European Union Institutional body

Non-compliance with general data processing under GDPR

Provisions covered: Art. 5 (1) a) GDPR, Art. 5 (2) GDPR, Art. 6 GDPR, Art. 7 GDPR, Art. 12 (1), (2), (3) GDPR, Art. 21 (2) GDPR, Art. 24 (1), (2) GDPR, Art. 25 (1) GDPR


Article 5(1)(a) - Personal data shall be processed lawfully, fairly, and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);

The question that follows is what counts as lawful. Article 6(1) sets out six grounds on which processing is lawful.

What are the grounds?

Article 6(1)

(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.

Example: how Article 6(1)(a) of the GDPR may apply in practice:

A customer visits an online store and creates an account to purchase products. During the account registration process, the customer consents to the processing of their personal data for the purpose of completing the transaction and delivering the products to them. This processing includes collecting the customer's name, address, email address, and payment information.

Under Article 6(1)(a) of the GDPR, the legal basis for processing the customer's personal data in this case is their explicit consent. The customer has provided their consent by actively agreeing to the processing of their personal data for a specific purpose, i.e., completing the transaction and delivering the products.

To ensure that the processing of the customer's personal data is lawful and compliant with the GDPR, the online store must ensure that the consent obtained from the customer is freely given, specific, informed, and unambiguous. This means that the customer must have been presented with clear and understandable information about the processing of their personal data, including the purposes of the processing, the categories of personal data being processed, the recipients of the personal data, and the customer's rights in relation to the processing.

The online store must also ensure that the customer's consent can be withdrawn at any time, without detriment to the customer. This means that the online store must provide the customer with a clear and easy way to withdraw their consent and must honor the customer's request promptly.

By obtaining explicit and informed consent from the customer, the online store is complying with its obligations under Article 6(1)(a) of the GDPR to ensure that the processing of personal data is lawful, fair, and transparent. This helps to protect the rights and freedoms of the customer and builds trust between the customer and the online store.

(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

Example: (1) An individual applies for a loan with a financial institution. The institution needs to process the individual's personal data, such as their financial information and credit history, to assess their loan eligibility. The processing of personal data is necessary for the institution to take steps at the request of the data subject prior to entering into a contract for the loan.

(2) An individual signs up for a subscription service with a company. The company needs to process the individual's personal data, such as their name, address, and payment information, in order to provide the subscription service. The processing of the personal data is necessary for the performance of the contract between the individual and the company.

In both examples, the processing of personal data is necessary for the performance of a contract or to take steps at the request of the data subject prior to entering into a contract, and therefore falls under Article 6(1)(b) of the GDPR as a lawful basis for processing.

(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

Example: Article 6(1)(c) GDPR applies when a company is required by law to collect and process certain personal data from its employees, such as tax information, social security numbers, and work permits. The company processes this personal data to comply with legal obligations, such as tax and employment regulations.

(d) Vital interests: the processing is necessary to protect someone’s life.

Example: (1) A hospital processes the personal data of an unconscious patient who has been admitted with life-threatening injuries. The hospital processes the patient's personal data, such as their medical history, in order to provide the necessary medical treatment to protect the patient's vital interests.

(2) An emergency services provider processes the personal data of a person who has called for assistance in a life-threatening situation, such as a heart attack or a car accident. The provider processes the person's personal data, such as their name and location, in order to respond to the emergency and protect the person's vital interests.

(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

Example: Article 6(1)(e) GDPR applies when a government agency collects personal data from its citizens for the purpose of providing public services, such as healthcare, education, or social welfare. The agency processes the personal data in order to carry out its public tasks and obligations, which are in the public interest.

(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

Example: Article 6(1)(f) GDPR applies when a company processes personal data of its customers in order to improve its products or services, such as by conducting surveys or analyzing purchase history. The company processes the personal data in pursuit of its legitimate interests to improve its business and customer satisfaction, while taking into account the privacy and data protection rights of the customers.

Another example could be when a social media platform processes personal data of its users to personalize their experience and serve relevant ads, based on their interests and online behavior. The platform processes the personal data in pursuit of its legitimate interests to provide a valuable service to its users and advertisers, while balancing their privacy and data protection rights.

In both examples, the processing of personal data is necessary for the purposes of legitimate interests pursued by the controller or a third party, and such interests are not overridden by the interests or fundamental rights and freedoms of the data subjects. Therefore, the processing falls under Article 6(1)(f) of the GDPR as a lawful basis for processing. However, it is important to note that the controller must conduct a legitimate interests assessment and take appropriate measures to ensure that the privacy and data protection rights of the data subjects are adequately protected.

What is fairness?

Personal data shall be processed fairly. This means that personal data should be processed without deception, in an unbiased and 'decent' way, and in a manner that is acceptable under the established standards and norms of our society, so that it at least fits 'common sense'.

What is transparency?

Personal data shall be processed fairly and in a transparent manner. The transparency principle means that, at least from the perspective of the data subject, whatever the data controller is doing should be visible to the data subject, or at least the data subject should know what the data controller is processing. The personal data should be accessible and, last but not least, what the data controller is doing with those personal data should be 'easily understood' by the data subjects, in clear and plain language.

Transparency is fundamentally linked with fairness. Transparent processing means being clear, open and honest with people from the start about who you are and how you use their personal data.

Transparency is always important, but especially in situations where the individual has the right to choose whether to enter into a relationship with you.

If individuals know from the outset what you will use their information for, they can decide whether or not to enter into a relationship with you.

Article 7 - Conditions for consent

Article 7 of the General Data Protection Regulation (GDPR) sets out the conditions for obtaining and demonstrating valid consent for the processing of personal data. Here is a summary of each of the four paragraphs of this article:

(1) The controller must be able to demonstrate that the data subject has consented to the processing of their personal data. This means that the burden of proof is on the controller to show that valid consent was obtained.

(2) If consent is given as part of a written declaration that also covers other matters, the request for consent must be presented in a way that is clearly distinguishable from the other matters, using clear and plain language. Any part of the declaration that does not comply with GDPR requirements will not be binding.

(3) Data subjects have the right to withdraw their consent at any time, and it must be as easy to withdraw as it was to give consent. The withdrawal of consent does not affect the lawfulness of processing that occurred before the withdrawal, and data subjects must be informed of this right prior to giving their consent.

(4) When assessing whether consent is freely given, account must be taken of whether the performance of a contract or provision of a service is conditional on consent to process personal data that is not necessary for the performance of the contract. This means that if the controller is requiring consent for data processing that is not essential for providing the contracted service, consent may not be considered to have been freely given.

For example, let's say that a company collects personal data from customers in order to send them marketing emails. When customers sign up for the email list, they are asked to give their consent to the processing of their personal data for this purpose. If a customer later decides that they no longer want to receive these emails, they can exercise their right to withdraw their consent under Article 7(1) of the GDPR. To do this, the customer can contact the company and request that their personal data be removed from the email list. The company must then stop processing the customer's personal data for this purpose and remove their information from the email list.

It's important to note that withdrawing consent does not affect the lawfulness of any processing that was carried out before the withdrawal. This means that if a company has already processed a customer's personal data before they withdrew their consent, that processing remains lawful.
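The four Article 7 conditions summarised above, as an added example that is not code from the original post: a check that flags a consent request which is bundled, pre-ticked, tied to the service, or silent about withdrawal, and an append-only consent ledger in which withdrawal is a single call and processing before the withdrawal stays lawful. The function and class names and the two sample request dictionaries are constructed for illustration; the bundled marketing-plus-profiling box mirrors the pattern criticised in the Edison Energia case discussed at the end of the post.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass
class ConsentRecord:
    """One consent event for one purpose; the stored notice version is what
    lets the controller demonstrate that consent was given (Art. 7(1))."""
    subject_id: str
    purpose: str
    notice_version: str
    given_at: datetime
    withdrawn_at: Optional[datetime] = None


def check_consent_request(request: dict) -> list[str]:
    """Return the Article 7 problems found in one consent checkbox (empty = ok).
    `request` is a constructed description: purposes covered, pre-ticked flag,
    whether the service is refused without it, whether the contract needs it, text."""
    problems = []
    if len(request["purposes"]) != 1:
        # One box covering marketing AND profiling is not specific (Art. 7(2)).
        problems.append("bundled purposes: " + ", ".join(request["purposes"]))
    if request.get("pre_ticked", False):
        problems.append("pre-ticked box is not an unambiguous affirmative act")
    if request.get("required_for_service") and not request.get("necessary_for_contract"):
        # Art. 7(4): a service conditioned on consent it does not need is not freely given.
        problems.append("service conditioned on consent the contract does not need")
    if "withdraw" not in request.get("text", "").lower():
        # Art. 7(3): the subject must be told of the withdrawal right beforehand.
        problems.append("notice does not mention the right to withdraw")
    return problems


class ConsentLedger:
    """Append-only record of consents and withdrawals, one row per purpose."""

    def __init__(self) -> None:
        self._rows: list[ConsentRecord] = []

    def record(self, subject_id: str, purpose: str, notice_version: str, at: datetime) -> None:
        self._rows.append(ConsentRecord(subject_id, purpose, notice_version, at))

    def withdraw(self, subject_id: str, purpose: str, at: datetime) -> bool:
        """One call, no extra conditions: as easy as giving consent (Art. 7(3))."""
        for row in self._rows:
            if (row.subject_id, row.purpose, row.withdrawn_at) == (subject_id, purpose, None):
                row.withdrawn_at = at
                return True
        return False

    def lawful_at(self, subject_id: str, purpose: str, when: datetime) -> bool:
        """Was processing for `purpose` covered by consent at `when`? Processing
        before a withdrawal stays lawful; processing after it does not (Art. 7(3))."""
        return any(
            row.subject_id == subject_id and row.purpose == purpose
            and row.given_at <= when
            and (row.withdrawn_at is None or when < row.withdrawn_at)
            for row in self._rows
        )

    def evidence(self, subject_id: str, purpose: str) -> list[ConsentRecord]:
        """What the controller produces to meet the burden of proof (Art. 7(1))."""
        return [r for r in self._rows if (r.subject_id, r.purpose) == (subject_id, purpose)]


# Constructed sample requests: a bundled marketing-plus-profiling box (the
# pattern the Italian DPA found invalid) beside a purpose-specific one.
BUNDLED_REQUEST = {"purposes": ["marketing", "profiling"], "pre_ticked": True,
                   "required_for_service": True, "necessary_for_contract": False,
                   "text": "I agree to receive offers and to have my data analysed."}
SPECIFIC_REQUEST = {"purposes": ["marketing"], "pre_ticked": False,
                    "required_for_service": False, "necessary_for_contract": False,
                    "text": "Tick to receive offers by email. You may withdraw at any time."}
```

Running `check_consent_request(BUNDLED_REQUEST)` lists all four defects, while the specific request passes clean; the ledger then shows that processing dated before a withdrawal is still covered and processing dated after it is not.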

Article 12 

Article 12 of the General Data Protection Regulation (GDPR) outlines the requirements for controllers to provide transparent information and communication to data subjects about their personal data. Here is a summary of each of the three paragraphs of this article:

Article 12(1) of the GDPR requires controllers to provide transparent information and communication to data subjects about the processing of their personal data. This means that the controller must inform the data subject about how their personal data is being collected, processed, and used. The information must be provided in a concise, transparent, intelligible, and easily accessible form, using clear and plain language. The information should be presented in a manner that is easy for the data subject to understand, and that does not require a legal or technical background to comprehend.

The information that must be provided to data subjects includes any information referred to in Articles 13 and 14, which set out the information that must be provided to data subjects at the time their personal data is collected. This includes information about the identity of the controller, the purposes for which the personal data will be processed, the legal basis for processing, the recipients or categories of recipients of the personal data, the retention period for the personal data, and the data subject’s rights in relation to the personal data.

The controller must also provide any communication under Articles 15 to 22 and 34, which relate to data subject rights. These articles provide data subjects with the right to access, rectify, erase, restrict processing, object to processing, data portability, and not be subject to automated decision making. The controller must provide information about these rights and how they can be exercised by the data subject.

When providing information to data subjects, the controller must take into account the specific needs of children. Any information that is addressed specifically to a child must be presented in a way that is easy for a child to understand.

The information can be provided in writing or by other means, including electronic means. If requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.

In addition to providing information, the controller must also facilitate the exercise of data subject rights under Articles 15 to 22. This means that the controller must make it easy for data subjects to exercise their rights, and cannot refuse to act on requests unless they are unable to identify the data subject.

Overall, Article 12(1) is intended to ensure that data subjects are fully informed about how their personal data is being used, and that they are able to exercise their rights under the GDPR. By providing transparent information and communication, controllers can build trust with data subjects and ensure that they are meeting their obligations under the GDPR.

Example of Article 12(1) of the GDPR

If a company collects personal data from its customers, it must provide a privacy notice in a concise, transparent, intelligible and easily accessible form using clear and plain language. The privacy notice should explain what data is being collected, how it will be used, who it will be shared with, how long it will be kept, and what rights the data subject has. If the company processes the personal data for multiple purposes, it should provide separate information about each purpose.

For instance, let's say that an e-commerce website collects personal data such as name, address, email address, and credit card information from its customers. The website must provide a privacy notice that explains the purpose of the data processing, who the data will be shared with, how long it will be kept, and what rights the data subject has. The website must ensure that the privacy notice is easily accessible and understandable by its customers. If a customer requests information about their personal data, the website must provide the requested information without undue delay and in a clear and concise manner.

Article 12(2)

Article 12(2) of the GDPR requires that the controller provides the data subject with information about any action taken in response to their request to exercise their rights under Articles 15 to 22 of the GDPR. The controller must provide this information without undue delay, and in any event, within one month of receiving the request.

If the request is particularly complex or if the controller has received a large number of requests, they may extend the response time by two additional months. However, they must inform the data subject of this extension, together with the reasons for it, within one month of receiving the request.

If the data subject has made the request electronically, then the information should be provided electronically, unless the data subject requests otherwise. Additionally, the controller must ensure that they facilitate the exercise of the data subject's rights under Articles 15 to 22 of the GDPR.

Furthermore, if the controller decides not to act on the data subject's request, they must inform the data subject without delay, and at the latest within one month of receiving the request, explaining the reasons for not taking action. They must also inform the data subject of their right to complain to a supervisory authority or seek a judicial remedy.

Overall, Article 12(2) ensures that the data subject is kept informed of any action taken in response to their requests under Articles 15 to 22 of the GDPR, and that they have the ability to enforce their rights if necessary.

What Articles 15 to 22 of the GDPR cover:

Article 15- Right of access by the data subject

Article 16 - Right to rectification

Article 17 - Right to erasure (‘right to be forgotten’)

Article 18 - Right to restriction of processing

Article 19 - Notification obligation regarding rectification or erasure of personal data or restriction of processing

Article 20 - Right to data portability

Article 21 - Right to object

Article 22 - Automated individual decision-making, including profiling

Article 12(3)

Article 12(3) of the General Data Protection Regulation (GDPR) requires that if a data subject makes a request to a controller (the entity that determines the purposes and means of processing personal data) to exercise their rights under the GDPR, and the controller does not take action on the request, then the controller must inform the data subject of the reasons for not taking action without delay and at the latest within one month of receipt of the request.

The controller must also inform the data subject of their right to lodge a complaint with a supervisory authority (such as a national data protection authority) and to seek a judicial remedy. This information must be provided to the data subject in a clear and understandable manner.

In other words, if a data subject requests to exercise their GDPR rights (such as the right to access, rectify, erase, restrict or object to the processing of their personal data) and the controller fails to act on the request, the controller must inform the data subject of their reasons for not taking action and of their right to seek recourse through a supervisory authority or a judicial remedy. This requirement is intended to ensure that data subjects are aware of their options for seeking redress if their rights are not respected.

Article 21(2)

Article 21(2) of the General Data Protection Regulation (GDPR) gives data subjects the right to object to the processing of their personal data for direct marketing purposes, including profiling that is related to such direct marketing. This means that if a company is using personal data to send marketing communications to an individual, that person has the right to object to the processing of their data for this purpose at any time.

The right to object to direct marketing is an important protection for data subjects, as it allows them to have greater control over how their personal data is used by companies. It also helps to ensure that marketing communications are only sent to those who have consented to receive them or who have a genuine interest in the products or services being offered.

If a data subject exercises their right to object to the processing of their personal data for direct marketing purposes under Article 21(2), the controller must stop processing the data for this purpose without undue delay. The controller must also inform the data subject of their right to object, in a clear and understandable manner, and free of charge. The data subject must be informed of their right to object at the time of the first communication with them and in every subsequent communication.

If the controller fails to comply with the data subject's objection, the data subject may be entitled to seek recourse through a supervisory authority or a judicial remedy.

Article 24

Article 24 of the General Data Protection Regulation (GDPR) outlines the responsibility of the controller in ensuring that processing of personal data is carried out in accordance with the regulation. The article includes the following provisions:

(1) The controller must implement appropriate technical and organizational measures to ensure and demonstrate that processing is performed in accordance with the GDPR. This should take into account the nature, scope, context, and purpose of processing, as well as the risks to the rights and freedoms of data subjects. The measures must be reviewed and updated where necessary.

(2) Where proportionate to the processing activities, the controller must implement appropriate data protection policies.

(3) The controller may use adherence to approved codes of conduct or certification mechanisms as an element to demonstrate compliance with GDPR obligations.

In essence, Article 24 places a duty on the controller to take proactive steps to ensure that they are complying with GDPR requirements. This includes implementing appropriate technical and organizational measures to ensure data protection, such as data encryption and access controls, and developing data protection policies. The controller must also regularly review and update these measures to ensure ongoing compliance.

In addition, adherence to approved codes of conduct or certification mechanisms can be used as a means of demonstrating compliance with GDPR obligations. This can provide assurance to data subjects, supervisory authorities, and other stakeholders that the controller is committed to protecting personal data and complying with GDPR requirements.

Case Law

Violation: non-compliance with general data processing

Art. 5 (1) a) GDPR, Art. 5 (2) GDPR, Art. 6 GDPR, Art. 7 GDPR, Art. 12 (1), (2), (3) GDPR, Art. 21 (2) GDPR, Art. 24 (1), (2) GDPR, Art. 25 (1) GDPR

The Italian Data Protection Authority (DPA) has fined Edison Energia S.p.A. EUR 4.9 million for violating the General Data Protection Regulation (GDPR) by engaging in unlawful marketing activities. The DPA received complaints from several individuals regarding the company's marketing practices, which led to an investigation.

During the investigation, the DPA found that Edison Energia had contacted individuals by telephone for marketing purposes without their consent. The company had obtained contact lists from third parties, but in many cases, these lists did not contain the required consent from users for the disclosure of their personal data.

Furthermore, the DPA found that Edison Energia did not provide an easy and direct way for individuals to exercise their right to object to the processing of their personal data. Additionally, the company did not respond to data subject requests in a timely manner.

The DPA also found that Edison Energia's app and website users were asked to consent to the use of their data for both marketing and profiling purposes. However, the DPA determined that this consent did not meet the standards of voluntary and specific consent for different purposes.

Finally, the DPA found that Edison Energia did not provide transparent information to data subjects about how their personal data would be processed.

As a result of these violations, Edison Energia was fined EUR 4.9 million. This case serves as a reminder to companies that they must comply with the GDPR's requirements for obtaining valid consent, providing transparency, and responding to data subject requests in a timely manner.
