Legally justified purpose of personal data processing
The processing of personal data will be legal if their administrator meets one of the conditions set out in Article 6 of the GDPR Regulation. Among these premises, the legislator mentions the legally justified purpose pursued by the data controller or the data recipient. What is behind this concept?
When are personal data processed?
In order to answer the question of what the legitimate purpose of personal data processing is, first of all, it is necessary to explain what personal data are and what the data processing itself may involve.
Personal data, in accordance with art. 4 of the Regulation is all information relating to an identified or identifiable natural person. A person will be identifiable if his identity can be identified directly or indirectly, in particular by reference to an identification number or to one or more specific factors relating to his physical, physiological, mental, economic, cultural or social characteristics. Information is not considered to enable the identification of a person if it would require excessive costs, time or activities. This means that if we are able to identify a person on the basis of some data without excessive costs or actions, we are dealing with personal data.
The definition of the processing of personal data is explained in Art. 4 point 2 of the Regulation:
Art.4 point 2.
'"Processing" means an operation or set of operations performed on personal data or sets of personal data by automated or non-automated means, such as collecting, recording, organizing, organizing, storing, adapting or modifying, downloading, viewing, using, disclosing by sending, disseminating or other types of sharing, matching or combining, limiting, deleting or destroying'
Therefore, data processing will be everything related to the performance of any operations on personal data (it will be both data collection, storage, and deletion). It is safe to say that if we come into possession of any personal data, we will process it from then on.
Principles of personal data processing
In order to process personal data legally, you must adhere to the principles set out in the provisions on the protection of personal data. Pursuant to Art. 6 GDPR:
Data processing is only allowed if:
1) the data subject consents to it, unless it concerns the deletion of data relating to him;
2) it is necessary to exercise the right or fulfill an obligation resulting from a legal provision;
3) it is necessary for the performance of the contract when the data subject is a party to it or when it is necessary to take action before concluding the contract at the request of the data subject;
4) it is necessary to perform tasks specified by law for the public good;
5) it is necessary to fulfill legally justified purposes carried out by data controllers or data recipients, and the processing does not violate the rights and freedoms of the data subject.
The aforementioned premises are equal (however, this does not mean that it is irrelevant on the basis of which the data is processed, as the legal consequences for each of them are different) and it does not matter whether only one or several premises will be met at the same time. Thus, the processing of personal data will be legal if we obtain consent, when we are allowed to do so by a right or obligation resulting from legal provisions, when it is necessary for the performance of the contract, and the data subject is a party to this contract, when it is necessary for the performance of tasks specified by law for the public good (e.g. NIK inspectors may rely on this premise when they demand disclosure of data necessary to conduct an inspection), and when it is necessary to fulfill legally justified purposes.
Legally justified purpose - definition
As a legally justified purpose, we can understand the purpose justified by the activities of the data controller (e.g. entrepreneurs) or data recipients, but this purpose does not have to result directly from any legal act, but also cannot be inconsistent with any act, rules of social coexistence or morality. (e.g. you cannot process personal data for the purpose of blackmail, but you can process it for scientific purposes). Hence, a legally justified goal may be, for example, direct marketing of own products or pursuing claims for business activity.
Necessity of data processing
In addition, data processing must be necessary. This means that you can only use the data that is necessary to achieve the designated purpose. This goal must be clear and precise. It is not legal to collect (process) data for backup, exceeding the assumed purpose. It should also be emphasized that this purpose must be justified, which means that the processing of data for the implementation of this purpose is necessary and the purpose cannot be achieved in any other way, only thanks to the processing of this data. It should be emphasized that the data controller is responsible for proving that the purpose of data processing is legally justified and that the processing of data for this purpose is necessary. It must be remembered that the person whose data is processed has the right to obtain information about the purpose, scope and method of data processing (Article 32 (1) of the Act).
Prohibition of violating the rights and freedoms of data subjects
In addition, it should be remembered that the processing of data for a legitimate purpose may not violate the rights and freedoms of the data subject. In order to process personal data in accordance with this premise, two conditions must actually be met (legitimate purpose and non-violation of the rights of the data subject). This leads to a situation where the interest of the data subject will always come first, even if objectively the interest of the data controller will be more important. According to this provision, it cannot be assessed whose interest is priority. Therefore, there is always a risk that the actions of the data controller who relies on the premise of a legitimate purpose, and this purpose is in fact justified, may turn out to be illegal if the person whose data is processed raises an objection that the administrator's actions violate his rights and freedoms. . Moreover, the treatment of the above-mentioned a ban in a literal and indisputable manner may completely exclude the possibility of data controllers relying on this premise. Therefore, many representatives of the doctrine strongly oppose such a literal interpretation of this provision and placing the interest of the person whose data is processed above all else.
Direct marketing and redress
The most common legally justified purpose is direct marketing of own products or services of the data controller or pursuing claims for business activity. However, the data controller may provide a different purpose that will be considered legally justified.
Direct marketing of own products or services is not defined in the regulations, however, according to the doctrine, it is recognized that it consists in individual contacts with a selected client using various advertising media, while messages addressed to the client are addressed directly to him. These messages, which should be emphasized, may only refer to the data controller's own products or services - so you cannot promote someone else's. Therefore, if the data controller has obtained someone's personal data (e.g. the customer has already used the services offered by the controller), it may process this data for marketing purposes, with the reservation that it will only advertise its own products or services.
When it comes to pursuing claims for business activity, it should be understood as the right to process by an entrepreneur the personal data of a debtor who is in default and fails to fulfill his obligations. The entrepreneur will therefore act for a legally justified purpose, when he will process the personal data of the debtor without his consent in order to be able to pursue his claims. As indicated above, theoretically, the debtor has the right to try to defend himself, arguing that the entrepreneur's actions, consisting in processing the debtor's data in order to pursue claims, violate the rights and freedoms of the debtor. However, the jurisprudence of administrative courts deems such argumentation unjustified, as it would collide with such a good as the entrepreneur's right to pursue his claims.
You can also process personal data in order to pursue your claims not only related to running a business. An example may be the processing of the plaintiff's personal data by the defendant who believes that the civil action brought against him was unfounded and harms his good name, therefore he decides to bring a case against the plaintiff for false accusations. In such a situation, he has the right to obtain and process the plaintiff's personal data in order to be able to bring his own action. In this case, we will be dealing with the use of data to implement the constitutional right to claim one's rights through a court trial. In such a situation, it will not be possible to speak of a violation of the rights and freedoms of data subjects.
Start a free 30-day trial period with no strings attached!
Right to object
It should be remembered that the data subject has not only the right to control the processing of his data, but also the right to object:
Art. 21 GDPR
1. The data subject has the right to object at any time - for reasons related to his particular situation - to the processing of his personal data based on art. 6 sec. 1 lit. e) or f), including profiling based on these provisions. The administrator is no longer allowed to process this personal data, unless he demonstrates the existence of valid legitimate grounds for processing, overriding the interests, rights and freedoms of the data subject, or the grounds for establishing, investigating or defending claims.
2.If personal data is processed for direct marketing purposes, the data subject has the right to object at any time to the processing of his personal data for such marketing purposes, including profiling, to the extent that the processing is related to such marketing. direct marketing.
3. If the data subject objects to the processing for direct marketing purposes, the personal data may no longer be processed for such purposes.
4. At the latest on the first communication with the data subject, he shall be clearly informed of the right referred to in paragraph 1. 1 and 2, and shall be presented clearly and separately from any other information.
5. In the context of the use of information society services, and without prejudice to Directive 2002/58 / EC, the data subject may exercise his right to object by automated means using technical specifications.
6. Where personal data are processed for scientific or historical research purposes or for statistical purposes pursuant to Art. 89 sec. 1, the data subject has the right to object - for reasons related to his particular situation - to the processing of his personal data, unless the processing is necessary to perform a task carried out in the public interest
Point 1 refers to the objection to data processing if the data controller processes it for marketing purposes or transfers it to another data controller. Raising an objection results in an absolute obligation to stop processing the data. It is worth noting here that the processing of data for direct marketing purposes does not require the consent of the person concerned, because direct marketing may result from legitimate purposes. However, the person concerned always has the right to object to such use of his data.
There is also an objection to the transfer of data to another data controller. This means that it does not entrust data processing to another entity that does not have the status of a data controller.