• information concerning the rights of data subjects
• where the processing is based on consent, the existence of the right to withdraw consent
• a statement of the right to complain to the Authority
• the existence of any automated decision-making, meaningful information about the logic involved in such decision-making and the significance of any such decision making for the data subject
• any further information that is necessary, having regard to the specific circumstances in which the data is or is to be processed, to enable the processing in respect of the data subject to be fair.

Rights of the data subject

The DPL 2017 has strengthened the rights of data subjects in line with the GDPR (Part III DPL 2017).

Controllers must respond to a request "as soon as practicable" and in any event within one month following:

• the day on which the controller has received the request,
• the day on which the controller receives the information necessary to confirm the identity of the requestor, or
• the day on which a fee or charge is paid to the controller.  

These provisions represent a change to the position as last stated in August 2019 by the UK ICO.

The following rights are available to data subjects:

• Right to information for personal data collected about the data subject either directly or indirectly (Sections 12-13DPL 2017): Where personal data has been collected from a source other than the data subject, certain exceptions are available
• Right to data portability (Section 14 DPL 2017): a data subject has the right to have certain relevant personal data (being personal data relating to that person which has been provided to the original controller directly or via a processor) ported to a new controller, where:
  
  • that relevant personal data is being processed based on consent; or
  • processing necessary for the conclusion or performance of a contract.

Where the right applies, the original controller must ensure that any personal data transmitted is provided in a structured, commonly used and machine-readable format. The right is subject to certain exceptions set out under Section 16 DPL 2017

• Right of access (Section 15 DPL 2017): a data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information about how the data has been used by the controller. Section 16 DPL 2017 provides for certain exceptions, including where a request cannot be complied with without disclosing information about another individual¹, balancing the rights of the requestor with significant interests of the other individual. The DPL 2017 sets out further detail in respect of the factors which should be taken into consideration when making this determination.
• Right to object to processing (Section 17 – 19 DPL 2017): data subjects have the right to object to processing for: (a) direct marketing purposes, (b) on public interest grounds, and (c) where the processing is for historical or scientific purposes

Whilst the right to object in respect of paragraph (a) is unconditional, the rights to object under paragraphs (b) and (c) are qualified and subject to a public interest test

• Right to rectification (Section 20 DPL 2017): a data subject has a right to request that any inaccurate or incomplete personal data may be corrected or that a statement is provided on the controller's file noting that the data subject disputes the accuracy or completeness of the personal data
• Right to erasure (Section 21 DPL 2017): data subjects may request erasure of their personal data. The right is not absolute; it only arises in a relatively narrow set of circumstances, notably where the controller no longer needs the data for the purposes for which they were collected or otherwise lawfully processed, or following the successful exercise by the data subject of their right to object or if the data subject withdraws their consent
• Right to restriction of processing (Section 22 DPL 2017): a data subject may request that the processing of their personal data is restricted in certain limited circumstances.  Examples include: where the accuracy of the personal data is contested; where the processing is unlawful; or, where the data is no longer required (save for legal claims or for the purposes of obtaining legal advice or establishing / exercising or defending legal rights)
• Right to notified of restriction, erasure or rectification (Section 23 DPL 2017): the controller must not only notify the data subject concerned but, unless it is impracticable or involves disproportionate effort, notify any other person whose personal data has been disclosed
• Right not to be subject to decisions based on automated processing (Section 24 DPL 2017): a data subject has a right not to be subjected to a decision reached through an automated process, and a controller is prohibited from causing or permitting a data subject to be subjected to an automatic decision unless Section 24(2) DPL applies.

Section 24(2) permits automated processing where: the data subject has given their explicit consent, or  the processing has been authorised by the States of Guernsey or via an enactment; or, the automated processing is necessary for the vital interests of the data subject or another person or for the performance of a contract. 

Additional restrictions apply for the automated processing of special category data. A controller must ensure that appropriate safeguards are in place where automated processing has been conducted in accordance with Section 24(2) DPL (including allowing the data subject to appeal or seek a review of the decision)

• Right to make a complaint to ODPA (Section 67 DPL 2017): a data subject may also complain in writing to the ODPA if they consider that a controller or processor has breached or is likely to breach the DPL 2017 and that breach involves or affects (or is likely to involve or affect) personal data relating to the individual or any data subject right of the individual; and
• Right to bring a civil action against a controller or processor for breach duty (Section 79 DPL 2017): where a controller or processor breaches an operative provision under the DPL 2017 that causes damage to another person, the injured party may bring a claim in tort against the controller or processor for breach of statutory duty. The court may award damages, impose an injunction to restrain an actual or anticipated breach of duty and / or make a declaration that the controller or processor has committed or will commit a breach if its current course of action subsists. Individuals may also claim compensation for distress, inconvenience or other adverse effect suffered by an injured party even if it does not result from any physical or financial loss or damage. Group (or 'class') actions may also be brought against an organisation (Section 97 DPL 2017).

Law on Cybersecurity and Personal Data Protection exempts the processing of personal data from the formalities of declaration, notably in the case of: 

• Processing of data used by a natural person exclusively in the course of his or her personal, domestic or family activities;
• Processing of data concerning a natural person, the publication of which is prescribed by a legal or regulatory provision;
• Processing of data whose sole purpose is the keeping of a register which is intended for exclusively private use; etc. 

Furthermore, it is also provided that certain matters or actions are subject to prior authorisation by the competent authority before being implemented, these include: 

• Processing of personal data relating to genetic and medical data and scientific research in these fields;
• Processing of personal data relating to offences, convictions and security measures pronounced by the competent courts;
• Processing of personal data relating to a national identification number or any other identifier of the same kind, in particular telephone numbers;
• Processing of personal data containing biometric data;
• Processing of personal data for reasons of public interest, in particular for historical, statistical or scientific purposes;
• The proposed transfer of personal data to a third country. 

Requests for processing shall be submitted by the controller or his/her legal representative. However, the authorisation does not exempt its holder (data controller) or his representative from their responsibility towards third parties.

Articles 587 to 593 of the 2020 Penal Code address offenses related to automated data systems and their associated penalties. Unauthorized access or fraudulent maintenance in these systems is penalized by imprisonment ranging from 1 to 2 years and fines between 25,000 to 50,000 gourdes, with heightened penalties of 2 to 3 years of imprisonment and fines of 50,000 to 100,000 gourdes if it results in system dysfunction or data alteration (2020 Penal Code, Article 587). Disrupting or falsifying system operations carries penalties of 1 to 3 years of imprisonment and fines from 50,000 to 100,000 gourdes (2020 Penal Code, Article 588). The fraudulent introduction, alteration, or deletion of data incurs 3 to 5 years of imprisonment and fines ranging from 75,000 to 100,000 gourdes (2020 Penal Code, Article 589). Possessing, distributing, or using tools to commit such offenses is subject to the same penalties as the primary offenses (2020 Penal Code, Article 590). Unauthorized interception of non-public transmissions and intentional, unauthorized data alterations are similarly punishable by 3 to 5 years of imprisonment and fines between 75,000 and 150,000 gourdes (2020 Penal Code, Articles 592 and 593).

Individuals, companies, and / or Obligated Entities that collect personal data may not use sensitive personal data or confidential information without the consent of the person to whom such information relates.

However, consent is not required to use or transfer personal data in the following cases:

• If the information is used for statistical or scientific needs, but only if the personal data is provided in a way that it cannot be associated with the individual to whom it relates 
• If the information is transmitted between Obligated Entities, only if the data is used in furtherance of the authorised functions of those entities 
• If ordered by a Court 
• If the data is needed for the purpose it was provided to the individual or company to perform a service. Such third parties may not use personal information for purposes other than those for which it was transferred to them 
• In other cases established by law

A "data user" (which is akin to a "data controller" under GDPR) may collect personal data from a data subject if:

• the personal data is collected for a lawful purpose directly related to a function or activity of the data user;
• the collection is necessary for or directly related to that purpose;
• the data to be collected is adequate but not excessive; and
• all practical steps have been taken to ensure that the data subject has been informed, on or before collection of the data, of the following:
  • whether the supply of personal data by the data subject is obligatory or voluntary and, if obligatory, the consequences of not supplying the data;
  • the purposes for which the data will be used;
  • the persons to whom the data may be transferred;
  • the data subject's rights to request for access to and correction of their personal data; and
  • the name or job title, and address, of the individual to whom requests for access or correction should be sent.

Separately, additional notice requirements apply to direct marketing (see below).

Data users may only collect, use and transfer personal data for purposes notified to the data subject on collection (see above), unless a limited exemption set out in the Ordinance applies. Any usage or transfer of personal data for new purposes requires the prescribed consent of the data subject.

Data users are also required to take all practicable steps to ensure the accuracy and security of the personal data; to ensure it is not kept longer than necessary for the fulfilment of the purposes for which it is to be used (including any directly related purposes); and to keep and make generally available their policies and practices in relation to personal data.

While the Ordinance currently does not regulate data processors, this was proposed in the January 2020 Consultation Paper, and also referred to as an amendment direction in the PCPD’s Report issued in February 2023 and Panel Meeting Summary published in February 2024.

In October 2018, the PCPD published a “New Ethical Accountability framework” Under the framework, the PCPD is effectively urging businesses operating in Hong Kong to undertake privacy impact assessments – referred to as “Ethical Data Impact Assessments”, which are already required to some extent under a number of other laws, such as China, the Philippines as well as GDPR.

The "Artificial Intelligence: Model Personal Data Protection Framework" (AI Model Framework) was published in June 2024 to provide AI-related organizations with recommendations and best practices to help AI-related organizations comply with the PDPO and values & principles under the AI Guide when dealing with personal data.

Data Protection Principles

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under these principles, personal data must be (Article 5):

• processed lawfully, fairly and in a transparent manner (the "lawfulness, fairness and transparency principle");
• collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (the "purpose limitation principle");
• adequate, relevant and limited to what is necessary in relation to the purpose(s) (the "data minimization principle");
• accurate and where necessary kept up-to-date (the "accuracy principle");
• kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which the data are processed (the "storage limitation principle"); and
• processed in a manner that ensures appropriate security of the personal data, using appropriate technical and organizational measures (the "integrity and confidentiality principle").

The controller is responsible for and must be able to demonstrate compliance with the above principles (the "accountability principle"). Accountability is a core theme of the GDPR. Organizations must not only comply with the GDPR but also be able to demonstrate compliance perhaps years after a particular decision relating to processing personal data was taken. Record-keeping, audit and appropriate governance will all form a key role in achieving accountability.

Legal Basis under Article 6

In addition, in order to satisfy the lawfulness principle, each use of personal data must be justified by reference to an appropriate basis for processing. The legal bases (also known lawful bases or lawful grounds) under which personal data may be processed are (Article 6(1)):

• with the consent of the data subject (where consent must be "freely given, specific, informed and unambiguous", and must be capable of being withdrawn at any time);
• where necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract;
• where necessary to comply with a legal obligation (of the EU) to which the controller is subject;
• where necessary to protect the vital interests of the data subject or another person (generally recognized as being limited to 'life or death' scenarios, such as medical emergencies);
• where necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller; or
• where necessary for the purposes of the legitimate interests of the controller or a third party (which is subject to a balancing test, in which the interests of the controller must not override the interests or fundamental rights and freedoms of the data subject. Note also that this basis cannot be relied upon by a public authority in the performance of its tasks).

Special Category Data

Processing of special category data is prohibited (Article 9), except where one of the following exemptions applies (which, in effect, operate as secondary bases which must be established for the lawful processing of special category data, in addition to an Article 6 basis):

• with the explicit consent of the data subject;
• where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and social protection law or a collective agreement;
• where necessary to protect the vital interests of the data subject or another natural person who is physically or legally incapable of giving consent;
• in limited circumstances by certain not-for-profit bodies;
• where processing relates to the personal data which are manifestly made public by the data subject;
• where processing is necessary for the establishment, exercise or defence of legal claims or where courts are acting in their legal capacity;
• where necessary for reasons of substantial public interest on the basis of Union or Member State law, proportionate to the aim pursued and with appropriate safeguards;
• where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, provision of health or social care or treatment of the management of health or social care systems and services;
• where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of health care and of medical products and devices; or
• where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with restrictions set out in Article 89(1).

Member States are permitted to introduce domestic laws including further conditions and limitations for processing with regard to processing genetic data, biometric data and health data.

Criminal Convictions and Offences data

Processing of personal data relating to criminal convictions and offences is prohibited unless carried out under the control of an official public authority, or specifically authorized by Member State domestic law (Article 10).

Processing for a Secondary Purpose

Increasingly, organizations wish to 're-purpose' personal data - ie, use data collected for one purpose for a new purpose which was not disclosed to the data subject at the time the data were first collected. This is potentially in conflict with the core principle of purpose limitation; to ensure that the rights of data subjects are protected. The GDPR sets out a series of factors that the controller must consider to ascertain whether the new process is compatible with the purposes for which the personal data were initially collected (Article 6(4)). These include:

• any link between the original purpose and the new purpose
• the context in which the data have been collected
• the nature of the personal data, in particular whether special categories of data or data relating to criminal convictions are processed (with the inference being that if they are it will be much harder to form the view that a new purpose is compatible)
• the possible consequences of the new processing for the data subjects
• the existence of appropriate safeguards, which may include encryption or pseudonymization.

If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new purpose are consent or a legal obligation (more specifically an EU or Member State law which constitutes a necessary and proportionate measure in a democratic society).

Transparency (Privacy Notices)

The GDPR places considerable emphasis on transparency, ie, the right for a data subject to understand how and why his or her data are used, and what other rights are available to data subjects to control processing. The presentation of granular, yet easily accessible, privacy notices should, therefore, be seen as a cornerstone of GDPR compliance.

Various information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using clear and plain language (Article 12(1)).

The following information must be provided (Article 13) at the time the data are obtained: 

• the identity and contact details of the controller;
• the data protection officer's contact details (if there is one);
• both the purpose for which data will be processed and the legal basis for processing, including, if relevant, the legitimate interests for processing;
• the recipients or categories of recipients of the personal data;
• details of international transfers;
• the period for which personal data will be stored or, if that is not possible, the criteria used to determine this;
• the existence of rights of the data subject including the right to access, rectify, require erasure, restrict processing, object to processing and data portability;
• where applicable, the right to withdraw consent, and the right to complain to supervisory authorities;
• the consequences of failing to provide data necessary to enter into a contract;
• the existence of any automated decision making and profiling and the consequences for the data subject; and
• in addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that further processing, providing the above information.

Somewhat different requirements apply (Article 14) where information has not been obtained from the data subject.

Rights of the Data Subject

Data subjects enjoy a range of rights to control the processing of their personal data, some of which are very broadly applicable, whilst others only apply in quite limited circumstances. Controllers must provide information on action taken in response to requests within one calendar month as a default, with a limited right for the controller to extend this period thereby a further two months where the request is onerous.

Right of access (Article 15)

A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information about the how the data have been used by the controller.

Right to rectify (Article 16)

Data subjects may require inaccurate or incomplete personal data to be corrected or completed without undue delay.

Right to erasure ('right to be forgotten') (Article 17)

Data subjects may request erasure of their personal data. The forerunner of this right made headlines in 2014 when Europe’s highest court ruled against Google (Judgment of the CJEU in Case C-131/12), in effect requiring Google to remove search results relating to historic proceedings against a Spanish national for an unpaid debt on the basis that Google as a data controller of the search results had no legal basis to process that information.

The right is not absolute; it only arises in quite a narrow set of circumstances, notably where the controller no longer needs the data for the purposes for which they were collected or otherwise lawfully processed, or as a corollary of the successful exercise of the objection right, or of the withdrawal of consent.

Right to restriction of processing (Article 18)

Data subjects enjoy a right to restrict processing of their personal data in defined circumstances. These include where the accuracy of the data is contested; where the processing is unlawful; where the data are no longer needed save for legal claims of the data subject, or where the legitimate grounds for processing by the controller are contested.

Right to data portability (Article 20)

Where the processing of personal data is justified either on the basis that the data subject has given his or her consent to processing or where processing is necessary for the performance of a contract, then the data subject has the right to receive or have transmitted to another controller all personal data concerning him or her in a structured, commonly used and machine-readable format (eg, commonly used file formats recognized by mainstream software applications, such as .xsl).

Right to object (Article 21)

Data subjects have the right to object to processing on the legal basis of the legitimate interests of the data controller or where processing is in the public interest. Controllers will then have to suspend processing of the data until such time as they demonstrate “compelling legitimate grounds” for processing which override the rights of the data subject.

In addition, data subjects enjoy an unconditional right to object to the processing of personal data for direct marketing purposes at any time. 

The right not to be subject to automated decision making, including profiling (Article 22)

Automated decision making (including profiling) "which produces legal effects concerning [the data subject] … or similarly significantly affects him or her" is only permitted where: 

1. necessary for entering into or performing a contract;
2. authorized by EU or Member State law; or 
3. the data subject has given their explicit (ie, opt-in) consent.

Further, where significant automated decisions are taken on the basis of grounds (a) or (c), the data subject has the right to obtain human intervention, to contest the decision, and to express his or her point of view.

EU regulation

Data Protection Principles

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under these principles, personal data must be (Article 5):

• processed lawfully, fairly and in a transparent manner (the "lawfulness, fairness and transparency principle");
• collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (the "purpose limitation principle");
• adequate, relevant and limited to what is necessary in relation to the purpose(s) (the "data minimization principle");
• accurate and where necessary kept up-to-date (the "accuracy principle");
• kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which the data are processed (the "storage limitation principle"); and
• processed in a manner that ensures appropriate security of the personal data, using appropriate technical and organizational measures (the "integrity and confidentiality principle").

The controller is responsible for and must be able to demonstrate compliance with the above principles (the "accountability principle"). Accountability is a core theme of the GDPR. Organizations must not only comply with the GDPR but also be able to demonstrate compliance perhaps years after a particular decision relating to processing personal data was taken. Record-keeping, audit and appropriate governance will all form a key role in achieving accountability.

Legal Basis under Article 6

In addition, in order to satisfy the lawfulness principle, each use of personal data must be justified by reference to an appropriate basis for processing. The legal bases (also known lawful bases or lawful grounds) under which personal data may be processed are (Article 6(1)):

• with the consent of the data subject (where consent must be "freely given, specific, informed and unambiguous", and must be capable of being withdrawn at any time);
• where necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract;
• where necessary to comply with a legal obligation (of the EU) to which the controller is subject;
• where necessary to protect the vital interests of the data subject or another person (generally recognized as being limited to 'life or death' scenarios, such as medical emergencies);
• where necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller; or
• where necessary for the purposes of the legitimate interests of the controller or a third party (which is subject to a balancing test, in which the interests of the controller must not override the interests or fundamental rights and freedoms of the data subject. Note also that this basis cannot be relied upon by a public authority in the performance of its tasks).

Special Category Data

Processing of special category data is prohibited (Article 9), except where one of the following exemptions applies (which, in effect, operate as secondary bases which must be established for the lawful processing of special category data, in addition to an Article 6 basis):

• with the explicit consent of the data subject;
• where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and social protection law or a collective agreement;
• where necessary to protect the vital interests of the data subject or another natural person who is physically or legally incapable of giving consent;
• in limited circumstances by certain not-for-profit bodies;
• where processing relates to the personal data which are manifestly made public by the data subject;
• where processing is necessary for the establishment, exercise or defence of legal claims or where courts are acting in their legal capacity;
• where necessary for reasons of substantial public interest on the basis of Union or Member State law, proportionate to the aim pursued and with appropriate safeguards;
• where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, provision of health or social care or treatment of the management of health or social care systems and services;
• where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of health care and of medical products and devices; or
• where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with restrictions set out in Article 89(1).

Member States are permitted to introduce domestic laws including further conditions and limitations for processing with regard to processing genetic data, biometric data and health data.

Criminal Convictions and Offences data

Processing of personal data relating to criminal convictions and offences is prohibited unless carried out under the control of an official public authority, or specifically authorized by Member State domestic law (Article 10).

Processing for a Secondary Purpose

Increasingly, organizations wish to 're-purpose' personal data - i.e. use data collected for one purpose for a new purpose which was not disclosed to the data subject at the time the data were first collected. This is potentially in conflict with the core principle of purpose limitation; to ensure that the rights of data subjects are protected. The GDPR sets out a series of factors that the controller must consider to ascertain whether the new process is compatible with the purposes for which the personal data were initially collected (Article 6(4)). These include:

• any link between the original purpose and the new purpose;
• the context in which the data have been collected;
• the nature of the personal data, in particular whether special categories of data or data relating to criminal convictions are processed (with the inference being that if they are it will be much harder to form the view that a new purpose is compatible);
• the possible consequences of the new processing for the data subjects; and
• the existence of appropriate safeguards, which may include encryption or pseudonymization.

If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new purpose are consent or a legal obligation (more specifically an EU or Member State law which constitutes a necessary and proportionate measure in a democratic society).

Transparency (Privacy Notices)

The GDPR places considerable emphasis on transparency, ie, the right for a data subject to understand how and why his or her data are used, and what other rights are available to data subjects to control processing. The presentation of granular, yet easily accessible, privacy notices should, therefore, be seen as a cornerstone of GDPR compliance.

Various information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using clear and plain language (Article 12(1)).

The following information must be provided (Article 13) at the time the data are obtained: 

• the identity and contact details of the controller;
• the data protection officer's contact details (if there is one);
• both the purpose for which data will be processed and the legal basis for processing, including, if relevant, the legitimate interests for processing;
• the recipients or categories of recipients of the personal data;
• details of international transfers;
• the period for which personal data will be stored or, if that is not possible, the criteria used to determine this;
• the existence of rights of the data subject including the right to access, rectify, require erasure, restrict processing, object to processing and data portability;
• where applicable, the right to withdraw consent, and the right to complain to supervisory authorities;
• the consequences of failing to provide data necessary to enter into a contract;
• the existence of any automated decision making and profiling and the consequences for the data subject; and
• in addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that further processing, providing the above information.

Somewhat different requirements apply (Article 14) where information has not been obtained from the data subject.

Rights of the Data Subject

Data subjects enjoy a range of rights to control the processing of their personal data, some of which are very broadly applicable, whilst others only apply in quite limited circumstances. Controllers must provide information on action taken in response to requests within one calendar month as a default, with a limited right for the controller to extend this period thereby a further two months where the request is onerous.

Right of access (Article 15)

A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information about the how the data have been used by the controller.

Right to rectify (Article 16)

Data subjects may require inaccurate or incomplete personal data to be corrected or completed without undue delay.

Right to erasure ('right to be forgotten') (Article 17)

Data subjects may request erasure of their personal data. The forerunner of this right made headlines in 2014 when Europe’s highest court ruled against Google (Judgment of the CJEU in Case C-131/12), in effect requiring Google to remove search results relating to historic proceedings against a Spanish national for an unpaid debt on the basis that Google as a data controller of the search results had no legal basis to process that information.

The right is not absolute; it only arises in quite a narrow set of circumstances, notably where the controller no longer needs the data for the purposes for which they were collected or otherwise lawfully processed, or as a corollary of the successful exercise of the objection right, or of the withdrawal of consent.

Right to restriction of processing (Article 18)

Data subjects enjoy a right to restrict processing of their personal data in defined circumstances. These include where the accuracy of the data is contested; where the processing is unlawful; where the data are no longer needed save for legal claims of the data subject, or where the legitimate grounds for processing by the controller are contested.

Right to data portability (Article 20)

Where the processing of personal data is justified either on the basis that the data subject has given his or her consent to processing or where processing is necessary for the performance of a contract, then the data subject has the right to receive or have transmitted to another controller all personal data concerning him or her in a structured, commonly used and machine-readable format (eg, commonly used file formats recognized by mainstream software applications, such as .xsl).

Right to object (Article 21)

Data subjects have the right to object to processing on the legal basis of the legitimate interests of the data controller or where processing is in the public interest. Controllers will then have to suspend processing of the data until such time as they demonstrate “compelling legitimate grounds” for processing which override the rights of the data subject.

In addition, data subjects enjoy an unconditional right to object to the processing of personal data for direct marketing purposes at any time. 

The right not to be subject to automated decision making, including profiling (Article 22)

Automated decision making (including profiling) "which produces legal effects concerning [the data subject] … or similarly significantly affects him or her" is only permitted where: 

1. necessary for entering into or performing a contract;
2. authorized by EU or Member State law; or 
3. the data subject has given their explicit (ie, opt-in) consent.

Further, where significant automated decisions are taken on the basis of grounds (a) or (c), the data subject has the right to obtain human intervention, to contest the decision, and to express his or her point of view.

---

Iceland regulation

Criminal convictions and offences data (Article 10)

According to Article 12 of the DPA, processing of personal data relating to criminal convictions and offences is subject to certain conditions and the processing must be based on one of the legal basis in Article 9 of the DPA, cf. Article 6(1) of the GDPR.

According to Article 12(1) of the DPA, authorities may not process data relating to criminal convictions and offences unless it is necessary for the purpose of their statutory tasks.

According to Article 12(2) of the DPA, the data cannot be disclosed unless:

• the data subject has explicitly given its consent for the disclosure;
• disclosure is necessary for the legitimate interests of the public or private sector which obviously outweigh the interests of the confidentiality of the data, including the interests of the data subject; or
• the disclosure is necessary for the legitimate tasks of the relevant authority or for the authority’s decision or disclosure is necessary for public-sector projects that have been legally assigned to private parties.

Private entities cannot process information on criminal convictions and offences unless the data subject has given its explicit consent or the processing is necessary for legitimate interests which obviously outweigh the interest of the data subject.

Use of personal identification numbers

According to Article 13 of the DPA, the use of a personal identification number is authorised if its purpose is objective and necessary to ensure secure personal identification. The Data Protection Authority may prohibit or order the use of a personal identification number.

Children's consent to information society services (Article 8)

Article 8(1) of the GDPR stipulates that a child may only provide their own consent to processing in respect of information society (primarily, online) services, where that child is over 16 years of age, unless member state law applies a lower age. The DPA reduces the age of consent for these purposes to 13 years for Iceland, cf. Article 10(5).

Data subject’s rights

The data subject has the right to be informed about the processing of his personal data, however, Article 17 of the DPA implements certain restrictions from these rights.

According to Article 17(3) of the DPA, Articles 13(1)-(3), 14(1)-(4) and 15 of the GDPR regarding the data subjects’ rights do not apply if the interests of individuals linked to the personal data, including the interests of the data subject itself, outweigh the interests of the data subject.

The rights granted to the data subject in Articles 13 – 15 of the GDPR can be restricted with a legislative measure if such a limitation of fundamental rights and freedoms constitutes necessary and proportionate measure in a democratic society to safeguard:

• national security;
• national defense;
• public security;
• the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including safeguarding against and preventing threats to public security;
• other important objectives of general public interest, in particular those of economic or financial interest including monetary, budgetary and taxation matters, public health and social security;
• the protection of the data subject, the vital interests of the public or the fundamental rights of others;
• the enforcement of civil law claims; and
• legal obligation of professional secrecy.

The right to restrict the data subjects right also applies to personal data in working documents used in preparation for the controllers’ decisions if it has not been distributed to others, to the extent necessary to ensure the preparation of the proceedings.

Information regarding cases that are being processed by authorities may be exempted from access according to Article 15(1) of the GDPR to the same extent as applies according to the Information Act no. 140/2012 and the Administrative Procedures Act no. 37/1993.

Rules No. 50/2023 on Electronic Surveillance

Rules No. 50/2023 on Electronic Surveillance apply to electronic monitoring in public places, as well as in workplaces, schools and other areas where a limited group of people usually moves around, i.e. in the common area of apartment buildings or on a common lot. The rules apply regardless of what type of equipment is used, such as surveillance cameras, web cameras, tachographs, positioning equipment or telemonitoring equipment. The rules set out requirements for the collection, distribution and storage of data collected by means of electronic surveillance. All processing of personal data must meet the requirements of GDPR on the basis of the provisions of the rules.

Legal Basis for Processing Personal Data

Under the DPDP Act, a Data Fiduciary can only process personal data for a lawful purpose and, barring limited exceptions as prescribed, is required to do so either on the basis of consent of a Data Principal or for certain ‘legitimate uses.’

Consent and notice

The DPDP Act requires Data Fiduciaries to provide notice and obtain consent from Data Principals on or before processing personal data. At the time of collecting the consent, a notice is required to be given to the Data Principal, conveying the following information:

• the personal data intended for processing and the purpose for such processing;
• the manner in which Data Principals can exercise their rights under the DPDP Act;
• the manner for filing a complaint with the Board; and
• the contact details of the Data Protection Officer or any other person responsible for responding to a Data Principal’s requests to exercise their rights under the DPDP Act.

Data Fiduciaries are required to give an option to Data Principals to access the request for consent and the notice in English or any of the twenty-two (22) languages specified in the Eighth Schedule to the Constitution of India. The Government of India will prescribe the manner and form of the notice in subsequent legislations.

Under the DPDP Act, Data Fiduciaries may process personal data based on consent from Data Principals which is required to be:

• free, specific, informed, unconditional, and unambiguous;
• provided through clear affirmative action; and
• limited to the personal data that is necessary for the specified purpose.

The Draft Rules require that the notice given by a Data Fiduciary to the Data Principal be:

• be presented and be understandable independently of any other information that has been, is or may be made available by such Data Fiduciary;
• give, in clear and plain language, a fair account of the details necessary to enable the Data Principal to give specific and informed consent for the processing of her personal data, which shall include, at the minimum:
  • an itemised description of such personal data; and
  • the specified purpose of, and an itemised description of the goods or services to be provided or uses to be enabled by, such processing;
• the particular communication link for accessing the website or app, or both, of such Data Fiduciary, and a description of other means, if any, using which such Data Principal may:
  • withdraw her consent, with the ease of doing so being comparable to that with which such consent was given;
  • exercise her rights under the DPDP Act; and
  • make a complaint to the Board.

Where a Data Principal has given consent to processing of their personal data prior to the commencement of the DPDP Act, the Data Fiduciary is required to provide notice containing the above details “as soon as it is reasonably practicable”. The express timeline is yet to be prescribed.

Legitimate uses

The DPDP Act permits the processing of personal data for certain legitimate uses and in such cases, Data Fiduciaries are not required to provide prior or post-facto notice to or obtain consent from the Data Principals. The legitimate uses are as follows:

• where a Data Principal voluntarily provides their personal data to a Data Fiduciary and has not indicated to the Data Fiduciary that they do not consent to the use of their personal data;
• for the State or any of its instrumentalities to provide or issue benefits or services to Data Principals where:
  • the Data Principals have previously consented to the processing of their personal data for availing any benefits or services from the State or any of its instrumentalities; or
  • such personal data is available in digital form or in non-digital form and digitized subsequently from any database, register, book or other document maintained by the State or any of its instrumentalities;
• for the performance of any function by the State or any of its instrumentalities under any law currently in force in India or in the interest of sovereignty and integrity of India or security of the State;
• for compliance with any judgment or order issued under the law in force in India, or any judgement or order relating to contractual claims of a civil nature under any law in force outside India;
• responding to a medical emergency involving threat to life or immediate threat to health;
• for taking measures to ensure safety of, or provide assistance or services to, any individual during disaster, or any breakdown of public order; and
• for purposes relating to employment or those related to safeguarding the employer from loss or liability.

Retention of personal data

Data Fiduciaries are required to cease to retain personal data as soon as:

• it is reasonable to assume that the purpose for which personal data was collected is no longer being served;
• the Data Principal withdraws their consent; or
• upon a request for erasure by the Data Principal, unless retention of personal data is necessary under any other laws.

The Draft Rules prescribe specific data erasure requirements for certain classes of Data Fiduciaries: e-commerce entities or social media intermediaries having 2,000,000 registered users in India or more and online gaming intermediaries with 50,00,000 registered users in India or more.

Processing of personal data of certain classes of individuals

The DPDP Act imposes additional obligations and responsibilities on Data Fiduciaries when they are processing the personal data of children and individuals with guardians. Data Fiduciaries, before processing the personal data of children or persons with disabilities, are required to obtain verifiable consent from a parent or legal guardian, as may be applicable.

The DPDP Act explicitly defines a child as an individual below the age of eighteen years. The Draft Rules define a person with disability as an individual who (i) has long term physical, mental, intellectual or sensory impairment which, in interaction with barriers, hinders their full and effective participation in society equally with others and who, despite being provided adequate and appropriate support, is unable to take legally binding decisions; and (ii)  an individual who is suffering from any of the conditions relating to autism, cerebral palsy, mental retardation or a combination of any two or more of such conditions and includes an individual suffering from severe multiple disability.

Specifically for children’s data, a Data Fiduciary is required to refrain from:

• undertaking any processing that is likely to have a detrimental effect on the well-being of a child; and
• tracking, monitoring the behaviour of, or directing targeted advertisements at children.

Under the Draft Rules, Data Fiduciaries in obtaining verifiable consent of a parent or from an individual identifying themselves as the lawful guardian of a person with disability are required to verify that the person is the child’s parent or person with disability’s legal guardian, and that the parent or guardian is identifiable. For a child, the Data Fiduciary must verify that the parent is an adult by using reliable identity details or a virtual token mapped to such details.

These obligations related to children’s data may be exempted by the Government under certain circumstances for prescribed purposes, class of Data Fiduciaries and for certain prescribed ages (further detailed in the section on Exemptions).

The Draft Rules prescribe that the obligation to obtain verifiable consent of a parent or guardian and to not undertake tracking or behavioural monitoring or targeted advertising at children does not apply to the processing of the data of a child by (for certain prescribed purposes) clinical establishments, mental health establishments, healthcare professionals, allied healthcare professionals, educational institutions, an individual in whose case infants and children in a creche or child day care centres are entrusted and persons engaged by an educational institution, crèche or child care centre for transport of children enrolled with such institution, crèche or centre and generally, to all Data Fiduciaries where the purposes of processing is for inter alia, creating a user account for communicating by email, for ensuring information likely to cause any detrimental effect on the well being of a child is not accessible to them, for confirmation that the Data Principal is not a child, etc. 

With respect to the processing of an employee’s personal data, the DPDP Act considers it as a legitimate use wherein an employer will not have to obtain express consent in order to process personal data as long as the processing is carried out for employment purposes, or to protect employers from loss or liability, or to provide a benefit to an employee.

Obligations of Data Fiduciaries

The DPDP Act prescribes certain obligations on  Data Fiduciaries in collecting and processing personal data:

• complying with the DPDP Act in respect of any processing undertaken by a Data Fiduciary or on their behalf by a Data Processor, irrespective of any agreement to the contrary or failure of the Data Principal to carry out their duties provided under the DPDP Act;
• engaging a Data Processor to process personal data on its behalf only under a valid contract;
• implementing appropriate technical and organizational measures to ensure effective adherence with the provisions of the DPDP Act and any rules which may be notified;
• ensuring accuracy, completeness and consistency of the personal data when such personal data is processed to make a decision that affects the Data Principal or if the personal data is likely to be disclosed to another Data Fiduciary;
• protecting all personal data in its possession or under its control by taking reasonable security safeguards to prevent personal data breach;
• in the event of a personal data breach, notifying the Board and each affected Data Principal;
• publishing the business contact information of the Data Protection Officer in the case of Significant Data Fiduciary, or the contact person who is able to answer Data Principals’ questions regarding processing of their personal data;
• subject to compliance with other laws, deleting personal data by itself and ensuring such deletion by the Data Processor (if applicable), either when the Data Principal withdraws their consent or when it is reasonably assumed that the specified purpose is no longer being served, whichever is earlier; and
• establishing an effective grievance redressal mechanism to redress Data Principals’ grievances.

Obligations of Significant Data Fiduciaries

The Government of India may classify a Data Fiduciary, or a class of Data Fiduciaries as a Significant Data Fiduciary (SDF) based on certain factors like the volume and sensitivity of personal data processed, the risk posed to the rights of a Data Principal, the potential impact on the sovereignty and integrity of India, the risk to electoral democracy, security of the State, and public order. Upon being notified as an SDF, entities are required to follow additional obligations:

• to designate a Data Protection Officer situated in India to serve as the SDF’s representative for compliance with the DPDP Act and the primary point of contact for addressing grievances. The appointed person should be an individual responsible to the board of directors or a similar governing body of the SDFs.
• to appoint an independent data auditor to assess the SDF's compliance with the DPDP Act. The subordinate legislations under the DPDP Act will specify the periodicity for conducting such audits, and the technical and operational qualifying criteria for auditors.
• to undertake Data Protection Impact Assessments, periodic audits, and other measures that will be prescribed by the Government of India.

The Draft Rules further require SDFs to (once, in a period of 12 months from the date of being notified as an SDF), undertake a Data Protection Impact Assessment and an audit to ensure it is observing the provisions of the DPDP Act. The person carrying out the Data Protection Impact Assessment and the audit is required, under the Draft Rules, to furnish a report to the Board containing significant observations in the Data Protection Impact Assessment and the audit.

In addition, the Draft Rules require that SDFs:

• observe due diligence in verifying that the algorithmic software deployed by it for hosting, displaying, uploading modification, publishing, transmission, storage, updating or sharing of personal data processed by it are not likely to pose a risk to the rights of Data Principals.
• undertake measures to ensure that personal data specified by the Central Government is processed in a manner such that the personal data and the traffic data pertaining to its flow is not transferred outside India.

Rights and Duties of Data Principals

Under the DPDP Act, Data Principals have been given certain rights which include:

• Right to access information about personal data: A Data Principal has the right to request a Data Fiduciary for a summary of their personal data being processed and the processing activities being undertaken by the Data Fiduciary. A Data Principal also has the right to request the Data Fiduciary for the identities of other Data Fiduciaries and Data Processors with whom their personal data is being shared and a description of the personal data being shared. The Government of India may prescribe any other information which a Data Principal has the right to request from a Data Fiduciary in subsequent legislations.
• Right to correction of personal data: A Data Principal has the right to request for correction of personal data that may be inaccurate or misleading, completion of personal data that is incomplete and updating of their personal data.
• Right to erasure: A Data Principal has the right to request for erasure of their personal data, the processing of which was previously consented to, unless retention is necessary for compliance with any laws.
• Right to withdraw consent: A Data Principal has the right to withdraw consent from processing of their personal data at any time after they have provided their consent to a Data Fiduciary.
• Right of grievance redressal: A Data Principal has the right to grievance redressal provided by a Data Fiduciary or a Consent Manager, which is exercisable in respect to a Data Fiduciary’s obligations and a Data Principal’s rights under the DPDP Act. The time period within which a Data Fiduciary or Consent Manager is required to respond to the grievances will be prescribed in subsequent legislations.
• Right to nominate: A Data Principal has the right to nominate any other individual to exercise the rights of a Data Principal on their behalf, in the event of their death or incapacity.

The right to access information, correction and erasure will apply only in cases where the Data Principal has given consent or voluntarily provided their personal data to a Data Fiduciary for processing. These rights will not be available where personal data is being processed under the grounds of legitimate use. The manner in which these rights are to be exercised by a Data Principal will be prescribed by the Government of India.

The Draft Rules require Data Fiduciaries and Consent Managers to publish on their websites / apps the following:

• the details of the means using which a Data Principal may make a request for the exercise of their rights;
• the particulars, if any, such as the username or other identifier of such a Data Principal, which may be required to identify her under its terms of service; and
• the period under its grievance redressal system for responding to the grievances of Data Principals.

Under the DPDP Act, certain duties have also been assigned to Data Principals, which include:

• complying with all applicable laws while exercising their rights under the DPDP Act;
• prohibition of impersonation of others while providing their personal data for a specified purpose;
• not suppressing any material information while providing their personal data for any document, unique identifier, proof of identity or proof of address issued by the State or any of its instrumentalities;
• not registering false or frivolous grievances or complaints with a Data Fiduciary or the Board; and
• furnishing information that is verifiably authentic while exercising the right to correction or erasure.

Based on the PDP Law,  processing of personal data includes:

1. obtaining and collection;
2. processing and analyzing;
3. storing;
4. correction and updates;
5. displaying, announcing, transferring / transmitting, distributing or disclosure / providing access to; and / or
6. deletion or removal.

The PDP Law further mandates that personal data controllers are required to record all processing activities, which will commonly be referred to as the Records of Processing Activities (“ROPA”). There is no model template published by the relevant authority yet. However, some associations such as the Indonesian Association of Personal Data Protection Practitioners (Asosiasi Praktisi Pelindungan Data Pribadi Indonesia (APPDI)), the Indonesian Employers' Association (Asosiasi Pengusaha Indonesia (APINDO)), and the ISACA Indonesia Chapter, have collaborated in creating a ROPA template which may in the meantime serve as a guideline for personal data controllers to ensure compliance with their obligations under the PDP Law.

With the enactment of the PDP Law, the lawfulness of processing personal data has been extended and is largely similar with the GDPR, which is currently as follows:

• consent: the data subject has given explicit consent to the processing of his / her personal data for one or more specific purposes as have been conveyed by the data controller to the data subject;
• contractual obligation: processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject upon entering into a contract;
• legal obligation: processing is necessary for compliance with a legal obligation to which the controller is subject;
• vital interest: processing is necessary in order to protect the vital interests of the data subject ("vital interest of the data subject" relates to the survival of the data subject such as when the processing is necessary for serious medical treatment);
• public interest: processing is necessary for the performance of a task carried out in the public interest, public service or the exercise of official authority vested in the data controller in accordance with prevailing laws and regulations; and / or
• legitimate interest: processing is necessary for the purposes of other legitimate interests with due regard to the purpose, needs and balance of interest of rights of the data controller and the data subject.

The current Draft Implementing Regulation to PDP Law (version of August 31st, 2023) suggests some further guidance containing the criteria and / or restrictions with regard to each lawful basis.

The PDP Law also re-emphasizes the principles of personal data protection that are set out in the General Data Protection Regulations, which include:

• personal data collection shall be conducted in a limited and specific manner, and be legally valid and transparent;
• personal data processing shall be conducted in accordance with its purpose;
• personal data processing shall be conducted by guaranteeing the rights of the personal data subject (such as the right to be informed, right to rectification, right of access, right to erasure, right to withdraw consent, right to object to automated decision, right to restrict processing and right to data portability);
• personal data processing shall be conducted accurately, completely, not misleading, up to date, can be accounted for, and by taking into account the purpose of processing of the personal data;
• personal data processing shall be conducted by protecting the security of personal data from loss, misuse, unauthorized access and disclosure, as well as the alteration or destruction of personal data;
• personal data processing shall be conducted by notifying the purpose of collection, processing activities, and failure of personal data protection;
• personal data processing shall be destroyed and / or deleted except if it is still in the retention period in accordance with the necessity based on the laws and regulations; and
• processing of personal data shall be carried out responsibly and shall be verifiable in a clear manner.

There are, however, partial exemptions for some provisions in the PDP Law, mostly with regard to a data subject's rights and data controller’s obligations in relation to the application of a data subject’s rights (such as: rectification, providing access, maintaining confidentiality, termination, erasure, destruction, breach notification), which can be deviated from if the purpose of the data processing is: 

1. for the interests of national defence and security;
2. for the interest of law enforcement processes (such as investigation or prosecution);
3. for the public interest in the context of state administration (citizenship administration, social security, taxation, customs and e-licensing); 
4. for the interests of supervision of the financial services sector, monetary sector, payment system sector, and financial system stability sector (namely those that fall under the supervision of the Indonesian Central Bank / BI, the Indonesian Finansial Services Authority / OJK, and Indonesia's Deposit Insurance Agency / LPS); or
5. for statistical purposes and scientific research,

and provided that those exemptions are only undertaken in the framework of implementing a law / legislative requirement.

Data collection and processing, including publication, is subject to data subject consent, provided that the “data message” is otherwise in accordance with Iranian law. 

The collection and processing of personal "data messages" via electronic means is subject to the following conditions: 

• the purpose of collection and processing must be specified and clearly described
• data may only be collected to the extent necessary to achieve its purported purpose
• “data messages” must be correct and up-to-date
• data subjects must be provided with access to computer files that contain “data messages” that concern the data subject
• data subjects must be provided with the ability to delete or rectify “data messages,” in accordance with relevant regulations (Article 59, E-Commerce Law)  

Unless otherwise provided by law, the following is prohibited: searching, collecting, processing, using or disclosing personal data. This prohibition also applies to other mail and telecommunications, including telephone communications, faxes, wireless and private internet communications.

EU regulation

Data Protection Principles

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under these principles, personal data must be (Article 5):

• processed lawfully, fairly and in a transparent manner (the "lawfulness, fairness and transparency principle");
• collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (the "purpose limitation principle");
• adequate, relevant and limited to what is necessary in relation to the purpose(s) (the "data minimization principle");
• accurate and where necessary kept up-to-date (the "accuracy principle");
• kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which the data are processed (the "storage limitation principle"); and
• processed in a manner that ensures appropriate security of the personal data, using appropriate technical and organizational measures (the "integrity and confidentiality principle").

The controller is responsible for and must be able to demonstrate compliance with the above principles (the "accountability principle"). Accountability is a core theme of the GDPR. Organizations must not only comply with the GDPR but also be able to demonstrate compliance perhaps years after a particular decision relating to processing personal data was taken. Record-keeping, audit and appropriate governance will all form a key role in achieving accountability.

Legal Basis under Article 6

In addition, in order to satisfy the lawfulness principle, each use of personal data must be justified by reference to an appropriate basis for processing. The legal bases (also known as lawful bases or lawful grounds) under which personal data may be processed are (Article 6(1)):

• with the consent of the data subject (where consent must be "freely given, specific, informed and unambiguous", and must be capable of being withdrawn at any time);
• where necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract;
• where necessary to comply with a legal obligation (of the EU) to which the controller is subject;
• where necessary to protect the vital interests of the data subject or another person (generally recognized as being limited to 'life or death' scenarios, such as medical emergencies);
• where necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller; or
• where necessary for the purposes of the legitimate interests of the controller or a third party (which is subject to a balancing test, in which the interests of the controller must not override the interests or fundamental rights and freedoms of the data subject. Note also that this basis cannot be relied upon by a public authority in the performance of its tasks).

Special Category Data

Processing of special category data is prohibited (Article 9), except where one of the following exemptions applies (which, in effect, operate as secondary bases which must be established for the lawful processing of special category data, in addition to an Article 6 basis):

• with the explicit consent of the data subject;
• where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and social protection law or a collective agreement;
• where necessary to protect the vital interests of the data subject or another natural person who is physically or legally incapable of giving consent;
• in limited circumstances by certain not-for-profit bodies;
• where processing relates to the personal data which are manifestly made public by the data subject;
• where processing is necessary for the establishment, exercise or defence of legal claims or where courts are acting in their legal capacity;
• where necessary for reasons of substantial public interest on the basis of Union or Member State law, proportionate to the aim pursued and with appropriate safeguards;
• where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, provision of health or social care or treatment of the management of health or social care systems and services;
• where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of health care and of medical products and devices; or
• where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with restrictions set out in Article 89(1).

Member States are permitted to introduce domestic laws including further conditions and limitations for processing with regard to processing genetic data, biometric data and health data.

Criminal Convictions and Offences data

Processing of personal data relating to criminal convictions and offences is prohibited unless carried out under the control of an official public authority, or specifically authorized by Member State domestic law (Article 10).

Processing for a Secondary Purpose

Increasingly, organisations wish to 're-purpose' personal data - ie, use data collected for one purpose for a new purpose which was not disclosed to the data subject at the time the data were first collected. This is potentially in conflict with the core principle of purpose limitation; to ensure that the rights of data subjects are protected. The GDPR sets out a series of factors that the controller must consider to ascertain whether the new process is compatible with the purposes for which the personal data were initially collected (Article 6(4)). These include:

• any link between the original purpose and the new purpose
• the context in which the data have been collected
• the nature of the personal data, in particular whether special categories of data or data relating to criminal convictions are processed (with the inference being that if they are it will be much harder to form the view that a new purpose is compatible)
• the possible consequences of the new processing for the data subjects
• the existence of appropriate safeguards, which may include encryption or pseudonymization.

If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new purpose are consent or a legal obligation (more specifically an EU or Member State law which constitutes a necessary and proportionate measure in a democratic society).

Transparency (Privacy Notices)

The GDPR places considerable emphasis on transparency, ie, the right for a data subject to understand how and why his or her data are used, and what other rights are available to data subjects to control processing. The presentation of granular, yet easily accessible, privacy notices should, therefore, be seen as a cornerstone of GDPR compliance.

Various information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using clear and plain language (Article 12(1)).

The following information must be provided (Article 13) at the time the data are obtained: 

• the identity and contact details of the controller;
• the data protection officer's contact details (if there is one);
• both the purpose for which data will be processed and the legal basis for processing, including, if relevant, the legitimate interests for processing;
• the recipients or categories of recipients of the personal data;
• details of international transfers;
• the period for which personal data will be stored or, if that is not possible, the criteria used to determine this;
• the existence of rights of the data subject including the right to access, rectify, require erasure, restrict processing, object to processing and data portability;
• where applicable, the right to withdraw consent, and the right to complain to supervisory authorities;
• the consequences of failing to provide data necessary to enter into a contract;
• the existence of any automated decision making and profiling and the consequences for the data subject; and
• in addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that further processing, providing the above information.

Somewhat different requirements apply (Article 14) where information has not been obtained from the data subject.

Rights of the Data Subject

Data subjects enjoy a range of rights to control the processing of their personal data, some of which are very broadly applicable, whilst others only apply in quite limited circumstances. Controllers must provide information on action taken in response to requests within one calendar month as a default, with a limited right for the controller to extend this period thereby a further two months where the request is onerous.

Right of access (Article 15)

A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information about the how the data have been used by the controller.

Right to rectify (Article 16)

Data subjects may require inaccurate or incomplete personal data to be corrected or completed without undue delay.

Right to erasure ('right to be forgotten') (Article 17)

Data subjects may request erasure of their personal data. The forerunner of this right made headlines in 2014 when Europe’s highest court ruled against Google (Judgment of the CJEU in Case C-131/12), in effect requiring Google to remove search results relating to historic proceedings against a Spanish national for an unpaid debt on the basis that Google as a data controller of the search results had no legal basis to process that information.

The right is not absolute; it only arises in quite a narrow set of circumstances, notably where the controller no longer needs the data for the purposes for which they were collected or otherwise lawfully processed, or as a corollary of the successful exercise of the objection right, or of the withdrawal of consent.

Right to restriction of processing (Article 18)

Data subjects enjoy a right to restrict processing of their personal data in defined circumstances. These include where the accuracy of the data is contested; where the processing is unlawful; where the data are no longer needed save for legal claims of the data subject, or where the legitimate grounds for processing by the controller are contested.

Right to data portability (Article 20)

Where the processing of personal data is justified either on the basis that the data subject has given his or her consent to processing or where processing is necessary for the performance of a contract, then the data subject has the right to receive or have transmitted to another controller all personal data concerning him or her in a structured, commonly used and machine-readable format (eg, commonly used file formats recognized by mainstream software applications, such as .xsl).

Right to object (Article 21)

Data subjects have the right to object to processing on the legal basis of the legitimate interests of the data controller or where processing is in the public interest. Controllers will then have to suspend processing of the data until such time as they demonstrate “compelling legitimate grounds” for processing which override the rights of the data subject.

In addition, data subjects enjoy an unconditional right to object to the processing of personal data for direct marketing purposes at any time. 

The right not to be subject to automated decision making, including profiling (Article 22)

Automated decision making (including profiling) "which produces legal effects concerning [the data subject] … or similarly significantly affects him or her" is only permitted where: 

1. necessary for entering into or performing a contract;
2. authorized by EU or Member State law; or 
3. the data subject has given their explicit (ie, opt-in) consent.

Further, where significant automated decisions are taken on the basis of grounds (a) or (c), the data subject has the right to obtain human intervention, to contest the decision, and to express his or her point of view.

---

Ireland regulation

Part 3 of the DP Act sets out a range of national derogations as provided for in GDPR. Some of the notable provision include the following.

Processing for purpose other than purpose for which data collected

Section 41 of the DP Act permits the processing of personal data or special categories of personal data for purposes other than for which it was collected where necessary and proportionate for the purposes of: (a) preventing threats to national security, defence or public security; (b) preventing detecting, investigating or prosecuting crime; (c) providing / obtaining legal advice; (d) in connection with legal claims or prospective claims; or (e) establishing, exercising or defending legal rights.

Special category data

Chapter 2 of Part 3 governs the processing of special category personal data. The DP Act permits the processing of special category in certain circumstances including:

• for employment / social welfare law purposes;
• in relation to legal advice and proceedings;
• in the course of electoral activities;
• for the purposes of the administration of justice;
• for certain insurance or pension purposes as well as in relation to the mortgaging of a property;
• for reasons of substantial public interest;
• by health care workers for medical, health and social care purposes;
• in the interests of public health; and
• for archiving, scientific, historic or statistical purposes.

In most such cases, the DP Act requires enhanced “suitable and specific” measures to be implemented in order to protect the rights and freedoms of data subjects. The DPC has the right to request evidence of such measures, which can include:

• explicit consent of the data subject;
• limitations on access to the personal data;
• strict time limits for erasure of the personal data;
• specific training for those processing the personal data;
• various enhanced technical and organisational measures such as encryption and pseudonymisation; and
• processes and procedures for risk assessment purposes.

Health research regulations

The Data Protection Act 2018 (Section 36(2)) (Health Research) Regulations 2018 came into force in August 2018. The Health Research Regulations introduced material changes to the rules governing how health research can be conducted in Ireland and include:

• a new statutory definition of “health research”;
• a prescribed list of mandatory “suitable and specific measures” that must be adopted when processing personal data for health research purposes, including a general requirement that “explicit consent” be obtained from data subjects; and
• a list of exceptional circumstances in which the explicit consent requirement is not required and a detailed process to be followed in such cases.

Article 10 (criminal records) data

The DP Act expands the definition of Article 10 data to include personal data relating to the alleged commission of an offence and any proceedings relating to such offence. Section 55 of the DP Act provides for Article 10 (i.e. criminal records) data to be lawfully processed in a number of limited circumstances including:

• where the data subject has given explicit consent;
• where necessary and proportionate for the performance of a contract to which the data subject is party;
• where necessary for providing / obtaining legal advice or in connection with legal claims or prospective claims;
• where necessary for establishing, exercising or defending legal rights; or
• where necessary to prevent injury or damage or otherwise to protect vital interests.

The DP Act also requires enhanced “suitable and specific” measures to be taken to safeguard the rights and freedoms of data subjects in all of the above circumstances.

Children & child's consent to information society services

The DP Act defines a "child" as a person under 18 (this is relevant for example in assessing whether or not a data protection impact assessment may be required).

The DP Act provides that the digital age of consent in Ireland is 16 years old. This means that in order for any personal data pertaining to a child below the age of 16 to be processed in relation to an information society service, the consent of a parent or guardian is also required. The DPC ran two public consultations in 2019 on the processing of children’s personal data and the rights of children as data subjects and published the “Fundamentals for a Child-Oriented Approach to Data Processing” in December 2021. The DPC also has a statutory function, under section 32 of the DP Act, to encourage the drawing up of codes of conduct for the protection of children.

Section 33 of the DP Act provides a specific right of erasure for children in connection with personal data collected in relation to the offer of information society services.

The DP Act includes a prohibition on the processing of children's personal data for the purposes of direct marketing, profiling and micro-targeting. Section 30 has however not been commenced due to concerns that enacting it would place Ireland in breach of EU law. 

Automated decision making

Section 57 of the DP Act provides for a derogation whereby the right under GDPR not to be subject to a decision based solely on automated decision-making including profiling where the decision is authorised or required under an enactment and either (1) the effect of the decision is to grant a request of the data subject, or (2) adequate steps have been taken to safeguard the legitimate interests of the data subject.

Rights of data subjects

Section 60 of the DP Act sets out the circumstances in which data subject rights may be restricted. These include where such restrictions are necessary and proportionate:

• to safeguard cabinet confidentiality, parliamentary privilege, national security, defence and the international relations of the State;
• for the prevention, detection, investigation and prosecution of criminal offences;
• for the administration of taxes or duties;
• for the establishment, exercise or defence of, a legal claim or prospective legal claim; 
• for the enforcement of civil law claims; or
• for the purposes of estimating the amount of the liability of a controller on foot of a claim.

Section 60 also restricts data subject rights to the extent that the personal data relating to the data subject is an expression or opinion by another person given in confidence, or on the understanding that it would be treated as confidential. The person in receipt of the information must have a legitimate interest in receiving the information.

Data subject rights can also be restricted in relation to information which is subject to legal privilege.

The collection, processing or use of Personal Data is permitted subject to obtaining the informed consent of the data subjects. Such consent should adhere to purpose, proportionality and transparency limitations. As such, consent should be obtained for specific purposes of use, the processing and use of Personal Data should be proportionate to those purposes, and data subjects should have the right to inspect and correct their personal information. The data subject's consent must be reobtained for any change in the purpose of use.

Any request for consent from a data subject to have his or her Personal Data stored and used within a database must be accompanied by a notice indicating:

• whether there is a legal requirement to provide the information;
• the purpose for which the information is requested;
• the recipients of the data;
• the purpose(s) of use of the data;

• the consequences of refusing the collection and processing of the data (added in Amendment 13);

• controller's name and contact information (added in Amendment 13); and

• the data subject's right to access and rectify the data (added in Amendment 13).

Retaining outsourcing services for the processing of personally identifiable information is subject to the IPA's Guidelines on the Use of Outsourcing Services of Processing Personal Information (Guideline 2/2011) dated 10 June 2012 ('Outsourcing Guidelines'). The Outsourcing Guidelines include, inter olio, factors to be taken into consideration when deciding to use outsourcing services, specific provisions to be included within the data transfer agreement and data security requirements. Processing of personally identifiable information in certain sectors is subject to additional outsourcing requirements.

Furthermore, the Outsourcing Guidelines also require compliance with the Data Security Regs.

Entities subject to separate outsourcing guidelines are for example entities supervised by the Commissioner of the Capital Market, Insurance and Savings and entities supervised by the Banking Supervision Department of the Bank of Israel. On 10 September 2014, the Banking Supervision Department of the Bank of Israel issued draft guidelines regarding risk management in cloud computing services used by Israeli banking corporations. Among other various restrictions, the draft guidelines set forth an obligation on supervised entities to receive the approval of the Supervisor of Banks prior to using cloud computing services. The general issue of privacy consideration in the use of surveillance cameras is governed by the IPA Use of Surveillance Cameras and the Footage Obtained Therein Guidelines (no. 4/2012). In 2017, the IPA published Use of Surveillance Cameras in the Workplace and in Working Relationships Guidelines (no. 5/17) specifically referring to the use of surveillance cameras in the workplace. The guidelines state that the employer's prerogative to use surveillance means in the workplace is subject to fulfillment of principals such as legitimacy, transparency, proportionality, good faith and fairness. These principles apply also to businesses required by law enforcement to place surveillance cameras on their premises. The guidelines specify the manner in which these principles should be implemented, derivative requirements and possible implications.

On December 27, 2018. The Camera Installation Law for the Protection of Toddlers in Day Care Centers for Toddlers (5779 - 2018) was published and became effective on September 1, 2020. The said law provides that the operator of a daycare center for toddlers is required (unless it falls under the exceptions under the law) to install cameras that will record during the time of which the toddlers are present, without sound. It is forbidden to view the videos, to copy them, to transfer them to another person and to make any use of them without a court order (except for the Police and the Ministry of Welfare officials for the purpose of preventing harm to toddlers that are in the daycare). No real-time viewing of the footage is permitted, and it must be deleted withing 30 days from the date of filming.

On July 8, 2023, the Israeli Ministry of Justice published: Amendment to Installation of Cameras for the Protection of Toddlers in Daycare Centers for Toddlers (Amendment No. 1), 5779 -2017, which intends to strike a balance between the need to protect toddlers and the need to reduce as much as possible the harm to the privacy of the toddlers and the daycare staff, usually from photographing and viewing the photographs. The draft bill has been placed on the table of the Israel Knesset and for their preliminary discussion.

On October 16, 2023, The IPA published Publication: Protecting the Privacy of Students in Distance Learning, which presents a number of emphases and recommendations for proper conduct and protection of privacy and Personal Information as part of students' use of online distance learning applications.

Furthermore, on March 29, 2020 its Recommendations: Privacy Aspects of Use of Drones which, recommends that the drone user take into account alternatives that will not violate the privacy of others and to activate the drone proportionately in order to minimize the scope of Personal Data collected, processed and stored. The period in which the Personal Data is retained should be limited as much as possible and for as long as the Personal Data is stored on the drone, the drone is to be kept in a physically safe location; ensure privacy by design and compliance with the PPA requirements in respect of privacy by notification, transparency and deletion of data.

On August 31, 2021, the IPA published Draft Guidelines: Collection of Employee Location Data Using Dedicated Apps and Vehicle Location Systems. The guidelines emphasize that such a use shall only be made in the absence of an alternative. The employer must further determine in advance the purpose, the specific range of hours Personal Data collection, and the duration for which the information will be retained.

On May 22, 2023, the IPA published Publication: Privacy Related Aspects of Monitoring Remote Working Employees, which includes certain standards required for employers that monitor their employees working remotely in order to avoid breach of their privacy rights (including without limitation compliance with proportionality and legitimacy standards such as limiting surveillance solely to work hours; employers must inform their employees that they are using technological means to monitor their behavior when working remotely, including the purpose for which the monitoring is done).

On July 26, 2023, the IPA published Opinion: Collecting Location Data of Employees Using Applications and In-Vehicle Tracking Systems, which determines guidelines on how to collect such data from employees in their vehicles provided by the employer.

On February 28, 2024, the IPA published Guideline: Collection and Use of Biometric Information in the Workplace. Employers who use biometric systems to monitor employees' attendance can do so provided that they appropriately address and respect the employees’ right to privacy, in accordance with notice and consent requirements and adherence to proportionality, transparency, purpose limitation, security and data minimization principles.

On March 25, 2021, the IPA published Policies of Data Minimization, which require database owners to: ensure that the information collected is and will be required to achieve the purpose of for which it was collected and is deleted thereafter; check annually if they possess data that is irrelevant etc.

On December 12, 2022, the IPA published Guidelines: What are ‘Data’ and ‘Information on a Person’s Private Affairs’ according to the PPL, which clarifies the meaning of the terms Data and Information on a Person's Private Affairs.

On July 31, 2022, the IPA published Obligation to Notify as Part of Collection and Use of Personal Information Guideline. The guideline requires notification to data subjects which their Personal Data is collected and used by systems for making algorithm-based or artificial intelligence decisions.

---

On January 8, 2024, the Knesset committee approved in its second and third reading the Amendment to the Police Order (No. 40) (Biometric Photographic System) 5783- 2023, which regulates aspects of placing systems that capture biometric photos in public spaces by the police. The photo systems include the capabilities to process the photos of people and compare them to identifiable information entered into the system, in a way that may allow indemnification.

On June 6, 2023, Inclusion of Biometric Identification Means and Biometric Identification Data in Identification Documents and in the Database (Amendment and Temporary Order), 5777-2017, came into effect, which allows the collection of fingerprints for the police's public biometric database, until June 30, 2024.

On November 15, 2023, The IPA published publication: Privacy in Home IoT Products and Smart Homes, which includes recommendations to companies that provide IoT (Internet of Things) services and products in the home space, as part of transforming homes into "smart homes" and to such users, as the smart home devices collects and processes a large amount of Personal Data and Sensitive Data and introduction of surveillance systems into the areas of the individual's private and intimate space.

On July 11, 2024, the IPA published Recommendations: Use of Tracking Tags, which includes recommendations for safe use of tracking tags while maintaining user privacy.

On August 22, 2023, the IPA published Publication: Disclosure of Personal Information Regarding Male and Female Students on The Websites of Higher Education Institutions, which includes guidelines as to manner of such disclosure.

On December 11, 2023, the government published Memorandum of Law: Israel Security Agency (Amendment No...), 2023 open to comments by the public, which purpose is to regulate certain aspects including cyber and computers and to grant GSS rights to receive, collect and transmit information, including from databases, subject to certain approvals, supervision and control mechanisms. Which is in addition to the publication by the Israeli Ministry of Justice published on February 28, 2021 the draft bill Memorandum: "The Cyber Defense Law and the National Cyber System (Authorities for the Purpose of Strengthening Protection) (Temporary Order), 5781-2021", which states that the National Cyber System and the GSS will be permitted to give instructions to private and public organizations in Israel on how to prepare for and defend against a cyber-attack and addresses compliance issues.

On December 29, 2022, the IPA published Recommendations for Proper Conduct When Using Applications (Apps) to Pay and Validate Public Transportation, including without limitation recommendations in respect of privacy policies, app information security, deletion of Personal Data and other.

On February 22, 2024, the IPA published: Recommendations for the Public while Using Charging Stations for Electric Vehicles, including recommendations for safe and balanced use of electric vehicles charging stations, while preserving the privacy of the users.

On January 24, 2023, the Israeli Ministry of Justice published Memorandum: "Health Information Mobility Law, 5783-2023", to regulate patient's access to their health information in connection with provision of health services while protecting their privacy and data security.

On March 5, 2024, the IPA published Policy: Protection of Patients' Privacy in the Transmission of Medical Information Through Digital Means which includes recommendations for organizations, medical professionals, and healthcare institutions on transfer of medical information such as: limiting the use of non-specialized software for transmitting medical information, omitting medical data, ensuring proper security, and establishing a clear organizational policy. 

On August 8, 2023 the IPA published: The Right of Inspection Regarding the Databases of Entities Listed in Section 13(e) of The PPL, which grants individuals the right of inspection in respect of the databases of the entities listed in Section 13(e) of the PPL (such as security authorities, prison service, tax authority, Minister of Justice, and other).

On March 17, 2024, the IPA published Opinion: Collection of ID Numbers and Photographs of IDs, which outlines how and when a company may collect ID Numbers and photographs of IDs from consumers.

On September 18, 2024, the IPA published Guidance: Guiding Principles in Emergency Situations, which empathizes the balance between urgency and efficient actions during an emergency (e.g. war, natural disasters (earthquakes, floods), terrorist events on a large scale, and epidemics) and the obligation to protect privacy rights and infringement thereof. The IPA states that there is an obligation to respect privacy rights and to avoid unnecessary violations whenever possible.

On September 24, 2024, the IPA published Recommendations: Use of Tourist Applications, which include recommendations for proper conduct when using travel applications.

EU regulation

Data Protection Principles

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under these principles, personal data must be (Article 5):

• processed lawfully, fairly and in a transparent manner (the "lawfulness, fairness and transparency principle");
• collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (the "purpose limitation principle");
• adequate, relevant and limited to what is necessary in relation to the purpose(s) (the "data minimization principle");
• accurate and where necessary kept up to date (the "accuracy principle");
• kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which the data are processed (the "storage limitation principle"); and
• processed in a manner that ensures appropriate security of the personal data, using appropriate technical and organizational measures (the "integrity and confidentiality principle").

The controller is responsible for and must be able to demonstrate compliance with the above principles (the "accountability principle"). Accountability is a core theme of the GDPR. Organisations must not only comply with the GDPR but also be able to demonstrate compliance perhaps years after a particular decision relating to processing personal data was taken. Record keeping, audit and appropriate governance will all form a key role in achieving accountability.

Legal Basis under Article 6

In addition, in order to satisfy the lawfulness principle, each use of personal data must be justified by reference to an appropriate basis for processing. The legal bases (also known lawful bases or lawful grounds) under which personal data may be processed are (Article 6(1)):

• with the consent of the data subject (where consent must be "freely given, specific, informed and unambiguous", and must be capable of being withdrawn at any time);
• where necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract;
• where necessary to comply with a legal obligation (of the EU) to which the controller is subject;
• where necessary to protect the vital interests of the data subject or another person (generally recognised as being limited to 'life or death' scenarios, such as medical emergencies);
• where necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller; or
• where necessary for the purposes of the legitimate interests of the controller or a third party (which is subject to a balancing test, in which the interests of the controller must not override the interests or fundamental rights and freedoms of the data subject. Note also that this basis cannot be relied upon by a public authority in the performance of its tasks).

Special Category Data

Processing of special category data is prohibited (Article 9), except where one of the following exemptions applies (which, in effect, operate as secondary bases which must be established for the lawful processing of special category data, in addition to an Article 6 basis):

• with the explicit consent of the data subject;
• where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and social protection law or a collective agreement;
• where necessary to protect the vital interests of the data subject or another natural person who is physically or legally incapable of giving consent;
• in limited circumstances by certain not-for-profit bodies;
• where processing relates to the personal data which are manifestly made public by the data subject;
• where processing is necessary for the establishment, exercise or defence of legal claims or where courts are acting in their legal capacity;
• where necessary for reasons of substantial public interest on the basis of Union or Member State law, proportionate to the aim pursued and with appropriate safeguards;
• where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, provision of health or social care or treatment of the management of health or social care systems and services;
• where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of health care and of medical products and devices; or
• where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with restrictions set out in Article 89(1).

Member States are permitted to introduce domestic laws including further conditions and limitations for processing with regard to processing genetic data, biometric data and health data.

Criminal Convictions and Offences data

Processing of personal data relating to criminal convictions and offences is prohibited unless carried out under the control of an official public authority, or specifically authorised by Member State domestic law (Article 10).

Processing for a Secondary Purpose

Increasingly, organisations wish to 're-purpose' personal data – i.e. use data collected for one purpose for a new purpose which was not disclosed to the data subject at the time the data were first collected. This is potentially in conflict with the core principle of purpose limitation; to ensure that the rights of data subjects are protected. The GDPR sets out a series of factors that the controller must consider to ascertain whether the new process is compatible with the purposes for which the personal data were initially collected (Article 6(4)). These include:

• any link between the original purpose and the new purpose;
• the context in which the data have been collected;
• the nature of the personal data, in particular whether special categories of data or data relating to criminal convictions are processed (with the inference being that if they are it will be much harder to form the view that a new purpose is compatible);
• the possible consequences of the new processing for the data subjects;
• the existence of appropriate safeguards, which may include encryption or pseudonymisation.

If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new purpose are consent or a legal obligation (more specifically an EU or Member State law which constitutes a necessary and proportionate measure in a democratic society).

Transparency (Privacy Notices)

The GDPR places considerable emphasis on transparency, i.e. the right for a data subject to understand how and why his or her data are used, and what other rights are available to data subjects to control processing. The presentation of granular, yet easily accessible, privacy notices should, therefore, be seen as a cornerstone of GDPR compliance.

Various information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using clear and plain language (Article 12(1)).

The following information must be provided (Article 13) at the time the data are obtained: 

• the identity and contact details of the controller;
• the data protection officer's contact details (if there is one);
• both the purpose for which data will be processed and the legal basis for processing, including, if relevant, the legitimate interests for processing;
• the recipients or categories of recipients of the personal data;
• details of international transfers;
• the period for which personal data will be stored or, if that is not possible, the criteria used to determine this;
• the existence of rights of the data subject including the right to access, rectify, require erasure, restrict processing, object to processing and data portability;
• where applicable, the right to withdraw consent, and the right to complain to supervisory authorities;
• the consequences of failing to provide data necessary to enter into a contract;
• the existence of any automated decision making and profiling and the consequences for the data subject; and
• in addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that further processing, providing the above information.

Somewhat different requirements apply (Article 14) where information has not been obtained from the data subject.

Rights of the Data Subject

Data subjects enjoy a range of rights to control the processing of their personal data, some of which are very broadly applicable, whilst others only apply in quite limited circumstances.   Controllers must provide information on action taken in response to requests within one calendar month as a default, with a limited right for the controller to extend this period thereby a further two months where the request is onerous.

Right of access (Article 15)

A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information about the how the data have been used by the controller.

Right to rectify (Article 16)

Data subjects may require inaccurate or incomplete personal data to be corrected or completed without undue delay.

Right to erasure ('right to be forgotten') (Article 17)

Data subjects may request erasure of their personal data. The forerunner of this right made headlines in 2014 when Europe’s highest court ruled against Google (Judgment of the CJEU in Case C-131/12), in effect requiring Google to remove search results relating to historic proceedings against a Spanish national for an unpaid debt on the basis that Google as a data controller of the search results had no legal basis to process that information.

The right is not absolute; it only arises in quite a narrow set of circumstances, notably where the controller no longer needs the data for the purposes for which they were collected or otherwise lawfully processed, or as a corollary of the successful exercise of the objection right, or of the withdrawal of consent.

Right to restriction of processing (Article 18)

Data subjects enjoy a right to restrict processing of their personal data in defined circumstances. These include where the accuracy of the data is contested; where the processing is unlawful; where the data are no longer needed save for legal claims of the data subject, or where the legitimate grounds for processing by the controller are contested.

Right to data portability (Article 20)

Where the processing of personal data is justified either on the basis that the data subject has given his or her consent to processing or where processing is necessary for the performance of a contract, then the data subject has the right to receive or have transmitted to another controller all personal data concerning him or her in a structured, commonly used and machine-readable format (e.g. commonly used file formats recognised by mainstream software applications, such as .xsl).

Right to object (Article 21)

Data subjects have the right to object to processing on the legal basis of the legitimate interests of the data controller or where processing is in the public interest. Controllers will then have to suspend processing of the data until such time as they demonstrate “compelling legitimate grounds” for processing which override the rights of the data subject.

In addition, data subjects enjoy an unconditional right to object to the processing of personal data for direct marketing purposes at any time. 

The right not to be subject to automated decision making, including profiling (Article 22)

Automated decision making (including profiling) "which produces legal effects concerning [the data subject] … or similarly significantly affects him or her" is only permitted where: 

• necessary for entering into or performing a contract;
• authorised by EU or Member State law; or 
• the data subject has given their explicit (i.e. opt-in) consent.

Further, where significant automated decisions are taken on the basis of grounds (a) or (c), the data subject has the right to obtain human intervention, to contest the decision, and to express his or her point of view.

The Data Act

The Regulation on harmonized rules on fair access to and use of data (Data Act) has been approved on January 11th 2024. This regulation puts obligations on manufacturers and service providers to let their users, both companies and individuals, access and reuse data generated by the use of their products or services and share such data to third parties. It also improves data portability in all economic sectors.

---

Italy regulation

Article 2-ter of the Privacy Code (as amended by Law Decree 139/2021) provides that, in case of processing of personal data for reasons of public interest or in connection with the exercise of public powers, the legal basis may also derive from a general administrative act. In such cases where it is necessary to disseminate or communicate personal data to other subjects for reasons of public interest or in connection with the exercise of public powers, it will be required to notify the Garante at least 10 days before the start of the communication or dissemination.

Furthermore, since Law Decree 139/2021 repealed Article 2-quinquiesdecies, the Garante is no longer entitled to prescribe the data controller to adopt measures and precautions to safeguard the data subjects for data processing that pose a high risk for the same, in case of processing of personal data performed for reasons of public interest or in connection with the exercise of public powers.

Article 2-sexies of the Privacy Code specifies that the processing of special category data necessary for the performance of a task carried out in the public interest is allowed insofar as the processing is provided for by European or domestic legislation, or, as recently introduced by the Law Decree 139/2021, by a general administrative act. This legislation must identify the reasons of public interest for which the processing is carried out, the types of data that can be processed, the operations that can be performed and the appropriate and specific measures protecting the fundamental rights and interests of the data subjects. In this context, the Privacy Code underlines that processing of genetic data, biometric data or data concerning health shall comply with additional requirements to be identified by the Garante by means of specific measures establishing further conditions in which the data processing is permitted.

With regard to personal data relating to criminal convictions and offences, Article 2-octies of the Privacy Code provides that the processing can be carried out only if a specific legal provision authorizes the processing, also identifying the applicable security measures, otherwise processing activities have to be carried out under the control of a public authority.

With regard to individuals’ rights, Art. 2-undecies of the Privacy Code provides several restrictions on data subjects’ rights for reasons of justice. In particular, data subjects rights may be exercised within the limits established in the law and regulations on the proceeding and procedures before the courts. The exercise of such rights may be delayed, limited or excluded for as long as and to the extent that it is a necessary and proportionate measure, having regard to the fundamental rights and legitimate interests of the data subject. Finally, the Privacy Code sets out data protection rights of deceased persons. Indeed, the rights provided for in Articles 15 through 22 of the GDPR referring to personal data concerning deceased persons may be exercised by those having an interest of their own, or act to protect the data subject, as her / his delegate, or for family reasons worthy of protection. The exercise of such rights is not permitted when provided for by the law or when, specifically limited to the offer of information society services, the data subject expressly prohibited it in writing by way of a declaration sent to the data controller. The data subject may withdraw or modify such declaration at any time.

Law 193/2023 introduced in Italy the "right to be forgotten for cancer survivors". According to the provisions, banks, insurance companies, and employers – both in the public and private sectors – cannot ask for information about oncological diseases from which a person has recovered, provided that treatment ended more than ten years ago (or five years if the illness occurred before the age of 21) and there have been no recurrences. For employers this prohibition applies both during the hiring process and throughout the employment relationship. The goal is to prevent discrimination that could negatively affect the employment or financial conditions of those who have recovered. Moreover, banks, credit institutions, insurance companies, and financial and insurance intermediaries have to provide clear and adequate information regarding the right to be forgotten for cancer survivors. This obligation includes explicitly mentioning this right in the forms and documents specifically prepared and used for establishing and renewing contracts.

With reference to processing of personal data in the workplace environment, in 2024 the Garante issued Guidelines regarding the management of email programs and services within the workplace, specifically addressing employees’ email metadata processing. According to the Garante, employers are prohibited from retaining email metadata pertaining to the date, time, sender, recipient, subject, and size of employees' emails for more than 21 days, extensions beyond this period, would be permissible where there is a proven and documented need justifying the extension. Should organizations seek to extend the retention period beyond the specified limit, they are required to enter into an agreement with Trade Unions or obtain authorization from the Local Labour Office as well as implement other privacy-related measures, including (i) update the privacy information notice for employees, specifically setting out the applicable data retention period; (ii) carry out a data protection impact assessment (DPIA); (iii) perform a legitimate interest assessment (LIA); and (iv) update the data retention policy.

Specifying the Purpose of Use

When handling Personal Information, a business operator must specify to the fullest extent possible the purpose of use of the Personal Information ("Purpose of Use"). Once a business operator has specified the Purpose of Use, it must not then make any changes to the said purpose which could reasonably be considered to be beyond the scope of what is duly related to the original Purpose of Use. In addition, when handling Personal Information, a business operator shall not handle the information beyond the scope that is necessary for the achievement of the Purpose of Use without a prior consent of the individual. In other words, the use of the information must be consistent with the stated Purpose of Use.

Public Announcement of the Purpose of Use

The Purpose of Use must be made known to the data subjects when Personal Information is collected or promptly thereafter and this can be made by a public announcement (such as posting the purpose on the business operator's website). When Personal Information is obtained by way of a written contract or other document (including a record made in an electronic or magnetic format, or any other method not recognizable to human senses), the business operator must expressly state the Purpose of Use prior to the collection.

A business operator must 'publicly announce or 'expressly show the Purpose of Use in a reasonable and appropriate way. According to the guidelines issued by the PPC, the appropriate method for a website to publicly announce the Purpose of Use of information collected, is a one click access on the homepage so that the data subject can easily find the Purpose of Use before submitting the Personal Information.

Controllers are responsible for compliance with a set of core principles that apply to all processing of personal data. Under these principles, personal data must be (Article 8(1) DPJL):

• Processed lawfully, fairly and in a transparent manner in relation to the data (‘lawfulness, fairness and transparency’)
• Collected for specified, explicit and legitimate purposes and once collected, not further processed in a manner incompatible with those purposes (‘purpose limitation’)
• Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimization’)
• Accurate and, where necessary, kept up-to-date, with reasonable steps being taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’)
• Kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed (‘storage limitation’) and
• Processed in a manner that ensures appropriate security of the data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (‘integrity and confidentiality’)

Additionally, the controller is responsible for and must be able to demonstrate compliance with the above principles (‘accountability’) (Article 6(1)(a) DPJL).

Accountability is a core theme of the DPJL. Organizations must not only comply with the DPJL, but also be able to demonstrate compliance, perhaps years after a particular decision relating to processing personal data was taken. Record-keeping, audit and appropriate governance will all form a key role in achieving (and being able to demonstrate) accountability.

Legal Basis for Processing

The DPJL works slightly differently to the GDPR in terms of establishing a legal basis for processing.

Data controllers may collect and process personal data when any of a number of conditions are met (Article 9 and Schedule 2 DPJL). The most frequently relied upon are as follows:

• The consent of the data subject
• The processing is necessary for:
  • The performance of a contract to which the data subject is a party, or
  • The taking of steps at the request of the data subject with a view to entering into a contract
• The processing is necessary to comply with a data controller’s legal obligations (other than one imposed by contract)
• The processing is necessary to protect the data controller’s vital interests
• The processing is necessary for:
  • The administration of justice
  • The exercise of any functions conferred on any person by or under any enactment
  • The processing is necessary for taking legal advice or the establishment, exercise or defense of legal claims
• The exercise of any functions of the Crown, the States or any public authority, or
• The exercise of any other functions of a public nature with a legal basis in Jersey law to which the controller is subject and exercised in the public interest by any person
• The processing is necessary for the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, unless:
  • The processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject, in particular where the subject is a child, or
  • The controller is a public authority, or
• The processing is necessary for reasons of substantial public interest provided for by law and is subject to appropriate protections to protect the rights and interests of the data subject

Special Categories of Data

Where special category personal data is processed, at least one of a more restrictive list of conditions than those for personal data must be satisfied (Article 9 and Schedule 2 Part 2 DPJL). Unlike the GDPR, personal data may also be processed on the basis of the conditions for processing special category data. The most frequently relied upon bases for processing special category data are as follows:

• The explicit consent of the data subject
• The processing is necessary to comply with a data controller’s legal obligations (other than one imposed by contract)
• The processing is necessary for the purposes of exercising or performing any right, obligation or public function conferred or imposed by law on the controller in connection with employment, social security, social services or social care
• The processing is necessary for taking legal advice or the establishment, exercise or defense of legal claims
• The processing is necessary for reasons of substantial public interest provided for by law and is subject to appropriate protections to protect the rights and interests of the data subject
• The processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent
• The processing relates to personal data which are manifestly made public by the data subject
• The processing is necessary for archiving or research
• The processing is necessary for the prevention of unlawful acts (or malpractice / mismanagement)
• The processing is necessary for certain insurance-based purposes, or
• The processing is necessary for medical purposes and is undertaken by a health professional

Processing for a Secondary Purpose

Increasingly, organizations wish to 're-purpose' personal data (ie, use data collected for one purpose for a new purpose which was not disclosed to the data subject at the time the data were first collected). This is potentially in conflict with the core principle of purpose limitation, which aims to ensure that the rights of data subjects are protected. The DPJL sets out a series of factors that the controller must consider to ascertain whether the new process is compatible with the purposes for which the personal data were initially collected (Article 13 DPJL)). These include:

• Any link between the original purpose and the new purpose
• The context in which the data have been collected
• The nature of the personal data, in particular whether special categories of data or data relating to criminal convictions are processed (with the inference being that if they are, it will be much harder to form the view that a new purpose is compatible)
• The possible consequences of the new processing for the data subjects, and
• The existence of appropriate safeguards

Transparency

The data controller must provide the data subject with “fair processing information” (Article 12 DPJL), which includes:

• The identity and contact details of the controller, and where applicable, the controller’s representative
• The contact details of the data protection officer (if any)
• The purposes for which the data are intended to be processed and the legal basis for the processing
• An explanation of the legitimate interests pursued by the controller or by a third party, if the processing is based on those interests
• The recipients or categories of recipients of the personal data (if any)
• Where applicable, the fact that the controller intends to transfer personal data to a third country or international organization and whether or not there is an adequate level of protection for the rights and freedoms of data subjects in that country or organization
• The period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period
• Information concerning the rights of data subjects
• Where the processing is based on consent, the existence of the right to withdraw consent
• The existence of any automated decision-making and any meaningful information about the logic involved in such decision-making and the significance of any such decision-making for the data subject
• A statement of the right to complain to the Information Commissioner
• Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and the possible consequences of failing to provide such data
• Where the personal data are not obtained directly from the data subject, information identifying the source of the data
• Any further information that is necessary, having regard to the specific circumstances in which the data are or are to be processed, to enable processing in respect of the data subject to be fair

Rights of the Data Subject

Data subjects enjoy a range of rights to control the processing of their personal data, some of which are very broadly applicable, while others only apply in limited circumstances. Controllers must provide information on action taken in response to requests within four weeks as a default, with a limited right for the controller to extend this period a further eight weeks where the request is onerous. These periods are slightly shorter than those set out in the GDPR.

Right of access (Article 28 DPJL)

A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information about the how the data have been used by the controller.

Right to rectify (Article 31 DPJL)

Data subjects may require inaccurate or incomplete personal data to be corrected or completed without undue delay.

Right to erasure ('right to be forgotten') (Article 32 DPJL)

Data subjects may request erasure of their personal data.

The right is not absolute; it only arises in a narrow set of circumstances, notably where the controller no longer needs the data for the purposes for which they were collected or otherwise lawfully processed, or as a corollary of the successful exercise of the objection right, or of the withdrawal of consent.

Right to restriction of processing (Article 33 DPJL)

Data subjects enjoy a right to restrict processing of their personal data in defined circumstances. These include where the accuracy of the data is contested; where the processing is unlawful; where the data are no longer needed other than for legal claims of the data subject or where the legitimate grounds for processing by the controller are contested.

Right to data portability (Article 34 DPJL)

Where the processing of personal data is justified either on the basis that the data subject has given his or her consent to processing or where processing is necessary for the performance of a contract, then the data subject has the right to receive or have transmitted to another controller all personal data concerning him or her in a structured, commonly used and machine-readable format.

Right to object (Article 21 DPJL)

Data subjects have the right to object to processing on the legal basis of the legitimate interests of the data controller or where processing is for a public function. Controllers will then have to suspend processing of the data until such time as they demonstrate ‘compelling legitimate grounds’ for processing that override the rights of the data subject.

In addition, data subjects enjoy an unconditional right to object to the processing of personal data for direct marketing purposes at any time (Article 36 DPJL). 

The right not to be subject to automated decision taking, including profiling (Article 38 DPJL)

Automated decision-making (including profiling) "which produces legal effects concerning [the data subject] … or similarly significantly affects him or her" is only permitted where: 

1. Necessary for entering into or performing a contract
2. Authorized by Jersey law or by the law of another jurisdiction in the British Isles or by EU or member state law, or 
3. The data subject has given their explicit consent

Further, where significant automated decisions are taken on the basis of grounds (a) or (c), the controller must implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, including the right to obtain human intervention on the part of the controller, so that the data subject can express his or her point of view and contest the decision.

Children’s consent to information society services (Article 11(4))

Article 11(4) of the DPJL stipulates that a child may only provide his or her own consent to processing in respect of information society (primarily, online) services, where that child is over 13 years of age. Otherwise, a parent (or other responsible adult) must provide consent on the child’s behalf.

Processing agreements

The rules on agreements (or other legally binding instruments) between controllers and processors have been significantly enhanced.

The controller must appoint the processor in the form of a binding written agreement that sets out:

• The subject matter and duration of the processing
• The nature and purpose of the processing
• The type of personal data and categories of data subjects, and
• The obligations and rights of the controller

The agreement must also provide that the processor must:

• Only act on the controller's documented instructions (unless legally obliged to do otherwise)
• Impose confidentiality obligations on all personnel who process the relevant data
• Ensure the security of the personal data that it processes
• Abide by the rules regarding appointment of sub-processors
• Implement measures to assist the controller in complying with the rights of data subjects
• Assist the controller in:
• Complying with its data security obligations
• Complying with its personal data breach obligations (both to a supervisory authority and individual data subjects), and
• Completing Data Protection Impact Assessments and obtaining approvals from Supervisory Authorities where required
• At the controller's election, either return or destroy the personal data at the end of the relationship (except as required by law), and
• Provide the controller with all information necessary to demonstrate compliance with the DPJL, which, in practice, means complying with an audit/inspection regime

The legislations in Jordan are silent in this regard, however see details on the draft law.

Kazakh law requires to carry out collection and processing of personal data with the consent of a personal data subject or his / her legal representative. Such consent should be given in writing, via the state service, non-state service or other method that allows to confirm the receipt of consent. The consent should be given via the state service when collecting and / or processing personal data contained in the databases of the state bodies and / or state legal entities.

As a general rule, personal data subjects or their representatives may revoke their consent. However, the consent may not be revoked in cases where such revocation contradicts requirements of Kazakh law or there are any unfulfilled obligations.

Consent to the collection and processing of personal data should include:

• full name, business identification number (individual identification number) of the personal data database operator;
• full name of the personal data subject;
• the term and period during which the consent is effective;
• information on whether the operator may transfer the personal data to third parties or not;
• information on whether there is a cross-border transfer of personal date in the process of its processing or not;
• information on dissemination of personal data in public resources;
• list of data being collected on the personal data subject;
• other information as determined by the owner and / or operator.

Kazakh law allows the collection and processing of personal data without the consent of a personal data subject or his / her legal representative in cases explicitly prescribed by Kazakh law. Such cases may include, inter alia:

• implementation of activities of law enforcement bodies and courts;
• implementation of state statistical activities;
• use of depersonalised personal data by the state authorities for statistical purposes;
• implementation of international treaties ratified by Kazakhstan;
• protection of constitutional rights and freedoms of a person, if obtaining the consent of a personal data subject or his / her legal representative is impossible;
• carrying out legal professional activities of a journalist, carrying out tv-channel, radio-channel, news agency, mass media, online media, scientific, literary or other creative activities, subject to compliance with requirements of Kazakh law;
• publication of personal data in accordance with Kazakh law, including personal data of candidates for elective public offices;
• failure by a personal data subject to fulfil its obligation to provide personal data in accordance with Kazakh law;
• receipt by the state authority regulating, controlling and supervising financial market and financial organisations of information from individuals and legal entities in accordance with Kazakh law;
• receipt by the state revenue authorities of information from individuals and legal entities for purposes of tax administering and control;
• storage of a backup copy of electronic information resources containing limited access personal data to a national backupplatform for storing electronic information resources in cases provided for by Kazakh law;
• the use of personal data of entrepreneurs related directly to their business activities to form a register of business partners, subject to compliance with the requirements of Kazakh law;
• the use of personal data of a Kazakhstani national for the purposes of bankruptcy procedure.

Under the Law, processing of personal data should be limited to the achievement of specific, predetermined and legitimate goals. Processing of personal data that is incompatible with the purposes of collecting personal data is not allowed. Personal data, the content and volume of which is excessive in relation to the purposes of its processing, should not be processed.

Under Kazakh law, access to personal data is determined by the terms of consent for collection and processing of personal data, unless otherwise provided by Kazakh law. A person should be denied access to personal data if he / she refuses to assume obligations to ensure compliance with the requirements of the Law or may not ensure it.

Persons having access to limited access personal data should ensure its confidentiality.

Under Kazakh law, accumulation of personal data is carried out by collecting personal data that is necessary and sufficient to fulfil the tasks performed by an owner and / or an operator of a database containing personal data and by a third-party having access to such database.

Personal data should be stored in databases located in Kazakhstan.

The period for retention of personal data is determined by the date of fulfilment of the purpose(s) for collection and processing of the personal data, unless otherwise provided by Kazakh law.

Kazakh law provides for additional requirements in respect of electronic resources containing personal data and integration between personal data databases of private entities and the personal data databases of state bodies and state legal entities via the state service.

Section 25 of the Act

The processing of personal data must comply with the principles prescribed in this part. It must be:

• processed in accordance with the right to privacy of the data subject;
• processed lawfully, fairly and in a transparent manner in relation to any data subject;
• collected for explicit, specified and legitimate purposes and not further processed in a manner incompatible with those purposes;
• adequate, relevant, limited to what is necessary in relation to the purposes for which it is processed;
• collected only where a valid explanation is provided whenever information relating to family or private affairs is required;
• accurate and, where necessary, kept up to date, with every reasonable step being taken to ensure that any inaccurate personal data is erased or rectified without delay;
• kept in a form which identifies the data subjects for no longer than is necessary for the purposes which it was collected; and
• not transferred outside Kenya, unless there is proof of adequate data protection safeguards or consent from the data subject.

Section 30 of the Act

The Act recommends personal data to be collected and processed lawfully. The lawful reasons for processing include:

1. consent of the data subject; or
2. the processing is necessary:
   • for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject before entering into a contract;
   • for compliance with any legal obligation to which the controller is subject;
   • in order to protect the vital interests of the data subject or another natural person;
   • for the performance of a task carried out in the public interest or in the exercise of
     
     • official authority vested in the controller;
     • the performance of any task carried out by a public authority;
   • for the exercise, by any person in the public interest, of any other functions of a public nature;
   • for the legitimate interests pursued by the data controller or data processor by a third party to whom the data is disclosed, except if the processing is unwarranted in any particular case having regard to the harm and prejudice to the rights and freedoms or legitimate interests of the data subject; or
   • for the purpose of historical, statistical, journalistic, literature and art or scientific research.

It is an offence to process personal data without a lawful reason.

Under the Regulations civil registration entities must ensure that they collect only personal data permitted by the data subject and that the appropriate steps are taken to ensure the quality and security of the personal data. 

Where the registries intend to use such data for another purpose, they must either ensure that the purpose is compatible with the initial purpose or, where that is not the case, seek fresh consent.

The General Regulations elaborate in more detail restrictions on commercial use of personal data, duties and obligations of data controllers and data processors, elements of implementing data protection by design or default, conduct of data protection impact assessment and other general provisions.

LPPD adopts a wide definition of processing. Namely, processing includes any operation or set of operations performed to personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (Article 3(1)(2)). 

For the purposes of LPPD, data controller is defined as any natural or legal person, public authority or other body which, alone or jointly with others, determines the purpose and means of personal data processing (Article 3(1) (11)), whereas the processor is defined as a natural or legal person, from public or private sector which processes personal data for and on behalf of the data controller (Article 3(1) (14)). 

When collecting and processing of personal data, Controllers must abide to the basic principles of data processing set forth in the LPPD. Namely, personal data must be collected and processed based on the following principles (Article 4):

• Principle of lawfulness, justice and transparency: personal data must be collected and processed in an impartial, lawful and transparent manner, without infringing the dignity of the data subjects.
• Principle of purpose of limitation: personal data must be collected and processed only for the specified, explicit and legitimate purposes and cannot be further processed in a manner which is incompatible with the stated purposes. However, in cases of further processing for archival purposes in the public interest, scientific or historical research, as well as statistical purposes, will not be considered to be incompatible with the initial purpose.
• Principle of data minimisation: the personal data should be adequate, relevant and limited to the purpose for which they are further collected or processed.
• Principle of accuracy: personal data should be kept accurate at all times, and kept up to date. In this line, every reasonable measure should be taken to ensure that inaccurate personal data are rectified or erased without delay.
• Principle of storage limitation: personal data may be stored insofar as necessary to achieve the purpose for which they are processed or collected; after which, the personal data should be erased, deleted, destroyed, blocked or anonymised, unless otherwise foreseen by another relevant law.
• Principle of integrity and confidentiality: personal data should be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, by using appropriate technical and organisational measures;  
• Principle of accountability: the controller is responsible for, and be able to demonstrate compliance with all the principles mentioned above. 

Legal basis for processing of personal data (Article 5) 

With reference to the list above, processing of personal data shall be considered lawful if one of the following criteria is met:

• The data subject has given consent for the processing of his/her personal data for one or more specific purposes;
• Processing is necessary for the performance of a contract to which the data subject is a contracting party or in order to take steps at the request of the data subject, prior to entering into a contract;
• Processing is necessary for compliance with a legal obligation to which the controller is subjected;
• Processing is necessary in order to protect the vital interests of the data subject or of another natural person;
• Processing is necessary for the performance of a task carried out in the public interest or in the exercise of the official authority vested in the controller;
• Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require protection of personal data, in particular where the data subject is a child. This provision does not apply in cases where the processing is carried out by public authorities in the performance of their tasks. 

Where the legal basis for processing is not based on the consent of the data subject or on the relevant legislation in force, in order to comply with the LPPD and lawfulness principle when processing personal data for purposes different from the initial purpose of the data collection, the following should be considered (Article 5(2)): 

• Any link between the purposes for which the personal data have been collected and the purposes of the intended further processing;
• The context in which the personal data have been collected, in particular regarding the relationship between the data subjects and the controller;
• The nature of personal data being processed, especially in cases of processing of sensitive personal data or data related to criminal convictions;
• Possible consequences for the data subjects of the intended further processing;
• The existence of appropriate safeguards, which may include encryption or anonymisation. 

Conditions for consent (Article 6) 

Where the collection and processing of personal data is based on the consent of the data subject, the Controller must be able to demonstrate that the data subject has consented to process his/her personal data. In this line, when consent is given as a written declaration, the latter must be presented in a manner which is clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language (Article 6(2)). 

Processing of special categories of personal data (Article 8) 

As a principle, LPPD prohibits the processing of special categories of personal data. Special categories of personal data within the meaning of the LPPD are used synonymously with sensitive categories of personal data.

Notwithstanding the above, exemptions to prohibition of processing of sensitive personal data include the following circumstances (Article 6(3)):

• The data subject has given his/her explicit consent to the processing of those personal data for one or more specific purposes, except where the relevant legislation in force provides that the general prohibition on processing of sensitive personal data cannot be lifted by the data subject;
• Processing is necessary for the purpose of carrying out obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law, in so far as it is authorised by the relevant legislation in force or a collective agreement providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
• Processing is necessary to protect the vital interests of the data subjects or other natural persons, where the data subject is physically or legally incapable of giving consent;
• If the data subject has made the sensitive personal data public, without limiting their use, in an evidenced or clear manner;
  processing is necessary for the establishment, exercise or defence of legal claims, or whenever courts are acting in their judicial capacity;
• Processing is necessary for reasons of substantial public interest, on the basis of the relevant legislation;
• Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of relevant legislation or pursuant to contracts with a health professional when such data are processed by a professional or under his/her responsibility subject to the obligation of professional secrecy pursuant to respective legislation, established rules by national competent bodies or by another person subjected to professional secrecy;
• Processing is necessary for reasons of public interest in the area of public health, such as protection against serious cross-border threats to health, or ensuring high standards of quality and safety of healthcare and of medicinal products or medical devices, on the basis of the relevant legislation;
• Processing is necessary for archiving purposes in the public interest, as well as scientific or historical research purposes, or statistical purposes. 

Except in cases where the data subject has made his/her sensitive personal data public, special categories of personal data should be protected in a special manner and be classified for the purpose of preventing unauthorised access or use (Article 8(4)). Classification of sensitive personal data refers to marking of personal data to indicate their sensitive nature (Article 3(1) (4)).

The Regulation requires that prior to the provision of service, the service providers must:

• Provide all the information about the services to be provided and the terms of service in easy language both in English and Arabic;
• Clarify the purpose of collecting, and method of use of such data to the requester of service; and
• Obtain consent  of the requester of service for collection and processing of data and his knowledge and acceptance of all conditions, obligations and provisions for data collection and processing. 

Beside the Regulation, the E-Commerce Law includes a general obligation prohibiting Kuwaiti governmental bodies, agencies, public institutions, companies, non-governmental bodies, or employees thereof from collecting or processing any information in an illegal manner without the consent of the concerned person or his or her representative.

Additionally, The entities and individuals subject to the E-Commerce Law are obligated to regularly verify and update the accuracy of personal data and to implement appropriate measures to protect collected or stored personal data. electronic records, including personal information, must be retained in their original form and stored in accordance with the policies and agreements governing electronic transactions, which specify the storage duration. These entities must also restrict employee access to electronic records based on business requirements, ensuring adherence to personal data protection standards.

One of the basic principles of dealing with personal data is that personal data must be collected for accurately pre-defined, stated and legal purposes and must not be further processed in any manner incompatible with those purposes.

Processing of personal data is permitted in the following cases:

• The data subject has given its consent;
• If it is necessary for public authorities, local authorities within their competence established by laws of the Kyrgyz Republic;
• If it is necessary to achieve the legitimate interests of Holders (Owners);
• When implementation of these interests does not preclude the exercise of rights and freedoms of data subjects with regard to the processing of personal data;
• When it is necessary to protect the interests of the data subject;
• If personal data are processed solely for the purposes of journalism or for the purpose of artistic or literary works.

The collection of information is defined under the Instructions on the Implementation of the Law on Electronic Data Protection as “the compiling of information in a database...for the convenience of access, monitoring, and use...”.

The Law on Electronic Data Protection speaks literally of “administration” of data. Administration of electronic data refers to the management and arrangement of data, which includes the collection, copying, submission, receipt, maintenance, and destruction of electronic data. This administration of data is carried out by the Data Administrator, which is defined as an “individual, legal entity, or organization which has the duty to administrate electronic data, such as: a Ministry, an Internet Data Center, a Telecommunications Service Provider, an Internet Service Provider, or a Bank.” Apart from this definition, and the examples provided in the law, the Lao regulatory framework does not provide official guidance on who may or may not fall under the definition of Data Administrator.

By law, all data, general or sensitive, requires consent from the Information Owner to be collected. However, there is no information on how this consent may be collected.

Information Owner is defined as the individual, legal entity, or organization who / which is the owner of the electronic data. In this regard, the law does not necessarily identify the Information Owner as an individual only, or an individual who may be identified according to personal data that relates to him / her. The law only provides that the Information Owner is the entity that “owns” the information.

Sensitive data is more regulated as it requires the approval from the Information Owner for the access, use, and disclosure of sensitive data. At the time of the collection, the Information Owner must be informed of:

• the identity of the Data Administrator;
• the purpose of the collection of the information;
• the type of information that will be collected;
• the rights of the Information Owner, which include:
  • the right to amend the information provided;
  • the right to stop the sending or transfer of information to third parties;
  • the right to delete the information collected per request, or at the time that the purpose of the collection of the information expires.

Also, the Data Administrator and the Information Owner have the duty to ensure that the information provided is correct — it does not contravene local regulations, and does not affect the country’s socio-economic development, national stability, or social order.

EU regulation

Data Protection Principles

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under these principles, personal data must be (Article 5):

• Processed lawfully, fairly and in a transparent manner (lawfulness, fairness and transparency principle)
• Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (purpose limitation principle)
• Adequate, relevant and limited to what is necessary in relation to the purpose(s) (data minimization principle)
• Accurate and where necessary kept up-to-date (accuracy principle)
• Kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which the data are processed (storage limitation principle)
• Processed in a manner that ensures appropriate security of the personal data, using appropriate technical and organizational measures (integrity and confidentiality principle)

The controller is responsible for and must be able to demonstrate compliance with the above principles (accountability principle). Accountability is a core theme of the GDPR. Organizations must not only comply with the GDPR but also be able to demonstrate compliance perhaps years after a particular decision relating to processing personal data was taken. Record keeping, audit and appropriate governance will all form a key role in achieving accountability.

Legal Basis under Article 6

In addition, in order to satisfy the lawfulness principle, each use of personal data must be justified by reference to an appropriate basis for processing. The legal bases (also known lawful bases or lawful grounds) under which personal data may be processed are (Article 6(1)):

• With the consent of the data subject (where consent must be "freely given, specific, informed and unambiguous," and must be capable of being withdrawn at any time)
• Where necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract
• Where necessary to comply with a legal obligation (of the EU) to which the controller is subject
• Where necessary to protect the vital interests of the data subject or another person (generally recognized as being limited to 'life or death' scenarios, such as medical emergencies)
• Where necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller
• Where necessary for the purposes of the legitimate interests of the controller or a third party (which is subject to a balancing test, in which the interests of the controller must not override the interests or fundamental rights and freedoms of the data subject. Note also that this basis cannot be relied upon by a public authority in the performance of its tasks)

Special Category Data

Processing of special category data is prohibited (Article 9), except where one of the following exemptions applies (which, in effect, operate as secondary bases which must be established for the lawful processing of special category data, in addition to an Article 6 basis):

• With the explicit consent of the data subject
• Where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and social protection law or a collective agreement
• Where necessary to protect the vital interests of the data subject or another natural person who is physically or legally incapable of giving consent
• In limited circumstances by certain not-for-profit bodies
• Where processing relates to the personal data which are manifestly made public by the data subject
• Where processing is necessary for the establishment, exercise or defense of legal claims or where courts are acting in their legal capacity
• Where necessary for reasons of substantial public interest on the basis of Union or Member State law, proportionate to the aim pursued and with appropriate safeguards
• Where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, provision of health or social care or treatment of the management of health or social care systems and services
• Where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of health care and of medical products and devices
• Where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with restrictions set out in Article 89(1)

Member States are permitted to introduce domestic laws including further conditions and limitations for processing with regard to processing genetic data, biometric data and health data.

Criminal Convictions and Offences data

Processing of personal data relating to criminal convictions and offences is prohibited unless carried out under the control of an official public authority, or specifically authorized by Member State domestic law (Article 10).

Processing for a Secondary Purpose

Increasingly, organizations wish to re-purpose personal data – ie, use data collected for one purpose for a new purpose which was not disclosed to the data subject at the time the data were first collected. This is potentially in conflict with the core principle of purpose limitation; to ensure that the rights of data subjects are protected. The GDPR sets out a series of factors that the controller must consider to ascertain whether the new process is compatible with the purposes for which the personal data were initially collected (Article 6(4)). These include:

• Any link between the original purpose and the new purpose
• The context in which the data have been collected
• The nature of the personal data, in particular whether special categories of data or data relating to criminal convictions are processed (with the inference being that if they are it will be much harder to form the view that a new purpose is compatible)
• The possible consequences of the new processing for the data subjects
• The existence of appropriate safeguards, which may include encryption or pseudonymization

If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new purpose are consent or a legal obligation (more specifically an EU or Member State law which constitutes a necessary and proportionate measure in a democratic society).

Transparency (Privacy Notices)

The GDPR places considerable emphasis on transparency, ie, the right for a data subject to understand how and why his or her data are used, and what other rights are available to data subjects to control processing. The presentation of granular, yet easily accessible, privacy notices should, therefore, be seen as a cornerstone of GDPR compliance.

Various information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using clear and plain language (Article 12(1)).

The following information must be provided (Article 13) at the time the data are obtained: 

• The identity and contact details of the controller
• The data protection officer's contact details (if there is one)
• Both the purpose for which data will be processed and the legal basis for processing, including, if relevant, the legitimate interests for processing
• The recipients or categories of recipients of the personal data
• Details of international transfers
• The period for which personal data will be stored or, if that is not possible, the criteria used to determine this
• The existence of rights of the data subject including the right to access, rectify, require erasure, restrict processing, object to processing and data portability
• Where applicable, the right to withdraw consent, and the right to complain to supervisory authorities
• The consequences of failing to provide data necessary to enter into a contract
• The existence of any automated decision making and profiling and the consequences for the data subject
• In addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that further processing, providing the above information

Somewhat different requirements apply (Article 14) where information has not been obtained from the data subject.

Rights of the Data Subject

Data subjects enjoy a range of rights to control the processing of their personal data, some of which are very broadly applicable, while others only apply in quite limited circumstances. Controllers must provide information on action taken in response to requests within one calendar month as a default, with a limited right for the controller to extend this period thereby a further two months where the request is onerous.

Right of access (Article 15)

A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information about the how the data have been used by the controller.

Right to rectify (Article 16)

Data subjects may require inaccurate or incomplete personal data to be corrected or completed without undue delay.

Right to erasure ('right to be forgotten') (Article 17)

Data subjects may request erasure of their personal data. The forerunner of this right made headlines in 2014 when Europe’s highest court ruled against Google (Judgment of the CJEU in Case C-131/12), in effect requiring Google to remove search results relating to historic proceedings against a Spanish national for an unpaid debt on the basis that Google as a data controller of the search results had no legal basis to process that information.

The right is not absolute; it only arises in quite a narrow set of circumstances, notably where the controller no longer needs the data for the purposes for which they were collected or otherwise lawfully processed, or as a corollary of the successful exercise of the objection right, or of the withdrawal of consent.

Right to restriction of processing (Article 18)

Data subjects enjoy a right to restrict processing of their personal data in defined circumstances. These include where the accuracy of the data is contested; where the processing is unlawful; where the data are no longer needed save for legal claims of the data subject, or where the legitimate grounds for processing by the controller are contested.

Right to data portability (Article 20)

Where the processing of personal data is justified either on the basis that the data subject has given his or her consent to processing or where processing is necessary for the performance of a contract, then the data subject has the right to receive or have transmitted to another controller all personal data concerning him or her in a structured, commonly used and machine-readable format (eg, commonly used file formats recognized by mainstream software applications, such as .xsl).

Right to object (Article 21)

Data subjects have the right to object to processing on the legal basis of the legitimate interests of the data controller or where processing is in the public interest. Controllers will then have to suspend processing of the data until such time as they demonstrate “compelling legitimate grounds” for processing which override the rights of the data subject.

In addition, data subjects enjoy an unconditional right to object to the processing of personal data for direct marketing purposes at any time. 

The right not to be subject to automated decision making, including profiling (Article 22)

Automated decision making (including profiling) "which produces legal effects concerning [the data subject] … or similarly significantly affects him or her" is only permitted where: 

1. Necessary for entering into or performing a contract
2. Authorized by EU or Member State law
3. The data subject has given their explicit (ie, opt-in) consent

Further, where significant automated decisions are taken on the basis of grounds (a) or (c), the data subject has the right to obtain human intervention, to contest the decision, and to express his or her point of view.

---

Latvia regulation

The Personal Data Processing Law contains provisions on specific treatment related to the exercise of other fundamental rights of the individual, providing derogations relating to the data processing for archiving purposes, scientific or historical research purposes, statistical purposes, and the processing of national classified data.

The Personal Data Processing Law provides specific rules and exceptions regarding the journalistic, academic, artistic and literary processing of personal data. When processing data for these purposes, it is necessary to assess the balance between the right to privacy and freedom of expression.

The Personal Data Processing Law also provides for specific rules regarding the processing of data in the official publication. It states that the data published in the official publication is deleted by the publisher on the basis of a decision of the DSI or a decision confirming that such publication does not comply with the provisions of the GDPR.

The consent of a child for the use of information society services is deemed lawful where the child is at least 13 years old, meaning that Latvia has chosen the lowest threshold regarding the age of the child. Where the child is below the age of 13 years, such consent will be lawful only if and to the extent that consent is given or authorized by the holder of parental responsibility over the child.

Processing of Personal Data is defined as any action or set of actions performed on the data regardless of the medium used, including data collection, recording, organization, storage, adaptation, modification, extraction, reading, use, transmission, copy, dissemination, deletion, destruction or otherwise disposing of it. 

The Law states that personal data shall be collected faithfully and for legitimate, specific, and explicit purposes. In addition, the data must: be appropriate; not exceed the set purposes; be correct and complete; and remain on a daily basis as relevant as possible. 

Data controllers, or their representatives, have an obligation to inform data subjects of the following:

• the identity of the data controller or the identity of its representative;
• the purposes of the processing;
• the mandatory or optional nature of the raised questions;
• the consequences of non-response;
• the persons to whom the data is to be sent; and
• the right to access and correct information, as well as the means provided for the same.

The DP Act defines processing as an operation or activity or any set of operations, whether or not by automatic means relating to any of the following:

• The collection, receipt, recording, organization, collation, storage, updating or modification, retrieval, alteration, consultation or use

• Dissemination by means of transmission, distribution or making available in any other form

• Merging, linking, as well as blocking, degradation, erasure, or destruction, of information

Under the DP Act (section 15(2)), personal information may only be processed where one of the following applies:

• The data subject provides explicit consent to the processing

• Processing is necessary for the conclusion or performance of a contract to which the data subject is a party

• Processing is necessary for compliance with a legal obligation to which the data controller is subject

• Processing is necessary to protect the legitimate interests of the data subject

• Processing is necessary for the proper performance of public law duty by a public body

• Processing is necessary for pursuing the legitimate interests of the data controller or of a third party to whom the information is supplied

Regarding the collection of data, the DP Act requires that a person shall collect personal information directly from the data subject, except where:

• The information is contained in a public record or has deliberately been made public by the data subject

• The data subject has consented to the collection of the information from another source

• Collection of the information from another source would not prejudice a legitimate interest of the data subject

• Collection of the information from another source is necessary:

• To avoid prejudice to the maintenance or enforcement of the law and order

• For the conduct of proceedings in any court or tribunal that have commenced or are reasonably contemplated

• In the legitimate interests of national security

• To maintain the legitimate interests of the data controller or of a third party to whom the information is supplied

• Compliance would prejudice a lawful purpose of the collection

• Compliance is not reasonably practicable in the circumstances of the particular case

Section 5.15.1 of the National Information and Communications Technology Policy of 2019 regulates the lawful processing of personal data. Its states that:

1. Personal data will be processed fairly and lawfully;
2. Personal data will be obtained only for one or more specified and lawful purposes, and will not be further processed in any manner incompatible with their purpose or those purposes;
3. Personal data will be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed;
4. Personal data will be accurate and where necessary, kept up to date;
5. Personal data processed for any lawful purpose or purposes will not be kept for longer than is necessary for that purpose or those purposes;
6. Appropriate technical and organizational measures will be taken against unauthorized or unlawful processing of personal data and the protection of children;
7. Data collectors will be required to disclose use of personal data to consumers.
8. Collected personal data will be rigorously protected from unauthorized access by any Parties.

Section 51(5) of the Telecommunication Act states that “Service providers shall ensure that customer information and customer communications are protected by security safeguards that are appropriate to their sensitivity”.

Section 3.1.1 of the 2017 AML / CFT Regulations for Financial Institutions in Liberia states that “financial institutions shall obtain and maintain documentary records for each client or customer to verify by reliable and independent source documents (such as a passport, a driver’s license, or national identification documents)”.

Section 3.1.7 of the 2017 AML / CFT Regulations for Financial Institutions in Liberia provides that the required KYC information must be collected before financial institutions establish any relationship with a person. That is, prior to opening a bank account or performing walk in transactional services for non-account holders

In Law no. 6/2022 regarding Electronic Transactions, there are provisions relating to data collection and processing which are as follows:

Article 73

Any public entity and any authentication service provider may collect personal data directly from the person whom the data is collected about or from someone else, only after the explicit consent of this person and only for the purposes of issuing, maintaining, or facilitating a certificate.

Data may not be collected, processed, or used for any other purpose without the explicit consent of the person from whom the data was collected.

Article 74

Except for the previous article, obtaining, disclosing, providing, or processing personal data is legitimate if it is:

• Necessary for the purpose of preventing or detecting a crime based on an official request from investigative bodies.
• Required or permitted under law or a court decision.
• For the assessment or collection of any tax or fee.
• To protect a vital urgent interest of the person whose data was collected.

Article 75

Taking into account the previous article, the authentication service provider must follow appropriate procedures to ensure the confidentiality of the personal data in his custody while performing his duties. He may not disclose, transfer, declare, or publish such data for any purpose whatsoever without prior consent from the person whose data was collected.

Article 76

Any person who controls personal data by virtue of his work in electronic transactions must, before processing such data, inform the person from whom the data was collected by a special notification of the procedures he follows to protect personal data. These procedures must include identifying the person responsible for the processing, the nature of the data, the purpose of its processing, methods and locations of processing, and all the necessary information to ensure secure data processing.

Article 77

The authentication service provider must enable the person from whom personal data has been collected to access and update it. This right includes access to all personal data sites related to the person from whom the data was collected. Therefore, he must provide appropriate technological means to enable electronic access.’

Additionally, there are some articles in Law No. 4/1990 on the National System for Information and Documentation, which governs the government’s collection of personal data for conducting research for social and economic reasons. This Law provides some provisions which require government entities to take some steps to protect the collected data, such as prohibiting the government from forcing individuals to give their data in order to conduct its research. However, these articles do not provide protection to personal data when individuals process their data. Also, the Central Bank of Libya regulated general criteria for protecting personal data which is available online. However, this is applicable to only Libyan banks.

EU regulation

Data Protection Principles

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under these principles, personal data must be (Article 5):

• Processed lawfully, fairly and in a transparent manner (lawfulness, fairness and transparency principle);
• Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (purpose limitation principle);
• Adequate, relevant and limited to what is necessary in relation to the purpose(s) (data minimization principle);
• Accurate and where necessary kept up-to-date (accuracy principle);
• Kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which the data are processed (storage limitation principle);
• Processed in a manner that ensures appropriate security of the personal data, using appropriate technical and organizational measures (integrity and confidentiality principle).

The controller is responsible for and must be able to demonstrate compliance with the above principles (accountability principle). Accountability is a core theme of the GDPR. Organizations must not only comply with the GDPR but also be able to demonstrate compliance perhaps years after a particular decision relating to processing personal data was taken. Record keeping, audit and appropriate governance will all form a key role in achieving accountability.

Legal Basis under Article 6

In addition, in order to satisfy the lawfulness principle, each use of personal data must be justified by reference to an appropriate basis for processing. The legal bases (also known lawful bases or lawful grounds) under which personal data may be processed are (Article 6(1)):

• With the consent of the data subject (where consent must be "freely given, specific, informed and unambiguous," and must be capable of being withdrawn at any time);
• Where necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract;
• Where necessary to comply with a legal obligation (of the EU) to which the controller is subject;
• Where necessary to protect the vital interests of the data subject or another person (generally recognized as being limited to 'life or death' scenarios, such as medical emergencies);
• Where necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller;
• Where necessary for the purposes of the legitimate interests of the controller or a third party (which is subject to a balancing test, in which the interests of the controller must not override the interests or fundamental rights and freedoms of the data subject. Note also that this basis cannot be relied upon by a public authority in the performance of its tasks).

Special Category Data

Processing of special category data is prohibited (Article 9), except where one of the following exemptions applies (which, in effect, operate as secondary bases which must be established for the lawful processing of special category data, in addition to an Article 6 basis):

• With the explicit consent of the data subject;
• Where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and social protection law or a collective agreement;
• Where necessary to protect the vital interests of the data subject or another natural person who is physically or legally incapable of giving consent;
• In limited circumstances by certain not-for-profit bodies;
• Where processing relates to the personal data which are manifestly made public by the data subject;
• Where processing is necessary for the establishment, exercise or defense of legal claims or where courts are acting in their legal capacity;
• Where necessary for reasons of substantial public interest on the basis of Union or Member State law, proportionate to the aim pursued and with appropriate safeguards;
• Where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, provision of health or social care or treatment of the management of health or social care systems and services;
• Where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of health care and of medical products and devices;
• Where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with restrictions set out in Article 89(1).

Member States are permitted to introduce domestic laws including further conditions and limitations for processing with regard to processing genetic data, biometric data and health data.

Criminal Convictions and Offences data

Processing of personal data relating to criminal convictions and offences is prohibited unless carried out under the control of an official public authority, or specifically authorized by Member State domestic law (Article 10).

Processing for a Secondary Purpose

Increasingly, organizations wish to re-purpose personal data – ie, use data collected for one purpose for a new purpose which was not disclosed to the data subject at the time the data were first collected. This is potentially in conflict with the core principle of purpose limitation; to ensure that the rights of data subjects are protected. The GDPR sets out a series of factors that the controller must consider to ascertain whether the new process is compatible with the purposes for which the personal data were initially collected (Article 6(4)). These include:

• Any link between the original purpose and the new purpose;
• The context in which the data have been collected;
• The nature of the personal data, in particular whether special categories of data or data relating to criminal convictions are processed (with the inference being that if they are it will be much harder to form the view that a new purpose is compatible);
• The possible consequences of the new processing for the data subjects;
• The existence of appropriate safeguards, which may include encryption or pseudonymization.

If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new purpose are consent or a legal obligation (more specifically an EU or Member State law which constitutes a necessary and proportionate measure in a democratic society).

Transparency (Privacy Notices)

The GDPR places considerable emphasis on transparency, ie, the right for a data subject to understand how and why his or her data are used, and what other rights are available to data subjects to control processing. The presentation of granular, yet easily accessible, privacy notices should, therefore, be seen as a cornerstone of GDPR compliance.

Various information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using clear and plain language (Article 12(1)).

The following information must be provided (Article 13) at the time the data are obtained: 

• The identity and contact details of the controller;
• The data protection officer's contact details (if there is one);
• Both the purpose for which data will be processed and the legal basis for processing, including, if relevant, the legitimate interests for processing;
• The recipients or categories of recipients of the personal data;
• Details of international transfers;
• The period for which personal data will be stored or, if that is not possible, the criteria used to determine this;
• The existence of rights of the data subject including the right to access, rectify, require erasure, restrict processing, object to processing and data portability;
• Where applicable, the right to withdraw consent, and the right to complain to supervisory authorities;
• The consequences of failing to provide data necessary to enter into a contract;
• The existence of any automated decision making and profiling and the consequences for the data subject;
• In addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that further processing, providing the above information.

Somewhat different requirements apply (Article 14) where information has not been obtained from the data subject.

Rights of the Data Subject

Data subjects enjoy a range of rights to control the processing of their personal data, some of which are very broadly applicable, while others only apply in quite limited circumstances. Controllers must provide information on action taken in response to requests within one calendar month as a default, with a limited right for the controller to extend this period thereby a further two months where the request is onerous.

Right of access (Article 15)

A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information about the how the data have been used by the controller.

Right to rectify (Article 16)

Data subjects may require inaccurate or incomplete personal data to be corrected or completed without undue delay.

Right to erasure ('right to be forgotten') (Article 17)

Data subjects may request erasure of their personal data. The forerunner of this right made headlines in 2014 when Europe’s highest court ruled against Google (Judgment of the CJEU in Case C-131/12), in effect requiring Google to remove search results relating to historic proceedings against a Spanish national for an unpaid debt on the basis that Google as a data controller of the search results had no legal basis to process that information.

The right is not absolute; it only arises in quite a narrow set of circumstances, notably where the controller no longer needs the data for the purposes for which they were collected or otherwise lawfully processed, or as a corollary of the successful exercise of the objection right, or of the withdrawal of consent.

Right to restriction of processing (Article 18)

Data subjects enjoy a right to restrict processing of their personal data in defined circumstances. These include where the accuracy of the data is contested; where the processing is unlawful; where the data are no longer needed save for legal claims of the data subject, or where the legitimate grounds for processing by the controller are contested.

Right to data portability (Article 20)

Where the processing of personal data is justified either on the basis that the data subject has given his or her consent to processing or where processing is necessary for the performance of a contract, then the data subject has the right to receive or have transmitted to another controller all personal data concerning him or her in a structured, commonly used and machine-readable format (eg, commonly used file formats recognized by mainstream software applications, such as .xsl).

Right to object (Article 21)

Data subjects have the right to object to processing on the legal basis of the legitimate interests of the data controller or where processing is in the public interest. Controllers will then have to suspend processing of the data until such time as they demonstrate compelling legitimate grounds for processing which override the rights of the data subject.

In addition, data subjects enjoy an unconditional right to object to the processing of personal data for direct marketing purposes at any time. 

The right not to be subject to automated decision making, including profiling (Article 22)

Automated decision making (including profiling) "which produces legal effects concerning [the data subject] … or similarly significantly affects him or her" is only permitted where: 

1. Necessary for entering into or performing a contract;
2. Authorized by EU or Member State law;
3. The data subject has given their explicit (ie. opt-in) consent.

Further, where significant automated decisions are taken on the basis of grounds (a) or (c), the data subject has the right to obtain human intervention, to contest the decision, and to express his or her point of view.

---

Lithuania regulation

The Data Protection Law contains provisions on specific conditions related to the processing of national identification number.

Article 3 of the Data Protection Law determines particularities of the processing of the personal code:

• Personal code can be processed if there is at least one of the conditions for the lawfulness of the processing of personal data referred to in Article 6(1) of Regulation (EU) 2016/679;
• It is forbidden to disseminate the personal code;
• It is forbidden to process personal code for direct marketing purposes.

The Data Protection Law provides specific rules and exceptions regarding processing of personal data for journalistic, academic, artistic and literary purposes. When processing data for these purposes, Articles 8, 12-23, 25, 30, 33-39, 41-50 and 88-91 of the GDPR shall not be applicable.

The Data Protection Law also provides specific rules regarding processing of personal data in the employment context:

1. The processing of personal data relating to convictions and criminal offences of a candidate and of an employee is lawful only if and to the extent that at least one of the following conditions applies: (1) the processing is necessary for the fulfilment of the legal obligation imposed on the data controller to verify whether the person fulfils the requirements laid down by law and (or) implementing legislation; (2) the processing is necessary for the legitimate interests of the employer, except where the interests or fundamental rights and freedoms of the candidate or of the employee, override those interests, in particular where the data subject is a child;
2. Personal data relating to criminal convictions and criminal offences of a candidate and of an employee may be processed based on the legitimate interest only if the GDPR requirements are fulfilled and the following safeguards to protect the rights and freedoms of data subjects are implemented:
3. • the employer carries out an assessment of its legitimate interest in processing the personal data relating to convictions and criminal offences of the applicant for the post or job function and of the employee and draws up a written report on that assessment. The assessment shall take into account the specific features of the duties or functions of the job, the risks to the employer that a person with a criminal conviction may incur in the performance of the duties or functions of the job, the reasonableness and proportionality of the requirement that the person be free from criminal convictions, the fundamental rights and freedoms of the candidate and of the employee and any other relevant considerations. The Data Protection Officer shall be consulted in the course of this assessment, if appointed in accordance with the GDPR;
   • the employer has adopted and published on its website, if available, a list of the positions or job functions for which the requirement not to have been convicted of certain criminal offences applies. That list shall include the offences for which the person concerned must be free of criminal convictions. Only the personal data on convictions and criminal offences of those candidates and employees whose intended or current position or job function is included in the list can be processed;
   • the information on convictions and criminal offences can only be provided to the employer by a candidate or by an employee themselves.
4. The data controller may collect personal data relating to qualifications, professional skills and business characteristics of a candidate applying for job from a former employer by duly informing the candidate, and from the existing employer by receiving consent of the candidate.
5. The processing of video or audio data in the workplace and at the data controller's premises or in the areas where employees work, in the processing of personal data relating to the monitoring of employees' behavior, employees must be informed of such processing of their personal data in writing or by any other means which allow to prove the fact that the information referred to in Article 13(1) and (2) of Regulation (EU) 2016/679 has been provided.

The consent of a child for the use of information society services is deemed lawful where the child is at least 14 years old. Where the child is below the age of 14 years, such consent will be lawful only if and to the extent that consent is given or authorized by the holder of parental responsibility for the child.

EU regulation

Data Protection Principles

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under these principles, personal data must be (Article 5):

• Processed lawfully, fairly and in a transparent manner (lawfulness, fairness and transparency principle)
• Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (purpose limitation principle)
• Adequate, relevant and limited to what is necessary in relation to the purpose(s) (data minimization principle)
• Accurate and where necessary kept up-to-date (accuracy principle)
• Kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which the data are processed (storage limitation principle)
• Processed in a manner that ensures appropriate security of the personal data, using appropriate technical and organizational measures (integrity and confidentiality principle)

The controller is responsible for and must be able to demonstrate compliance with the above principles (accountability principle). Accountability is a core theme of the GDPR. Organizations must not only comply with the GDPR but also be able to demonstrate compliance perhaps years after a particular decision relating to processing personal data was taken. Record keeping, audit and appropriate governance will all form a key role in achieving accountability.

Legal Basis under Article 6

In addition, in order to satisfy the lawfulness principle, each use of personal data must be justified by reference to an appropriate basis for processing. The legal bases (also known lawful bases or lawful grounds) under which personal data may be processed are (Article 6(1)):

• With the consent of the data subject (where consent must be "freely given, specific, informed and unambiguous," and must be capable of being withdrawn at any time)
• Where necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract
• Where necessary to comply with a legal obligation (of the EU) to which the controller is subject
• Where necessary to protect the vital interests of the data subject or another person (generally recognized as being limited to 'life or death' scenarios, such as medical emergencies)
• Where necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller
• Where necessary for the purposes of the legitimate interests of the controller or a third party (which is subject to a balancing test, in which the interests of the controller must not override the interests or fundamental rights and freedoms of the data subject. Note also that this basis cannot be relied upon by a public authority in the performance of its tasks)

Special Category Data

Processing of special category data is prohibited (Article 9), except where one of the following exemptions applies (which, in effect, operate as secondary bases which must be established for the lawful processing of special category data, in addition to an Article 6 basis):

• With the explicit consent of the data subject
• Where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and social protection law or a collective agreement
• Where necessary to protect the vital interests of the data subject or another natural person who is physically or legally incapable of giving consent
• In limited circumstances by certain not-for-profit bodies
• Where processing relates to the personal data which are manifestly made public by the data subject
• Where processing is necessary for the establishment, exercise or defense of legal claims or where courts are acting in their legal capacity
• Where necessary for reasons of substantial public interest on the basis of Union or Member State law, proportionate to the aim pursued and with appropriate safeguards
• Where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, provision of health or social care or treatment of the management of health or social care systems and services
• Where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of health care and of medical products and devices
• Where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with restrictions set out in Article 89(1)

Member States are permitted to introduce domestic laws including further conditions and limitations for processing with regard to processing genetic data, biometric data and health data.

Criminal Convictions and Offences data

Processing of personal data relating to criminal convictions and offences is prohibited unless carried out under the control of an official public authority, or specifically authorized by Member State domestic law (Article 10).

Processing for a Secondary Purpose

Increasingly, organizations wish to re-purpose personal data – ie, use data collected for one purpose for a new purpose which was not disclosed to the data subject at the time the data were first collected. This is potentially in conflict with the core principle of purpose limitation; to ensure that the rights of data subjects are protected. The GDPR sets out a series of factors that the controller must consider to ascertain whether the new process is compatible with the purposes for which the personal data were initially collected (Article 6(4)). These include:

• Any link between the original purpose and the new purpose
• The context in which the data have been collected
• The nature of the personal data, in particular whether special categories of data or data relating to criminal convictions are processed (with the inference being that if they are it will be much harder to form the view that a new purpose is compatible)
• The possible consequences of the new processing for the data subjects
• The existence of appropriate safeguards, which may include encryption or pseudonymization

If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new purpose are consent or a legal obligation (more specifically an EU or Member State law which constitutes a necessary and proportionate measure in a democratic society).

Transparency (Privacy Notices)

The GDPR places considerable emphasis on transparency, ie, the right for a data subject to understand how and why his or her data are used, and what other rights are available to data subjects to control processing. The presentation of granular, yet easily accessible, privacy notices should, therefore, be seen as a cornerstone of GDPR compliance.

Various information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using clear and plain language (Article 12(1)).

The following information must be provided (Article 13) at the time the data are obtained: 

• The identity and contact details of the controller
• The data protection officer's contact details (if there is one)
• Both the purpose for which data will be processed and the legal basis for processing, including, if relevant, the legitimate interests for processing
• The recipients or categories of recipients of the personal data
• Details of international transfers
• The period for which personal data will be stored or, if that is not possible, the criteria used to determine this
• The existence of rights of the data subject including the right to access, rectify, require erasure, restrict processing, object to processing and data portability
• Where applicable, the right to withdraw consent, and the right to complain to supervisory authorities
• The consequences of failing to provide data necessary to enter into a contract
• The existence of any automated decision making and profiling and the consequences for the data subject
• In addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that further processing, providing the above information

Somewhat different requirements apply (Article 14) where information has not been obtained from the data subject.

Rights of the Data Subject

Data subjects enjoy a range of rights to control the processing of their personal data, some of which are very broadly applicable, while others only apply in quite limited circumstances. Controllers must provide information on action taken in response to requests within one calendar month as a default, with a limited right for the controller to extend this period thereby a further two months where the request is onerous.

Right of access (Article 15)

A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information about the how the data have been used by the controller.

Right to rectify (Article 16)

Data subjects may require inaccurate or incomplete personal data to be corrected or completed without undue delay.

Right to erasure ('right to be forgotten') (Article 17)

Data subjects may request erasure of their personal data. The forerunner of this right made headlines in 2014 when Europe’s highest court ruled against Google (Judgment of the CJEU in Case C-131/12), in effect requiring Google to remove search results relating to historic proceedings against a Spanish national for an unpaid debt on the basis that Google as a data controller of the search results had no legal basis to process that information.

The right is not absolute; it only arises in quite a narrow set of circumstances, notably where the controller no longer needs the data for the purposes for which they were collected or otherwise lawfully processed, or as a corollary of the successful exercise of the objection right, or of the withdrawal of consent.

Right to restriction of processing (Article 18)

Data subjects enjoy a right to restrict processing of their personal data in defined circumstances. These include where the accuracy of the data is contested; where the processing is unlawful; where the data are no longer needed save for legal claims of the data subject, or where the legitimate grounds for processing by the controller are contested.

Right to data portability (Article 20)

Where the processing of personal data is justified either on the basis that the data subject has given his or her consent to processing or where processing is necessary for the performance of a contract, then the data subject has the right to receive or have transmitted to another controller all personal data concerning him or her in a structured, commonly used and machine-readable format (eg, commonly used file formats recognized by mainstream software applications, such as .xsl).

Right to object (Article 21)

Data subjects have the right to object to processing on the legal basis of the legitimate interests of the data controller or where processing is in the public interest. Controllers will then have to suspend processing of the data until such time as they demonstrate “compelling legitimate grounds” for processing which override the rights of the data subject.

In addition, data subjects enjoy an unconditional right to object to the processing of personal data for direct marketing purposes at any time. 

The right not to be subject to automated decision making, including profiling (Article 22)

Automated decision making (including profiling) "which produces legal effects concerning [the data subject] … or similarly significantly affects him or her" is only permitted where: 

1. Necessary for entering into or performing a contract
2. Authorized by EU or Member State law
3. The data subject has given their explicit (ie, opt-in) consent

Further, where significant automated decisions are taken on the basis of grounds (a) or (c), the data subject has the right to obtain human intervention, to contest the decision, and to express his or her point of view.

---

Luxembourg regulation

The Law of August 1, 2018 on the organization of the National Data Protection Commission provides specific regulations concerning the processing of personal data for the purposes of the surveillance of employees at the workplace by the employer (thus modifying Article L. 261-1(1) of the Labor Code). In this respect, the employer must comply with a certain set of obligations, in addition to its general obligations as a data controller under the GDPR.

Notably, the employer must inform certain employee representation bodies of the contemplated processing of personal data. This information must contain a detailed description of the purposes of the contemplated processing, the means of implementation of the surveillance, and the retention policy for the personal data concerned.

When employees or their representation bodies are informed that their personal data may be processed for surveillance purposes, they may ask the CNPD for a preliminary opinion on the compliance of such surveillance project with applicable data protection legislation. The employer may not begin surveillance until the CNPD hands out its decision.

When surveillance has already been put it place by the employer, employees have a right to file a complaint with the CNPD if they believe that processing does not comply with applicable data protection legislation. Filing such complaint may not be held as a grounds for dismissal.

Finally, the Law of August, 1 2018 on the organization of the National Data Protection Commission provides three specific provisions complementing the GDPR in matters left to Member State discretion.

1. Processing of personal data for the sole purpose of journalism, university research, art or literature

This processing is not subject to:

• Prohibitions on processing special categories of personal data set out under Article 9(1) GDPR
• Limitations applicable to processing of personal data relating to criminal convictions and offences (Article 10, GDPR):
• Provided such processing concerns data made publicly available (in an obvious fashion) by the data subject
• If the data are directly connected to the public life of the data subject
• If the data are directly connected to an event in which the data subject has willingly become involved
• Obligations imposed on the data controller in case of a transfer of personal data to third countries or international organizations (Chapter V, GDPR)
• The obligation of the data controller to provide information to the data subject where personal data are collected from the data subject (Article 13, GDPR), when providing such information would jeopardize the collection of personal data from such data subject
• The obligation of the data controller to provide information to the data subject where personal data have not been obtained from the data subject (Article 14, GDPR), when providing such information would jeopardize either the collection of personal data, a publication project, making such personal data available to the public in any way whatsoever or would provide indications as to the source of information
• The obligation to provide the data subject with the right of access to his or her personal data. Such right is postponed and limited, in that it cannot enable the data subject to identify the source of information. This right may be exercised only through the CNPD and in the presence of the President of the Press Council or his or her representative

2. Processing of personal data for scientific or historical research purposes, for statistical purposes, or for archiving purposes in the public interest

When personal data is processed for scientific or historical research purposes or for statistical purposes, the rights of the data subject specified under articles 15, 16, 18 and 21 GDPR may be limited provided that such rights would make impossible or seriously impede the accomplishment of the specific concerned purposes.

Such limitation on data subject rights may only be applied where the data controller puts in place an extensive set of additional appropriate safeguard measures for the rights and freedom of the data subject (Article 65 of the Law of August 1, 2018 on the organization of the National Data Protection Commission), such as, in particular:

• The appointment of a DPO
• Performing an impact assessment of the contemplated processing on the protection of personal data
• Anonymizing the data processed

In any event, the additional safeguard measures must be put in place in accordance with the nature, scope, context and purposes of the processing, as well as the risks for the rights and freedoms of the relevant data subjects. In this regard, if the data controller elects not to put in place one of the measures listed in Article 65 of the Law of August 1, 2018 on the organization of the National Data Protection Commission, it must then formally document and justify why it chose not to do so.

Finally, processing of special categories of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (Article 9(2)(j), GDPR) is allowed under the same conditions (ie, putting in place additional appropriate safeguard measures as defined under Article 65 of the Law of August 1, 2018 on the organization of the National Data Protection Commission).

3. Processing of special categories of personal data

Genetic data may not be processed for purposes of exercising the controller's own rights in the field of employment and insurance law.

Personal data may be processed only if the data subject has given his or her unequivocal consent or if processing is deemed necessary:

• Execution of an agreement where the data subject is a party, or, at the data subject’s request, negotiation in relation to such an agreement;
• Compliance with a legal obligation to which the data controller is subject;
• Protection of vital interests of the data subject if he or she is physically or legally unable to give his or her consent;
• Performance of a public interest assignment or exercise of public authority powers vested in the data controller or in a third party to whom the personal data is disclosed; or
• Pursuing a data controller's legitimate interest (or the legitimate interest of a third party to whom the data is disclosed), provided that the data subject’s interests or rights, liberties and guarantees do not prevail.

The data subject must be provided with all relevant processing information, including the identification of the data controller, the purpose of processing, and the means and forms available to the data subject for accessing, amending and deleting his or her personal data. Moreover, if applicable, the data subject should also be informed of the possibility of their data being transferred to a jurisdiction outside of Macau.

The following principles must be satisfied when personal data is collected and processed:

• All personal data must be processed fairly and lawfully for specific, explicit and legitimate purposes and subsequently processed in accordance with these purposes;

• All personal data collected must be adequate, relevant and non-excessive in view of the purposes for which it is collected;

• All personal data must be accurate and comprehensive and when necessary, kept up to date;

• All personal data must be retained no longer than is necessary for the purposes for which it is processed.

The processing of personal data must receive the data subject's prior consent or fulfill one of the following conditions:

• Compliance with a legal obligation of the data controller;

• The purpose of the processing is to protect the individual's life;

• The purpose of the processing is to carry out a public service;

• The processing relates to the performance of a contract to which the concerned individual is a party, or pre-contractual measures requested by that individual;

• Processing relates to the realisation of the legitimate interest of the data controller or the data recipient, subject to the interest and fundamental rights and liberties of the concerned individual.

The conditions for processing of sensitive personal data include most of the above conditions, but contain an additional list of more restrictive conditions that must also be satisfied such as requirement to obtain prior consent of the data subject, or in the absence of consent where the processing is undertaken to carry out a public service and is required by law or priorly authorised by the CMIL.

Under the PDPA, subject to certain exceptions, data users are generally required to obtain a data subject’s consent for the processing (which includes collection and disclosure) of his or her personal data. Where consent is required from a data subject under the age of eighteen, the data user must obtain consent from the parent, guardian or person who has parental responsibility for the data subject. The consent obtained from a data subject must be in a form that such consent can be recorded and maintained properly by the data user.

Pursuant to PC01/2020, the Commissioner has sought feedback on its proposal to amend the General Principle provision to add clarity to the data subject's consent, whether it should be in a specific provision and the impact of having a default consent. However, there is no amendment to the General Principle provision under the Amending Act.

Malaysian law contains additional data protection obligations, including, for example, a requirement to notify data subjects regarding the purpose for which their personal data are collected and a requirement to maintain a list of any personal data disclosures to third parties.

The Standards set out the Commission’s minimum requirements for processing personal data. The Standards include the following:

• Security Standard For Personal Data Processed Electronically
• Security Standard For Personal Data Processed Non-Electronically
• Retention Standard For Personal Data Processed Electronically And Non-Electronically
• Data Integrity Standard For Personal Data Processed Electronically And Non-Electronically

However, the Commissioner has issued the Public Consultation Paper No. 04/2024: Personal Data Protection Standards (“PCP No. 04/2024”) on October 01, 2024 to seek feedback from the public on the revision of the above minimum requirements. The proposed revisions under the PCP No. 04/2024 include:

1. Replacing “black and white” rules (i.e. prescriptive and specific instructions or measures that data controllers must comply with) with requirements that are outcome based;
2. Removing the differentiation between personal data processed electronically or physically and provide the security standards which applies to personal data generally; and
3. The role of certification schemes to demonstrate compliance with the Standards.

The revised Standards are expected to be issued by early 2025, likely before April 2025, as the amendments to the Security Principle under the Amending Act are set to come into force on April 01, 2025.

EU regulation

Data Protection Principles

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under these principles, personal data must be (Article 5):

• Processed lawfully, fairly and in a transparent manner (lawfulness, fairness and transparency principle)
• Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (purpose limitation principle)
• Adequate, relevant and limited to what is necessary in relation to the purpose(s) (data minimization principle)
• Accurate and where necessary kept up-to-date (accuracy principle)
• Kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which the data are processed (storage limitation principle)
• Processed in a manner that ensures appropriate security of the personal data, using appropriate technical and organizational measures (integrity and confidentiality principle)

The controller is responsible for and must be able to demonstrate compliance with the above principles (accountability principle). Accountability is a core theme of the GDPR. Organizations must not only comply with the GDPR but also be able to demonstrate compliance perhaps years after a particular decision relating to processing personal data was taken. Record keeping, audit and appropriate governance will all form a key role in achieving accountability.

Legal Basis under Article 6

In addition, in order to satisfy the lawfulness principle, each use of personal data must be justified by reference to an appropriate basis for processing. The legal bases (also known lawful bases or lawful grounds) under which personal data may be processed are (Article 6(1)):

• With the consent of the data subject (where consent must be "freely given, specific, informed and unambiguous," and must be capable of being withdrawn at any time)
• Where necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract
• Where necessary to comply with a legal obligation (of the EU) to which the controller is subject
• Where necessary to protect the vital interests of the data subject or another person (generally recognized as being limited to 'life or death' scenarios, such as medical emergencies)
• Where necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller
• Where necessary for the purposes of the legitimate interests of the controller or a third party (which is subject to a balancing test, in which the interests of the controller must not override the interests or fundamental rights and freedoms of the data subject. Note also that this basis cannot be relied upon by a public authority in the performance of its tasks)

Special Category Data

Processing of special category data is prohibited (Article 9), except where one of the following exemptions applies (which, in effect, operate as secondary bases which must be established for the lawful processing of special category data, in addition to an Article 6 basis):

• With the explicit consent of the data subject
• Where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and social protection law or a collective agreement
• Where necessary to protect the vital interests of the data subject or another natural person who is physically or legally incapable of giving consent
• In limited circumstances by certain not-for-profit bodies
• Where processing relates to the personal data which are manifestly made public by the data subject
• Where processing is necessary for the establishment, exercise or defense of legal claims or where courts are acting in their legal capacity
• Where necessary for reasons of substantial public interest on the basis of Union or Member State law, proportionate to the aim pursued and with appropriate safeguards
• Where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, provision of health or social care or treatment of the management of health or social care systems and services
• Where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of health care and of medical products and devices
• Where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with restrictions set out in Article 89(1)

Member States are permitted to introduce domestic laws including further conditions and limitations for processing with regard to processing genetic data, biometric data and health data.

Criminal Convictions and Offences data

Processing of personal data relating to criminal convictions and offences is prohibited unless carried out under the control of an official public authority, or specifically authorised by Member State domestic law (Article 10).

Processing for a Secondary Purpose

Increasingly, organizations wish to re-purpose personal data – ie, use data collected for one purpose for a new purpose which was not disclosed to the data subject at the time the data were first collected. This is potentially in conflict with the core principle of purpose limitation; to ensure that the rights of data subjects are protected. The GDPR sets out a series of factors that the controller must consider to ascertain whether the new process is compatible with the purposes for which the personal data were initially collected (Article 6(4)). These include:

• Any link between the original purpose and the new purpose
• The context in which the data have been collected
• The nature of the personal data, in particular whether special categories of data or data relating to criminal convictions are processed (with the inference being that if they are it will be much harder to form the view that a new purpose is compatible)
• The possible consequences of the new processing for the data subjects
• The existence of appropriate safeguards, which may include encryption or pseudonymization

If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new purpose are consent or a legal obligation (more specifically an EU or Member State law which constitutes a necessary and proportionate measure in a democratic society).

Transparency (Privacy Notices)

The GDPR places considerable emphasis on transparency, ie, the right for a data subject to understand how and why his or her data are used, and what other rights are available to data subjects to control processing. The presentation of granular, yet easily accessible, privacy notices should, therefore, be seen as a cornerstone of GDPR compliance.

Various information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using clear and plain language (Article 12(1)).

The following information must be provided (Article 13) at the time the data are obtained: 

• The identity and contact details of the controller
• The data protection officer's contact details (if there is one)
• Both the purpose for which data will be processed and the legal basis for processing, including, if relevant, the legitimate interests for processing
• The recipients or categories of recipients of the personal data
• Details of international transfers
• The period for which personal data will be stored or, if that is not possible, the criteria used to determine this
• The existence of rights of the data subject including the right to access, rectify, require erasure, restrict processing, object to processing and data portability
• Where applicable, the right to withdraw consent, and the right to complain to supervisory authorities
• The consequences of failing to provide data necessary to enter into a contract
• The existence of any automated decision making and profiling and the consequences for the data subject
• In addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that further processing, providing the above information

Somewhat different requirements apply (Article 14) where information has not been obtained from the data subject.

Rights of the Data Subject

Data subjects enjoy a range of rights to control the processing of their personal data, some of which are very broadly applicable, whilst others only apply in quite limited circumstances. Controllers must provide information on action taken in response to requests within one calendar month as a default, with a limited right for the controller to extend this period thereby a further two months where the request is onerous.

Right of access (Article 15)

A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information about the how the data have been used by the controller.

Right to rectify (Article 16)

Data subjects may require inaccurate or incomplete personal data to be corrected or completed without undue delay.

Right to erasure ('right to be forgotten') (Article 17)

Data subjects may request erasure of their personal data. The forerunner of this right made headlines in 2014 when Europe’s highest court ruled against Google (Judgment of the CJEU in Case C-131/12), in effect requiring Google to remove search results relating to historic proceedings against a Spanish national for an unpaid debt on the basis that Google as a data controller of the search results had no legal basis to process that information.

The right is not absolute; it only arises in quite a narrow set of circumstances, notably where the controller no longer needs the data for the purposes for which they were collected or otherwise lawfully processed, or as a corollary of the successful exercise of the objection right, or of the withdrawal of consent.

Right to restriction of processing (Article 18)

Data subjects enjoy a right to restrict processing of their personal data in defined circumstances. These include where the accuracy of the data is contested; where the processing is unlawful; where the data are no longer needed save for legal claims of the data subject, or where the legitimate grounds for processing by the controller are contested.

Right to data portability (Article 20)

Where the processing of personal data is justified either on the basis that the data subject has given his or her consent to processing or where processing is necessary for the performance of a contract, then the data subject has the right to receive or have transmitted to another controller all personal data concerning him or her in a structured, commonly used and machine-readable format (eg, commonly used file formats recognized by mainstream software applications, such as .xsl).

Right to object (Article 21)

Data subjects have the right to object to processing on the legal basis of the legitimate interests of the data controller or where processing is in the public interest. Controllers will then have to suspend processing of the data until such time as they demonstrate “compelling legitimate grounds” for processing which override the rights of the data subject.

In addition, data subjects enjoy an unconditional right to object to the processing of personal data for direct marketing purposes at any time. 

The right not to be subject to automated decision taking, including profiling (Article 22)

Automated decision making (including profiling) "which produces legal effects concerning [the data subject] … or similarly significantly affects him or her" is only permitted where: 

1. Necessary for entering into or performing a contract
2. Authorized by EU or Member State law
3. The data subject has given their explicit (ie, opt-in) consent

Further, where significant automated decisions are taken on the basis of grounds (a) or (c), the data subject has the right to obtain human intervention, to contest the decision, and to express his or her point of view.

---

Malta regulation

The position under the Maltese Data Protection Act, 2018

The Act states that controllers and processors may derogate from the provisions of Articles 15, 16, 18 and 21 of the GDPR for the processing of personal data for scientific or historical research purposes or official statistics insofar as the exercise of the rights set out in those Articles:

1. Is likely to render impossible or seriously impair the achievement of those purposes, and
2. The data controller reasonably believes that such derogations are necessary for the fulfilment of those purposes.

Controllers and processors may also derogate from the obligations of Articles 15, 16, 18, 19, 20 and 21 of the GDPR for archiving purposes in the public interest. The same criteria ((1) and (2) above) must subsist for this derogation to apply.

Article 8 of the Act stipulates that an identity document shall only be processed when such processing is justified having regards to the purpose of processing and (1) the importance of a secure identification; or (2) any other valid reason as may be provided by law.

Personal data being processed for the purpose of exercising the right to freedom of expression and information, including processing for journalistic purposes or for the purpose of academic, artistic or literary expression, is exempt from compliance with the provisions of the GDPR (listed below), where, having regard to the right of freedom of expression and information in a democratic society, compliance with the following provisions would be incompatible with such processing purposes:

a. Chapter II (Principles)

• Article 5(1)(a) to (e) (principles relating to processing)
• Article 6 (lawfulness)
• Article 7 (conditions for consent)
• Article 10 (data relating to criminal convictions, etc.)
• Article 11(2) (processing not requiring identification)

b. Chapter III (rights of the data subject)

• Article 13(1) to (3) (personal data collected from data subject: information to be provided)
• Article 14(1) to (4) (personal data collected other than from the data subject)
• Article 15(1) to (3) (access to data and safeguards for third country transfers)
• Article 17(1) and (2) (right to erasure)
• Article 18(1)(a), (b) and (d) (restriction of processing)
• Article 20(1) and (2) (right to data portability)
• Article 21(1) (objections to processing)

c. Chapter IV (controller and processor)

• Article 25 (data protection by design and by default)
• Article 27 (representatives of controllers or processors not established in the Union)
• Article 30 (records of processing activities)
• Article 33 (notification of personal data breach to supervisory authority)
• Article 34 (communication of personal data breach to the data subject)
• Article 42 (certification)
• Article 43 (certification bodies)

d. Chapter VII (co-operation and consistency)

• Articles 60 to 62 (co-operation)
• Articles 63 to 67 (consistency)

Important note regarding age of consent: The processing of personal data of a child in relation to information society services has been lowered from eighteen (18) to thirteen (13) years of age by means of the ‘Processing of Children’s Personal Data in Relation to the Offer of Information Society Services Regulations’ (Subsidiary Legislation 586.11 issued under the Data Protection Act 2018). It is important to note that the age of consent for valid contract formation in Malta remains 18 years of age. This grey area is still subject to local authoritative interpretation. We are not aware of any such interpretations at time of writing.

Finally, in certain circumstances, the collection and processing of personal data are further regulated by local sector-specific regulations. By way of example, medical data relating to students can only be processed under specific conditions.

Subject to exceptions provided under the Act, a controller cannot collect personal data unless the collection (a) is for a lawful purpose connected with a function or activity of the data controller, and (b) the collection is necessary for that purpose.

Where the data controller collects personal data directly from the data subject, the data controller shall at the time of collecting personal data ensure that the data subject concerned is informed of:

• The identity and contact details of the controller and, where applicable, its representative and any data protection officer;
• The purpose for which the data are being collected;
• The intended recipients of the data;
• Whether or not the supply of the data by that data subject is voluntary or mandatory;
• The existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
• The existence of the right to request from the controller access to and rectification, restriction or erasure of personal data concerning the data subject or to object to the processing;
• The existence of automated decision making, including profiling, and information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject;
• The period for which the personal data shall be stored;
• The right to lodge a complaint with the Commissioner;
• Where applicable, that the controller intends to transfer personal data to another country and on the level of suitable protection afforded by that country;
• Any further information necessary to guarantee fair processing in respect of the data subject's personal data, having regard to the specific circumstances in which the data are collected.

Where data is not collected directly from the data subject concerned, the data controller or any person acting on his behalf shall ensure that the data subject is informed of the matters set out above.

There are six principles relating to the processing of personal data which are enumerated in the Act. Accordingly, every controller or processor need to ensure that personal data are:

• Processed lawfully, fairly and in a transparent manner in relation to any data subject;
• Collected for explicit, specified and legitimate purposes and not further processed in a manner incompatible with those purposes;
• Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
• Accurate and, where necessary, kept up to date, with every reasonable step being taken to ensure that any inaccurate personal data are erased or rectified without delay;
• Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; and
• Processed in accordance with the rights of data subjects.

For processing of data to be lawful, it must have a legal basis. One of the legal basis is consent. According to the DPA 2017, no person shall process personal data unless the data subject consents to the processing for one or more specified purposes. Consent is defined under the Act as any freely given, specific, informed and an unambiguous indication of the wishes of a data subject, either by a statement or a clear affirmative action, by which he signifies his agreement to personal data relating to him being processed.

Processing shall also be lawful, when the processing is necessary for any of the following:

• The performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject before entering into a contract;
• Compliance with any legal obligation to which the controller is subject;
• In order to protect the vital interests of the data subject or another person;
• The performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
• The performance of any task carried out by a public authority;
• The exercise, by any person in the public interest, of any other functions of a public nature;
• The legitimate interests pursued by the controller or by a third party to whom the data are disclosed, except if the processing is unwarranted in any particular case having regard to the harm and prejudice to the rights and freedoms or legitimate interests of the data subject;
• The purpose of historical, statistical or scientific research.

Special categories of personal data

Special categories of personal data, as defined above, cannot be processed unless the processing is based on one of the legal basis as described above and the processing is carried out in the course of the controller's / processor's legitimate activities with appropriate safeguards.

It is also possible to process special categories of personal data when:

• Processing relates to personal data which are manifestly made public by the data subject;
• Processing is conducted in the course of its lawful activities by a not-for-profit body with political, philosophical, religious, or trade union aims, ensuring that it applies only to members, former members, or regular contacts, and personal data is not shared externally without the data subjects' consent; or
• Processing is necessary for:
  • the establishment, exercise or defence of a legal claim;
  • the purpose of preventive or occupational medicine, for the assessment of the working capacity of an employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services or pursuant to a contract with a health professional subject to the obligation of professional secrecy;
  • the purpose of carrying out the obligations and exercising specific rights of the controller or of the data subject; or
  • protecting the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving consent.

Principles and obligations 

In processing personal data, data controllers must observe the principles of legality, information, consent, notice, quality, purpose, loyalty, proportionality and accountability.

Pursuant to these principles:

• Personal data must be collected and processed fairly (and not through deceptive or fraudulent means) and lawfully
• Personal data must be collected for specified, explicit and legitimate purposes and not be further processed in a way incompatible with those purposes.
• Consent must be obtained, unless an exception applies.
• Processing of personal data must be adequate, relevant and not excessive in relation to the purposes for which it is collected. or further processed
• Personal data must be accurate and, if necessary, updated; every reasonable step must be taken to ensure that data that is inaccurate or incomplete, having regard to the purposes for which it was collected or for which it is further processed, is erased or rectified., and
• Personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the data was collected or for which it is further processed.
• Data subjects are entitled to a reasonable expectation of privacy in the processing of their personal data. In addition, personal data must be processed as agreed upon by the parties (in a privacy notice or otherwise) and in compliance with the Law.
• A privacy notice (Aviso de Privacidad) must be made available to data subjects prior to the processing of their personal data.

Required information for privacy notices

To legally process personal data, data controllers must provide a privacy notice (Aviso de Privacidad), which must be made available to a data subject prior to the processing of his or her personal data. The privacy notice may be provided to data subjects in printed, digital, visual or audio formats, or any other technology.

Controllers are required to notify data subjects of the main characteristics of the processing to which their personal data will be subject. This obligation is complied with through the privacy notice. Therefore, any data controller is required to prepare and make available to data subjects the relevant privacy notice(s) corresponding to their personal data. Controllers will have to make available distinct privacy notices for different categories of data subjects, such as personnel and customers.

The Guidelines permit the following three forms of privacy notice, depending on whether the personal data is obtained directly or indirectly from the data subject, and the context and space in which the personal data is collected:

• Comprehensive privacy notice: required to be provided when the personal data is obtained in-person from the data subject, for example, in a face-to-face interview.
• Simplified privacy notice: required to be provided when the data is obtained directly from the data subject, for example, when registering for an account on website or during a customer service call.
• Short form privacy notice: may be provided when the space for the privacy notice is limited and the Personal Data collected is minimum, for example, at an ATM, in a SMS, on a raffle ticket

Each of these forms must meet specific disclosure requirements, as described below, and the simplified and short-form notices must link to, or provide information about how to obtain, the comprehensive notice.

A comprehensive privacy notice must at least contain:

• The identity and address of the data controller
• A description of the personal data that will be processed
• Identification of any sensitive personal data that will be processed, and an affirmative statement that such data will be processed (if applicable)
• The purposes of the data processing, including the primary and any secondary purposes
• The options and means offered by the data controller to data subjects to limit the use, disclosure or processing of their data for any secondary purposes
• The means by which data subjects can revoke their consent
• The means for exercising rights of access, rectification, cancellation or objection (ARCO rights)
• Where appropriate, the types of data transfers to be made, including the purposes of such transfers and the identification of any third parties (not including processors) to whom personal data is transferred
• The procedure and means by which the data controller will notify the data subjects of changes to the Privacy Notice, and Identification of any sensitive personal data that will be processed

A simplified privacy notice must include, at least, the following information:

• The identity and address of the Controller
• The purposes of the data processing, including the primary and any secondary purposes
• The options and means offered by the data controller to data subjects to limit the use, disclosure or processing of their data for any secondary purposes
• How to access or obtain the comprehensive privacy notice

The short form privacy notice must include, at least, the following information:

• The identity and address of the Controller
• The purposes of the data processing, without distinguishing any secondary purposes
• The options and means offered by the data controller to data subjects to limit the use, disclosure or processing of their data for any secondary purposes

In addition to the required information, a privacy notice must be clear and in a comprehensible language, and with an easy structure and design, which means it should among other things, the privacy notice should not use inappropriate, ambiguous, or vague sentences, or refer to texts and documents that are not available for the data subject to review.

The data controller has the burden of proof to show that the privacy notice was provided to the data subjects prior to the processing of their personal data (unless an exception applies). However, controllers are not required to provide a privacy notice where:

• personal data is obtained indirectly and it is intended for historical, statistical, or scientific purposes
• where the personal data collected is not subject to Mexican Privacy Laws (eg, certain business-to-business data as described previously)

Consent to processing

Except as otherwise provided by the Law, some form of consent is required for all processing of personal data; depending upon the circumstances consent may be implicit, express, or express and written:

Implicit (or tacit) consent applies to the processing of personal data generally, except where the Law requires express or express written consent (or where consent is not required):

• Implicit consent is obtained where the data subject has been informed of the privacy notice and has not objected to or refused the processing of personal data as described in the privacy notice.
• Express consent (notice and opt-in) is required for o the processing of financial or asset data.
• Express consent may be obtained verbally, in writing, or via any technology or other unmistakable indication. Express and written consent is required for the processing of sensitive personal data. Express written consent may be obtained through the data subject’s written signature, electronic signature, or any other authentication mechanism.

In addition to the above, express or express written consent must be obtained where otherwise specifically required pursuant to an applicable law.

On the other hand, consent from the data subject is not required (but a privacy notice must still be made available) for the processing of personal data where any of the following apply:

• The processing is required pursuant to an applicable Mexican law
• The data is contained in publicly available sources
• The identity of the data subject has been disassociated from the data (ie, the data subject is no longer identifiable)
• Where the processing is for the purpose of fulfilling obligations pursuant to a legal relationship between the data subject and the data controller
• There is an emergency situation that could potentially harm an individual with regard to his or her person or property
• Processing is essential for medical attention, prevention, diagnosis, health care delivery, medical treatment or health services management, where the data subject is unable to give consent in the manner established by the General Health Law (Ley General de Salud) and other applicable laws, and said processing is carried out by a person subject to a duty of professional secrecy or an equivalent obligation, or
• Pursuant to a resolution issued by a competent authority

Personal data shall be processed with the consent of the personal data subject, unless an exception applies. 

The consent of the data subjects is not necessary where the processing is necessary for:

• performance of a contract to which the personal data subject is party, or implementation of pre-contractual measures, taken at the data subject’s request;
• carrying out an obligation of the controller, under the law;
• protection of the life, physical integrity or health of the personal data subject;
• performance of tasks carried out in the public interest or in the exercise of public authority prerogatives vested in the controller or in a third party to whom the personal data is disclosed;
• the purposes of legitimate interest pursued by the controller or by the third party to whom personal data is disclosed, except where such interest is overridden by the interests for fundamental rights and freedoms of the personal data subject;
• conducting the external public audit;
• statistical, historical or scientific-research purposes, provided that the personal data remains anonymous throughout the processing;
• data exchange, performed in accordance with the applicable legislation on data exchange and interoperability.

Processing of special categories of personal data shall be prohibited, except for cases provided by the Law. Furthermore, Law on Personal Data Protection currently expressly establishes special rules for processing the following: personal data concerning health, data concerning criminal convictions and offences or related security measures, data comprising the national identification number.

Personal data undergoing processing must be:

• processed fairly and lawfully;
• collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes;
• adequate, relevant and not excessive in relation to the purposes for which they are collected and / or further processed;
• accurate and, where necessary, kept up to date;
• kept in a form which permits the identification of personal data subjects for no longer than is necessary for the purposes for which the data was collected and further processed. 

The data controller shall ensure the confidentiality of personal data. The data controller and other persons who have access to the personal data, shall not disclose any information to a third party without the prior consent of the data subject unless one of the following exclusions applies:

• processing relates to data which is voluntary and manifestly made public by the personal data subject;
• the personal data is rendered anonymous. 

The controller must implement appropriate technical and organizational measures to protect personal data against destruction, alteration, blocking, copying, disclosure, and against other unlawful forms of processing, that shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data.

Data processing must be justified by at least one of the following bases:

• The data subject’s consent;
• A legal duty imposed to the data controller;
• A public purpose;
• The performance of a contract entered into between the data controller and the data subject;
• The data controller’s legitimate interests, unless the data subject’s fundamental rights and liberties outweigh the controller’s legitimate interests.

If sensitive personal data is processed, at least one of the above bases must be met plus one from an additional list of more stringent conditions (determined in Article 12 of DPL).

Additionally, the data controller must provide the data subject with fair processing information. This includes information about the identity of the data controller, the purposes of processing, the identity of recipients, the right to oppose, access and amend their data and any other information needed under the circumstances to ensure that the processing is fair.

In accordance with Chapter 2 of the Data Protection Law, state authorities, individuals, legal entities and other natural persons may collect, process and use (i) Personal Data and (ii) Sensitive Personal Data on the grounds provided by law and with the permission of the Data Owner.

The Data Protection Law mainly divides the collection and processing of Personal and Sensitive Personal Data as follows:

• Collection and processing of Personal Data;
• Collection and processing of Sensitive Personal Data;
• Collection and processing of Genetics and Biometric data (types of Sensitive Personal Data); and
• Collection and processing of Personal Data after death of the Data Owner.

State authorities can collect and process Personal Data if:

• permitted to by the Data Owner or permitted by law;
• execution and enforcement of contractual obligations;
• exercising the rights and obligations by the Data Controller during the employment relations;
• enforcement of obligations under the international treaties to which Mongolia is a party to; or
• enforcement actions by authorities as provided under applicable laws without interfering with the legitimate interests and rights of the Data Owner.

Legal entity and any persons other than the state authority can collect and process Personal Data if:

• permitted by the Data Owner or permitted by law;
• execution and enforcement of contractual obligations;
• exercising the rights and obligations by the Data Controller during the employment relations;
• Personal Data became legally available to the public; or
• making historical, scientific, artistic and literary works by maintaining the anonymity of the Data Owner.

Unless otherwise provided under relevant laws, the Data Controller must obtain digital / electronic or written permission from the Data Owner upon presenting the following terms and conditions to the Data Owner:

• Definitive purpose of collecting, processing and using the Personal Data;
• Name and contact information of the Data Controller;
• List of Personal Data to be collected, processed, and used;
• Period of processing and using Personal Data;
• Whether to make the Personal Data publicly available;
• Whether to transfer Personal Data to other persons together with the name of recipient and list of Personal Data to be transferred; and
• Form of cancelling the permission.

The collection, processing and use of Sensitive Personal Data is prohibited except as follows:

• State authorities and other persons as permitted by the Data Owner;
• Health worker to exercise their rights and responsibilities under applicable laws in order to protect the health of an individual; or
• In the process of providing explanations, declarations and evidence in accordance with the law on claims of citizens or legal entities.

Genetic and Biometric data can only be collected and used by the following state authorities in accordance with applicable laws:

• Non-overlapping data of the human body (fingerprints) by the state registration authority for the purposes of civil registration and overseeing the voter registration;
• Biometric data by the border protection authority for the purpose of identifying and verifying a foreign citizen crossing the state border;
• Genetic and biometric information by the competent authorities specified in the law for the purpose of combating, preventing and investigating crimes and violations;
• Genetic and biometric data by court forensic organisation for forensic examination of criminal, civil, administrative and other cases and dispute proceedings;
• Biometric information of the Parliament member for the purposes of attendance and voting; and an employer may, with the employee's permission, use biometric data other than non-identifiable human data (fingerprints) to facilitate the identification and verification of employees in accordance with the internal employment regulations established in accordance with the Labour Law.

Also, Personal Data and Sensitive Personal Data may be collected, processed and used for (i) journalistic purposes or (ii) for the purpose of creating historical, scientific, artistic and literary works and preparing statistical information based on the permission from the Data Owner.

In addition, the Data Protection Law provides that unless otherwise provided by law, (i) if the Data Owner has died or is considered dead, the relevant data shall be collected, processed and used with the written permission of the successor, his / her family member or legal representative and (ii) permission to collect, process or use Sensitive Personal Data is not required 70 years after the death of the Data Owner.

A prerequisite for the legitimate processing of personal data is to obtain the data subject’s valid, informed consent. The consent requirements are explicitly described in the DP Law (e.g. data subjects have to be informed about the purpose and legal basis for the respective processing). The processing of personal data without consent is only allowed under the exceptions listed in the DP Law, (e.g. if the processing is necessary to meet the data controller's statutory obligations under the law or for the protection of life and other vital interests of the data subject who is not capable to personally consent).

As a general matter, in order to comply with the provisions under the DP Law, the processing has to be done in a fair and lawful manner, the type and scope of processed data must be proportionate to the purpose of the respective processing, the data should not be retained longer than necessary in order to meet the defined purpose, and the data has to be accurate, complete and up-to-date.

The personal data must be processed in accordance with the following principles:

• Treated fairly and lawfully;
• Collected for specific, explicit and legitimate purposes;
• Adequate, relevant and not excessive;
• Accurate and necessary and kept up-to-date;
• Kept in a form enabling the person concerned to be identified.

As a general rule, the processing of a personal data must be subject to the prior consent of the relevant data subject.

While the applicable regulations provide that the processing of personal data can be performed without the consent of the relevant data subject in some specific instances, the Moroccan Data Protection Commission rarely accepts that the data controllers process personal data without the consent of the relevant data subject.

Under the Constitution of the Republic of Mozambique, individually identifiable information, concerning political, philosophical or ideological beliefs, religious beliefs, membership in a political party or trade union and (particulars) related to the person’s privacy may not be stored or processed in a database.

The UA Convention states that the processing of personal data for the purposes of interconnection of files, data processing involving biometric data shall be undertaken after authorization by the national protection authority.

Under the Electronic Transaction Law, any electronic collection, processing, or disclosure of personal data by a data controller must be precise, complete, and updated, without prejudice of its confidentiality.  The data processor is required to indicate beforehand the reasons for the data processing and must describe the type of retained personal information by the organization, including a general report of its use.

Processing information containing personal data requires prior notification to INTIC.

By implication from relevant laws, collection and processing of personal data requires consent.

There are no restrictions on the collection and processing of personal data.

Collection

The collection of data by any public body or body corporate is allowed with the consent of the concerned person. In addition to this, the Privacy Act provides an exclusive provision in the context of the collection of data. It provides that no one except the official authorized under law or the person permitted by such official shall collect, store, protect, analyze, process or publish the personal information of any person. Officer authorized under the law means those officials who have been authorized by other laws to collect the information such as investigating authority, collection of prescribed information by the civil service officer. 

Processing

Privacy Act prohibits to process the sensitive information. However, the sensitive information can also be processed in following circumstances:

• in the course of alleviation of disease, public health protection, disease identification, health treatment, management of health institution and providing health service by the health worker, without insulting or letting the concerned person feel inferior;
• if the concerned person has published the information himself or herself.

The revised Draft Information Technology and Cyber Security Bill, 2024 (“IT Bill”), which is yet to be passed and made into law by the Parliament, has also added provisions relating to privacy (Section 80). It states that personal details collected from an individual in an information technology system shall not be used, disseminated, or exchanged for any purposes other than the disclosed purpose without the consent of the data subject. It also stipulates that personal information collected and stored for a specific purpose shall be destroyed, with assurance to the data subject, within 30 days after fulfillment of that purpose. The applicable punishment for violation of this provision will result in fine of up to NPR 5,00,000 or three years of imprisonment or both.

EU regulation

Data Protection Principles

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under these principles, personal data must be (Article 5):

• Processed lawfully, fairly and in a transparent manner (lawfulness, fairness and transparency principle)
• Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (purpose limitation principle)
• Adequate, relevant and limited to what is necessary in relation to the purpose(s) (data minimization principle)
• Accurate and where necessary kept up-to-date (accuracy principle)
• Kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which the data are processed (storage limitation principle)
• Processed in a manner that ensures appropriate security of the personal data, using appropriate technical and organizational measures (integrity and confidentiality principle)

The controller is responsible for and must be able to demonstrate compliance with the above principles (accountability principle). Accountability is a core theme of the GDPR. Organizations must not only comply with the GDPR but also be able to demonstrate compliance perhaps years after a particular decision relating to processing personal data was taken. Record keeping, audit and appropriate governance will all form a key role in achieving accountability.

Legal Basis under Article 6

In addition, in order to satisfy the lawfulness principle, each use of personal data must be justified by reference to an appropriate basis for processing. The legal bases (also known lawful bases or lawful grounds) under which personal data may be processed are (Article 6(1)):

• With the consent of the data subject (where consent must be "freely given, specific, informed and unambiguous", and must be capable of being withdrawn at any time)
• Where necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract
• Where necessary to comply with a legal obligation (of the EU) to which the controller is subject
• Where necessary to protect the vital interests of the data subject or another person (generally recognized as being limited to 'life or death' scenarios, such as medical emergencies)
• Where necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller
• Where necessary for the purposes of the legitimate interests of the controller or a third party (which is subject to a balancing test, in which the interests of the controller must not override the interests or fundamental rights and freedoms of the data subject. Note also that this basis cannot be relied upon by a public authority in the performance of its tasks)

Special Category Data

Processing of special category data is prohibited (Article 9), except where one of the following exemptions applies (which, in effect, operate as secondary bases which must be established for the lawful processing of special category data, in addition to an Article 6 basis):

• With the explicit consent of the data subject
• Where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and social protection law or a collective agreement
• Where necessary to protect the vital interests of the data subject or another natural person who is physically or legally incapable of giving consent
• In limited circumstances by certain not-for-profit bodies
• Where processing relates to the personal data which are manifestly made public by the data subject
• Where processing is necessary for the establishment, exercise or defense of legal claims or where courts are acting in their legal capacity
• Where necessary for reasons of substantial public interest on the basis of Union or Member State law, proportionate to the aim pursued and with appropriate safeguards
• Where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, provision of health or social care or treatment of the management of health or social care systems and services
• Where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of health care and of medical products and devices
• Where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with restrictions set out in Article 89(1)

Member States are permitted to introduce domestic laws including further conditions and limitations for processing with regard to processing genetic data, biometric data and health data.

Criminal Convictions and Offences data

Processing of personal data relating to criminal convictions and offences is prohibited unless carried out under the control of an official public authority, or specifically authorised by Member State domestic law (Article 10).

Processing for a Secondary Purpose

Increasingly, organizations wish to 're-purpose' personal data - i.e. use data collected for one purpose for a new purpose which was not disclosed to the data subject at the time the data were first collected. This is potentially in conflict with the core principle of purpose limitation; to ensure that the rights of data subjects are protected. The GDPR sets out a series of factors that the controller must consider to ascertain whether the new process is compatible with the purposes for which the personal data were initially collected (Article 6(4)). These include:

• Any link between the original purpose and the new purpose
• The context in which the data have been collected
• The nature of the personal data, in particular whether special categories of data or data relating to criminal convictions are processed (with the inference being that if they are it will be much harder to form the view that a new purpose is compatible)
• The possible consequences of the new processing for the data subjects
• The existence of appropriate safeguards, which may include encryption or pseudonymization

If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new purpose are consent or a legal obligation (more specifically an EU or Member State law which constitutes a necessary and proportionate measure in a democratic society).

Transparency (Privacy Notices)

The GDPR places considerable emphasis on transparency, ie, the right for a data subject to understand how and why his or her data are used, and what other rights are available to data subjects to control processing. The presentation of granular, yet easily accessible, privacy notices should, therefore, be seen as a cornerstone of GDPR compliance.

Various information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using clear and plain language (Article 12(1)).

The following information must be provided (Article 13) at the time the data are obtained: 

• The identity and contact details of the controller
• The data protection officer's contact details (if there is one)
• Both the purpose for which data will be processed and the legal basis for processing, including, if relevant, the legitimate interests for processing
• The recipients or categories of recipients of the personal data
• Details of international transfers
• The period for which personal data will be stored or, if that is not possible, the criteria used to determine this
• The existence of rights of the data subject including the right to access, rectify, require erasure, restrict processing, object to processing and data portability
• Where applicable, the right to withdraw consent, and the right to complain to supervisory authorities
• The consequences of failing to provide data necessary to enter into a contract
• The existence of any automated decision making and profiling and the consequences for the data subject
• In addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that further processing, providing the above information

Somewhat different requirements apply (Article 14) where information has not been obtained from the data subject.

Rights of the Data Subject

Data subjects enjoy a range of rights to control the processing of their personal data, some of which are very broadly applicable, while others only apply in quite limited circumstances. Controllers must provide information on action taken in response to requests within one calendar month as a default, with a limited right for the controller to extend this period thereby a further two months where the request is onerous.

Right of access (Article 15)

A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information about the how the data have been used by the controller.

Right to rectify (Article 16)

Data subjects may require inaccurate or incomplete personal data to be corrected or completed without undue delay.

Right to erasure ('right to be forgotten') (Article 17)

Data subjects may request erasure of their personal data. The forerunner of this right made headlines in 2014 when Europe’s highest court ruled against Google (Judgment of the CJEU in Case C-131/12), in effect requiring Google to remove search results relating to historic proceedings against a Spanish national for an unpaid debt on the basis that Google as a data controller of the search results had no legal basis to process that information.

The right is not absolute; it only arises in quite a narrow set of circumstances, notably where the controller no longer needs the data for the purposes for which they were collected or otherwise lawfully processed, or as a corollary of the successful exercise of the objection right, or of the withdrawal of consent.

Right to restriction of processing (Article 18)

Data subjects enjoy a right to restrict processing of their personal data in defined circumstances. These include where the accuracy of the data is contested; where the processing is unlawful; where the data are no longer needed save for legal claims of the data subject, or where the legitimate grounds for processing by the controller are contested.

Right to data portability (Article 20)

Where the processing of personal data is justified either on the basis that the data subject has given his or her consent to processing or where processing is necessary for the performance of a contract, then the data subject has the right to receive or have transmitted to another controller all personal data concerning him or her in a structured, commonly used and machine-readable format (e.g. commonly used file formats recognized by mainstream software applications, such as .xsl).

Right to object (Article 21)

Data subjects have the right to object to processing on the legal basis of the legitimate interests of the data controller or where processing is in the public interest. Controllers will then have to suspend processing of the data until such time as they demonstrate “compelling legitimate grounds” for processing which override the rights of the data subject.

In addition, data subjects enjoy an unconditional right to object to the processing of personal data for direct marketing purposes at any time. 

The right not to be subject to automated decision taking, including profiling (Article 22)

Automated decision making (including profiling) "which produces legal effects concerning [the data subject] … or similarly significantly affects him or her" is only permitted where: 

1. Necessary for entering into or performing a contract
2. Authorized by EU or Member State law
3. The data subject has given their explicit (i.e. opt-in) consent

Further, where significant automated decisions are taken on the basis of grounds (a) or (c), the data subject has the right to obtain human intervention, to contest the decision, and to express his or her point of view.

---

Netherlands regulation

Special categories of personal data (Article 9)

Article 9(2) of the GDPR provides for a number of exceptions under which special categories of personal data may lawfully be processed. Certain of these exceptions require a basis in Member State law.

Division 3.1 of the Implementation Act provides for various exceptions for the processing of different types of special categories of personal data, subject to stringent conditions. Important examples include exceptions for:

• Scientific or historical research or statistical purposes
• The processing of personal data revealing racial or ethnic origin
• The processing of personal data revealing political opinions for the performance of public duties
• The processing of personal data revealing religious or philosophical beliefs for spiritual care
• Genetic, biometric and health data

Criminal convictions and offences data (Article 10)

The processing of criminal conviction or offences data is prohibited by Article 10 of the GDPR, except where specifically authorized under relevant Member State law.

Division 3.2 of the Implementation Act provides several exceptions for the processing of criminal convictions and offences data.

The following general grounds for exemptions for processing criminal convictions and offences data apply:

• Explicit consent by the data subject
• Protection of a data subject's vital interests
• Processing related to personal data manifestly made public by the data subject
• Processing necessary for the establishment, exercise or defense of legal claims or whenever courts are acting in their judicial capacity
• Processing necessary for reasons of substantial public interest
• Processing necessary for scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the GDPR, and the conditions referred to in Section 24(b) to (d) of the Implementation Act have been met

Specific exceptions may apply on the basis of Article 33 of the Implementation Act, eg, where the processing is carried out by bodies that are responsible pursuant to law for applying criminal law, or where the processing is necessary in order to assess a request from the data subject to take a decision on him or her or to provide a service to him or her.

Child's consent to information society services (Article 8)

The Netherlands did not make use of the option to provide for a lower age limit for the processing of personal data of a child on the basis of Article 8, GDPR.

Automated Decision Making (Article 22)

The Netherlands has made use of the possibility provided by Article 22(2)(b) GDPR, and has implemented exceptions from the prohibition on automated individual decision-making. Article 40 of the Implementation Act sets out that Article 22(1) of the GDPR does not apply if the automated individual decision-making, other than based on profiling, is necessary for compliance with a legal obligation to which the controller is subject or for the performance of a task carried out for reasons of public interest. Examples provided by the Explanatory Memorandum to the Implementation Act concern situations where there may be automated individual decision making on the basis of strictly individual characteristics, eg, in the case of awarding certain allowances (eg, study allowances, child allowances), where there is no reason to require human intervention. In such cases, the controller must take suitable measures to safeguard the data subject's rights, freedoms and legitimate interests. Such suitable measures will in any case have been taken if the right to obtain human intervention, the data subject’s right to express his or her point of view and the right to contest the decision, have been safeguarded.

Processing of national identification number (Article 87)

Article 87 of the GDPR sets out that Member States may further determine the specific conditions for the processing of a national identification number. The Netherlands has made use of this possibility: Article 46 of the Implementation Act sets out that a national identification number may only be processed where explicitly allowed by law, and only for those purposes stipulated by the relevant law.

Subject to specific exceptions, agencies may collect, store and process personal information in accordance with the 13 IPPs summarised below.

IPP 1 – Purpose of collection of personal information

An agency must not collect personal information other than for a lawful purpose connected to the agency's functions, and only if the collection of the information is necessary for that purpose.

IPP 2 – Source of personal information

An agency must collect information directly from the relevant individual, unless one of the specified exceptions applies, which include if collection from the individual is not practical in the circumstances, if collection from a third party would not prejudice the interests of the individual, or if the information is publicly available.

IPP 3 – Collection of personal information from subject

Before collecting personal information, an agency has to make the relevant individual aware of certain things, such as the fact that information is being collected, the purposes for which it will be used, and the right to access and request correction of personal information. This is typically done by way of a privacy policy. There are several exceptions where the person collecting information would not need to comply with IPP 3, including where compliance is not reasonably practicable in the circumstances.

IPP 4 – Manner of collection of personal information

Agencies cannot collect personal information by unlawful or unfair means, or in a manner that intrudes to an unreasonable extent upon the personal affairs of the individual concerned. Particular care must be taken when collecting personal information from children or young persons.

IPP 5 – Storage and security of personal information

Agencies must ensure personal information is protected by reasonable security safeguards against loss and unauthorised access, use, modification or disclosure or other misuse. If it is necessary to give personal information to another person (e.g. a service provider), an agency must do everything reasonably within its power to prevent unauthorised use or disclosure of that information.

IPP 6 – Access to personal information

Where an agency holds personal information about an individual, subject to certain exceptions, if requested by the individual, the agency must confirm whether it holds the information and grant the individual access to it. The exceptions include where the information is not readily retrievable or:

• the refusal is for the protection of the health, safety or similar of an individual;
• in an employment context, the information is evaluative (e.g. compiled for the purpose of determining the suitability of an individual for employment) and disclosure would breach an implied promise that was made to the person who supplied the information;
• the information needs protecting because it would involve disclosure of a trade secret or be likely to unreasonably prejudice the commercial position of the person who supplied the information, unless the public interest in disclosure outweighs the withholding of the information;
• the information does not exist or cannot be found;
• the disclosure would involve the unwarranted disclosure of the affairs of another individual;
• the disclosure would breach legal professional privilege; or
• the request is frivolous or vexatious, or the information requested is trivial.

IPP 7 – Correction of personal information

An individual can request an agency to correct information the agency holds about the individual, or attach a statement of a correction sought but not made. If an agency has corrected personal information or attached a statement of a correction sought but not made, if reasonably practicable, it will inform each person or entity to whom it has disclosed that information of that correction or statement. The agency must inform the individual of any action taken as a result of the individuals request.

IPP 8 – Accuracy of personal information to be checked before use or disclosure

Agencies must take reasonable steps to ensure personal information they hold is accurate, up to date, complete, relevant, and not misleading.

IPP 9 – Agency not to keep personal information for longer than necessary

Agencies must not keep personal information for longer than is required for the purposes for which the information may lawfully be used.

IPP 10 – Limits on use of personal information

Agencies must not use personal information obtained in connection with one purpose for any other purpose unless the agency reasonably believes:

• the source of the information is publicly available and it would not be unfair or unreasonable to use that information;
• the use of the information for the other purpose is authorised by the relevant individual;
• non–compliance is necessary to avoid prejudice to the maintenance of the law by any public sector agency:
  • for the enforcement of a law imposing a pecuniary penalty;
  • for the protection of public revenue; or
  • for the conduct of proceedings before a court or tribunal;
• the use of the information for the other purpose is necessary to prevent or lessen a serious threat to public health or safety, or the life or health of an individual;
• the other purpose is directly related to the purpose for which the information was obtained, or the information is used in a form where the individual is not identified, or is used for statistical or research purposes and will not be published in a form where the individual could reasonably be expected to be identified.

IPP 11 – Limits on disclosure of personal information

Agencies must not disclose personal information for any purpose other than the purpose for which it was collected or a purpose directly related to the purpose for which it was collected unless the agency reasonably believes:

• the source of the information is publicly available and it would not be unfair or unreasonable to disclose that information;
• the disclosure is to the relevant individual;
• the disclosure is authorised by the relevant individual;
• non-compliance is necessary:
  • to avoid prejudice to the maintenance of the law by any public sector agency;
  • for the enforcement of a law imposing a pecuniary penalty;
  • for the protection of public revenue; or
  • for the conduct of proceedings before a court or tribunal;
• the disclosure of the information is necessary to prevent or lessen a serious threat to public health or safety, or the life or health of an individual;
• the disclosure is necessary to enable an intelligence and security agency to perform any of its functions;
• the disclosure is necessary to facilitate the sale or other disposition of a business as a going concern; or
• the information is to be used in a form where the individual is not identified, or is used for statistical or research purposes and will not be published in a form where the individual could reasonably be expected to be identified.

IPP 12 – Disclosure to an overseas person

Agencies must not disclose personal information to a foreign person or entity unless the agency reasonably believes:

• the relevant individual authorises the disclosure after being informed by the agency that the foreign person or entity may not be required to protect the information in a way that provides comparable safeguards to those in the Act;
• the foreign person or entity is carrying on business in New Zealand and the agency reasonably believes that, in relation to the information being disclosed, the foreign person or entity is subject to the Act;
• the foreign person or entity is subject to privacy laws that provide comparable safeguards to those in the Act;
• the foreign person or entity is a participant in a prescribed binding scheme;
• the foreign person or entity is subject to privacy laws of a prescribed country; or
• the foreign person or entity is required to protect the information in a way that provides comparable safeguards to those in the Act (for example, pursuant to contractual clauses). New Zealand's Privacy Commissioner has released model contractual clauses that can be used to satisfy these exceptions, but it is not mandatory to use these exact provisions.

IPP 13 – Unique identifiers

Agencies can only assign 'unique identifiers' to an individual if it is necessary to enable the agency to carry out one or more of its functions efficiently. The agency must not assign an individual a unique identifier that it knows has been assigned to that individual by another agency unless the unique identifier is being used for statistical or research purposes only. Additionally, the agency must take reasonable steps to ensure that unique identifiers are only assigned to individuals whose identities are clearly established and that the risk of the unique identifiers being misused is minimised. An agency must not require an individual to disclose any unique identifier assigned to them unless the disclosure is one of the purposes, or directly related to one of the purposes, for which that unique identifier was assigned.

The law defines data processing as those systematic operations and procedures, automated or not, that allow the collection, registration, recording, conservation, ordering, storage, modification, updating, evaluation, blocking, destruction, deletion, use and cancellation, as well as the transfer of personal data resulting from communications, consultations, interconnections and transfers. 

Personal data may only be processed, when they are adequate, proportional and necessary in relation to the scope and specific, explicit and legitimate purposes for which they have been requested. 

The purpose of processing the personal data of the user should be to facilitate the improvement, expansion, sale, billing, management, provision of services and acquisition of goods.

In accordance with Article 37 of the Personal Data Act 2022 referred to above, Any processing of personal data can only take place if the person concerned, the data subject, has expressed his consent in a free, specific, informed, and unambiguous manner. The processing of personal data is considered legitimate if the data subject gives his / her prior express consent.

Article 37 also waives the requirement for prior consent where the controller is duly authorised and the processing is necessary for:

• the performance of a contract to which the data subject is party or in order to take pre-contractual measures at his request;
• complying with a legal obligation to which the controller is subject to;
• protecting the interests or fundamental rights and freedoms of the data subject; and
• the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed.

The collection and processing of personal data must comply with the principles provided for in articles 39, 40 and 41 of the aforementioned 2022 law on personal data, namely:

• The principles of lawfulness, fairness and transparency: Data must be processed fairly, lawfully, and transparently. The lawfulness of the processing refers to its legal basis (legal obligation, contractual obligation, etc.). Fairness of processing refers to the manner in which the data are collected. This principle refers to the individual's right to information. Data must not have been collected and must not be processed without the knowledge of the data subject. This principle also requires providing data subjects with several pieces of information (on the processing of their data, but also on their rights);
• The principle of proportionality: Data must be adequate, relevant, and not excessive in relation to the purposes for which they are collected and further processed. The data controller must not collect more data than it actually needs. Thus, only data strictly necessary for the achievement of the specified purpose must be collected;
• The principle of accuracy: The data must also be accurate and, where necessary, updated. Every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they are collected and further processed, are erased or rectified.

The obligations of the Data controller include among other things:

• data is collected and processed fairly and lawfully;
• data is collected for specified, explicit and legitimate purposes and subsequently processed in a manner that is compatible with such purposes;
• data is adequate, relevant and not excessive in relation to the purposes for which it was collected;
• collected data is accurate, complete;
• collected data is retained in a form that allows the identification of the data subjects for a period that is no longer than necessary for the purposes for which it was collected;
• data subjects are informed of the data processing;
• data subjects have given their consents to the data processing;
• data subjects have the right to access the data and request amendments or deletions;
• persons with access to the system can only access the data they are allowed to;
• non-authorised persons cannot read, copy, modify, destroy, or move data;
• all data introduced in the system is authorised;
• non-authorised persons will not use data transmission facilities to enter into the data processing system;
• the identities of third parties having access to personal data will be checked;
• data is backed up with security copies; and
• data is renewed and converted to preserve it.

In accordance with the provisions of the Personal Data Act 2022, the processing of personal data is subject to a prior notification to the HAPDP. The notification must include an undertaking that the processing meets the requirements of the Law.

However, for certain types of personal data processing, the prior authorisation of the HAPDP is required. This is particularly the case for the processing of personal data relating to genetic, medical data, and scientific research

By contrast, the Data subject is entitled to an number of rights of which some are listed below:

Right of information

Pursuant to Article 68 of the Personal Data Act 2022, the data controller must inform the data subject of:

• the identity and, where applicable, that of its duly authorised representative;
• the specific purposes of the processing for which the data is intended;
• the categories of data concerned;
• the recipient(s) to whom the data may be communicated;
• the possibility of refusing to appear on the file;
• the existence of a right of access to data concerning the person and a right to rectify this data; and
• the possibility of any data transfer to a third party.

Right of access

Pursuant to Article 69 of the Personal Data Act 2022 , the data subjects can obtain from the data controller the following:

• information allowing to know and dispute the processing of personal data;
• confirmation of whether his / her personal data forms part of the processing;
• a copy of the data subject's personal data, as well as any available information on the data's origin; and
• information relating to the purposes of the processing, the categories of personal data processed and the recipients or categories of recipients to whom the data are communicated.

Right to rectification

Under the provisions of Article 71 of the Personal Data Act 2022 , any natural person who can prove his or her identity may require the data controller to rectify, complete, update, block, or delete, as the case may be, any personal data concerning him or her that is inaccurate, incomplete, ambiguous, out of date, or whose collection, use, communication, or storage is prohibited.

Right to erasure

Under the provisions of Article 73 of the Personal Data Act 2022 , the data subject shall have the right to obtain from the controller the erasure of personal data relating to him or her and the cessation of the dissemination of such data, in particular with regard to personal data which the data subject made available when he / she was a minor, or for one of the following reasons:

• the data is no longer necessary for the purposes for which they were collected or processed;
• the data subject has withdrawn the consent on which the processing is based or where the authorised retention period has expired and there are no other legal grounds for processing the data;
• the data subject objects to the processing of personal data relating to him or her where there is no legal ground for such processing;
• the data processing does not comply with the provisions of this Law; or
  for any other legitimate reason.

Right to object

In light of Article of the Personal Data Act 2022 , any data subject has the right to:

• oppose the processing of their personal data;
• oppose the processing of their personal data for prospecting purposes; and
• be informed before his / her personal data is communicated to third parties.

Interconnection of personal data shall: 

• not discriminate against or limit the fundamental rights, freedoms, and guarantees of data holders; 
• ensure the use of appropriate safety measures; and 
• take into account the principle of relevance (Article of the Personal Data Act 2022).

Collection

Personal Data must be collected and processed in accordance with a specific, legitimate and lawful purpose consented to by the Data Subject:

• Prior to Personal Data collection, Controllers must provide Data Subjects with relevant information, including the identity and contact details of the Controller, contact details of its Data Protection Officer and the intended purpose and legal basis for Personal Data processing;
• The legitimate interests pursued by the Controller or third party must be stated;
• The recipients or categories of recipients of the Personal Data, if any;
• Where applicable, the fact that the Controller intends to transfer Personal Data to a third country or international organization, and the existence or absence of an adequacy decision by the Agency, the period for which the Personal Data will be stored, or if that is not possible, the criteria used to determine that period;
• Data subjects must be provided with notice of their right to:
  1. request access to and rectification of Personal Data maintained by the Controller;
  2. withdraw consent for further processing by the Controller at any time; and
  3. lodge a complaint with the relevant authority; and
• Where the Controller intends to process Personal Data for a purpose other than for which it was collected, the
  Controller must provide Data Subjects with any relevant information on the additional purpose prior to further processing.

Processing

Personal Data Processing is lawful if at least one of the following applies:

• The data subject has given consent to the processing of his or her Personal Data for one or more specific purposes and the data is processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing, access, loss, destruction, damage, or any form of data breach;
• Processing is necessary for compliance with a legal obligation to which the Controller is subject under;
• Processing is necessary in order to protect the vital interests of the data subject or of another natural person;
• Processing is necessary for the performance of a contract to which the Data Subject is party to or in order to take steps at the request of the Data Subject prior to entering into a contract;

• Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller or data processor; or

• For the purposes of the legitimate interests pursued by the data controller or data processor, or by a third party to whom the data is disclosed. Interest in processing personal data can only be legitimate if:

  1. they do not override the fundamental rights, freedoms and the interests of the data subject;

  2. they are compatible with other lawful basis of processing above with the exception of consent;

  3. the data subject would have a reasonable expectation that the personal data would be processed in the manner envisaged. 

Data processing by a third party is governed by a written contract between the third party and the authorised Data Controller. Accordingly, any person engaging a third party to process the data obtained from Data Subjects shall ensure compliance with the Nigerian Data Protection Act 2023.

The DP Law operates on the basis of the principles of lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality and accountability.

The requirement of carrying out the data processing lawfully means that, amongst other, it should be based upon adequate legal ground. Such legal ground is either a data subject's consent (relating to specified, explicit and legitimate purpose/-s) or one of the remaining grounds explicitly prescribed by the DP Law which include:

• necessity of a particular processing for the performance of a contract to which a data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
• necessity for compliance with a legal obligation to which the data controller is subject;
• necessity for the protection of the vital interests of the data subject or of another natural person;
• necessity for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller, and
• necessity for realization of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

The processing of special categories of personal data is prohibited, unless an exception prescribed with the DP Law applies.

Data subjects are entitled to a range of rights under the DP Law, including right of access, right to rectify, right to erasure (‘right to be forgotten’), right to restriction of processing, right to data portability, right to object, right not to be subject to automated decision making, including profiling.

EU regulation

Data Protection Principles

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under these principles, personal data must be (Article 5):

• processed lawfully, fairly and in a transparent manner (the "lawfulness, fairness and transparency principle");
• collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (the "purpose limitation principle");
• adequate, relevant and limited to what is necessary in relation to the purpose(s) (the "data minimization principle");
• accurate and where necessary kept up-to-date (the "accuracy principle");
• kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which the data are processed (the "storage limitation principle"); and
• processed in a manner that ensures appropriate security of the personal data, using appropriate technical and organizational measures (the "integrity and confidentiality principle").

The controller is responsible for and must be able to demonstrate compliance with the above principles (the "accountability principle"). Accountability is a core theme of the GDPR. Organizations must not only comply with the GDPR but also be able to demonstrate compliance perhaps years after a particular decision relating to processing personal data was taken. Record-keeping, audit and appropriate governance will all form a key role in achieving accountability.

Legal Basis under Article 6

In addition, in order to satisfy the lawfulness principle, each use of personal data must be justified by reference to an appropriate basis for processing. The legal bases (also known lawful bases or lawful grounds) under which personal data may be processed are (Article 6(1)):

• with the consent of the data subject (where consent must be "freely given, specific, informed and unambiguous", and must be capable of being withdrawn at any time);
• where necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract;
• where necessary to comply with a legal obligation (of the EU) to which the controller is subject;
• where necessary to protect the vital interests of the data subject or another person (generally recognized as being limited to 'life or death' scenarios, such as medical emergencies);
• where necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller; or
• where necessary for the purposes of the legitimate interests of the controller or a third party (which is subject to a balancing test, in which the interests of the controller must not override the interests or fundamental rights and freedoms of the data subject. Note also that this basis cannot be relied upon by a public authority in the performance of its tasks).

Special Category Data

Processing of special category data is prohibited (Article 9), except where one of the following exemptions applies (which, in effect, operate as secondary bases which must be established for the lawful processing of special category data, in addition to an Article 6 basis):

• with the explicit consent of the data subject;
• where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and social protection law or a collective agreement;
• where necessary to protect the vital interests of the data subject or another natural person who is physically or legally incapable of giving consent;
• in limited circumstances by certain not-for-profit bodies;
• where processing relates to the personal data which are manifestly made public by the data subject;
• where processing is necessary for the establishment, exercise or defense of legal claims or where courts are acting in their legal capacity;
• where necessary for reasons of substantial public interest on the basis of Union or Member State law, proportionate to the aim pursued and with appropriate safeguards;
• where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, provision of health or social care or treatment of the management of health or social care systems and services;
• where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of health care and of medical products and devices; or
• where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with restrictions set out in Article 89(1).

Member States are permitted to introduce domestic laws including further conditions and limitations for processing with regard to processing genetic data, biometric data and health data.

Criminal Convictions and Offences data

Processing of personal data relating to criminal convictions and offences is prohibited unless carried out under the control of an official public authority, or specifically authorized by Member State domestic law (Article 10).

Processing for a Secondary Purpose

Increasingly, organizations wish to 're-purpose' personal data - ie, use data collected for one purpose for a new purpose which was not disclosed to the data subject at the time the data were first collected. This is potentially in conflict with the core principle of purpose limitation; to ensure that the rights of data subjects are protected. The GDPR sets out a series of factors that the controller must consider to ascertain whether the new process is compatible with the purposes for which the personal data were initially collected (Article 6(4)). These include:

• any link between the original purpose and the new purpose
• the context in which the data have been collected
• the nature of the personal data, in particular whether special categories of data or data relating to criminal convictions are processed (with the inference being that if they are it will be much harder to form the view that a new purpose is compatible)
• the possible consequences of the new processing for the data subjects
• the existence of appropriate safeguards, which may include encryption or pseudonymization.

If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new purpose are consent or a legal obligation (more specifically an EU or Member State law which constitutes a necessary and proportionate measure in a democratic society).

Transparency (Privacy Notices)

The GDPR places considerable emphasis on transparency, ie, the right for a data subject to understand how and why his or her data are used, and what other rights are available to data subjects to control processing. The presentation of granular, yet easily accessible, privacy notices should, therefore, be seen as a cornerstone of GDPR compliance.

Various information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using clear and plain language (Article 12(1)).

The following information must be provided (Article 13) at the time the data are obtained: 

• the identity and contact details of the controller;
• the data protection officer's contact details (if there is one);
• both the purpose for which data will be processed and the legal basis for processing, including, if relevant, the legitimate interests for processing;
• the recipients or categories of recipients of the personal data;
• details of international transfers;
• the period for which personal data will be stored or, if that is not possible, the criteria used to determine this;
• the existence of rights of the data subject including the right to access, rectify, require erasure, restrict processing, object to processing and data portability;
• where applicable, the right to withdraw consent, and the right to complain to supervisory authorities;
• the consequences of failing to provide data necessary to enter into a contract;
• the existence of any automated decision making and profiling and the consequences for the data subject; and
• in addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that further processing, providing the above information.

Somewhat different requirements apply (Article 14) where information has not been obtained from the data subject.

Rights of the Data Subject

Data subjects enjoy a range of rights to control the processing of their personal data, some of which are very broadly applicable, whilst others only apply in quite limited circumstances.   Controllers must provide information on action taken in response to requests within one calendar month as a default, with a limited right for the controller to extend this period thereby a further two months where the request is onerous.

Right of access (Article 15)

A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information about the how the data have been used by the controller.

Right to rectify (Article 16)

Data subjects may require inaccurate or incomplete personal data to be corrected or completed without undue delay.

Right to erasure ('right to be forgotten') (Article 17)

Data subjects may request erasure of their personal data. The forerunner of this right made headlines in 2014 when Europe’s highest court ruled against Google (Judgment of the CJEU in Case C-131/12), in effect requiring Google to remove search results relating to historic proceedings against a Spanish national for an unpaid debt on the basis that Google as a data controller of the search results had no legal basis to process that information.

The right is not absolute; it only arises in quite a narrow set of circumstances, notably where the controller no longer needs the data for the purposes for which they were collected or otherwise lawfully processed, or as a corollary of the successful exercise of the objection right, or of the withdrawal of consent.

Right to restriction of processing (Article 18)

Data subjects enjoy a right to restrict processing of their personal data in defined circumstances. These include where the accuracy of the data is contested; where the processing is unlawful; where the data are no longer needed save for legal claims of the data subject, or where the legitimate grounds for processing by the controller are contested.

Right to data portability (Article 20)

Where the processing of personal data is justified either on the basis that the data subject has given his or her consent to processing or where processing is necessary for the performance of a contract, then the data subject has the right to receive or have transmitted to another controller all personal data concerning him or her in a structured, commonly used and machine-readable format (e.g. commonly used file formats recognised by mainstream software applications, such as .xsl).

Right to object (Article 21)

Data subjects have the right to object to processing on the legal basis of the legitimate interests of the data controller or where processing is in the public interest. Controllers will then have to suspend processing of the data until such time as they demonstrate “compelling legitimate grounds” for processing which override the rights of the data subject.

In addition, data subjects enjoy an unconditional right to object to the processing of personal data for direct marketing purposes at any time. 

The right not to be subject to automated decision making, including profiling (Article 22)

Automated decision making (including profiling) "which produces legal effects concerning [the data subject] … or similarly significantly affects him or her" is only permitted where: 

1. necessary for entering into or performing a contract;
2. authorized by EU or Member State law; or 
3. the data subject has given their explicit (ie, opt-in) consent.

Further, where significant automated decisions are taken on the basis of grounds (a) or (c), the data subject has the right to obtain human intervention, to contest the decision, and to express his or her point of view.

---

Norway regulation

Scope

The PDA and GDPR does not apply to processing activities by physical persons for purely private or family purposes or for processing activities within the justice administration sector. For processing activities for journalistic purposes or academic, artistic or literary expressions, only GDPR articles 24, 26, 28, 29, 32 and 40-43 applies, as well as PDA chapter 6 on supervision and complaints and chapter 7 on sanctions and coercive fines.

Age limit to consent to information society services

According to the PDA section 5, the age limit to consent to information society services is 13 years.

Processing of special categories of personal data

Processing of special categories of personal data is allowed when necessary to perform rights or obligations within the field of employment law.

The Norwegian Data Protection Authority may authorize the processing of sensitive personal data where the processing is in the public interest.

The Norwegian Data Protection Authority can also issue specific regulations allowing for the processing of special categories of data.

Processing of information relating to criminal offences

According to the PDA, the processing of information about criminal offences is subject to the regulations as GDPR article 9(2)(a), (c) and (f) as well as the PDA sections 6, 7 and 9, i.e. the same provisions as the processing of special categories of personal data.

Use of personal ID numbers

Personal ID numbers unique identifiers may only be processed where there are reasonable grounds to require proper identification and the use of personal ID numbers is necessary for such identification.

Specific rules on consent

The PDA contains provisions relating to processing of special categories of personal data for e.g., scientific purposes without the consent of the data subject provided that the processing is covered by necessary warranties in accordance with the GDPR Article 89(1). There is no specific general regulation as regards safeguards according to GDPR Article 89, paragraph 1.

Before processing special categories of data, the data controller should consult and seek advice from the Data Protection Officer ("DPO") in accordance with GDPR Article 37.

The above-mentioned advice from the DPO must consider whether the processing will meet the requirements of GDPR and other provisions laid down in the Norwegian Implementation Act. The consultation obligation with the DPO does not apply if an assessment has been made of privacy implications according to GDPR Article 35.

The duty to consult with a DPO also applies to the extent that processing of special categories of data for statistics of scientific purposes is based on consent.

Exemption to data subject rights to access and information

The PDA contains some exemption to the right to access and information according to GDPR Article 13-15 to if the information:

1. is of relevance for Norwegian foreign policy or national security;
2. must be kept secret in order to prevent, investigate, disclose and prosecute criminal acts;
3. that is considered that inadvisable that the data subject obtains due to the health situation of the relevant person or the relationship to close relationships of such persons;
4. subject to duty of confidentiality by law;
5. which only is found in text prepared for internal purposes and not disclosed to others;
6. where disclosure would be in breach of obvious and fundamental private or public interests.

Any denial of access according to the above shall be provided by way of a written explanation.

The right of access according to GDPR Article 15 does not apply to the processing of personal data for archival purposes in the public interest, purpose related to scientific or historical research or statistical purposes in accordance with GDPR Article 89. No. 1 so far as:

1. it will require a disproportionate effort to give access; or
2. the right of access will make it impossible or seriously impair the achievement of the specific purposes.

The right to rectification and restriction in accordance with GDPR Article 16 and 18 does not apply to processing for archival purposes in the public domain interest, purposes related to scientific or historical research or statistical purposes in accordance with GDPR Article 89 No. 1 as far as it is likely that the rights make it impossible or seriously impair the achievement of the specific purposes.

The above exemptions do not apply if the processing has legal effects or directly has factual effects for the data subject.

Access to employee email

A separate regulation (FOR-2018-07-02-1108) issued under the Working Environmental Act (LOV-2005-06-17-62) contains the conditions and procedures that have to be followed for accessing employee emails by an employer. Access to employee email can only take place if there is a legitimate interest or if it is necessary to secure daily operations or if there is a suspicion that the email has been used in such a manner that it is a clear violation of the working relationship or could lead to dismissal or termination of employment.

The employee shall, as far as possible, be given notice and be able to participate when access to email is made.

CCTV surveillance in the workplace

A separate regulation (FOR-2018-07-02-1107) has also been adopted under the Working Environmental Act and contains provisions on the legality of CCTV surveillance in the workplace, notification and deletion obligations, as well as the legality of transfer of CCTV recordings. CCTV monitoring in the workplace may only take place where it is needed to prevent dangerous situations from arising and to safeguard the safety of employees or others, or where there otherwise is a special need for the monitoring. The regulation also applies to dummy cameras.

Section 16(1) of PECA 2016 (“Section 16(1)”), reproduced below for ease of reference, puts restriction on the collection and procession of personal data without the consent of the person whose personal data is being collected and processed:

“Whoever obtains, sells, possesses, transmits or uses another person’s identity information without authorization shall be punished with imprisonment for a term which may extend to three years or with fine which may extend to five million rupees, or with both.”

The PDPB, in addition, provides for the imposition of an obligation upon the data controller to notifythe data subject, in writing, regarding the following: the collection of personal data pertaining to the data subject, along with its description; the legal basis of such data collection and data processing; the retention period; the purpose for such data collection and data processing; information relating to the source of such personal data; information regarding cross border transfer of data; informing the data subject of their rights under the PDPB, including the right to request access to the personal data collected and processed, right to request correction of personal data collected and processed, and provide contact information of the data controller; the choices and means of restricting the processing of personal data;the third parties to whom the personal data may be disclosed; the mandatory or voluntary nature of data collection and data processing; and the consequences of failing to supply mandatory personal data. As per the PDPB, where the processing pertains to critical personal data, the PDPB shall (if implemented in its current form) require the same to be processed in a server or digital infrastructure within Pakistan.

It must be noted, however, that the PDPB is yet to be promulgated into law and therefore the content of the promulgated legislation may differ from the draft.

In Panama, personal information is protected at the constitutional level. The Constitution provides that every person has a right of access to his / her personal information contained in data banks or public or private registries and to request their correction and protection, as well as their deletion in accordance with the provisions of the law. It also states that such information may only be collected for specific purposes, subject to the consent of the person in question, or by order of a competent authority based on the provisions of the law. The disclosure of personal information without consent is also prohibited by the Panamanian Criminal Code. Criminal penalties apply to the disclosure of personal information where the disclosure causes harm to the affected individual. 

As per the Data Protection Law, the data subject must consent to the processing of his data and be duly informed of the proposed use of his personal data. Prior to obtaining consent, the data controller must provide the data subject with certain basic information, such as for example: the data controller’s identity and contact information, the proposed use of the data, the data subject's right to revoke consent, recipients of the personal data where the data will be transferred abroad, how long the data will be kept. The consent must be obtained in such a way that allows its traceability with documentation, whether electronic or by any other means that are suitable to the medium of the particular case and can be revoked, without retroactive effect. If the consent of the data subject is given in the context of a sworn statement that also refers to other matters, the consent request will be presented in such a way that it is clearly distinguished from the others, in a comprehensible and easily accessible manner, using a clear and simple language, which will not be binding in any part of the declaration that constitutes an infraction of the Law and its regulation.

The Data Protection Law allows processing of personal data without the data subject's consent, if at least one of the following conditions is met: 

• If necessary within an established contrctual relationship
• If needed to fullfil a legal obligation
• If authorized by a sectorial law or regulation
• If necessary to protect the vital interests of the data subject or another individual
• If required by a public entity within the exercise of the functions of the Public Administration in the field of their competences
• If necessary for the satisfaction of legitimate interests pursued by the data controller or by a third party, provided that such interests do not prevail over the interests or fundamental rights and freedoms of the interested party that require the protection of personal data, in particular when the interested party is a minor or a person with a disability
• If the personal data is derived or collected from public domain sources or accessible in public media
• If the personal data is contained in lists related to a category of people that is limited to genera background, such as the participation of a natural person to an organization, their profession or activity, their educational titles, address or date of birth
• If the processing of personal data by private organizations is for the exclusive use of their associates and the entities to which they are affiliated, for statistical purposes, for pricing or others of general benefit to them
• If the processing of information is authorized by law for historical, statistical or scientific purposes

Under the current legal regime, it is prohibited to publicize or diffuse sensitive data of people that are explicitly identified or identifiable (Art. 4 of Personal Credit Data Protection Law).

The current regulatory regime allows for private use the collection, storage and processing of personal information when it is lawful, exact, complete, true and updated for the specific purpose for which the data was collected (Art. 7 of the Law).  However, the data subject has to give consent to the collection and use of their personal information, to that effect, the data subject has to be informed, clearly and expressly, about the purposes their collected personal data will be processed for. The data subject’s consent may be revoked at any time under the same conditions as it was granted (Art. 6 of the Personal Credit Data Protection Law).

The Personal Credit Data Protection Law specifically regulates personal credit data collection and processing by Credit Data Bureaus. Such bureaus have to be fully authorized and registered by the Central Bank in order to be able render credit reference services (ie, provision of data related to personal credit information of persons or entities) and may only provide services to specific users (eg, financial entities, banks, credit agencies, etc.) (Arts. 3, 12, 13 and 14 of the Law).

Furthermore, the Personal Credit Data Protection Law establishes that a Credit Data Bureau may process personal data related to financial solvency and credit of persons or entities provided that:

• the data was provided by the data subject; or
• the data subject provided express and written consent; or
• the information is related to information that private or governmental entities have the duty to publish; or
• the information is public (Art. 13 of the Law).

The Personal Credit Data Protection Law also establishes a duty to the person/entity responsible for collecting and/or storing the data, to permanently update (when necessary) any personal information regarding the financial situation, solvency and/or the fulfilment of commercial and financial obligations (Arts. 9 and 11 of the Law). It also provides that the users of Credit Data Bureaus have the obligation to regularly provide to them, updated data on their credit portfolio clients, especially information related to the compliance with credit obligations, which must be notified within twenty four (24) hours of its cancellation (Art. 14 of the Law).

In addition, the Law establishes that Personal Credit Data which may affect a data subject cannot be stored (and/or publicized) for more than five (5) years from the date of the recorded event (Art. 9 of the Law).

A data subject has the right to:

• access the information and data about themselves, their dependents and/or property;
• know the use and purpose of such data; and 
• where data is incorrect, inexact or misleading, request access, prompt correction, rectification, to withdraw consent and object to the processing (Art. 5 of Personal Credit Data Protection Law). 

In addition, the Regulatory Decree of the Electronic Commerce Law establishes that the data subject’s express consent is required in order to obtain any personal information (Art. 13).  Accordingly, electronic collection, storage and processing data companies (and other companies that render services via electronic means who collect personal data), have the duty to inform to the data subject about:

• the purposes for which the personal data are collected; and
• how the personal data colelcted will be processed.

The collection and processing of personal data requires the data subject’s prior, informed, express and unequivocal consent. The consent may be expressed through electronic means.

The collection and processing of sensitive personal data requires the data subject’s prior, informed, express and unequivocal consent, and must be expressed in writing.

The data subject’s consent is not necessary if any of the following are true:

• The data are compiled or transferred for the fulfillment of governmental agency duties
• The data are contained or destined to be contained in a publicly available source
• The data are related to credit standing and financial solvency, as governed by applicable law (Law Nº 27489)
• A law is enacted to promote competition in regulated markets, under the powers afforded by the Framework Law for Regulatory Bodies of Private Investmenton Public Services (Law Nº 27332), provided that the information supplied does not breach the user’s privacy
• The data are necessary for a contractual, scientific or professional relationship with the data subject, provided that such data is necessary for the development and compliance with such relationship
• The data are needed to protect the health of the data subject, and data processing is necessary, in circumstances of risk, for prevention, diagnosis, and medical or surgical treatment, provided that the processing is carried out in health facilities or by professionals in health sciences observing professional secrecy
• The data are needed for public interest reasons declared by law or public health reasons (both must be declared as such by the Ministry of Health) or to conduct epidemiological studies or the like, as long as dissociation procedures are applied
• The data are dissociated or anonymized
• The data are used by a nonprofit organization with a political, religious, ortrade union purpose, and refer to the data of its members within the scope of the organization´s activities
• The data are necessary to safeguard the legitimate interest of the data subject orthe data handler
• The data are being processed for purposes linked to money laundering and terrorist financing or others that respond to a legal mandate
• In the case of economic groups made up of companies that are considered subjects obliged to inform, the data is processed in accordance with the rules that regulate the Financial Intelligence Unit, so that they may share information with each other about their respective clients to prevent money laundering and financing of terrorism (as well as in other instances of regulatory compliance, establishing adequate safeguards on the confidentiality and use of the information exchanged)
• When the treatment is carried out in a constitutionally valid exercise of the fundamental right to freedom of information
• Others expressly established by law

If the data controller outsources the processing of the personal data to a third party (ie, a processor), such party must also comply with the relevant requirements of the PDLP (eg, to maintain personal data as confidential and to use the personal data only for the purposes authorized and modify inaccurate information).

Upon termination or expiration of the outsourcing agreement, the personal data processed must be deleted, unless the data subject provides express consent to do otherwise.

The processing of personal data by cloud services, applications and infrastructure is permitted, provided compliance with the provisions of the PDPL and its Regulation is guaranteed.

The collection and processing of Personal Information must comply with the general principle that Personal Information must be:

• collected for specified and legitimate purposes determined and declared before, or as soon as reasonably practicable after collection, and later processed in a way compatible with such declared, specified and legitimate purposes only; 
• processed fairly and lawfully; 
• accurate, relevant and, where necessary for purposes for which it is to be used the processing of Personal Information, kept up to date; inaccurate or incomplete data must be rectified, supplemented, destroyed or their further processing restricted; 
• adequate and not excessive in relation to the purposes for which they are collected and processed; 
• retained only for as long as necessary for the fulfillment of the purposes for which the data was obtained or for the establishment, exercise or defense of legal claims, or for legitimate business purposes, or as provided by law; and 
• kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected and processed:
  • provided that Personal Information collected for other purposes may lie processed for historical, statistical or scientific purposes, and in cases laid down in law may be stored for longer periods, and
  • provided, further, that adequate safeguards are guaranteed by said laws authorizing their processing.

In addition, the processing of Personal Information must meet the following criteria, otherwise, such processing becomes prohibited:

• the data subject has given his or her consent; 
• the processing of Personal Information is necessary and is related to the fulfillment of a contract with the data subject or in order to take steps at the request of the data subject prior to entering into a contract; 
• the processing is necessary for compliance with a legal obligation to which the PIC is subject; 
• the processing is necessary to protect vitally important interests of the data subject, including life and health; 
• the processing is necessary in order to respond to national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority which necessarily includes the processing of personal data for the fulfillment of its mandate; or 
• the processing is necessary for the purposes of the legitimate interests pursued by the PIC or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject which require protection under the Philippine Constitution.

The processing of Sensitive Personal Information is prohibited, except in the following cases:

• the data subject has given his or her specific consent prior to the processing, or in the case of privileged information, all parties to the exchange have given their consent prior to processing; 
• the processing is provided for by existing laws and regulations, provided that such regulatory enactments guarantee the protection of the Sensitive Personal Information and the privileged information, and the consent of the data subjects is not required by law or regulation permitting the processing of the Sensitive Personal Information or the privileged information; 
• the processing is necessary to protect the life and health of the data subject or another person, and the data subject is not legally or physically able to express his or her consent prior to the processing; 
• the processing is necessary to achieve the lawful and non-commercial objectives of public organizations and their associations, provided:
  
  • such processing is only confined and related to the bona fide members of these organizations or their associations; 
  • the Sensitive Personal Data are not transferred to third parties; and 
  • the consent of the data subject was obtained prior to processing. 
• the processing is necessary for purposes of medical treatment, is carried out by a medical practitioner or a medical treatment institution, and an adequate level of protection of Personal Information is ensured; or 
• the processing concerns such Personal Information as is necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, or the establishment, exercise or defense of legal claims, or when provided to government or public authority.

In August 2024, the NPC issued guidelines on the processing of Sensitive Personal Information on the basis of being necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, or the establishment, exercise or defense of legal claims, or when provided to government or public authority. In its Advisory, the NPC states that said processing of Sensitive Personal Information and privileged information is proper when any of the following requisites are met:

• the processing is necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings; 
• the processing is necessary for the establishment, exercise or defense of legal claims; or
• the processing entails providing government or public authorities with personal data for the protection of lawful rights and interests in court proceedings or the establishment, exercise or defense of legal claims in relation to their constitutional or statutory mandate. Such instances may include providing information that supports the investigation of a law enforcement or regulatory agency.

In December 2024, the NPC likewise issued guidelines on the applicability of the DPA, its implementing rules and regulations, and the issuance of the Commission to Artificial Intelligence systems processing Personal Data.

EU regulation

Data protection principles

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under these principles, personal data must be (Article 5):

• Processed lawfully, fairly and in a transparent manner (lawfulness, fairness and transparency principle);
• Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (purpose limitation principle);
• Adequate, relevant and limited to what is necessary in relation to the purpose(s) (data minimization principle);
• Accurate and where necessary kept up-to-date (accuracy principle);
• Kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which the data are processed (storage limitation principle);
• Processed in a manner that ensures appropriate security of the personal data, using appropriate technical and organizational measures (integrity and confidentiality principle).

The controller is responsible for and must be able to demonstrate compliance with the above principles (accountability principle). Accountability is a core theme of the GDPR. Organizations must not only comply with the GDPR but also be able to demonstrate compliance perhaps years after a particular decision relating to processing personal data was taken. Record keeping, audit and appropriate governance will all form a key role in achieving accountability.

Legal basis under article 6

In addition, in order to satisfy the lawfulness principle, each use of personal data must be justified by reference to an appropriate basis for processing. The legal bases (also known lawful bases or lawful grounds) under which personal data may be processed are (Article 6(1)):

• With the consent of the data subject (where consent must be "freely given, specific, informed and unambiguous," and must be capable of being withdrawn at any time);
• Where necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract;
• Where necessary to comply with a legal obligation (of the EU) to which the controller is subject;
• Where necessary to protect the vital interests of the data subject or another person (generally recognized as being limited to 'life or death' scenarios, such as medical emergencies);
• Where necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller;
• Where necessary for the purposes of the legitimate interests of the controller or a third party (which is subject to a balancing test, in which the interests of the controller must not override the interests or fundamental rights and freedoms of the data subject. Note also that this basis cannot be relied upon by a public authority in the performance of its tasks).

Special category data

Processing of special category data is prohibited (Article 9), except where one of the following exemptions applies (which, in effect, operate as secondary bases which must be established for the lawful processing of special category data, in addition to an Article 6 basis):

• With the explicit consent of the data subject;
• Where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and social protection law or a collective agreement;
• Where necessary to protect the vital interests of the data subject or another natural person who is physically or legally incapable of giving consent;
• In limited circumstances by certain not-for-profit bodies;
• Where processing relates to the personal data which are manifestly made public by the data subject;
• Where processing is necessary for the establishment, exercise or defense of legal claims or where courts are acting in their legal capacity;
• Where necessary for reasons of substantial public interest on the basis of Union or Member State law, proportionate to the aim pursued and with appropriate safeguards;
• Where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, provision of health or social care or treatment of the management of health or social care systems and services;
• Where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of health care and of medical products and devices;
• Where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with restrictions set out in Article 89(1).

Member States are permitted to introduce domestic laws including further conditions and limitations for processing with regard to processing genetic data, biometric data and health data.

Criminal convictions and offences data

Processing of personal data relating to criminal convictions and offences is prohibited unless carried out under the control of an official public authority, or specifically authorized by Member State domestic law (Article 10).

Processing for a secondary purpose

Increasingly, organizations wish to re-purpose personal data – i.e. use data collected for one purpose for a new purpose which was not disclosed to the data subject at the time the data were first collected. This is potentially in conflict with the core principle of purpose limitation; to ensure that the rights of data subjects are protected. The GDPR sets out a series of factors that the controller must consider to ascertain whether the new process is compatible with the purposes for which the personal data were initially collected (Article 6(4)). These include:

• Any link between the original purpose and the new purpose;
• The context in which the data have been collected;
• The nature of the personal data, in particular whether special categories of data or data relating to criminal convictions are processed (with the inference being that if they are it will be much harder to form the view that a new purpose is compatible);
• The possible consequences of the new processing for the data subjects;
• The existence of appropriate safeguards, which may include encryption or pseudonymization.

If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new purpose are consent or a legal obligation (more specifically an EU or Member State law which constitutes a necessary and proportionate measure in a democratic society).

Transparency (privacy notices)

The GDPR places considerable emphasis on transparency, ie, the right for a data subject to understand how and why his or her data are used, and what other rights are available to data subjects to control processing. The presentation of granular, yet easily accessible, privacy notices should, therefore, be seen as a cornerstone of GDPR compliance.

Various information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using clear and plain language (Article 12(1)).

The following information must be provided (Article 13) at the time the data are obtained: 

• The identity and contact details of the controller;
• The data protection officer's contact details (if there is one);
• Both the purpose for which data will be processed and the legal basis for processing, including, if relevant, the legitimate interests for processing;
• The recipients or categories of recipients of the personal data;
• Details of international transfers;
• The period for which personal data will be stored or, if that is not possible, the criteria used to determine this;
• The existence of rights of the data subject including the right to access, rectify, require erasure, restrict processing, object to processing and data portability;
• Where applicable, the right to withdraw consent, and the right to complain to supervisory authorities;
• The consequences of failing to provide data necessary to enter into a contract;
• The existence of any automated decision making and profiling and the consequences for the data subject;
• In addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that further processing, providing the above information.

Somewhat different requirements apply (Article 14) where information has not been obtained from the data subject.

Rights of the data subject

Data subjects enjoy a range of rights to control the processing of their personal data, some of which are very broadly applicable, while others only apply in quite limited circumstances. Controllers must provide information on action taken in response to requests within one calendar month as a default, with a limited right for the controller to extend this period thereby a further two months where the request is onerous.

Right of access (Article 15)

• The right of access does not apply to the activity of editing, creating or publishing press materials, as well as to literary and artistic activities.
• In addition, controllers performing public tasks are exempted from the obligation under Article 15 of the GDPR if it serves the performance of a public task, if it is necessary for the purposes referred to in Article 23(1) of the GDPR, and if the performance of these obligations would prevent or significantly impede the proper performance of the public task (where the interest or fundamental rights or freedoms of the data subject are not overridden by the interest resulting from the performance of that public task) or if it would violate the protection of classified information.
• The right of access is also limited due to the need for the proper performance of the public task. Data controllers who have received personal data from an entity carrying out a public task do not fulfill this obligation where the entity providing the personal data has made a request in this regard due to the necessity for the proper performance of a public task aimed, for example, at: the prevention of crime, the detection or prosecution of criminal acts or the execution of penalties, including the protection against and prevention of threats to public safety, or the protection of the economic and financial interests of the state. However, the controller must respond to a person's request in a way that makes it impossible to determine that the controller is processing personal data received from an entity performing a public task.
• The Act on Clinical Trials has provided the possibility to restrict certain rights of data subjects, such as the right of access, if their exercise prevents or seriously obstructs achieving the objectives of the clinical trial and if such restriction is necessary to achieve the objectives of the trial.

Right to rectify (Article 16)

• The right to rectify does not apply to the activity of editing, creating or publishing press materials, as well as to literary and artistic activities.
• The Act on Clinical Trials has provided the possibility to restrict certain rights of data subjects, such as the right of rectification, if their exercise prevents or seriously obstructs achieving the objectives of the clinical trial and if such restriction is necessary to achieve the objectives of the trial.

Right to erasure ('right to be forgotten') (Article 17)

• The right to erasure is subject to limitation under the Labor Code. The employer must keep employee documentation a period of 10 years after the termination of employment, which excludes the earlier deletion of such data at the request of a former employee. In addition, the Act on Accounting imposes an obligation to keep accounting records (e.g. employee pay slips, books of account) for at least 5 years.

Right to restriction of processing (Article 18)

• The right to restriction of processing does not apply to the activity of editing, creating or publishing press materials, as well as to literary and artistic activities.
• The Act on Clinical Trials has provided the possibility to restrict certain rights of data subjects, such as the right to restriction of processing, if their exercise prevents or seriously obstructs achieving the objectives of the clinical trial and if such restriction is necessary to achieve the objectives of the trial.

Right to data portability (Article 20)

• The right to data portability does not apply to the activity of editing, creating or publishing press materials, as well as to literary and artistic activities.

Right to object (Article 21)

• The right to object does not apply to the activity of editing, creating or publishing press materials, as well as to literary and artistic activities.
• The Act on Clinical Trials has provided the possibility to restrict certain rights of data subjects, such as the right to objection, if their exercise prevents or seriously obstructs achieving the objectives of the clinical trial and if such restriction is necessary to achieve the objectives of the trial.

---

Poland regulation

The new PDPA includes some derogations from the GDPR. However, the draft of the Implementation act is likely to introduce more provisions which elaborate on the provisions of the GDPR on the collection and processing of personal data. It is important to note that the Polish legislator has decided to include derogations regarding labour law both in the new PDPA and in the Implementation act.

The new PDPA contains provisions amending, among others, the Labour Code. These provisions provide for circumstances under which the employer can carry out video surveillance, email monitoring and other employee monitoring activities. Video surveillance may be implemented if it is necessary to ensure the safety of employees or the protection of property or production control or to keep information, the disclosure of which could cause damage to the employer, confidential. Monitoring of work emails may be implemented if it is necessary to ensure maximum work efficiency and the proper use of work tools made available to the employees. The scope, means and purposes of the employee monitoring must be provided to the employees via workplace regulations or other, exhaustively listed, means at least two weeks before the monitoring starts. The legality of a particular monitoring scheme should be assessed on a case-by-case basis.

The new PDPA also prescribes the maximum retention period of the information obtained from video monitoring (it must not be stored indefinitely). The mater can be retained for three months after the recording took place, unless the recording constitutes (or may constitute) evidence in legal proceedings. In this case, the material may be stored until the final decision in the proceedings is issued. In relation to the retention period of information obtained via any other form of employee monitoring, the general rules of the GDPR apply - the material can be retained as long as is reasonably needed for the purposes for which it was collected. The remaining changes to the Labour Code are included in the Implementation act.

For example, the employer may process the personal data of its employees or job applicants referred to in Article 9(1) with consent however only if the data was given on the data subject's own initiative. Another significant amendment is to the scope of data requested when applying for a job. Although address as well as parents' names are no longer needed, contact details should be provided. Changes in video surveillance would allow an employer to locate cameras in sanitary areas upon prior consent from the enterprise trade union or the employee representative who has been chosen in the way prescribed by an employer. However, the monitoring shall not cover the premises made available to the enterprise trade union.

EU regulation

Data Protection Principles

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under these principles, personal data must be (Article 5):

• Processed lawfully, fairly and in a transparent manner (lawfulness, fairness and transparency principle)
• Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (purpose limitation principle)
• Adequate, relevant and limited to what is necessary in relation to the purpose(s) (data minimization principle)
• Accurate and where necessary kept up-to-date (accuracy principle)
• Kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which the data are processed (storage limitation principle)
• Processed in a manner that ensures appropriate security of the personal data, using appropriate technical and organizational measures (integrity and confidentiality principle)

The controller is responsible for and must be able to demonstrate compliance with the above principles (accountability principle). Accountability is a core theme of the GDPR. Organizations must not only comply with the GDPR but also be able to demonstrate compliance perhaps years after a particular decision relating to processing personal data was taken. Record keeping, audit and appropriate governance will all form a key role in achieving accountability.

Legal Basis under Article 6

In addition, in order to satisfy the lawfulness principle, each use of personal data must be justified by reference to an appropriate basis for processing. The legal bases (also known lawful bases or lawful grounds) under which personal data may be processed are (Article 6(1)):

• With the consent of the data subject (where consent must be "freely given, specific, informed and unambiguous," and must be capable of being withdrawn at any time)
• Where necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract
• Where necessary to comply with a legal obligation (of the EU) to which the controller is subject
• Where necessary to protect the vital interests of the data subject or another person (generally recognized as being limited to 'life or death' scenarios, such as medical emergencies)
• Where necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller
• Where necessary for the purposes of the legitimate interests of the controller or a third party (which is subject to a balancing test, in which the interests of the controller must not override the interests or fundamental rights and freedoms of the data subject. Note also that this basis cannot be relied upon by a public authority in the performance of its tasks)

Special Category Data

Processing of special category data is prohibited (Article 9), except where one of the following exemptions applies (which, in effect, operate as secondary bases which must be established for the lawful processing of special category data, in addition to an Article 6 basis):

• With the explicit consent of the data subject
• Where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and social protection law or a collective agreement
• Where necessary to protect the vital interests of the data subject or another natural person who is physically or legally incapable of giving consent
• In limited circumstances by certain not-for-profit bodies
• Where processing relates to the personal data which are manifestly made public by the data subject
• Where processing is necessary for the establishment, exercise or defense of legal claims or where courts are acting in their legal capacity
• Where necessary for reasons of substantial public interest on the basis of Union or Member State law, proportionate to the aim pursued and with appropriate safeguards
• Where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, provision of health or social care or treatment of the management of health or social care systems and services
• Where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of health care and of medical products and devices
• Where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with restrictions set out in Article 89(1)

Member States are permitted to introduce domestic laws including further conditions and limitations for processing with regard to processing genetic data, biometric data and health data.

Criminal Convictions and Offences data

Processing of personal data relating to criminal convictions and offences is prohibited unless carried out under the control of an official public authority, or specifically authorized by Member State domestic law (Article 10).

Processing for a Secondary Purpose

Increasingly, organizations wish to re-purpose personal data – ie, use data collected for one purpose for a new purpose which was not disclosed to the data subject at the time the data were first collected. This is potentially in conflict with the core principle of purpose limitation; to ensure that the rights of data subjects are protected. The GDPR sets out a series of factors that the controller must consider to ascertain whether the new process is compatible with the purposes for which the personal data were initially collected (Article 6(4)). These include:

• Any link between the original purpose and the new purpose
• The context in which the data have been collected
• The nature of the personal data, in particular whether special categories of data or data relating to criminal convictions are processed (with the inference being that if they are it will be much harder to form the view that a new purpose is compatible)
• The possible consequences of the new processing for the data subjects
• The existence of appropriate safeguards, which may include encryption or pseudonymization

If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new purpose are consent or a legal obligation (more specifically an EU or Member State law which constitutes a necessary and proportionate measure in a democratic society).

Transparency (Privacy Notices)

The GDPR places considerable emphasis on transparency, ie, the right for a data subject to understand how and why his or her data are used, and what other rights are available to data subjects to control processing. The presentation of granular, yet easily accessible, privacy notices should, therefore, be seen as a cornerstone of GDPR compliance.

Various information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using clear and plain language (Article 12(1)).

The following information must be provided (Article 13) at the time the data are obtained: 

• The identity and contact details of the controller
• The data protection officer's contact details (if there is one)
• Both the purpose for which data will be processed and the legal basis for processing, including, if relevant, the legitimate interests for processing
• The recipients or categories of recipients of the personal data
• Details of international transfers
• The period for which personal data will be stored or, if that is not possible, the criteria used to determine this
• The existence of rights of the data subject including the right to access, rectify, require erasure, restrict processing, object to processing and data portability
• Where applicable, the right to withdraw consent, and the right to complain to supervisory authorities
• The consequences of failing to provide data necessary to enter into a contract
• The existence of any automated decision making and profiling and the consequences for the data subject
• In addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that further processing, providing the above information

Somewhat different requirements apply (Article 14) where information has not been obtained from the data subject.

Rights of the Data Subject

Data subjects enjoy a range of rights to control the processing of their personal data, some of which are very broadly applicable, while others only apply in quite limited circumstances. Controllers must provide information on action taken in response to requests within one calendar month as a default, with a limited right for the controller to extend this period thereby a further two months where the request is onerous.

Right of access (Article 15)

A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information about the how the data have been used by the controller.

Right to rectify (Article 16)

Data subjects may require inaccurate or incomplete personal data to be corrected or completed without undue delay.

Right to erasure ('right to be forgotten') (Article 17)

Data subjects may request erasure of their personal data. The forerunner of this right made headlines in 2014 when Europe’s highest court ruled against Google (Judgment of the CJEU in Case C-131/12), in effect requiring Google to remove search results relating to historic proceedings against a Spanish national for an unpaid debt on the basis that Google as a data controller of the search results had no legal basis to process that information.

The right is not absolute; it only arises in quite a narrow set of circumstances, notably where the controller no longer needs the data for the purposes for which they were collected or otherwise lawfully processed, or as a corollary of the successful exercise of the objection right, or of the withdrawal of consent.

Right to restriction of processing (Article 18)

Data subjects enjoy a right to restrict processing of their personal data in defined circumstances. These include where the accuracy of the data is contested; where the processing is unlawful; where the data are no longer needed save for legal claims of the data subject, or where the legitimate grounds for processing by the controller are contested.

Right to data portability (Article 20)

Where the processing of personal data is justified either on the basis that the data subject has given his or her consent to processing or where processing is necessary for the performance of a contract, then the data subject has the right to receive or have transmitted to another controller all personal data concerning him or her in a structured, commonly used and machine-readable format (eg, commonly used file formats recognized by mainstream software applications, such as .xsl).

Right to object (Article 21)

Data subjects have the right to object to processing on the legal basis of the legitimate interests of the data controller or where processing is in the public interest. Controllers will then have to suspend processing of the data until such time as they demonstrate “compelling legitimate grounds” for processing which override the rights of the data subject.

In addition, data subjects enjoy an unconditional right to object to the processing of personal data for direct marketing purposes at any time. 

The right not to be subject to automated decision taking, including profiling (Article 22)

Automated decision making (including profiling) "which produces legal effects concerning [the data subject] … or similarly significantly affects him or her" is only permitted where: 

1. Necessary for entering into or performing a contract
2. Authorized by EU or Member State law
3. The data subject has given their explicit (ie, opt-in) consent

Further, where significant automated decisions are taken on the basis of grounds (a) or (c), the data subject has the right to obtain human intervention, to contest the decision, and to express his or her point of view.

---

Portugal regulation

Personal data may only be processed if any of the GDPR lawful bases apply.

Moreover, the data controller must provide the data subject with all the relevant processing information under the GDPR.

In accordance with Law no 58/2019 of 8 August, the processing of children’s personal data based on consent in the scope of the direct provision of information of society services is only allowed where children are 13 years of age or above. Below 13 years, legal representatives’ consent is required.

Regarding the processing of health and genetic data, such data may only be processed on a need to know basis.  In the cases provided for by Article 9(2)(h) and (i) GDPR (ie, where the processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care of treatment or the management of health or social care systems or for reasons of public interest in the area of public health), the processing must be carried out by or under the responsibility of a professional who is subject to the obligation of secrecy or by other person bound by a confidentiality obligation, and appropriate information security measures must be ensured. The access to health and genetic data is exclusively made through electronic means unless in case of technical impossibility or under express instructions  contrary from the data subject, not being allowed the subsequent transfer or disclosure.

Without prejudice of specific laws and regulations stating the mandatory implementation of video surveillance systems, under Law no 58/2019 of 8 August, the same shall only be implemented for purposes of people and goods protection and for compliance with the legal requirements provided in Law no. 34/2013 of 16, may as well as in Law no 58/2019 of 8 August.

The Personal data retention period is provided by law or regulation or, in case there is no specific law or regulation, it will correspond to the period in which the personal data is  needed in view of the purposes of processing. In case the personal data is needed for purposes of evidence of contractual obligations or of other nature, personal data shall only be retained until the limitation period of the respective rights has not elapsed.

Specific legal provisions apply in the scope of employment relationships, notably in relation to video surveillance systems and processing of biometric data.

As concerns data subjects' rights, these shall follow GDPR requirements, establishing Law no 58/2019 of 8 August that the right to data portability provided for in Article 20 of the GDPR only comprises the personal data provided by the respective data subjects and shall be provided, wherever possible, in an open format.

Generally, data subject consent is required to collect and process personal data, except to the extent processing is deemed necessary for a lawful purpose of the controller, or the third party to whom the personal data is sent.

Lawful purpose is defined in the Data Protection Law as "the purpose for which the personal data of the data subject is being processed in accordance with the law," which includes cases where a data controller is processing personal data for legitimate interests and specific purposes set forth under Data Protection Law as described below.

Prior to processing personal data, the data controller must notify the data subject of the following information:

• The details of the data controller or another party who processes the data on behalf of the data controller;
• The lawful purpose for which the data controller or any third party wants to process the personal data;
• A comprehensive and accurate description of the processing activities and the degrees of disclosure of personal data for the lawful purpose; and
• Any other information deemed necessary and required for the satisfaction of personal data processing.

The data controller is free to process data without the consent of the data subject or a lawful purpose in the following circumstances:

• The data processing is in the public interest. A data controller would process personal data in the public interest if it is conducting a specific task in the public interest pursuant to applicable law or is exercising "official authority" (e.g. a public body's tasks, functions or duties) pursuant to applicable law;
• The data processing is required to meet a legal obligation. A data controller would be considered processing personal data to meet a legal obligation where it is required to do so by virtue of the law or court order;
• The data processing is required to protect the data subject's vital interests. What constitutes as "vital interests" is applied very narrowly to cases of "life and death" and on the basis of humanitarian grounds such as in relation to a pandemic / epidemic. Further, this exemption is likely to arise in cases where data related health is being processed which is a category of sensitive personal data (explored further below) and in which case, this exemption would only apply if the data subject is physically or legally incapable of providing consent and as such, explicit consent may be more appropriate in the circumstances;
• The data processing is required for scientific research being conducted in the public interest. Cases involving the processing of personal data for "scientific research in the public interests" should be interpreted broadly and would include processing activities to further technological development or privately funded research; or
• The data processing is required to investigate a crime, if officially requested by the investigating authorities.

Sensitive personal data may not be processed except after obtaining authorization from the NCGAA. There is a high threshold for processing this data and, amongst other things, a data controller would be required to:

• Identify a permitted reason for processing sensitive personal data and an "additional condition" for processing activities and these "additional conditions" include, but are not limited to, (i) processing with the data subject's explicit consent or parental consent (as may be relevant), (ii) the personal data is made public by the data subject; or (iii) the processing is necessary in an employment context and would enable the data controller to fulfil their obligations as an employer;
• Complete a data protection impact assessment to identify, inter alia, the purpose and permitted reason for processing, the potential damage / harm that can be caused to the data subject as a result of the processing activities and the risks to the processing and methods / actions to mitigate such risks; and
• Obtain permission from the NCGAA to process such personal data which may be conditioned on, inter alia, the data controller evidencing to the NCGAAthat it has the appropriate administrative, technical and financial precautions in place to protect such special personal data.

Conditions for consent

Data controllers must be able to show that the data subject's consent complies with the DPL where they are using consent as a basis for their processing activities.

Consent by a data subject must be:

• Freely given;
• Specific;
• Informed; and
• Unambiguous.

Where consent is given in a document that also concerns other matters then the consent must be:

• Clearly distinguishable;
• Intelligible and easily accessible; and
• Use clear, unambiguous and plain language.

Processing personal data

Data controllers may process personal data when any of the following conditions are met:

• The data subject has given his / her consent to the processing of that personal data;
• Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
• Processing is necessary for compliance with an obligation to which the data controller is subject to by law;
• Processing is necessary in order to protect the vital interests of the data subject or another individual;
• Processing is necessary for the performance of a task carried out in the public interest or in the exercise of the QFC Authority, the QFC Regulatory Authority, QFC Civil and Commercial Court, the QFC Regulatory Tribunal or a QFC Institution;
• Processing is necessary for the purposes of the legitimate interests of the data controller or another person to whom the personal data is disclosed, except where such interests are overridden by legitimate interests of the data subject which require the data to be protected.

Processing sensitive personal data

Data controllers may process sensitive personal data when any of the following conditions are met:

• The data subject has given his / her explicit written consent to the processing;
• Processing is necessary for the purposes of carrying out the obligations and the exercise of specific rights of the data controller or the data processor in the field of employment law;
• Processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving his / her consent;
• Processing is carried out by an insurance firm for the purposes of providing a life or health insurance policy;
• Processing is carried out by a non-for-profit body in the course of its legitimate activities with appropriate guarantees that the processing relates solely to the members or former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data is not disclosed to a third party without the consent of the data;
• Processing relates to personal data which is manifestly made public by the data subject;
• Processing is necessary to establish, pursue or defend a legal claim or when a court is acting in its judicial capacity;
• Processing is necessary for compliance with an obligation to which the data controller is subject to by law;
• Processing is necessary for the performance of a task carried out in the public interest or in the exercise of the QFC Authority, the QFC Regulatory Authority, QFC Civil and Commercial Court, the QFC Regulatory Tribunal or a QFC Institution;
• Processing is necessary for substantial public interest reasons that are proportionate to the aim or aims pursued, respect the principles relating to the processing of personal data and provide suitable and specific measures to safeguard the rights of the data subject;
• Processing is required for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment or the management of healthcare services, and where that personal data is processed by a health professional subject under national laws or regulations established by national competent bodies to the obligation of professional secrecy or by another person also subject to an equivalent obligation of secrecy.

The collection and processing of personal data can only be carried out with the prior and explicit consent of the person concerned. Some exceptions apply when the processing is for valid legal reasons, in the public interest, for the performance of an agreement or to protect the fundamental rights of the person concerned.

EU regulation

Data Protection Principles

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under these principles, personal data must be:

• Processed lawfully, fairly and in a transparent manner (the "lawfulness, fairness and transparency principle")
• Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (the "purpose limitation principle")
• Adequate, relevant and limited to what is necessary in relation to the purpose(s) (the "data minimization principle");
• Accurate and where necessary kept up to date (the "accuracy principle")
• Kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which the data are processed (the "storage limitation principle")
• Processed in a manner that ensures appropriate security of the personal data, using appropriate technical and organizational measures (the "integrity and confidentiality principle")

The controller is responsible for and must be able to demonstrate compliance with the above principles (the "accountability principle"). Accountability is a core theme of the GDPR. Organizations must not only comply with the GDPR but also be able to demonstrate compliance for potentially years after a particular decision relating to processing personal data was rendered. Record-keeping, auditing and appropriate governance will all play a key role in achieving accountability.

Legal Basis under Article 6

In addition, in order to satisfy the lawfulness principle, each use of personal data must be justified by reference to an appropriate basis for processing. The legal bases (also known lawful bases or lawful grounds) under which personal data may be processed are (Article 6(1)):

• With the consent of the data subject (where consent must be "freely given, specific, informed and unambiguous," and must be capable of being withdrawn at any time)
• Where necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract
• Where necessary to comply with a legal obligation (of the EU) to which the controller is subject
• Where necessary to protect the vital interests of the data subject or another person (generally recognised as being limited to 'life or death' scenarios, such as medical emergencies)
• Where necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller
• Where necessary for the purposes of the legitimate interests of the controller or a third party (which is subject to a balancing test, in which the interests of the controller must not override the interests or fundamental rights and freedoms of the data subject. Note also that this basis cannot be relied upon by a public authority in the performance of its tasks)

Special Category Data

Processing of special category data is prohibited, except where one of the following exemptions applies (which, in effect, operate as secondary bases which must be established for the lawful processing of special category data, in addition to an Article 6 basis):

• With the explicit consent of the data subject
• Where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and social protection law or a collective agreement
• Where necessary to protect the vital interests of the data subject or another natural person who is physically or legally incapable of giving consent
• In limited circumstances by certain not-for-profit bodies
• Where processing relates to the personal data which are manifestly made public by the data subject
• Where processing is necessary for the establishment, exercise or defence of legal claims or where courts are acting in their legal capacity
• Where necessary for reasons of substantial public interest on the basis of Union or Member State law, proportionate to the aim pursued and with appropriate safeguards
• Where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, provision of health or social care or treatment of the management of health or social care systems and services
• Where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of health care and of medical products and devices
• Where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with restrictions set out in Article 89(1)

Member States are permitted to introduce domestic laws including further conditions and limitations for processing with regard to processing genetic data, biometric data and health data.

Criminal Convictions and Offences data

Processing of personal data relating to criminal convictions and offences is prohibited unless carried out under the control of an official public authority, or specifically authorized by Member State domestic law. 

Processing for a Secondary Purpose

Increasingly, organisations wish to re-purpose personal data - ie, use data collected for one purpose for a new purpose which was not disclosed to the data subject at the time the data were first collected. This is potentially in conflict with the core principle of purpose limitation; to ensure that the rights of data subjects are protected. The GDPR sets out a series of factors that the controller must consider to ascertain whether the new process is compatible with the purposes for which the personal data were initially collected. These include:

• Any link between the original purpose and the new purpose
• The context in which the data have been collected
• The nature of the personal data, in particular whether special categories of data or data relating to criminal convictions are processed (with the inference being that if they are it will be much harder to form the view that a new purpose is compatible)
• The possible consequences of the new processing for the data subjects
• The existence of appropriate safeguards, which may include encryption or pseudonymisation

If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new purpose are consent or a legal obligation (more specifically an EU or Member State law which constitutes a necessary and proportionate measure in a democratic society).

Transparency (Privacy Notices)

The GDPR places considerable emphasis on transparency, that is, the right for a data subject to understand how and why his or her data are used, and what other rights are available to data subjects to control processing. The presentation of granular, yet easily accessible, privacy notices should, therefore, be seen as a cornerstone of GDPR compliance.

Various information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using clear and plain language.

The following information must be provided at the time the data are obtained: 

• The identity and contact details of the controller
• The data protection officer's contact details (if there is one)
• Both the purpose for which data will be processed and the legal basis for processing, including, if relevant, the legitimate interests for processing
• The recipients or categories of recipients of the personal data
• Details of international transfers
• The period for which personal data will be stored or, if that is not possible, the criteria used to determine this
• The existence of rights of the data subject including the right to access, rectify, require erasure, restrict processing, object to processing and data portability
• Where applicable, the right to withdraw consent, and the right to complain to supervisory authorities
• The consequences of failing to provide data necessary to enter into a contract
• The existence of any automated decision making and profiling and the consequences for the data subject
• In addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that further processing, providing the above information

Somewhat different requirements apply where information has not been obtained from the data subject.

Rights of the Data Subject

Data subjects enjoy a range of rights to control the processing of their personal data, some of which are very broadly applicable, whilst others only apply in quite limited circumstances. Controllers must provide information on action taken in response to requests within one calendar month as a default, with a limited right for the controller to extend this period thereby a further two months where the request is onerous.

Right of access 

A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information about the how the data have been used by the controller.

Right to rectify 

Data subjects may require inaccurate or incomplete personal data to be corrected or completed without undue delay.

Right to erasure ('right to be forgotten') 

Data subjects may request erasure of their personal data. The forerunner of this right made headlines in 2014 when Europe’s highest court ruled against Google (Judgment of the CJEU in Case C-131/12), in effect requiring Google to remove search results relating to historic proceedings against a Spanish national for an unpaid debt on the basis that Google as a data controller of the search results had no legal basis to process that information.

The right is not absolute; it only arises in quite a narrow set of circumstances, notably where the controller no longer needs the data for the purposes for which they were collected or otherwise lawfully processed, or as a corollary of the successful exercise of the objection right, or of the withdrawal of consent.

Right to restriction of processing

Data subjects enjoy a right to restrict processing of their personal data in defined circumstances. These include where the accuracy of the data is contested; where the processing is unlawful; where the data are no longer needed save for legal claims of the data subject, or where the legitimate grounds for processing by the controller are contested.

Right to data portability

Where the processing of personal data is justified either on the basis that the data subject has given his or her consent to processing or where processing is necessary for the performance of a contract, then the data subject has the right to receive or have transmitted to another controller all personal data concerning him or her in a structured, commonly used and machine-readable format (eg, commonly used file formats recognised by mainstream software applications, such as .xsl).

Right to object 

Data subjects have the right to object to processing on the legal basis of the legitimate interests of the data controller or where processing is in the public interest. Controllers will then have to suspend processing of the data until such time as they demonstrate “compelling legitimate grounds” for processing which override the rights of the data subject.

In addition, data subjects enjoy an unconditional right to object to the processing of personal data for direct marketing purposes at any time. 

The right not to be subject to automated decision making, including profiling

Automated decision making (including profiling) "which produces legal effects concerning [the data subject] … or similarly significantly affects him or her" is only permitted where: 

• Necessary for entering into or performing a contract
• Authorized by EU or Member State law
• The data subject has given their explicit (ie, opt-in) consent

Further, where significant automated decisions are taken on the basis of first or third grounds above, the data subject has the right to obtain human intervention, to contest the decision, and to express his or her point of view.

---

Romania regulation

1. Processing  genetic data, biometric data or health data

The processing of genetic, biometric or health data for the purpose of achieving an automated decision-making process or for profiling purposes is permitted only with the explicit consent of the data subject or if the processing is performed based on express legal requirements, with the obligation to implement adequate measures for the protection of the rights, freedoms and legitimate interests of the data subject. Law no. 190/2018 does not specify or provide any examples with respect to what type of measures should be implemented in view of the processing.

Law no. 190/2018 expressly allows the processing of health data for the purpose of public health, as defined under Regulation (EC) No 1338/2008 of the European Parliament and of the Council of 16 December 2008 on Community statistics on public health and health and safety at work. However, subsequent processing of such data may not be performed for other purposes  by third parties.

2. Processing a national identification number 

Law no. 190/2018 provides that processing  a national identification number, including by collecting or disclosing any documents enclosing such national identification number, may be carried out in the situations provided for in Article 6 (1) of the GDPR. However, where processing is based on the legitimate interests pursued by the controller or by a third party (i.e. Article 6 (1) (f) of the GDPR), the processing activities may be carried out only if the following guarantees have been implemented by the controller:

• Adequate technical and organizational measures to observe, in particular, the principle of data minimization and to ensure the security and confidentiality of personal data processing, according to the provisions of art. 32 of the GDPR;

• The appointment of a DPO;

• Establishment of  retention terms in accordance with the nature of the personal data and the purpose of the processing, as well as specific deadlines in which personal data must be deleted or revised in order to be deleted;

• Regular training of the personnel processing personal data under the direct authority of the controller or processor.

3. Processing  personal data in the context of employment relationships

The electronic monitoring and / or video surveillance systems of employees at the workplace based on the legitimate interests of the employer is / are permitted only if the following apply:

• The legitimate interests pursued by the employer are thoroughly justified and prevail over the interests or rights and freedoms of the data subjects;
• The employer has made the compulsory, complete and explicit prior information to the employees;
• The employer consulted the relevant trade union or, where applicable, the employees' representatives prior to the introduction of the monitoring systems;
• Other less intrusive forms and ways to achieve the goal pursued by the employer have not previously proved their effectiveness;
• The retention duration of personal data is proportional to the purpose of processing, but not more than 30 days, except for situations expressly governed by law or in duly justified cases.

4. Processing of personal data for journalistic purposes or for the purpose of academic, artistic or literary expression

According to Law no. 190/2018, in view of ensuring a balance between the right to personal data protection, freedom of expression and the right to information, processing of personal data for journalistic purposes, or for the purposes of academic, artistic or literary expression may be performed if such processing refers to personal data which were manifestly made public by the data subject or which are strongly connected to the quality of public person of the data subject or to the public nature of the facts in which the data subject is involved, by derogation from the following chapters of the GDPR:

1. Chapter II – Principles
2. Chapter III – Rights of the data subject
3. Chapter IV – Controller and processor
4. Chapter V – Transfers of personal data to third countries or international organizations
5. Chapter VI – Independent supervisory authorities
6. Chapter VII – Cooperation and consistency
7. Chapter IX – Provisions relating to specific processing situations

5. Processing of personal data for scientific or historical research purposes, statistical purposes or archiving in the public interest purposes

According to Law no. 190/2018 Articles 15, 16, 18 and 21 of the GDPR do not apply in case personal data are processed for scientific or historical research purposes or statistical purposes, to the extent the rights mentioned in these Articles are likely to render impossible or seriously impair the achievement of the objectives of the processing, and such derogations are necessary for achieving such objectives. These derogations are applied only with respect to archiving purposes in the public interest, scientific or historical research purposes or statistical purposes and not with respect to other purposes for which the personal data may be used. Articles 15, 16, 18, 19, 20 and 21 GDPR do not apply in cases where personal data is processed for archiving purposes in the public interest to the extent that the rights mentioned in those Articles are likely to render impossible or seriously impair the achievement of the objectives of the processing, and such derogations are necessary for achieving such objectives. These derogations are applicable only with respect to scientific or historical research purposes and for archiving in the public interest purposes, and not with respect to other purposes for which the personal data may be used. Both these derogations are applicable only if appropriate safeguards for the rights and freedoms of data subjects are implemented, in accordance with Article 89(1) GDPR. 

6. Processing of personal data and special categories of personal data by political parties, national minorities organisations and non-governmental organisations for the purpose of fulfilling their objectives

Processing of personal data and special categories of personal data by political parties, national minorities organisations and non-governmental organisations for the purpose of fulfilling their objectives can be done without the explicit consent of the personal data but with the application of the following:

• The information of data subjects on the processing of personal data;
• Guaranteeing the transparency of the information, of the communications and of the manner in which data subjects can exercise their rights;
• Guaranteeing the right to rectification and the right to erasure.  

Data operators may collect and process personal data where any of the following conditions are met:

• The data subject consents;
• The processing is required by law or under an international treaty;
• The processing is required for administration of justice, execution of a court order or any other statements of public officers to be executed;
• The processing is required for provision of state or municipal services;
• The data operator needs to process the data to perform or conclude a contract to which the data subject is a party, a beneficiary party or guarantor;
• The processing is carried out for statistical or scientific purposes (except where processing is used also for advertising purposes), provided that it is depersonalized;
• The processing protects the data subject’s vital interests and it is impossible to obtain the data subject’s consent;
• The processing is required for execution of the data operator’s or third parties’ rights or for purposes important for the community, provided the data subject’s rights are not infringed;
• The processing is carried out by a journalist or media organization as a part of its professional activities or for the purposes of scientific, literary or other creative activities, except if the processing would infringe upon the data subject’s rights;
• The personal data is subject to publication or mandatory disclosure under law; or
• The personal data that is processed by participants under the conditions set forth in an experimental regulatory regime (sometimes referred to as a “regulatory sandbox") in depersonalized form.

Consent by the data subject is by far the most common legal basis for data processing in Russia.  In most cases, consent may be given in any form, but it must be in some tangible format, as the data operator bears the burden of proof to show that consent was given, so, it is important to keep careful records of consents.

In some cases, however, DPA requires an explicit written consent:

• where the personal data is allowed by the data subject for dissemination;
• where sensitive or biometrical data is processed;
• where a legally binding decision is made solely on the grounds of the automated processing of personal data; or
• where employee personal data is transferred to third parties.

Consent is deemed to have been given in writing where it is signed by hand or in electronic form with a digital signature.

Written consent (except personal data allowed by the personal data subject for dissemination – there are special rules for this) must contain the following information:

• The identity of the data subject, (which can be made by reference to residential address and passport details);
• Identification of a data representative (if any);
• The identity and address of the data operator or the entity that processes personal data on behalf of the data operator (if any);
• The purpose of the processing;
• The list of personal data which may be collected and processed;
• The authorized types of processing;
• The term for which the consent remains valid;
• Means for revocation of consent; and
• The data subject’s signature.

For personal data allowed by the personal data subject for dissemination there must be a separate form of consent containing following information:

• Full name of the data subject;
• Contact information for the data subject (telephone number, e-mail address or postal address);
• Information on the data operator, including name, registered address, taxpayer identification number, and state registration number (if known to the data subject);
• Information about the information resources of the data operator, through which the processing of the personal data and access to the data will be provided, including identification of the protocol (http or https), server (www), domain, the directory on the server and file name of the web page;
• Purpose(s) of personal data processing;
• Descriptions of the personal data for which the consent is given, including “standard” personal data, any special categories of personal data, and any biometric data;
• Categories and list of personal data, for which the data subject establishes conditions and prohibitions;
• Conditions under which the personal data may be transmitted by the operator only through its internal network, providing access to information only for strictly defined employees, or using information and telecommunication networks, or without transmitting the personal data (to be filled in at the request of the personal data subject);
• The period of validity of the consent.

Consent in any case may be revoked at any time.

A key feature of Russian personal data law involves what is often referred to as the “Data Localization Rule” instituted in 2015. The Data Localization Rule requires all data operators to store and process any personal data of Russian individuals within databases located in Russia (subject to few exceptions). The penalty for violation of this requirement is ultimately the blocking of websites involving unlawful handling of Russian personal data and fines up to ₽6 000 000 and up to ₽18 000 000 for repeated violations.

According to DPA, storing and processing of personal data of Russian individuals outside of Russia can still be compliant with the law as long as the primary (often interpreted as initial) storage and other processing activities prescribed by DPA is done in Russia. As one can imagine, compliance with the Data Localization Rule can be complicated for international data operators.

The DC is required to only collect personal data for a lawful purpose connected to its the activity and when the data is necessary for that purpose (article 42). 

When collecting personal data, the DC is required to inform the data subject of the following: 

• identity and contact details;
• purposes for which personal data are collected;
• recipients of such personal data;
• whether the data subject had the right to provide personal data voluntarily or mandatorily;
• the existence of the right to withdraw consent at any time and that such withdrawal does not affect the lawfulness of the processing of personal data based on consent before its withdrawal;
• the existence of the right to request from the DC access and ratification, restriction or erasure of personal data concerning the data subject or to object to the processing of the data;
• the existence of automated decision-making including profiling, and information about the logic involved, as well as the significance and the envisaged consequences of such processing personal data for the data subject;
• the period for which personal data will be stored;
• the right to appeal to the supervisory authority;
• where applicable, that the DC can transfer personal data outside of Rwanda and assures the data subject of the personal data security;
• any further information likely to guarantee fair processing of the personal data, having regard to the specific circumstances in which the data are collected. 

The DC is not subject to the above disclosure requirements if: 

• the data subject already has the information;
• the provision of such information proves impossible or involves a disproportionate effort; or
• the recording or disclosure of the personal data is required by the Data Protection Law. 

The DC or DP must handle personal data for lawful purposes which include the following (article 46): 

• the data subject’s consent to process their personal data for purpose explained to them;
• processing is necessary:
  • for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  • for the execution a legal obligation to which the DC is subject;
  • for the protection of vital interests of the data subject or any other person;
  • for the performance of a duty carried out in the public interests or in the exercise of official authority vested in the DC;
  • for the performance of duties of a public entity;
• the processing is intended for legitimate interests pursued by the DC or by a third party to whom the personal data are disclosed, unless the processing is unwarranted in any particular case having regard to the prejudice to the rights and freedoms or legitimate interests pursued by the data subject;
• the processing is carried out for research purposes upon authorization by relevant institution. 

The Data Protection Law also provides for requirements relating to the processing of personal data of a child under the age of 16 years which include the following (article 9): 

• processing of the child’s personal data is subject to obtaining the consent of the holder of parental responsibility over the child;
• the consent obtained on behalf of the child must be given in the child’s interest to be acceptable;
• the consent is not required if it is necessary for protecting the vital interest of the child. 

The DC or DP must store personal data in Rwanda. Storage of personal data outside of Rwanda is only permitted if the DC or DP holds a valid registration certificate authorising them to transfer or store personal data outside Rwanda (article 50).

The PDPL applies to any processing of personal data related to individuals that takes place in KSA by any means, including the processing of personal data related to individuals residing in KSA by any means by any entity outside KSA.

Under the PDPL, the primary legal basis for processing of personal data is consent of the data subject. However, the PDPL also provides for circumstances where consent is not required for processing of personal data.

Processing is any operation performed on personal data. The most common are collection, operation, management, retention or transfer, copying, and to some extent, interconnection.¹

The controller of personal data is defined as the natural or legal person, public or moral; any other body or association which alone or jointly with others, makes the decision to collect and process  personal data and determine the purposes.²

The provisions of Article 34 of the aforementioned law requires the person in charge of the procedure to treat personal data lawfully, fairly and not fraudulently. The collection and processing of personal data can not be done freely. The law speaks of a collection for legitimate purposes, for specific explicit purposes.

Personal data must be treated confidentially and be protected, especially if the processing involves data transmissions in a network.³

The collection and further processing of personal data has to be legitimate and legally grounded, meaning pursuant to the data subject's consent or as specifically provided by law.

Under the DP Law (substantially the same as under the GDPR), there are a few instances where a data subject's personal data may be processed without the data subject’s consent, as follows:

1. processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;
2. processing is necessary for compliance with a legal obligation to which the data controller is subject;
3. processing is necessary to protect the vital interests of the data subject or of another natural person;
4. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller; and
5. processing is necessary for the purposes of the legitimate interest pursued by the data controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a minor (i.e. an individual under the age of 18) (“Specific Cases”).

Apart from the Specific Cases, prior informed consent from data subjects is generally required to collect and process personal data, meaning that any request for consent has to contain all the information on the particular processing which is explicitly prescribed by the DP Law (for example, the data subject must be notified of the purpose and legal grounds for the processing, information on other recipients of the data in cases when the data is disclosed to entities other than the data controller and information on the statutory rights of the data subjects in relation to the respective processing, etc.).

Although consent is necessary (when none of the Specific Cases is applicable), it does not automatically mean that any processing, to which a data subject has consented will be regarded by the DPA as compliant with the DP Law. There are also other conditions which must be met under the DP Law (e.g. the purpose must be legitimate and clearly determined and the type and scope of processed data must be proportionate to the respective purpose).

In addition to written consent, the DP Law explicitly introduces other forms of consent, such as online consent, oral consent or consent by other clear affirmative action provided that the controller is able to demonstrate that the data subject has indeed consented.

The conditions for obtaining consent have become much stricter under the DP Law than compared to the previous legislation. Similar to the GDPR, consent must be freely given, specific, informed and unambiguous. For example the request for consent — when presented in a written document — must be clearly distinguishable from all other matters, using clear and plain language (meaning catch-all clauses will not be valid). Further, consent will not be considered freely given if the performance of a contract is conditional on the consent to the processing of personal data that is not necessary for its performance.

In addition, one important novelty introduced by the DP Law (and similar to the GDPR), is that it does not apply only to the processing of data carried out by Serbian controllers and processors, but also to the processing of data by controllers and processors based outside of Serbia whose processing activities relate to the offering of goods or services (even if offered for free) or monitoring the behavior of Serbian data subjects within Serbia. As a result, a number of these controllers and processors will need to appoint representatives in Serbia for correspondence with the DPA and the data subjects on all issues related to processing.

The data protection principles set out in the Act apply to personal data held by data users. Those data protection principles are as follows:

• the information to be contained in personal data shall be obtained, and personal data shall be processed, fairly and lawfully

• personal data shall be held only for one or more specified and lawful purposes

• personal data held for any purpose or purposes shall not be used or disclosed in any manner incompatible with that purpose or those purposes

• personal data held for any purpose or purposes shall be adequate, relevant and not excessive in relation to that purpose or those purposes

• personal data shall be accurate and, where necessary, kept up to date

• personal data held for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes

• an individual shall be entitled:
  • at reasonable intervals, and without undue delay or expenses to be informed by any data user whether he holds personal data of which that individual is the subject
  • to access to any such data held by a data user, and
  • where appropriate, to have such data corrected or erased.

Organizations may only collect, use or disclose personal data in the following scenarios:

• They obtain express consent from the individual prior to the collection, use, or disclosure of the personal data (and such consent must not be a condition of providing a product or service, beyond what is reasonable to provide such product or service; and must not be obtained through the provision of false or misleading information or through deceptive or misleading practices), and have also provided the relevant data protection notice (notifying purposes of collection, use and disclosure) to the individual before, or at the time when they are collecting, using or disclosing the personal data. It is also possible to obtain the deemed consent of the individual to the collection, use, or disclosure of the personal data in accordance with the relevant conditions of the Act (see the Personal Data Protection Regulations 2021).
• Where the limited specific exclusions prescribed in the Act apply (if no consent or deemed consent is given). Such exclusions include vital interests of individuals, matters affecting public, legitimate interests, business asset transactions, business improvement purposes and other additional bases.

The Act currently in force expanded the concept of “deemed consent” to cover circumstances where: (i) the collection, use or disclosure of personal data is reasonably necessary to conclude or perform a contract or transaction; or (ii) (a) where individuals have been notified of the purpose of the intended collection, use or disclosure of personal data, given a reasonable opportunity to opt-out, and have not opted out, and (b) the organization has conducted an assessment on the likely adverse effect on such individuals, and identified and put in place reasonable measures to eliminate, reduce the likelihood of or mitigate any such adverse effect.

An individual may at any time withdraw any consent given, or deemed given under the Act, upon giving reasonable notice to the organization.

Further, any collection, use or disclosure of the personal data must only be for the purposes that a reasonable person would consider appropriate in the circumstances, and for purposes to which the individual has been notified of. Such notification must be made in accordance with the requirements of the Act.

An organization must also do all of the following:

• Make information about its data protection policies, practices and complaints process publicly available.
• Cease to retain personal data or anonymize it where it is no longer necessary for any business or legal purpose. Ensure personal data collected is accurate and complete if likely to be used to make a decision about the individual or disclosed.
• Respond to requests by data subjects under their statutory rights, including a new right of data portability (this right is expected to come into force soon).

Data intermediaries that process personal data on behalf of another organization (i.e. data controller) pursuant to a written contract are exempt from most of the data protection obligations under the PDPA. However, data intermediaries are directly liable under two specific obligations relating to the retention (see above) and protection (see Security) of personal data.

Data protection management program (“DPMP”) and data protection impact assessment (“DPIA”) guides were published by the Commission in November 2017 and updated in September 2021.

National Ordinance Personal Data Protection 

Collection: a natural or legal person, public authority, agency or other body which who has control over a person registration. 

Processor: a natural or legal person, public authority, agency or other body which who owns all or part of the has equipment in his possession, with which a personal registration of which he is not the holder. 

GDPR

Collection: a natural or legal person, public authority, agency or other body that collect personal data and use it for certain purposes, like a website that markets to users based on their online behaviour. 

Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. Processors act on behalf of the relevant controller and under their authority.

EU regulation

Data Protection Principles

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under these principles, personal data must be:

• Processed lawfully, fairly and in a transparent manner (the "lawfulness, fairness and transparency principle")
• Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (the "purpose limitation principle")
• Adequate, relevant and limited to what is necessary in relation to the purpose(s) (the "data minimization principle");
• Accurate and where necessary kept up to date (the "accuracy principle")
• Kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which the data are processed (the "storage limitation principle")
• Processed in a manner that ensures appropriate security of the personal data, using appropriate technical and organizational measures (the "integrity and confidentiality principle")

The controller is responsible for and must be able to demonstrate compliance with the above principles (the "accountability principle"). Accountability is a core theme of the GDPR. Organizations must not only comply with the GDPR but also be able to demonstrate compliance for potentially years after a particular decision relating to processing personal data was rendered. Record-keeping, auditing and appropriate governance will all play a key role in achieving accountability.

Legal Basis under Article 6

In addition, in order to satisfy the lawfulness principle, each use of personal data must be justified by reference to an appropriate basis for processing. The legal bases (also known lawful bases or lawful grounds) under which personal data may be processed are (Article 6(1)):

• With the consent of the data subject (where consent must be "freely given, specific, informed and unambiguous", and must be capable of being withdrawn at any time)
• Where necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract
• Where necessary to comply with a legal obligation (of the EU) to which the controller is subject
• Where necessary to protect the vital interests of the data subject or another person (generally recognised as being limited to 'life or death' scenarios, such as medical emergencies)
• Where necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller
• Where necessary for the purposes of the legitimate interests of the controller or a third party (which is subject to a balancing test, in which the interests of the controller must not override the interests or fundamental rights and freedoms of the data subject. Note also that this basis cannot be relied upon by a public authority in the performance of its tasks)

Special Category Data

Processing of special category data is prohibited (Article 9), except where one of the following exemptions applies (which, in effect, operate as secondary bases which must be established for the lawful processing of special category data, in addition to an Article 6 basis):

• With the explicit consent of the data subject
• Where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and social protection law or a collective agreement
• Where necessary to protect the vital interests of the data subject or another natural person who is physically or legally incapable of giving consent
• In limited circumstances by certain not-for-profit bodies
• Where processing relates to the personal data which are manifestly made public by the data subject
• Where processing is necessary for the establishment, exercise or defence of legal claims or where courts are acting in their legal capacity
• Where necessary for reasons of substantial public interest on the basis of Union or Member State law, proportionate to the aim pursued and with appropriate safeguards
• Where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, provision of health or social care or treatment of the management of health or social care systems and services
• Where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of health care and of medical products and devices
• Where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with restrictions set out in Article 89(1)

Member States are permitted to introduce domestic laws including further conditions and limitations for processing with regard to processing genetic data, biometric data and health data.

Criminal Convictions and Offences data

Processing of personal data relating to criminal convictions and offences is prohibited unless carried out under the control of an official public authority, or specifically authorized by Member State domestic law. (Article 10).

Processing for a Secondary Purpose

Increasingly, organisations wish to re-purpose personal data - ie, use data collected for one purpose for a new purpose which was not disclosed to the data subject at the time the data were first collected. This is potentially in conflict with the core principle of purpose limitation; to ensure that the rights of data subjects are protected. The GDPR sets out a series of factors that the controller must consider to ascertain whether the new process is compatible with the purposes for which the personal data were initially collected (Article 6(4)). These include:

• Any link between the original purpose and the new purpose
• The context in which the data have been collected
• The nature of the personal data, in particular whether special categories of data or data relating to criminal convictions are processed (with the inference being that if they are it will be much harder to form the view that a new purpose is compatible)
• The possible consequences of the new processing for the data subjects
• The existence of appropriate safeguards, which may include encryption or pseudonymisation

If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new purpose are consent or a legal obligation (more specifically an EU or Member State law which constitutes a necessary and proportionate measure in a democratic society).

Transparency (Privacy Notices)

The GDPR places considerable emphasis on transparency, i.e. the right for a data subject to understand how and why his or her data are used, and what other rights are available to data subjects to control processing. The presentation of granular, yet easily accessible, privacy notices should, therefore, be seen as a cornerstone of GDPR compliance.

Various information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using clear and plain language (Article 12(1)).

The following information must be provided (Article 13) at the time the data are obtained:

• The identity and contact details of the controller
• The data protection officer's contact details (if there is one)
• Both the purpose for which data will be processed and the legal basis for processing, including, if relevant, the legitimate interests for processing
• The recipients or categories of recipients of the personal data
• Details of international transfers
• The period for which personal data will be stored or, if that is not possible, the criteria used to determine this
• The existence of rights of the data subject including the right to access, rectify, require erasure, restrict processing, object to processing and data portability
• Where applicable, the right to withdraw consent, and the right to complain to supervisory authorities
• The consequences of failing to provide data necessary to enter into a contract
• The existence of any automated decision making and profiling and the consequences for the data subject
• In addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that further processing, providing the above information

Somewhat different requirements apply (Article 14) where information has not been obtained from the data subject.

Rights of the Data Subject

Data subjects enjoy a range of rights to control the processing of their personal data, some of which are very broadly applicable, whilst others only apply in quite limited circumstances. Controllers must provide information on action taken in response to requests within one calendar month as a default, with a limited right for the controller to extend this period thereby a further two months where the request is onerous.

Right of access (Article 15)

A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information about the how the data have been used by the controller.

Right to rectify (Article 16)

Data subjects may require inaccurate or incomplete personal data to be corrected or completed without undue delay.

Right to erasure ('right to be forgotten') (Article 17)

Data subjects may request erasure of their personal data. The forerunner of this right made headlines in 2014 when Europe’s highest court ruled against Google (Judgment of the CJEU in Case C-131/12), in effect requiring Google to remove search results relating to historic proceedings against a Spanish national for an unpaid debt on the basis that Google as a data controller of the search results had no legal basis to process that information.

The right is not absolute; it only arises in quite a narrow set of circumstances, notably where the controller no longer needs the data for the purposes for which they were collected or otherwise lawfully processed, or as a corollary of the successful exercise of the objection right, or of the withdrawal of consent.

The Court of Justice of the European Union delivered two judgments on 24 September 2019 in case of 'Right to be forgotten'.

The first decision of the CJEU provides important explanations on the conditions under which persons may delete a link found in a search result if the linked page contains information related to sensitive information (such as their religion, their political opinion or the existence of a conviction for crime). It also provides useful information about the public's interest in accessing information that has become incomplete or outdated due to the passage of time (Judgment of the CJEU in Case C-136/17).

In its second decision, the CJEU decided on the geographical scope of the right to remove links from search results after entering the first name and last name. The CJEU limits the effect of the right of removal from search results to results from European territory only - in other words, removing results in the EU but not worldwide. Search results will therefore remain accessible based on searches conducted outside the European Union. (Judgment of the CJEU in Case C-507/17).

Right to restriction of processing (Article 18)

Data subjects enjoy a right to restrict processing of their personal data in defined circumstances. These include where the accuracy of the data is contested; where the processing is unlawful; where the data are no longer needed save for legal claims of the data subject, or where the legitimate grounds for processing by the controller are contested.

Right to data portability (Article 20)

Where the processing of personal data is justified either on the basis that the data subject has given his or her consent to processing or where processing is necessary for the performance of a contract, then the data subject has the right to receive or have transmitted to another controller all personal data concerning him or her in a structured, commonly used and machine-readable format (eg, commonly used file formats recognised by mainstream software applications, such as .xsl).

Right to object (Article 21)

Data subjects have the right to object to processing on the legal basis of the legitimate interests of the data controller or where processing is in the public interest. Controllers will then have to suspend processing of the data until such time as they demonstrate “compelling legitimate grounds” for processing which override the rights of the data subject.

In addition, data subjects enjoy an unconditional right to object to the processing of personal data for direct marketing purposes at any time.

The right not to be subject to automated decision making, including profiling (Article 22)

Automated decision making (including profiling) "which produces legal effects concerning [the data subject] … or similarly significantly affects him or her" is only permitted where:

1. Necessary for entering into or performing a contract
2. Authorised by EU or Member State law
3. The data subject has given their explicit (ie, opt-in) consent

Further, where significant automated decisions are taken on the basis of grounds (a) or (c), the data subject has the right to obtain human intervention, to contest the decision, and to express his or her point of view.

---

Slovak Republic regulation

Collection and processing of personal data is governed by the GDPR.

However, there is specific regulation in this respect in the fourth part of the Slovak Data Protection Act. Pursuant to Section 78 of the Slovak Data Protection Act, these specific situations are as follows:

• A controller may process personal data without the consent of a data subject if the processing of personal data is necessary for academic, artistic or for literary purposes;
• A controller may process personal data without the consent of a data subject if the processing of personal data is necessary for the purposes of informing the public by means of mass media and if the personal data are processed by a controller which is authorised to do such business activity;
• A controller who is the employer of a data subject is authorized to provide his / her personal data or to make public his / her personal data in the scope of academic title, name, surname, position, personal employee´s number, department, place of work performance, telephone number, fax number, work email address and the identification details of employer, if this is necessary in connection with the performance of the employment duties of a data subject. Such provision of personal data or making them public shall not interfere with the reputability, dignity and security of a data subject;
• In the processing of personal data, a birth number may be used for the purpose of identifying a natural person only if its use is necessary for the purpose of processing. A data subject shall grant the explicit consent. Processing of a birth number on the legal basis of consent of a data subject shall not be excluded by a special regulation. Making public a birth number is prohibited; this does not apply if a data subject makes public a birth number;
• A controller may process genetic, biometric and health-related data on the legal basis of a special regulation or an international treaty to which the Slovak Republic is bound;
• Personal data on the data subject may be obtained from another natural person and processed in the information system with the prior written consent of data subject only; this does not apply if another natural person by providing personal data about the data subject to the information system, protects his own rights or legally protected interests, reports the facts that justify the application of legal liability of the data subject or personal data are processed on the basis of a special act. Upon request of Office, the person who processes such personal data must be able to prove to the Office that he / she has obtained personal data in accordance with this act.
• If a data subject is dead, the consent required may be given by a close person. The consent is not valid if at least one close person has disagreed in writing.
• If a data subject is dead, the consent required may be given by a close person. The consent is not valid if at least one close person has disagreed in writing.
• When processing personal data for archiving, scientific purposes, historical research or statistical purposes, the controller and the intermediary are obliged to accept adequate guarantees for the rights of the data subject. These guarantees shall include the establishment of adequate and effective technical and organizational measures, in particular to ensure compliance with the principles of data minimization and pseudonymisation. This does not apply to the processing of personal data of deceased persons.

Data Protection Principles

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under these principles, personal data must be (Article 5 GDPR):

• processed lawfully, fairly and in a transparent manner (the "lawfulness, fairness and transparency principle");
• collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (the "purpose limitation principle");
• adequate, relevant, and limited to what is necessary in relation to the purpose(s) (the "data minimization principle");
• accurate and where necessary kept up to date (the "accuracy principle");
• kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which the data are processed (the "storage limitation principle"); and
• processed in a manner that ensures appropriate security of the personal data, using appropriate technical and organizational measures (the "integrity and confidentiality principle").

The controller is responsible for and must be able to demonstrate compliance with the above principles (the "accountability principle"). Accountability is a core theme of the GDPR. Organizations must not only comply with the GDPR but also be able to demonstrate compliance perhaps years after a particular decision relating to processing personal data was taken. Record keeping, audit and appropriate governance will all form a key role in achieving accountability.

Legal Basis under Article 6

In addition, in order to satisfy the lawfulness principle, each use of personal data must be justified by reference to an appropriate basis for processing. The legal bases (also known lawful bases or lawful grounds) under which personal data may be processed are (Article 6(1) GDPR):

• with the consent of the data subject (where consent must be "freely given, specific, informed and unambiguous", and must be capable of being withdrawn at any time);
• where necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract;
• where necessary to comply with a legal obligation (of the EU) to which the controller is subject;
• where necessary to protect the vital interests of the data subject or another person (generally recognized as being limited to 'life or death' scenarios, such as medical emergencies);
• where necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller; or
• where necessary for the purposes of the legitimate interests of the controller or a third party (which is subject to a balancing test, in which the interests of the controller must not override the interests or fundamental rights and freedoms of the data subject. Note also that this basis cannot be relied upon by a public authority in the performance of its tasks).

Special Category Data

Processing of special category data is prohibited (Article 9 GDPR), except where one of the following exemptions applies (which, in effect, operate as secondary bases which must be established for the lawful processing of special category data, in addition to Article 6 GDPR basis):

• with the explicit consent of the data subject;
• where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and
• social protection law or a collective agreement;
• where necessary to protect the vital interests of the data subject or another natural person who is physically or legally
• incapable of giving consent;
• in limited circumstances by certain not-for-profit bodies;
• where processing relates to the personal data which are manifestly made public by the data subject;
• where processing is necessary for the establishment, exercise or defense of legal claims or where courts are acting in their legal capacity;
• where necessary for reasons of substantial public interest on the basis of Union or Member State law, proportionate to the aim pursued and with appropriate safeguards;
• where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, provision of health or social care or treatment of the management of health or social care systems and services;
• where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of health care and of medical products and devices; or
• where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with restrictions set out in Article 89(1) GDPR.

ZVOP-2 includes further conditions and limitations for processing with regard to processing genetic data, biometric data and data related to ethnicity and race. Part 13 of Patients’ Rights Act sets forth further limitations with regard to processing health data.

Criminal Convictions and Offences data

Processing of personal data relating to criminal convictions and offences is prohibited unless carried out under the control of an official public authority, or specifically authorized by Member State domestic law (Article 10 GDPR).

In accordance with Article 10(2) ZVOP-2, processing of personal data relating to criminal convictions and offences is only allowed if it so prescribed by the law, including:

• further specification of the purpose of such processing, which must be in the public interest;
• types of data which can be processed;
• data subjects;
• entities / individuals to whom such data can be disclosed;
• specification of purpose of disclosure including its limitations;
• data retention limits; and
• measures ensuring lawful and fair processing.

Processing for a Secondary Purpose

Increasingly, organizations wish to 're-purpose' personal data - i.e. use data collected for one purpose for a new purpose which was not disclosed to the data subject at the time the data were first collected. This is potentially in conflict with the core principle of purpose limitation; to ensure that the rights of data subjects are protected. The GDPR sets out a series of factors that the controller must consider ascertaining whether the new process is compatible with the purposes for which the personal data were initially collected (Article 6(4) GDPR). These include:

• any link between the original purpose and the new purpose;
• the context in which the data have been collected;
• the nature of the personal data, in particular whether special categories of data or data relating to criminal convictions are processed (with the inference being that if they are it will be much harder to form the view that a new purpose is compatible)
• the possible consequences of the new processing for the data subjects; and
• the existence of appropriate safeguards, which may include encryption or pseudonymization.

If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new purpose are consent or a legal obligation (more specifically an EU or Member State law which constitutes a necessary and proportionate measure in a democratic society).

Additionally, in accordance with Article 7 ZVOP-2 processing of personal data for secondary purposes is only possible if the processing is:

• in public interest;
• done by authorities in the public sector, when carrying out their legal obligations;
• allowed based on the law; and
• done in accordance with Article 6(4) GDPR.

Transparency (Privacy Notices)

The GDPR places considerable emphasis on transparency, i.e. the right for a data subject to understand how and why his or her data are used, and what other rights are available to data subjects to control processing. The presentation of granular, yet easily accessible, privacy notices should, therefore, be seen as a cornerstone of GDPR compliance.

Various information must be provided by controllers to data subjects in a concise, transparent, and easily accessible form, using clear and plain language (Article 12(1) GDPR).

The following information must be provided (Article 13 GDPR) at the time the data are obtained:

• the identity and contact details of the controller;
• the data protection officer's contact details (if there is one);
• both the purpose for which data will be processed and the legal basis for processing, including, if relevant, the legitimate interests for processing;
• the recipients or categories of recipients of the personal data;
• details of international transfers;
• the period for which personal data will be stored or, if that is not possible, the criteria used to determine this;
• the existence of rights of the data subject including the right to access, rectify, require erasure, restrict processing, object to processing and data portability;
• where applicable, the right to withdraw consent, and the right to complain to supervisory authorities;
• the consequences of failing to provide data necessary to enter into a contract;
• the existence of any automated decision making and profiling and the consequences for the data subject; and
• in addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that further processing, providing the above information.

Somewhat different requirements apply (Article 14 GDPR) where information has not been obtained from the data subject.

Rights of the Data Subject

Data subjects enjoy a range of rights to control the processing of their personal data, some of which are very broadly applicable, whilst others only apply in quite limited circumstances. Controllers must provide information on action taken in response to requests within one calendar month as a default, with a limited right for the controller to extend this period thereby a further two months where the request is onerous.

Right of access (Article 15 GDPR)

A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information about the how the data have been used by the controller.

Right to rectify (Article 16 GDPR)

Data subjects may require inaccurate or incomplete personal data to be corrected or completed without undue delay.

Right to erasure ('right to be forgotten') (Article 17 GDPR)

Data subjects may request erasure of their personal data. The forerunner of this right made headlines in 2014 when Europe’s highest court ruled against Google (Judgment of the CJEU in Case C-131/12), in effect requiring Google to remove search results relating to historic proceedings against a Spanish national for an unpaid debt on the basis that Google as a data controller of the search results had no legal basis to process that information.

The right is not absolute; it only arises in quite a narrow set of circumstances, notably where the controller no longer needs the data for the purposes for which they were collected or otherwise lawfully processed, or as a corollary of the successful exercise of the objection right, or of the withdrawal of consent.

Right to restriction of processing (Article 18 GDPR)

Data subjects enjoy a right to restrict processing of their personal data in defined circumstances. These include where the accuracy of the data is contested; where the processing is unlawful; where the data are no longer needed save for legal claims of the data subject, or where the legitimate grounds for processing by the controller are contested.

Right to data portability (Article 20 GDPR)

Where the processing of personal data is justified either on the basis that the data subject has given his or her consent to processing or where processing is necessary for the performance of a contract, then the data subject has the right to receive or have transmitted to another controller all personal data concerning him or her in a structured, commonly used and machine-readable format (e.g. commonly used file formats recognized by mainstream software applications, such as .xsl).

Right to object (Article 21 GDPR)

Data subjects have the right to object to processing on the legal basis of the legitimate interests of the data controller or where processing is in the public interest. Controllers will then have to suspend processing of the data until such time as they demonstrate “compelling legitimate grounds” for processing which override the rights of the data subject.

In addition, data subjects enjoy an unconditional right to object to the processing of personal data for direct marketing purposes at any time.

The right not to be subject to automated decision making, including profiling (Article 22 GDPR)

Automated decision making (including profiling) "which produces legal effects concerning [the data subject] … or similarly significantly affects him or her" is only permitted where:

1. necessary for entering into or performing a contract;
2. authorised by EU or Member State law; or
3. the data subject has given their explicit (i.e. opt-in) consent.

Further, where significant automated decisions are taken on the basis of grounds (a) or (c), the data subject has the right to obtain human intervention, to contest the decision, and to express his or her point of view.

ZVOP-2 adds only specifications to the general processing requirements. The age for consent of children for the purposes of Article 8(1) GDPR is 15 years, unless general terms and conditions of the processor set forth a higher age limit. If consent is given by children under age 15, it is only valid if it is approved by the child’s parent or legal guardian.

ZVOP-2 sets forth further requirements regarding special areas of personal data processing:

1. processing of personal data for the purposes of scientific research, statistical research and for historic / archival purposes;
   
   For such purposes, processing of personal data (including special categories of personal data) is allowed by organizations and / or researchers if in the course of their activities they apply ethical principles and methodology in accordance with their field of research.
   
   Processing is permitted if:
   • it is permitted by law; or
   • the data subject has not prohibited processing of his / her personal data for such research purposes; or
   • the data subject has given written consent for the processing of his / her personal data if personal data means professional secrecy.
     
     Furthermore, research organizations and / or researchers can access certain types of personal data if they fulfil specific conditions and requirements.
2. processing of personal data in the context of exercising freedom of speech;
   
   Under certain circumstances, especially if personal data has already been publicly disclosed, if individuals cannot expect protection of his / her privacy or the public interest exists, personal data can be published and processed when exercising freedom of speech.
3. video surveillance;
   
   If authorized persons want to introduce video surveillance, they must publish a notification. Apart from requirements provided for in Article 13(1) GDPR, the controller must publish some additional information either on the site or on websites. If such notification is published, it can be subsumed that the individual has been informed about video surveillance. Videos can be stored in accordance with Article 5 GDPR for up to 1 year since the video has been made.
   
   In any case, video surveillance is prohibited in elevators, toilets, hotel rooms, changing rooms and any premises in which the individual expects higher level of protection of his / her privacy.
   
   Some further conditions and requirements are set forth for video surveillance in workplaces, business premises, public transport, or public places.
4. processing of biometric and genetic data;
   
   Processing of biometric and genetic data is very restricted and is only allowed if certain conditions / circumstances in accordance with ZVOP-2 are met.
5. evidence of entrance and exists in business premises;
6. publicly available databases;
7. data processing of contact data and personal documents of employees and / or other individuals who are key contacts for conducting a business (both in the private and public sector).

"Processing" of information is defined in POPIA as any operation or activity or any set of operations, whether or not by automatic means,concerning personal information, including:

• The collection, receipt, recording, organization, collation, storage, updating or modification, retrieval, alteration, consultation or use;
• Dissemination by means of transmission, distribution or making available in any other form; and
• Merging, linking, as well as blocking, degradation, erasure or destruction of information.

POPIA prescribes the following eight conditions for lawful processing of personal information:

• Accountability: The responsible party must comply with all the conditions for lawful processing.
• Purpose specification: Personal information must only be collected for a specific, explicitly defined lawful purpose related to a function or activity of the responsible party.
• Processing limitation: Processing must be justified on a ground recognized under POPIA (e.g. consent / legitimate interests of the data subject, responsible party or the third party to whom the information is supplied).
• Further processing limitation: Processing must be in accordance with or compatible with the purpose for which it was initially collected subject to limited exceptions.
• Information quality: Steps must be taken to ensure that the information is complete, accurate, not misleading and updated where necessary.
• Openness: Notification requirements must be complied with when collecting personal information.
• Security safeguards: Appropriate, reasonable technical and organizational measures must be implemented and maintained to prevent loss of, damage to or unauthorized destruction of or unlawful access to personal information.
• Data subject participation: Data subjects have the right to request details of the personal information that a responsible party holds about them and, in certain circumstances, request access to such information.

Under the PIPA, there must be a specific legitimate basis for collection and use of personal information, with the most representative basis being the data subject's consent. As a result, in principle, the explicit consent of data subjects must be obtained before processing their personal information. However, the data subjects' consent is not required in cases where the processing of personal information is prescribed by a statute or where it is necessary for an entity to process personal information in order to comply with its legal obligations.

Exceptions to the general rule above which are applicable to personal data controller are as follows:

• where special provisions exist in other statutes or it is unavoidable due to obligations under statutes or regulations;
• where it is unavoidable for a public institution’s performance of work under its jurisdiction as prescribed by statutes or regulations, etc.;
• where it is necessary to perform an agreement entered into with a data subject or to take measures as requested by a data subject in the course of executing such agreement;
• where it is deemed manifestly necessary for the protection, from imminent danger, of life, bodily and property interests of a data subject or a third party;
• where it is necessary to attain the legitimate interests of a personal data controller, the interest of which is manifestly superior to the rights of the data subject. In such cases, processing shall be allowed only to the extent the processing is substantially related to the legitimate interests of the personal information controller and does not go beyond a reasonable scope;
• where it is urgently necessary for public safety and security, public health, etc.

While one consent form may be used, separate consents must be obtained respectively for each type of processing activity (e.g. collection and use, third party provision) and for different types of personal information (e.g. unique identification information and sensitive information).

Under the PIPA, data subjects must be informed of, and provide their consent to, the following matters before their personal information is collected and / or used:

• the purpose of the collection and use;
• the items of personal information that will be collected;
• the duration of the possession and use of the personal information; and
• the fact that the data subject has a right to refuse to give consent and the negative consequences or disadvantages that may result due to any such refusal.

The processing of the RRN (which is a type of unique identification information) is prohibited even with the consent of the data subject unless the processing is explicitly required or permitted under a statute.

If the data subject is under the age of 14, the consent of their legal guardian must be obtained.

EU regulation

Data Protection Principles

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under these principles, personal data must be (Article 5):

• processed lawfully, fairly and in a transparent manner (the "lawfulness, fairness and transparency principle");
• collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (the "purpose limitation principle");
• adequate, relevant and limited to what is necessary in relation to the purpose(s) (the "data minimization principle");
• accurate and where necessary kept up to date (the "accuracy principle");
• kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which the data are processed (the "storage limitation principle"); and
• processed in a manner that ensures appropriate security of the personal data, using appropriate technical and organizational measures (the "integrity and confidentiality principle").

The controller is responsible for and must be able to demonstrate compliance with the above principles (the "accountability principle"). Accountability is a core theme of the GDPR. Organisations must not only comply with the GDPR but also be able to demonstrate compliance perhaps years after a particular decision relating to processing personal data was taken. Record keeping, audit and appropriate governance will all form a key role in achieving accountability.

Legal Basis under Article 6

In addition, in order to satisfy the lawfulness principle, each use of personal data must be justified by reference to an appropriate basis for processing. The legal bases (also known lawful bases or lawful grounds) under which personal data may be processed are (Article 6(1)):

• with the consent of the data subject (where consent must be "freely given, specific, informed and unambiguous", and must be capable of being withdrawn at any time);
• where necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract;
• where necessary to comply with a legal obligation (of the EU) to which the controller is subject;
• where necessary to protect the vital interests of the data subject or another person (generally recognised as being limited to 'life or death' scenarios, such as medical emergencies);
• where necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller; or
• where necessary for the purposes of the legitimate interests of the controller or a third party (which is subject to a balancing test, in which the interests of the controller must not override the interests or fundamental rights and freedoms of the data subject. Note also that this basis cannot be relied upon by a public authority in the performance of its tasks).

Special Category Data

Processing of special category data is prohibited (Article 9), except where one of the following exemptions applies (which, in effect, operate as secondary bases which must be established for the lawful processing of special category data, in addition to an Article 6 basis):

• with the explicit consent of the data subject;
• where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and social protection law or a collective agreement;
• where necessary to protect the vital interests of the data subject or another natural person who is physically or legally incapable of giving consent;
• in limited circumstances by certain not-for-profit bodies;
• where processing relates to the personal data which are manifestly made public by the data subject;
• where processing is necessary for the establishment, exercise or defence of legal claims or where courts are acting in their legal capacity;
• where necessary for reasons of substantial public interest on the basis of Union or Member State law, proportionate to the aim pursued and with appropriate safeguards;
• where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, provision of health or social care or treatment of the management of health or social care systems and services;
• where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of health care and of medical products and devices; or
• where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with restrictions set out in Article 89(1).

Member States are permitted to introduce domestic laws including further conditions and limitations for processing with regard to processing genetic data, biometric data and health data. 

Indeed, NLOPD has done so in a very intense manner. In 2023, the Spanish AEPD confirmed a new and stricter approach regarding the use of biometric data for monitoring access to offices / workplaces, that should be allowed for the future only in very exceptional circumstances.

Criminal Convictions and Offences data

Processing of personal data relating to criminal convictions and offences is prohibited unless carried out under the control of an official public authority, or specifically authorised by Member State domestic law (Article 10). 

The NLOPD has confirmed this prohibition in very strict terms, with only very extraordinary exceptions (e.g. activities of lawyers and court representatives acting on behalf of their clients, verification imposed by AML law, verification imposed by child-protection law).

Processing for a Secondary Purpose

Increasingly, organisations wish to 're-purpose' personal data – i.e. use data collected for one purpose for a new purpose which was not disclosed to the data subject at the time the data were first collected. This is potentially in conflict with the core principle of purpose limitation; to ensure that the rights of data subjects are protected. The GDPR sets out a series of factors that the controller must consider to ascertain whether the new process is compatible with the purposes for which the personal data were initially collected (Article 6(4)). These include:

• any link between the original purpose and the new purpose;
• the context in which the data have been collected;
• the nature of the personal data, in particular whether special categories of data or data relating to criminal convictions are processed (with the inference being that if they are it will be much harder to form the view that a new purpose is compatible);
• the possible consequences of the new processing for the data subjects; and
• the existence of appropriate safeguards, which may include encryption or pseudonymisation.

If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new purpose are consent or a legal obligation (more specifically an EU or Member State law which constitutes a necessary and proportionate measure in a democratic society).

Transparency (Privacy Notices)

The GDPR places considerable emphasis on transparency, i.e. the right for a data subject to understand how and why his or her data are used, and what other rights are available to data subjects to control processing. The presentation of granular, yet easily accessible, privacy notices should, therefore, be seen as a cornerstone of GDPR compliance.

Various information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using clear and plain language (Article 12(1)).

The following information must be provided (Article 13) at the time the data are obtained: 

• the identity and contact details of the controller;
• the data protection officer's contact details (if there is one);
• both the purpose for which data will be processed and the legal basis for processing, including, if relevant, the legitimate interests for processing;
• the recipients or categories of recipients of the personal data;
• details of international transfers;
• the period for which personal data will be stored or, if that is not possible, the criteria used to determine this;
• the existence of rights of the data subject including the right to access, rectify, require erasure, restrict processing, object to processing and data portability;
• where applicable, the right to withdraw consent, and the right to complain to supervisory authorities;
• the consequences of failing to provide data necessary to enter into a contract;
• the existence of any automated decision making and profiling and the consequences for the data subject; and
• in addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that further processing, providing the above information.

Somewhat different requirements apply (Article 14) where information has not been obtained from the data subject.

Rights of the Data Subject

Data subjects enjoy a range of rights to control the processing of their personal data, some of which are very broadly applicable, whilst others only apply in quite limited circumstances. Controllers must provide information on action taken in response to requests within one calendar month as a default, with a limited right for the controller to extend this period thereby a further two months where the request is onerous.

Right of access (Article 15)

A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information about the how the data have been used by the controller.

Right to rectify (Article 16)

Data subjects may require inaccurate or incomplete personal data to be corrected or completed without undue delay.

Right to erasure ('right to be forgotten') (Article 17)

Data subjects may request erasure of their personal data. The forerunner of this right made headlines in 2014 when Europe’s highest court ruled against Google (Judgment of the CJEU in Case C-131/12), in effect requiring Google to remove search results relating to historic proceedings against a Spanish national for an unpaid debt on the basis that Google as a data controller of the search results had no legal basis to process that information.

The right is not absolute; it only arises in quite a narrow set of circumstances, notably where the controller no longer needs the data for the purposes for which they were collected or otherwise lawfully processed, or as a corollary of the successful exercise of the objection right, or of the withdrawal of consent.

Right to restriction of processing (Article 18)

Data subjects enjoy a right to restrict processing of their personal data in defined circumstances. These include where the accuracy of the data is contested; where the processing is unlawful; where the data are no longer needed save for legal claims of the data subject, or where the legitimate grounds for processing by the controller are contested.

Right to data portability (Article 20)

Where the processing of personal data is justified either on the basis that the data subject has given his or her consent to processing or where processing is necessary for the performance of a contract, then the data subject has the right to receive or have transmitted to another controller all personal data concerning him or her in a structured, commonly used and machine-readable format (e.g. commonly used file formats recognised by mainstream software applications, such as .xls / .xlsx).

Right to object (Article 21)

Data subjects have the right to object to processing on the legal basis of the legitimate interests of the data controller or where processing is in the public interest. Controllers will then have to suspend processing of the data until such time as they demonstrate “compelling legitimate grounds” for processing which override the rights of the data subject.

In addition, data subjects enjoy an unconditional right to object to the processing of personal data for direct marketing purposes at any time. 

The right not to be subject to automated decision making, including profiling (Article 22)

Automated decision making (including profiling) "which produces legal effects concerning [the data subject] … or similarly significantly affects him or her" is only permitted where: 

1. necessary for entering into or performing a contract;
2. authorised by EU or Member State law; or 
3. the data subject has given their explicit (i.e. opt-in) consent.

Further, where significant automated decisions are taken on the basis of grounds (a) or (c), the data subject has the right to obtain human intervention, to contest the decision, and to express his or her point of view.

---

Spain regulation

Data protection principles

The NLOPD foresees certain scenarios where the controller shall not be responsible for inaccurate data (provided it has taken all reasonable measures to ensure deletion or rectification without delay).

Criminal Convictions and Offences data

Article 10 of the NLOPD allows lawyers and procedural representatives to process the information provided by their clients related to criminal convictions and offences for the purposes of rendering the corresponding legal services. There are also other isolated exceptions if and when endorsed by the law (e.g. verification imposed by AML law, verification imposed by child protection law).

Processing of administrative offence or penalties

The processing of personal data related to administrative offences or penalties is permitted if it is carried out by the relevant public bodies having sanctioning powers over such offenses, and only to the extent necessary for achieving their legitimate purposes. If those requirements are not met, the processing shall be allowed by an specific law, or be based on the data subject’s consent.

Please note that lawyers and procedural representatives are also allowed to process the information provided by their clients related to administrative offenses or penalties for the purposes of rendering the corresponding legal services.

Credit Solvency Databases

The NLOPD sets out stringent requirements for including personal data on credit solvency databases. In this regard, the information to be provided to data subjects as well as the particularities of the debt are, among others, key aspects to be taken into account.

CCTV Processing

Under the NLOPD, the processing of images through CCTV is only permitted for security purposes, provided that (i) the data obtained is duly deleted within the corresponding period of time (unless it is relevant for evidence purposes), and (ii) the mandatory notice requirements are met. Additional detailed requirements do apply. 

Whistleblowing

The processing of personal data relating to whistleblowing (including anonymous reporting) is permitted provided that (i) employees are duly informed ,(ii) whistleblowing databases are only accessed by the necessary persons to carry out internal control purposes or to initiate the relevant disciplinary proceedings, and (iii) the data obtained is duly deleted within the mandatory period of time. Additional detailed requirements do apply. 

Unfair competition

The NLOPD generates a new catalogue of “unfair competition practices” linked to personal data.

Data processing for electoral purposes

Political parties, coalitions and electoral groups can use personal data obtained from websites and other public sources to carry out political activities during an election period. Likewise, sending electoral propaganda by electronic means, as well as contracting any such propaganda on social or similar networks will not be deemed a commercial activity.

Transparency (Privacy Notices)

The NLOPD allows (Article11) provision of the information required by Articles 13 and 14 of the GDPR in layers. In this sense, a first layer should include the “basic information” of the relevant processing as well as an immediate and easily accessible form (i.e. a link) to the second layer, where the rest of information to be provided under Articles 13 and 14 of the GDPR shall be included. Please note that the content of the before-mentioned “basic information” depends on each case, but most of the times includes (i) the identity of the controller, (ii) the purpose of the processing, and (iii) the rights under Article 15 – 22 of the GDPR.

Rights of the data subject

Under the NLOPD, a data subject’s right of access is deemed granted when the controller provides him/her with a means that permanently guarantees remote, direct and secure access to his / her personal data. In addition, the NLOPD indicates that more than one right of access request within six months shall be considered repetitive for the purposes of Article 12(5) of the GDPR unless the relevant requests are based on a legitimate reason.

Under the NLOPD, controllers must clearly indicate in their internal information systems the cases where the processing of personal data is restricted.

Blocking right / Blocking duty (NLOPD)

The NLOPD states that following the exercise of rectification or erasure, controllers shall "block" the personal data so that it shall remain available to the relevant public authorities in very specific situations. The NLOPD also offers other alternatives in case the “blocking” of personal data is not feasible or involves a disproportionate effort.

Rights of the deceased

The NLOPD recognizes the right to digital testament. Moreover, the heirs of the deceased are entitled to exercise the rights of access, erasure and rectification of data unless the deceased person would had prohibited it (or if it is not in line with applicable law).

Special category data

The NLOPD deviates from GDPR mainstream approach on special category data. Most of this type of data cannot be processed relying on the consent of the data subject (health, biometric and genetic data being the exception to this ban, but relying on consent may be also not permitted for the latter and even standard data in employment and other contexts). 

Location data

The overall position in Spain is that it may be acceptable provided that:

• users are informed at all times on whether the location system is active and retain full control on the system, freely deciding when to switch it on or off;
• the purposes of the processing are legitimate and proportionate and do not harm in an unfair manner the constitutional rights of the data subjects;
• users have been clearly informed on the circumstances under which they can be located and the purposes of such processing;
• users have the option (especially when being off-duty if the location data is used in an employment context) to turn off the system; and
• if in an employment context, Works Council / representatives of the employees, have been informed in advance about the collection of this type of information and the purposes of the processing (which shall remain within the limits of the authority of the employer to direct, control and monitor workers’ professional activities) 

One of the main originalities of the NLOPD when compared with the GDPR is that it accepts new “digital rights”, including, i.e. Internet neutrality, universal access to Internet, security of online communications, digital education, protection of minors on the Internet, amendment / update of non-accurate information on the Internet, a right to be forgotten-like right not to be found by search engines on the Internet and social networks. 

On top of this, certain provisions of the NLOPD may have an impact on the relationship between a company and its employees (i.e. monitoring of digital devices, digital disconnection of the employees outside working hours, privacy at the workplace).

Similar to the GDPR, the PDPA enshrines certain principles governing the collection and processing of personal data. Each controller must ensure that personal data is processed in compliance with such principles, which are as follows.

• process lawfully;
• process for specified, explicit and legitimate purposes and not further process in a manner that is incompatible with those purposes;
• process personal data which is adequate, relevant and limited to the purpose;
• ensure that personal data is accurate and where necessary kept up to date;
• keep personal data in a form which permits identification of data subjects for no longer than is necessary, for the purpose(s) for which the data are processed;
• process in a manner that ensures appropriate security of the personal data, using appropriate technical and organizational measures;
• process in a transparent manner, providing information on such processing to data subjects; and
• ensure accountability in processing by the implementation of internal controls and procedures that are able to demonstrate compliance with the PDPA, identified as the “Data Protection Management Programme”.

Legal Basis

In order to ensure that processing is ‘lawful’ whenever personal data is processed, such processing should be based on the most appropriate legal basis out of the following grounds provided under the PDPA:

• consent of the data subject (consent should be freely given, specific, informed and unambiguous indication in writing or by affirmative action and capable of being withdrawn at any time);
• necessary for the performance of a contract with the data subject in order to take steps at the request of a data subject to enter into a contract with such data subject;
• necessary for compliance with a legal obligation to which the controller / processor is subject to under Sri Lanka law;
• necessary to respond to an emergency that threatens the life, health or safety of the data subject or another natural person;
• necessary for the performance of a task carried out in the public interest or in the exercise of powers, functions or duties imposed under Sri Lanka law; or
• necessary for the purposes of legitimate interests of the controller or a third party (subject to an assessment where the interests of the controller should be balanced against the rights of the data subjects and accordingly, must not override the interests of the data subject, especially when the data subject is a child).

Special Categories of Personal Data

In addition to the aforesaid lawful grounds, if processing special categories of personal data, a controller is required to satisfy one of the following additional conditions, on the objective basis of being most appropriate:

• consent of the data subject, which in the case of a child will mean the consent of the parent or legal guardian;
• processing is necessary for the purposes of carrying out the obligations of the controller and exercising of the rights of the data subject, in the field of employment, social security including pension and for public health purposes in so far as it is provided for in Sri Lanka Law, providing for appropriate safeguards for rights of the data subject;
• processing is necessary to respond to an emergency that threatens the life, health or safety of the data subject or another natural person who is incapable of giving consent;
• relates to personal data which is manifestly made public by the data subject;
• processing is necessary for the establishment, exercise or defence of legal claims;
• processing is necessary for any purpose as provided for under any written law in Sri Lanka or public interest;
• processing is necessary for medical purposes and where such data is processed by a health professional licensed under or authorized by any written law in Sri Lanka; or
• processing is necessary for archiving purposes in the public interest, scientific, historical research or statistical purposes in accordance with law.

Criminal Investigations

The PDPA provides for the processing of personal data in relation to criminal investigations, only where such processing is carried out in accordance with written laws in Sri Lanka, whilst providing for appropriate safeguards for the rights and freedoms of data subjects, which may be prescribed in the future upon the PDPA becoming operative.

Transparency of Data Processing

Transparency is an important principle enshrined in the PDPA and, as stated above, it aims to ensure that data subjects are aware of how their personal data is processed and understand their rights pertaining to such data.

Accordingly, the PDPA requires controllers to provide detailed information to data subjects in a concise, transparent, intelligible and easily accessible form. Therefore, providing the following information to data subjects at the point of collection of their personal data is imperative, which can be fulfilled by the provision of a privacy notice:

• identity and contact details of the controller;
• contact details of the data protection officer (where there is a DPO);
• intended purpose for collecting personal data and the legal basis for the processing;
• legitimate interest pursued by the controller (where applicable);
• categories of personal data collected;
• right of data subjects to withdraw consent for processing and method of withdrawing such consent (if processing is based on consent);
• recipients and third parties with whom personal data will be shared;
• details of cross border data transfer;
• period of data retention;
• rights of data subjects with regard to their personal data and how such rights may be exercised;
• right to file a complaint with the Data Protection Authority (“Authority”);
• whether the provision of personal data is a statutory or contractual requirement and the consequences of failing to provide such personal data;
• the existence of automated individual decision-making including profiling and the consequences for the data subject.

In addition, when a controller intends to process personal data for a new purpose, a data subject must be informed of such further processing, providing them with the information set out above.

If in any event personal data is collected via means other than direct collection from the data subject, the above information should be provided to the data subject within one month or at the time of the first communication to that data subject or when the personal data is first disclosed to another recipient, whichever event occurs first.

Rights of Data Subjects

The PDPA provides a series of rights for data subjects, largely similar to that of the GDPR. A controller must respond to any written request made by a data subject pertaining to his rights within 21 working days of receiving the request. 

Right to access personal data: data subjects have the right to access their personal data, be provided with confirmation as to whether such personal data has been processed and be provided a copy of such personal data by submitting a written request.

Right to withdraw consent: if processing is based on consent, the data subject has the right to withdraw such consent at any time and the right to request a controller to refrain from further processing of the data subject’s personal data, provided the processing was based on the data subject’s consent.

Right to object to processing: data subjects have the right to object to further processing beyond the original purpose for which it was collected where such processing is based on the grounds of legitimate interests or public interest.

Right to rectification or completion: data subjects have the right to request a controller to rectify or complete any personal data that is inaccurate or incomplete.

Right to request a review of automated decisions: a data subject has the right to request for a review of a decision made by a controller based solely on automated processing which is likely to create “an irreversible and continuous impact on the rights and freedoms of the data subject” under Sri Lankan law, unless such automated processing is:

• authorized by Sri Lanka law;
• authorized in a manner determined by the Authority;
• based on the data subject’s consent; or
• necessary for entering into a performance of a contract between the data subject and the controller.

Right to erasure: the data subject may, under a limited set of circumstances, request the controller to erase their personal data. This includes when a controller is in contravention of its obligations and when the erasure is mandated by a written law of Sri Lanka or order of a competent court.

A controller is permitted to refuse to a request of a data subject based on the above rights only in limited instances, having regard to the following:

• national security;
• public order;
• any inquiry, investigation or procedure carried out under Sri Lanka law;
• the prevention, investigation and prosecution of criminal offences;
• the execution of criminal penalties;
• the protection of the rights and fundamental freedoms of persons under Sri Lanka law;
• where the controller is unable to establish the identity of a data subject;
• the requirement to process personal data under any other law in Sri Lanka.

EU regulation

Data protection principles

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under these principles, personal data must be (Article 5):

• processed lawfully, fairly and in a transparent manner (the "lawfulness, fairness and transparency principle");
• collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (the "purpose limitation principle");
• adequate, relevant and limited to what is necessary in relation to the purpose(s) (the "data minimisation principle");
• accurate and where necessary kept up to date (the "accuracy principle");
• kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which the data are processed (the "storage limitation principle"); and
• processed in a manner that ensures appropriate security of the personal data, using appropriate technical and organisational measures (the "integrity and confidentiality principle").

The controller is responsible for and must be able to demonstrate compliance with the above principles (the "accountability principle"). Accountability is a core theme of the GDPR. Organisations must not only comply with the GDPR but also be able to demonstrate compliance perhaps years after a particular decision relating to processing personal data was taken. Record keeping, audit and appropriate governance will all form a key role in achieving accountability.

Legal basis under article 6

In addition, in order to satisfy the lawfulness principle, each use of personal data must be justified by reference to an appropriate basis for processing. The legal bases (also known lawful bases or lawful grounds) under which personal data may be processed are (Article 6(1)):

• with the consent of the data subject (where consent must be "freely given, specific, informed and unambiguous", and must be capable of being withdrawn at any time);
• where necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract;
• where necessary to comply with a legal obligation (of the EU) to which the controller is subject;
• where necessary to protect the vital interests of the data subject or another person (generally recognised as being limited to 'life or death' scenarios, such as medical emergencies);
• where necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller; or
• where necessary for the purposes of the legitimate interests of the controller or a third party (which is subject to a balancing test, in which the interests of the controller must not override the interests or fundamental rights and freedoms of the data subject. Note also that this basis cannot be relied upon by a public authority in the performance of its tasks).

Special category data

Processing of special category data is prohibited (Article 9), except where one of the following exemptions applies (which, in effect, operate as secondary bases which must be established for the lawful processing of special category data, in addition to an Article 6 basis):

• with the explicit consent of the data subject;
• where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and social protection law or a collective agreement;
• where necessary to protect the vital interests of the data subject or another natural person who is physically or legally incapable of giving consent;
• in limited circumstances by certain not-for-profit bodies;
• where processing relates to the personal data which are manifestly made public by the data subject;
• where processing is necessary for the establishment, exercise or defence of legal claims or where courts are acting in their legal capacity;
• where necessary for reasons of substantial public interest on the basis of Union or Member State law, proportionate to the aim pursued and with appropriate safeguards;
• where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, provision of health or social care or treatment of the management of health or social care systems and services;
• where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of health care and of medical products and devices; or
• where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with restrictions set out in Article 89(1).

Member States are permitted to introduce domestic laws including further conditions and limitations for processing with regard to processing genetic data, biometric data and health data.

Criminal convictions and offences data

Processing of personal data relating to criminal convictions and offences is prohibited unless carried out under the control of an official public authority, or specifically authorised by Member State domestic law (Article 10).

Processing for a secondary purpose

Increasingly, organisations wish to 're-purpose' personal data - i.e. use data collected for one purpose for a new purpose which was not disclosed to the data subject at the time the data were first collected. This is potentially in conflict with the core principle of purpose limitation; to ensure that the rights of data subjects are protected. The GDPR sets out a series of factors that the controller must consider to ascertain whether the new process is compatible with the purposes for which the personal data were initially collected (Article 6(4)). These include:

• any link between the original purpose and the new purpose;
• the context in which the data have been collected;
• the nature of the personal data, in particular whether special categories of data or data relating to criminal convictions are processed (with the inference being that if they are it will be much harder to form the view that a new purpose is compatible);
• the possible consequences of the new processing for the data subjects; and
• the existence of appropriate safeguards, which may include encryption or pseudonymisation.

If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new purpose are consent or a legal obligation (more specifically an EU or Member State law which constitutes a necessary and proportionate measure in a democratic society).

Transparency (privacy notices)

The GDPR places considerable emphasis on transparency, i.e. the right for a data subject to understand how and why his or her data are used, and what other rights are available to data subjects to control processing. The presentation of granular, yet easily accessible, privacy notices should, therefore, be seen as a cornerstone of GDPR compliance.

Various information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using clear and plain language (Article 12(1)).

The following information must be provided (Article 13) at the time the data are obtained: 

• the identity and contact details of the controller;
• the data protection officer's contact details (if there is one);
• both the purpose for which data will be processed and the legal basis for processing, including, if relevant, the legitimate interests for processing;
• the recipients or categories of recipients of the personal data;
• details of international transfers;
• the period for which personal data will be stored or, if that is not possible, the criteria used to determine this;
• the existence of rights of the data subject including the right to access, rectify, require erasure, restrict processing, object to processing and data portability;
• where applicable, the right to withdraw consent, and the right to complain to supervisory authorities;
• the consequences of failing to provide data necessary to enter into a contract;
• the existence of any automated decision making and profiling and the consequences for the data subject; and
• in addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that further processing, providing the above information.

Somewhat different requirements apply (Article 14) where information has not been obtained from the data subject.

Rights of the data subject

Data subjects enjoy a range of rights to control the processing of their personal data, some of which are very broadly applicable, whilst others only apply in quite limited circumstances. Controllers must provide information on action taken in response to requests within one calendar month as a default, with a limited right for the controller to extend this period thereby a further two months where the request is onerous.

Right of access (Article 15)

A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information about the how the data have been used by the controller.

Right to rectify (Article 16)

Data subjects may require inaccurate or incomplete personal data to be corrected or completed without undue delay.

Right to erasure ('right to be forgotten') (Article 17)

Data subjects may request erasure of their personal data.

The right is not absolute; it only arises in quite a narrow set of circumstances, notably where the controller no longer needs the data for the purposes for which they were collected or otherwise lawfully processed, or as a corollary of the successful exercise of the objection right, or of the withdrawal of consent.

Right to restriction of processing (Article 18)

Data subjects enjoy a right to restrict processing of their personal data in defined circumstances. These include where the accuracy of the data is contested; where the processing is unlawful; where the data are no longer needed save for legal claims of the data subject, or where the legitimate grounds for processing by the controller are contested.

Right to data portability (Article 20)

Where the processing of personal data is justified either on the basis that the data subject has given his or her consent to processing or where processing is necessary for the performance of a contract, then the data subject has the right to receive or have transmitted to another controller all personal data concerning him or her in a structured, commonly used and machine-readable format (e.g. commonly used file formats recognised by mainstream software applications, such as .xsl).

Right to object (Article 21)

Data subjects have the right to object to processing on the legal basis of the legitimate interests of the data controller or where processing is in the public interest. Controllers will then have to suspend processing of the data until such time as they demonstrate “compelling legitimate grounds” for processing which override the rights of the data subject.

In addition, data subjects enjoy an unconditional right to object to the processing of personal data for direct marketing purposes at any time. 

The right not to be subject to automated decision making, including profiling (Article 22)

Automated decision making (including profiling) "which produces legal effects concerning [the data subject] … or similarly significantly affects him or her" is only permitted where: 

1. necessary for entering into or performing a contract;
2. authorised by EU or Member State law; or 
3. the data subject has given their explicit (i.e. opt-in) consent.

Further, where significant automated decisions are taken on the basis of grounds (a) or (c), the data subject has the right to obtain human intervention, to contest the decision, and to express his or her point of view.

---

Sweden regulation

Personal identity numbers

In Sweden, personal identity numbers may be processed without consent only where manifestly justified with regard to the purpose of the processing, the importance of secure identification or some other substantial reason.

Personal data relating to criminal convictions and offences

Personal data relating to criminal convictions and offences (Article 10 of the GDPR) may be processed by other parties than public authorities if the processing is necessary to (i) establish, exercise or defend legal claims or (ii) to fulfil a legal obligation under law or regulation. Furthermore, the Swedish Authority for Privacy Protection may upon application in an individual case grant a permit to process personal data relating to criminal convictions and offences.

Rights of the data subject

Swedish law may prohibit controllers to disclose certain data to data subjects. This applies to the rights in Articles 13-15 of the GDPR.

For personal data in running text which has not  taken on its final form when the request was made (e.g. drafts) or that is a note or similar, the right under Article 15 of the GDPR does not apply. This exemption may however not be relied on by a data controller if such personal data (i) has been disclosed to a third party, (ii) is processed solely for archiving purposes in the public interest or for statistical purposes, or (iii) has been processed over a period of more than one year in running text that has not taken on its final form.

Other derogations for specific processing situations or sectors

Furthermore, in regards to data subjects' rights, there are a number of sector specific derogations (e.g. healthcare and credit reference agencies, etc.).

Data Processing Principles and Duties

The following principles apply to the collection and processing of personal data:

• Personal data may only be processed lawfully, in good faith and in accordance with the principle of proportionality.
• The collection of personal data and, in particular, the purpose of its processing must be evident to the data subject. In addition, the FADP imposes the following duties on controllers:
  • a duty to inform the data subject about the collection of personal data similar as under the GDPR, with the list of minimum information being shorter, but drafted more openly and in a non-exhaustive manner (however, the FADP goes beyond the GDPR in that it requires the controller to specify all countries to which personal data is transferred, or from which it is accessed, and to provide some additional information in this context);
  • under certain circumstances a duty to inform the data subject about decisions based solely on automated processing that have legal consequences or significant impact on the data subject (automated individual decision).

Wilful violations of the information duty may be subject to sanctions (see here).

• Personal data should only be processed for a purpose that is indicated or agreed at the time of collection, evident from the circumstances at the time of collection, and/or provided for by law.
• The controller and any processor must ensure that the data processed is accurate.
• Personal data must not be transferred abroad if the privacy of the data subject may be seriously endangered (see here).
• The controller must design the processing in technical and organisational terms to comply with data protection law, in particular the (other) data processing principles (privacy by design). Furthermore, the controller is obliged to ensure by means of suitable default settings that the processing is limited to the minimum required for the respective purpose (privacy by default).
• Personal data must be protected from unlawful and unauthorized processing by appropriate technical and organisational measures.
• Personal data must not be processed against the explicit will of the data subject, unless this is justified by:
  • an overriding private or public interest; or
• Sensitive personal data must not be disclosed to a third party, unless this is justified by:
  • the consent of the data subject (which must be given expressly in addition to being voluntary and based on adequate information);
  • an overriding private or public interest; or
• Personal data shall be destroyed or anonymized as soon as it is no longer required for the respective processing purpose.

The FADP imposes on the controller a duty to conduct a data protection impact assessment if the processing may constitute a high risk for the personality or the fundamental rights of the data subject (particularly when new technologies are used) and also defines specific cases where a data protection impact assessment may be necessary, including in the event of processing sensitive personal data on a large scale and systematic surveillance of extensive public areas. The FDPIC generally needs to be consulted if the data protection impact assessment shows that the processing presents a high risk for the personality or fundamental rights of the data subject despite the measures envisaged by the controller.

Rights of the Data Subject

Data subjects enjoy certain rights to control the processing of their personal data:

Right of access

A data subject is generally entitled to request access to, and obtain a copy of, his or her personal data that is  being processed (i.e. the personal data as such), together with prescribed information on the identity and contact details of the controller, the purpose of processing, as well as the period of storage of the personal data (or the criteria used to determine the period) and the available information about the source of the personal data, if it has not been collected from the data subject. If applicable, the data subject is also entitled to be informed about the existence of an automated individual decision and the logic on which this decision is based as well as the recipients (or categories of recipients) to which the personal data is disclosed. In case of cross-border data transfer, the destination country and the implemented guarantee (if applicable) shall also be provided to the data subject. There are certain exceptions, e.g. a data controller may invoke its own overriding interests, however, only if it does not disclose the personal data to third parties (whereby companies controlled by the same legal entity are not considered third parties).

Wilful violations of data subject access rights by giving incomplete or wrong information are subject to sanctions (see here).

Right to rectify / Right to erasure / Right to restriction of processing / Right to object

The data subject may request that inaccurate personal data concerning him or her be corrected. Taking into account the purpose of the processing, he or she may also request that incomplete personal data be completed. This right is, however, restricted to the extent that a legal provision prohibits the modification or the personal data is processed for archival purposes in the public interest.

If the personal data is processed unlawfully and there is no justification (i.e. consent, overriding private or public interest or legal basis), the personal data must be deleted or destroyed. Under such circumstances, the data subjects may also request that the data processing be prohibited or restricted or they may object to the processing in question.

Right to data portability

Data subjects may request the controller to deliver the personal data that they have disclosed to it in a conventional electronic format if the controller is carrying out automated processing of the data and if the personal data is being processed with the consent of the data subject or in direct connection with the conclusion or the performance of a contract between the controller and the data subject. In addition, the data subject may request the controller to transfer the personal data to another controller if the aforementioned requirements are met and no disproportionate effort is required. There are certain exceptions, e.g. a data controller may invoke its own overriding interests, however, only if it does not disclose the personal data to third parties.

Under the PDPA, in order to collect, process and use personal data, the data collector is required to give the data subject a privacy notice at the time the data subject’s personal data is first collected. Such privacy notice is required, inter alia, to contain:

• the name of the data collector;
• the purpose of collection;
• classification of personal data to be collected;
• time period for the use, geographical area of the use, recipients of the data and the manner of using personal data;
• the rights of the data subject to request to review his / her personal data, to make copies of such personal data, to supplement or correct such personal data, to discontinue collection, processing or use of personal data or to delete such personal data, together with the manner in which the data subject makes such requests; and
• the impact on the data subject’s rights and interests if the data subject chooses not to provide his / her personal data. 

As long as the privacy notice is given when the personal data is first collected, and the privacy notice meets the content requirements set out in the PDPA, the privacy notice is by itself considered sufficient (i.e. consent is not required). This is unless sensitive personal data is collected, in which case the data subject’s consent is required.

PDPL provides the following definitions of collection and processing of personal data:

• Collection of personal data is an action aimed at receiving personal data
• Processing of personal data are actions aimed at:
  • Recording
  • Systemization
  • Storage
  • Amendment
  • Replenishment
  • Extraction
  • Usage
  • Spread
  • Impersonation
  • Blocking, and
  • Destruction of personal data

Collection and processing of personal data is allowed when the following conditions are met:

• The data subject’s consent or that of his / her legal representatives
• The processed and collected information is in compliance with the lawful aims of the data controller
• The processed and collected information is accurate and complete
• The data subject has access to the processed and collected data relating to him / her and has the right to require rectification of the relevant information
• The data collector has duly certified all the relevant equipments and facilities designated for processing and collection of data with the Regulator

Article 12 of the PDPL entitles the data collector to process personal data without receiving the data subject’s consent, if it is necessary for governmental authorities to carry out their functions or for the purpose of protecting the constitution rights and freedom of the citizens.

The PDPA requires the data controllers to collect personal data directly from the data subject concerned.¹ The exception is where:

• the personal data is already in the public domain;
• the data subject has consented to the collection of his personal data from another person;
• compliance is not reasonably practicable in the current circumstances;
• non-compliance is necessary for compliance with other written laws; or
• compliance would prejudice the lawful purpose for which the collection is sought.

Prior to collecting personal data, the controller must ensure that the data subject is aware:

• of the purpose for which the personal data is being collected;
• of the fact that the collection of personal data is for authorised purposes; and
• any intended recipients of the personal data.²

Further, the controller or processor must ensure the data subject understands what they have consented to and must be afforded a simplified means to withdraw their consent.³

Personal data collected must only be used for the intended purpose.⁴ Where a data controller collects personal data for any particular purpose, he cannot use such data for a different purpose unless:

• the data subject has consented to the use of his personal data for such purpose;
• the use of the data for such purpose is authorised or required by law;
• there is a direct correlation between the purpose for which the personal data is used and that for which the data was collected;
• the information is used in a manner which does not identify the data subject or for statistical or research purposes and is not published in a manner that could reasonably be expected to identify the data subject; and
• the data controller believes on reasonable grounds that the use of such personal data for the other purpose is necessary to prevent or lessen a serious and imminent threat to the health or life of the data subject or another person or to public health or safety; or
• the use of such personal data for that other purpose is necessary for complying with the law.⁵

Legal bases for collection and processing

The collection, use or disclosure of Personal Data requires consent of the data subject unless other legal bases for processing apply. These include, among other things, the performance of contract or legal obligations, or by legitimate interest of the Data Controller. The legal bases of processing Personal Data and Sensitive Personal Data are different. Due to the sensitive nature of Sensitive Personal Data, explicit consent is required for its collection, use and disclosure without relying on the other legal bases set out in the PDPA (such as vital interest, public health interest and preventive medicine where consent cannot be obtained).

The request for consent must be: (i) explicitly made in writing or via electronic means; (ii) clearly separated from other messages;  (iii) delivered in a format which is easily accessible and understandable using language that is easy to understand; and (iv) the message should not be misleading or cause data subjects to misunderstand the purpose of collection. The Data Controller must also ensure that the consent is freely given and not conditional on entering into a contract. The Regulator can "require the Data Controllers to request consent from the data subject in accordance with the form and statement prescribed by the Committee". However, in practice, requiring compliance through a prescribed form may prove challenging, given that Data Controllers may develop their own mechanisms for gaining and assessing consent.

In addition to the above consent requirement, the official guideline on data subject consent issued by the Regulator further prescribed that the consent given by the data subject must indicate a clear affirmative action that the data subject consents to the specific purposes. The examples given under the guideline include data subjects clicking the checkbox, double clicking screen, or screen swiping to affirm their intention to give consent.

Data subjects also have the right to refuse to consent, and the right to withdraw any consent they have given, at any time. Following any such refusal or withdrawal of consent, Data Controllers should be wary of proceeding with the proposed data processing activity.

Notice

Data Controllers must give notice to the data subjects that Personal Data or Sensitive Personal Data is being collected, prior to or at the time of collection, regardless of whether consent or other legal bases of processing apply. The privacy notice must contain particulars prescribed by the PDPA, including categories of persons or entities to whom the collected Personal Data may be disclosed to and the purpose of collection.

The official guideline on privacy notice issued by the Regulator further prescribes that the privacy notice may be given by electronic means, such as a URL link or QR code, and that the language used in a privacy notice should be clear and easily understandable.

None.

The knowledge and consent of the individual is required for the collection, use and disclosure of personal information. Collection must be made in accordance with the purpose identified by the organization collecting the personal information.

Sensitive personal information may not be processed except as specifically permitted by law.

The DPA includes provisions that relate specifically to the collection and processing of personal information by public bodies and private enterprises, however, these are not yet in force. Nevertheless, they are presented below.

Public Bodies

Part III of the DPA provides that a public body may collect and process personal data when the following conditions are met: the collection of that information is expressly authorized by law and

• The information is collected for the purpose of law enforcement
• The information relates directly to and is necessary for an operating program or activity of the public body when the collection of personal information is collected directly from the individual:
  • Another method of collection is authorized by the individual, Information Commissioner or law
  • The information is necessary for medical treatment
  • The information is required for determining the suitability of an award
  • The information is collected for judicial proceedings
  • The information is required for the collection of a debt or fine, or
  • It is required for law enforcement purposes
• The individual is informed of the purpose for collecting his / her personal information; the legal authorization for collecting it and contact details of the official or employee of the public body who can answer the individual's questions about the collection

Private Bodies

Part IV of the DPA provides that the collection and processing of personal information by private organizations must be in accordance with certain Codes of Conduct (which are to be determined by the Office of the Information Commissioner in consultation with the private sector) and the General Privacy Principles (which are currently in force).

Sensitive Information

Sensitive personal information may not be processed by public bodies and private organizations without the consent of the individual unless:

• It is necessary for the healthcare of the individual
• The individual has made the information public
• It is for research or statistical analysis
• It is by law enforcement
• It is for the purpose of determining access to social services, or
• As otherwise authorized by law

The following principles generally apply to the processing of personal data:

• Personal data must be collected directly from the data subject;
• Personal data collected from third parties are permitted whenever the data subject, his heirs or his agent have provided their consent;
• The processing of personal data must respect human dignity, privacy and public liberties, and whatever its origin or its methods, it shall not harm the human rights protected by the laws and the rules in force. In every case, it is forbidden to use personal data with the aim of infringing people's rights or damaging their reputation;
• The collecting of personal data shall be exclusively carried out for lawful and clear purposes, and within the limits of the declared purposes. Any subsequent change of purpose must be the subject of a new declaration and a new consent from the person concerned; and
• Among the main prerequisites for the legitimate processing of personal data is the informed consent of the data subject, which means that the processing of personal data cannot be carried out without the express and written consent of the data subject. This consent shall be governed by the general rules of law if the data subject is incompetent or unauthorized or incompetent to sign.

The data subject or his agent is allowed to withdraw his consent, at any time during the processing.

Additionally, and in the spirit of child protection, Tunisian law has provided extra protection to personal data relating to children as this kind of data cannot be carried out without the consent of the child’s agent and after authorization of the juvenile and family court judge.

Finally, the consent provided for the processing of personal data under a specific given shall not apply to other forms or purposes.

Also, the data subject has the right of access, which means the right to consult all the personal data related to him as well as the right to correct, complete, rectify, update, modify, clarify or delete it, when it has been proved that it is inaccurate, equivocal or prohibited for processing by law, and also, the right to obtain a copy of the personal data in clear language, in accordance with the content of the recordings and in an understandable way in the case of automatic processing.

And finally, at anytime, the data subject, his heirs or his tutor has the right to object to the processing of personal data related to him for good, legitimate and serious reasons, except when the processing is scheduled by law or is required by the nature of the commitment. Furthermore, the data subject, his heirs or his tutor have the right to object to the communication to third parties of personal data related to him, in order to exploit it for promotional purpose. The objection immediately suspends the processing.

Pursuant to the LPPD, it is mandatory to comply with certain principles while collecting and processing personal data. In light of such principles collected personal data must be all of the following:

• Processed fairly and lawfully;
• Accurate and up-to-date;
• Processed for specific, explicit and legitimate purposes;
• Relevant, adequate and not excessive;
• Kept for a term necessary for purposes or for a term prescribed in relevant laws for which the data have been processed.

Further, in principle, personal data cannot be processed without being collected and processed with explicit consent of the data subject. However, the LPPD stipulates certain exceptions where consent is not required. These are:

• Processing is expressly permitted by law;
• Processing is necessary for protection of the life or physical integrity of the data subject or a third party, where the data subject is not physically or legally capable of giving consent;
• Processing personal data of the contractual parties is necessary for the conclusion or the performance of a contract;
• Processing is mandatory for the data controller to perform his / her legal obligation(s);
• Personal data has been made public by the data subject;
• Processing is necessary in order to assign, use or protect a right;
• Processing is necessary for the legitimate interests of data processor and this does not damage the rights of the data subject.

Pursuant to Article 10 of the LPPD, data controllers or their authorized persons have an obligation to inform data subjects during the collection of the personal data. The Communiqué on Procedures and Principles for Compliance with the Obligation to Inform published in the Official Gazette dated March 10, 2018, numbered 30356 sets forth the principles and procedures on the obligation to inform. As part of the collection of data from the data subject the controller is obliged to provide the data subject with the following information:

• Identity of the controller and of its representative, if any;
• Purposes of the processing for which the data is intended;
• Recipients of the data and the reasons for transfer;
• Process of collecting data and the legal grounds; and
• Rights of the data subject.

Where the data has not been obtained from the data subject, the controller shall provide the data subject with the above stated information as well as details of the categories of data concerned. According to the relevant Communiqué, the obligation to inform should be fulfilled within a reasonable time after collecting the personal data, or during the first contact if the personal data is obtained for communication purposes with the relevant persons, or at the very latest the time of the initial transfer if the personal data is to be transferred.

Under the LPPD, data controllers need to take adequate measures required for the processing of sensitive personal data and comply with the decisions and guides of the Personal Data Protection Board designating such adequate measures. See also Personal Data Protection Board Decision dated January 31, 2018, numbered 2018/10 on Adequate Measures to be taken by Data Controllers in Processing the Special Categories of Personal Data. 

Accordingly, the special categories of personal data shall only be processed, provided that:

• Explicit consent of the data subject is obtained; 
• It is explicitly stipulated by law;
• Processing is necessary to protect the life or bodily integrity of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
• Processing relates to personal data made public by the data subject and is in accordance with the will of the data subject to make it public;
• Processing is necessary for the establishment, exercise or protection of a right;
• Processing is necessary for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, and the planning, management and financing of health services by persons under the obligation of secrecy or authorized institutions and organizations;
• Processing is necessary for carrying out legal obligations in the field of employment, occupational health and safety, social security, social services and social assistance; or
• Processing is carried for current or former members of or for persons who are in regular contact with the foundations, associations and other non-profit organizations or formations established for political, philosophical, religious or trade union purposes, provided that it is in accordance with the legislation to which they are subject and their purposes, limited to their fields of activity and not disclosed to third parties.

Deletion, destruction or anonymization of personal data

The Regulation on Deletion, Destruction or Anonymization of Personal Data ("Regulation on Deletion of Personal Data") was published in the Official Gazette dated October 28, 2017, and entered into force on January 1, 2018. This Regulation is crucially important for data controllers in terms of time limitations regarding deletion, destruction or anonymization of personal data.

Pursuant to the Regulation on Deletion of Personal Data, data controllers are required to prepare a personal data processing inventory and a personal data storage and destruction policy (Policy). Data controllers are also required to take measures to safeguard the data that they are processing, identify persons working in personal data storage and destruction processes, categorize personal data, store and destroy these data, and determine periodic destruction processes.

If the prerequisites for processing personal data provided under LPPD are not met, then the personal data must be deleted, destroyed or anonymized by the data controller (of its own accord or upon the application of related person). All actions related to the execution of this process must be recorded and these records shall be kept for at least three years.

In addition, if a data controller ceases to continue to meet the above conditions for processing personal data, then they must carry out a process of periodic destruction. Periodic destruction is the deletion, destruction or anonymization of personal data at recurring intervals specified in the relevant data controller's Policy. This period cannot exceed six months.

Owner of personal data shall give consent on collection and processing of its personal data. Such consent can be delivered in written or electronic form or by virtue of any other secured means in compliance with Turkmen law.

 Any such consent shall include the following information:

• Name (surname, name), address, ID document of an owner of personal data
• Name (surname, name) and the address of the data operator
• Purpose of collecting and processing personal data
• List of personal data to be collected and processed by the data operator
• List of actions related to personal data for the purpose of which the consent is given, a general description of the methods used to collect and process personal data
• Term of the given consent, as well as the procedure for its withdrawal 

No consent is required for collection and processing of personal data for the following purposes:

• Investigatory activity
• Statistical analysis
• Life and health protection, protection of constitutional rights
• Implementation of international agreements of Turkmenistan, etc

Data Controllers may Process Personal Data when any of the following conditions are met, as per Section 5(1) DPR:

• the Data Subject has given Consent to the Processing of their Personal Data for one or more specific purposes. There are detailed conditions for consent set out under Section 6 DPLs;
• Processing is necessary for the performance of a contract to which the Data Subject is a party or in order to take steps at the request of the Data Subject prior to entering into a contract;
• Processing is necessary for compliance with a legal obligation to which the Controller is subject under Applicable Law;
• Processing is necessary to protect the vital interests of the Data Subject or of another natural person;
• Processing is necessary for the performance of a task carried out by a public authority in the interests of ADGM, or in the exercise of (i) ADGM’s; (ii) the Financial Services Regulatory Authority’s; (iii) the ADGM Court’s; or (iv) the Registration Authority’s functions or in the exercise of official authority vested in the Controller under Applicable Law (as defined under the DPR);
• Processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a Third Party, except where such interests are overridden by the interests or rights of the Data Subject which require protection of Personal Data, in particular where the Data Subject is a Child.

Data Controllers may Process Special Categories of Personal Data when any of the following conditions are met:

• the Data Subject has given explicit Consent to the Processing of their Special Categories of Personal Data for one or more specified purposes;

• Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the Controller or of the Data Subject in the field of employment law, provided that when the Processing is carried out, the Controller has an appropriate policy document in place in accordance with Section 7(3) DPR;

• Processing is necessary to protect vital interests of the Data Subject or of another natural person where the Data Subject is physically or legally incapable of giving Consent;

• Processing is necessary for health purposes, including preventative or occupational medicine, the assessment of the working capacity of an employee, medical diagnosis, the provision of health care or treatment or the management of health care systems or services or pursuant to a contract with a health professional provided that Processing is by or under the responsibility of a health professional subject to the obligation of professional secrecy or duty of confidentiality;

• Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices;

• Processing is necessary for Archiving and Research Purposes in accordance with Applicable Law;

• Processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body including religious, cultural, educational, social or fraternal purposes or for other charitable purposes and on condition that the Processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the Personal Data is not disclosed outside that body without the Consent of the Data Subjects;

• Processing relates to Personal Data which is intentionally made public by the Data Subject;

• Processing is required for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;

• Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity; or

• Processing is necessary for reasons of substantial public interest, provided that (unless specified otherwise) the Controller has, when the Processing is carried out, an appropriate policy document in place in accordance with Section 7(3), where it is necessary for:

  • the exercise of a function or requirement conferred on a person by Applicable Law;

  • the exercise of a function of the Board, Abu Dhabi or United Arab Emirate government;

  • the administration of justice;

  • equality of opportunity or treatment provided that the Processing does not, or is not likely to, cause substantial damage or substantial distress to an individual; and it does not relate to an individual who has given written notice to the Controller not to Process their Personal Data;

  • diversity at senior levels of organisations, where the Controller cannot reasonably be expected to obtain the Consent of the Data Subject and is not aware of the Data Subject withholding Consent provided that the Processing does not, or is not likely to, cause substantial damage or substantial distress to an individual;

  • the prevention or detection of an unlawful act or omission where the Processing must be carried out without the Consent of the Data Subject so as not to prejudice this purpose; and if the Processing relates to the disclosure of Personal Data to a relevant public authority an appropriate policy document in accordance with Section 7(3) need not be in place for the Processing to be lawful under these Regulations;

  • the protection of the members of the public against dishonesty, malpractice or other seriously improper conduct, unfitness or incompetence, mismanagement in the administration of a company, body or association, or failures in services provided by a company, body or association where the Processing must be carried out without the Consent of the Data Subject so as not to prejudice this purpose;

  • compliance with, or assisting other persons to comply with, a regulatory requirement which involves a person taking steps to establish whether another person has committed an unlawful act or omission, or been involved in dishonesty, malpractice or other seriously improper conduct where the Controller cannot reasonably be expected to obtain the Consent of the Data Subject to the Processing;

  • the prevention of fraud in connection with Processing of Personal Data as a member of, or in accordance with arrangements made by, an antifraud organisation;

  • the disclosure in good faith to an appropriate public authority regarding suspected terrorist financing, to identify terrorist property or in relation to suspected money laundering, in accordance with Applicable Law; or

  • the publication of a judgment or other decision of a court or tribunal or if the Processing is necessary for the purposes of publishing such a judgment or decision.

Data Controllers may collect and Process Personal Data when any of the following conditions are met (set out under Article 10 DPL):

• a Data Subject has given consent, which complies with the comprehensive consent requirements set out under Article 12 of the DPL, to the Processing of that Personal Data for specific purposes;
• Processing is necessary for the performance of a contract to which a Data Subject is a party, or in order to take steps at the request of a Data Subject prior to entering into such contract;
• Processing is necessary for compliance with applicable law that a Controller is subject to;
• Processing is necessary in order to protect the vital interests of a Data Subject or of another natural person;
• Processing is necessary for:
  
  • performance of a task carried out by a DIFC Body in the interests of the DIFC;
  • exercise of a DIFC Body’s powers and functions; or
  • the exercise of powers or functions vested by a DIFC Body in a Third Party to whom Personal Data is disclosed by the DIFC Body; or
• Processing is necessary for the purpose of legitimate interests pursued by a Controller (or a third party to whom the Personal Data has been made available, subject to Article 13 of the DPL which sets out certain restrictions on the ability to rely upon legitimate interests), except where such interests are overridden by the interests or rights of a Data Subject.

Data controllers may collect and Process Special Categories of Personal Data when any of the following conditions are met (as per Article 11 DPL), in addition to establishing one of the legal bases under Article 10, set out above:

• a Data Subject has given explicit consent, which complies with the comprehensive consent requirements set out under Article 12 of the DPL, to the Processing of those Special Categories of Personal Data for one (1) or more specified purposes;
• Processing is necessary for the purpose of carrying out the obligations and exercising the specific rights of a Controller or a Data Subject in the context of the Data Subject's employment, including but not limited to recruitment, visa or work permit Processing, the performance of an employment contract, termination of employment, the conduct of proceedings relating to employment and the administration of a pension, retirement or employee money purchase benefit scheme;
• Processing is necessary to protect the vital interests of a Data Subject or of another natural person, where the Data Subject is physically or legally incapable of giving consent;
• Processing is carried out by a foundation, association or any other non-profit-seeking body in the course of its legitimate activities, subject to appropriate assurances and provided that the Processing relates:
  
  • solely to the members or former members of such an entity, or to other persons who have regular contact with such a body in connection with its purpose; and
  • the Personal Data is not disclosed to a Third Party without the consent of a Data Subject;
• Processing relates to Personal Data that has been made public by a Data Subject;
• Processing is necessary for the establishment, exercise or defence of legal claims (including, without limitation, arbitration and other structured and commonly recognised alternative dispute resolution procedures, such as mediation) or is performed by the Court acting in its judicial capacity;
• Processing is necessary for compliance with a specific requirement of Applicable Law to which a Controller is subject, and in such circumstances the Controller must provide a Data Subject with clear notice of such Processing as soon as reasonably practicable unless the obligation in question prohibits such notice being given;
• Processing is necessary to comply with Applicable Law that applies to a Controller in relation to anti-money laundering or counter-terrorist financing obligations or the prevention, detection or prosecution of any crime;
• Processing is required for the purposes of preventive or occupational medicine, the assessment of the working capacity of an employee, medical diagnosis, the provision of health or social care or the treatment or the management of health or social care systems and services, provided that the Personal Data is Processed by or under the responsibility of a health professional subject to an obligation of professional secrecy under applicable law or by another person also subject to an obligation of secrecy under applicable law;
• Processing is required for protecting members of the public against dishonesty, malpractice, incompetence or other improper conduct of persons providing banking, insurance, investment, management consultancy, information technology services, accounting or other services or commercial activities (either in person or indirectly by means of outsourcing), including any resulting financial loss; or
• Processing is proportional and necessary to protect a Data Subject from potential bias or inaccurate decision making, where such risk would be increased regardless of whether Special Category Personal Data is Processed.
• Processing is necessary for Substantial Public Interest reasons that are proportionate to the aim(s) pursued, respect the principles of data protection and provide for suitable and specific measures to safeguard the rights of the Data Subject.

Information Provision

Controllers are required to provide Data Subjects with certain information around how their Personal Data is processed in a concise, transparent, intelligible and easily accessible form, using clear and plain language. The information required to be provided is set out in detail under Part 5 of the DPL.

Where the Controller collects the Personal Data from the Data Subject, the information must be provided at the time of collection. (Article 29 DPL)

Where the Controller does not collect the Personal Data from the Data Subject, the Controller must provide the information:

• no longer than one (1) month from obtaining the Personal Data; or
• if the Personal Data is used for communicating with the Data Subject, no later than the first communication; or
• if a disclosure (including the making available for Processing) to a Processor or a third party is envisaged, no later than the time when the Personal Data is first disclosed. 

(Article 30 DPL)

Patient Health Information is not permitted to be collected by any Licensee, unless it is for a lawful purpose, and the collection is necessary for that purpose (article 27 HDPR). However, the meaning of lawful purpose is not defined in the HDPR.

The Patient Health Information should be collected from the patient directly, unless the Licensee believes on reasonable grounds that:

• the Patient concerned authorizes Collection of the information from someone else having been made aware of the matters set out in section 29(1);
• the Patient is unable to give his authority, and the Licensee having made the Patient’s Representative aware of the matters set out in section 29(1) Collects the Patient Health Information from the Representative or the Representative authorizes Collection from someone else;
• compliance would prejudice the:
  • interests of the Patient; or
  • purposes of collection; or
  • safety of any individual;
• compliance is not reasonably practicable in the circumstances of the particular case;
• the Collection is for the purpose of assembling a family or genetic history of a Patient and is collected directly from that Patient and / or the Patient’s Representative;
• the Patient Health Information is Publicly Available Information;
• the Patient Health Information:
  • shall not be used in a form in which the Patient is identified;
  • shall be used for statistical purposes and shall not be published in a form that could reasonably be expected to identify the Patient; or
  • shall be used for research purposes (for which approval by an ethics committee, if required, has been given) and shall not be published in a form that could reasonably be expected to identify the Patient; or
• non-compliance is necessary:
  • to avoid prejudice to the maintenance of the law including the prevention, detection, investigation, prosecution, and punishment of offences;
  • for the conduct of proceedings before any court or tribunal (being proceedings that have been commenced or are reasonably in contemplation) (section 28 HDPR).

Data Protection Controls (Article 5)

Under the PDPL, Personal Data must be processed according to the following controls:

• Processing must be made in a fair, transparent and lawful manner;
• Personal Data must be collected for a specific and clear purpose, and may not be processed at any subsequent time in a manner incompatible with that purpose. However, Personal Data may be processed if the purpose of Processing is similar or close to the purpose for which such data is collected;
• Personal Data must be sufficient for and limited to the purpose for which the Processing is made;
• Personal Data must be accurate and correct and must be updated whenever necessary;
• Appropriate measures and procedures must be in place to ensure erasure or correction of incorrect Personal Data;
• Personal Data must be kept securely and protected from any breach, infringement, or illegal or unauthorized Processing by establishing and applying appropriate technical and organizational measures and procedures in accordance with the laws and legislation in force in this regard;
• Personal Data may not be kept after fulfilling the purpose of Processing thereof. It may only be kept in the event that the identity of the Data Subject is anonymized using the “Anonymization” feature;
• Any other controls set by the Executive Regulations of this Decree Law.

Legal Bases for Processing (Article 4)

The PDPL prohibits Processing Personal Data without the consent of the Data Subject, except in the following cases:

• if the Processing is necessary for the Controller or Data Subject to fulfill his / her obligations and exercise his / her legally established rights in the field of employment, social security or laws on social protection, to the extent permitted by those laws;
• if the Processing is necessary to perform a contract to which the Data Subject is a party or to take, at the request of the Data Subject, procedures for concluding, amending or terminating a contract;
• if the Processing is necessary to protect the interests of the Data Subject;
• if the Processing is for Personal Data that has become available and known to the public by an act of the Data Subject;
• if the Processing is necessary to protect the public interest;
• if the Processing is necessary to initiate or defend against any actions to claim rights or legal proceedings, or related to judicial or security procedures;
• if the Processing is necessary for the purposes of occupational or preventive medicine, for assessment of the working capacity of an employee, medical diagnosis, provision of health or social care, treatment or health insurance services, or management of health or social care systems and services, in accordance with the legislation in force in the State;
• if the Processing is necessary to protect public health, including the protection from communicable diseases and epidemics, or for the purposes of ensuring the safety and quality of health care, medicines, drugs and medical devices, in accordance with the legislation in force in the State;
• if the Processing is necessary for archival purposes or for scientific, historical and statistical studies, in accordance with the legislation in force in the State;
• if the Processing is necessary to fulfill obligations imposed by other laws of the State on Controllers;
• any other cases set by the Executive Regulations.

Processing of Sensitive Personal Data

Unlike the GDPR, the PDPL does not impose more stringent controls around processing of Sensitive Personal Data, however if a Controller or Processor is Processing that involves a systematic and comprehensive assessment of Sensitive Personal Data, including profiling and automated processing, or if the Processing will be made on a large amount of Sensitive Personal Data, then the Controller or Processor must appoint a Data Protection Officer (Article 10).

Article 21 also requires that DPIAs be conducted before Processing that will use any of the modern technologies that would pose a high risk to the privacy and confidentiality of the Personal Data of the Data Subject, if the Processing will be made on a large amount of Sensitive Personal Data (Article 21).

Transparency (Privacy Notices)

The PDPL contains a broad obligation to process personal data in a transparent manner. This obligation is not placed specifically on either Controllers or Processors, so it can be assumed that it is intended to apply to both. Under other data protection laws, the general transparency obligation is often tied to a clear obligation to provide a privacy notice to Data Subjects which meets prescriptive content requirements. The PDPL does (yet) not have an express provision regarding this (although it is possible that the Executive Regulations may do). However, the PDPL does give Data Subjects a detailed right of access (without charge) to the types of information which would ordinarily be contained in a privacy notice. Moreover, per Article 13 of the PDPL, the Controller is required to, in all cases and prior to the commencement of processing, provide Data Subjects with information regarding:

• the purposes of the processing;
• the targeted sectors or establishments with whom the personal data will be shared, both within and outside the UAE; and
• the protection measures for cross-border processing.

Therefore, in practice, Controllers may ultimately consider publishing privacy notices that contain, at least in broad terms, the information that the Data Subject is entitled to seek under the PDPL.

Rights of the Data Subject

Data subjects enjoy a range of rights to control the processing of their personal data replicating those in the EU GDPR. Controllers must provide information on action taken in response to requests within one calendar month as a default, with a limited right for the controller to extend this period thereby a further two months where the request is onerous. 

Right to obtain information (‘data access’) (Article 13)

A Data Subject is entitled to request access to and obtain the following information without charge:

• the types of his / her Personal Data that is processed;
• purposes of Processing;
• decisions made based on Automated Processing, including Profiling;
• targeted sectors or establishments with which his / her Personal Data is to be shared, whether inside or outside the State;
• controls and standards for the periods of storing and keeping his / her Personal Data;
• procedures for correcting, erasing or limiting the Processing and objection to his / her personal data;
• protection measures for Cross-Border Processing;
• procedures to be taken in the event of a breach or infringement of his / her Personal Data, especially if the breach or infringement poses a direct and serious threat to the privacy and confidentiality of his / her Personal Data;
• the process of filing complaints with the Data Office.

Right to request Personal Data transfer (‘data portability’) (Article 14)

The Data Subject has the right to obtain his / her Personal Data provided to the Controller for Processing in a structured and machine-readable manner, so long as the Processing is based on the Consent of the Data Subject or is necessary for the fulfillment of a contractual obligation and is made by automated means.

The Data Subject has the right to request the transfer of his / her Personal Data to another Controller whenever this is technically feasible.

Right to correction or erasure ('right to be forgotten') (Article 15)

The Data Subject has the right to request the correction or completion of his / her inaccurate Personal Data held with the Controller, and has the right to request the erasure of his / her Personal Data held with the Controller in any of the following cases:

• if his / her Personal Data is no longer required for the purposes for which it is collected or processed;
• if the Data Subject withdraws his / her Consent on which the Processing is based;
• if the Data Subject objects to the Processing or if there are no legitimate reasons for the Controller to continue the Processing;
• if his / her Personal Data is processed in violation of the provisions hereof and the legislation in force, and the erasure process is necessary to comply with the applicable legislation and approved standards in this regard.

Right to restriction of Processing (Article 16)

The Data Subject has the right to oblige the Controller to restrict and stop Processing in any of the following cases:

• if the Data Subject objects to the accuracy of his / her Personal Data, in which case the Processing shall be restricted to a specific period allowing the Controller to verify accuracy of the data;
• if the Data Subject objects to the Processing of his / her Personal Data in violation of the agreed purposes;
• if the Processing is made in violation of the provisions hereof and the legislation in force.

The Data Subject has the right to request the Controller to continue to keep his / her Personal Data after fulfillment of the purposes of Processing, if such data is necessary to complete procedures related to claiming or defending rights and legal proceedings.

Right to stop Processing (Article 17)

The Data Subject has the right to object to and stop the Processing of his / her Personal Data in any of the following cases:

• if the Processing is for direct marketing purposes, including Profiling related to direct marketing;
• if the Processing is for the purposes of conducting statistical surveys, unless the Processing is necessary to achieve the public interest;
• if the Processing is in violation the controls referred to in Article 5 (referred to above)

The right not to be subject to automated decision making, including profiling (Article 18)

The Data Subject has the right to object to decisions issued with respect to Automated Processing that have legal consequences or seriously affect the Data Subject, including Profiling. However, the Data Subject may not object to the decisions issued with respect to Automated Processing in the following cases:

• if the Automated Processing is included in the terms of the contract entered into between the Data Subject and Controller;
• if the Automated Processing is necessary according to other legislation in force in the State;
• if the Data Subject has given his / her prior Consent on the Automated Processing.

Restrictions on the collection or processing of the personal data

There are a number of restrictions under the Data Protection and Privacy Act which ought to be complied with in the collection and processing of personal data. These include but are not limited to the following:

• The informed consent of the data subject must be obtained prior to collection or processing of personal data;
• The data subject must be informed of all the recipients of their personal data, including any third parties with whom such data will or may be shared;
• The collection or processing of personal data relating to a child is prohibited unless:
  1. done with the prior consent of the parent / guardian;
  2. necessary for compliance with the law; or
  3. the collection or processing is for research or statistical purposes;
• Special personal data should not be collected or processed unless specifically permitted by the law;
• Personal data should be collected directly from the data subject;
• Personal data shall only be collected for a lawful and specific purpose which relates to the functions or activity of the data collector or data controller;
• A data collector, data processor or data controller is obligated to ensure that the data is complete, accurate, up to-date and not misleading;
• Further processing of personal data shall only be for the specific purpose in connection with which the personal data was collected;
• Personal data shall not be retained for a period longer than is necessary to achieve the purpose for which the data is collected and processed unless specifically authorised by the Act;
• A personal data record should be destroyed or de-identified after the expiry of the retention period in a manner that prevents reconstruction of the personal data in an intelligible form.