Processing of personal data

Does the GDPR entail that from now on we have to request/obtain the consent of each person every time we wish to process data concerning that person?

Many people are asking this question about the new rules of the GDPR. The answer to this question is short: no, you do not need explicit consent in order to process personal data.

Personal data

The aim is to protect the privacy of citizens better and to lay down uniform rules for the entire EU in that respect. Citizens get more control over how their personal data are used. Furthermore, the GDPR creates a clear legal structure, a standard that applies throughout Europe, so that companies know how they have to act in order to guarantee privacy.

Processing of personal data

The GDPR speaks of the “processing of personal data.” Personal data means “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly.” These are data such as name, identification number, location data, telephone numbers, e-mail addresses and online identifiers (e.g. information obtained by tracking cookies).

The list of possible data is longer, of course. Data relating to the physical, genetic, mental, cultural or social identity of a natural person also fall under the GDPR, but they are of little if any relevance to our sector.

Important remark: it is best to check which data you keep about your employees and which you share with your social secretariat. The same applies to data that you may keep on people who apply to work in your company.

Rules of thumb for processing

Regardless of whether a data subject has given his or her consent for the processing of his or her data, there are a number of requirements that must be complied with AT ALL TIMES:

Consent of the party concerned and equivalents thereof

Consent

The most elementary rule is that the processing is lawful insofar as the person concerned has given his or her consent for his or her data to be processed. Contrary to previous practice, such consent must stem from a clearly active action by the person concerned.

Example: you collect data of your customers including the e-mail address, and use that address to send a monthly mailing with an overview of services and promotional offers.

Exceptions

Do we always need the customer’s consent now? Do I have to ask explicitly whether I may use his or her data to send him or her an invoice for services that s/he has ordered from me?

The answer is no. Fortunately, there are several logical exceptions. Moreover, there is nothing new in the GDPR here, because these exceptions already exist in the current privacy legislation.

Contractual obligation

The most important exception is perhaps that the consent is not needed when the processing is required to perform an agreement to which the person concerned is party.

When a customer purchases services from you, a contractual relationship comes into being. You provide the service, and the customer pays you for it. To do so, the customer has to receive an invoice (on paper or electronically), which contains a number of necessary data. If you process the customer’s data in order to draw up the invoice, you do so to perform the contract concluded with the customer. In such a case you do not need the customer’s consent.

When you work with a network of resellers, you probably keep a lot of contact details of people who work for these resellers. If you contact these people to settle a number of practical matters, then in principle you do not need any consent for that processing, provided that it is needed for the task.

Legal obligation

Another exception concerns the existence of a legal obligation for the processing.

Another example: you collect a number of data from your employees, keep them in a file, and then pass them on to the social secretariat. Do you need their express consent for that purpose? No, because your social secretariat needs these data to draw up the payslips and to pay your employees. Furthermore, the social secretariats provide copies of the pay documents to the government. The tax authorities are fully aware of your salary, as users of Tax-on-Web will already have noticed. In this example there is clearly a legal obligation that has to be met, which is equivalent to the consent of the person concerned.

Other exceptions

Finally, there are 3 other exceptions, which we shall touch on briefly:

  • The processing is necessary to protect the vital interests of the person concerned and another natural person;
  • The processing is necessary to perform a task in the general interest;
  • The processing is necessary to defend the legitimate interests of the controller or a third party.

These last 3 exceptions are somewhat vaguer and will undoubtedly give rise to disputes in the future. What is a legitimate interest? Am I allowed to keep all transaction data of my customers because they may one day be required for a judicial investigation?

WHOIS

At DNS Belgium we have a very clear case that falls under this category, namely requests for the whois data of private registrants. For years we have not provided any contact data of private registrants (other than the e-mail address).

This does not mean that these data are under lock and key for eternity. A web form can be used to submit a request to DNS Belgium for the contact data of the registrant. This request must of course be sufficiently reasoned and will be granted only after it has been checked by the legal department.

Suppose that a private registrant registers a domain name that corresponds to a company’s brand. The company wants to oppose the (potential) infringement of its trademark rights and wants to engage in dialogue with the registrant. The problem is that the company does not have the registrant’s contact data. The company’s counsel can use the web form to submit a justified request to DNS Belgium to obtain the registrant’s contact data. This is clearly a case where the protection of the vital or legitimate interests of a third party requires the processing of personal data.

The foregoing cases therefore clearly show that the consent of the person concerned is not always needed in order to process his or her data.


WHOIS

A look-up that gives information about the registrant of a domain name, the registrar, the name servers and some information about the domain status.

registrant

Domain holder: the person who holds a domain name.

SPAM

Collective term used for unwanted e-mail messages.

DNS

Domain Name System or Domain Name Server. The global DNS is the system and protocol used on the internet to translate domain names into IP addresses and vice versa.