Since GDPR entered into force a lot has been said and written about the way organisations can collect and then process personal data they have. In my opinion though, not much attention has been devoted to re-using personal data that already are in companies’ databases.
Under the GDPR any processing of personal data is possible subject to fulfilment of several principles and conditions. One of them (and in my opinion one of the most important) is the purpose limitation principle.
Organisations subject to the GDPR regime are not only required to specify the purpose for which they want to process personal data, but also the adequate legal basis under which the processing is carried out. This must also be clearly communicated to data subjects as for the fulfilment of the transparency obligations.
What about processing of data for other purposes that have not initially been communicated to the data subjects?
Back in 2013 WP 29 issued the Opinion 203 on Purpose Limitation. Under that guidance, however, this principle and underlying requirements are considered as an open norm and there are no clear-cut answers nor information on the practical application of these norms.
Let’s start with the basics: from Art. 5(1)(b) GDPR it clearly stems that processing that is incompatible with the initial purposes for which personal data were collected is not allowed. In practice this means that, prior to the intended further processing, a secondary purpose that is compatible with the initial purpose for which data were collected must be found.
The legislator has foreseen two or even three situations where secondary use of data could indeed be feasible. Let us look at them in turn.
The presumption of compatibility
The first candidate to legitimise the secondary processing of personal data is the presumption of compatibility, known to some as the ‘compatibility check’. The overall idea is that further processing is permissible if the secondary purposes are compatible with the primary purposes for which data were collected. The application of this presumption means that no new legal basis is required for the secondary use of data. Unfortunately though, it is not that simple.
The lawful application of the presumption of compatibility requires considering the following items (as per art. 6.4 GDPR):
A caveat here is that if data were collected based on an individual’s consent or following a legal requirement, no further processing beyond what was covered by the initial consent or the legal provision can take place. Further processing would require obtaining a new consent or finding a new separate legal basis.
The factors above must all be taken into account at the same time. A balancing act must be performed as shortcomings of some of them could potentially be compensated by the rest. I can’t imagine that some sort of scoring could be used but rather a case-by-case analysis, aided by an experienced privacy professional seems more appropriate. The reasoning followed during the balancing act is to be documented in due regard to the accountability principle.
Another option worth exploring are the exemptions from art. 5.1. GDPR which lays down the general prohibition against secondary processing of personal data. If an organisation wants to process data initially collected for -let’s say- conducting a survey among its customers, it could use such data for another purpose. Under GDPR such purposes would be archiving data in the public interest as well as statistical, scientific or historical research purposes. In this sense, Art. 89.1 GDPR establishes that some conditions must be fulfilled for such secondary use of data to be lawful. I will elaborate on that further in the article.
Also, mind that Member States were given some discretion in terms of providing derogations from some of the rights granted to data subjects by GDPR (e.g. right of access, rectification, restriction of processing or the right to object) (art. 89.2 GDPR). For example, the UK decided to make use of this option and enshrine this rule in its Data Protection Act 2018 schedule 2 part 6. Indeed, in the UK when data are processed for research or statistical purposes, data subjects have limited rights to the extent that exercising these rights would impair the achievement of the purposes in question. On the other hand, the Polish legislator did not make use of this possibility.
A new legal basis
Lastly, there is always an option of simply finding a new legal basis for processing, such as consent. It would obviously work in a different manner that the other two possibilities mentioned above, but maybe in certain circumstances worth considering. Especially if uncertainty regarding the use of the other two arises.
However, it must be kept in mind that consent can be tricky and burdensome on controllers who do not only need to obtain it, keep records of consents and be mindful that it can be withdrawn at any time. In reality many perceive it as the easiest way to lawfully process personal data (also for secondary purposes) and the other options are often put aside. As opposed to consent though, the compatibility check gives more room for interpretation for controllers, but it puts data subjects in a much weaker position.
How does it work in practice?
Now that we have an overview of the available options for legitimising further processing of personal data, we can think of what steps are required to achieve it. Let’s assume that an organisation decides it is going to try to re-use the personal data that already are in its database. The subsequent steps will depend on the exemption that applies to the non-further-processing rule.
Reliance on the presumption of compatibility requires organisations to do a balancing test and take into account all the relevant factors mentioned in art. 6.4 GDPR.
Below are some examples linked to the respective factor of the compatibility test (based on WP 29 Opinion 203) that could help organisations to assess whether compatibility between secondary and initial purposes does exist:
All the above points have to be taken into consideration as all are equally important. However, if one is not fulfilled then it does not automatically mean that the presumption of compatibility cannot be leveraged in a particular instance – these factors can balance each other’s shortcomings. All factors and case-by-case analysis must be done and surely it is one of those situations when DPO input would be crucial.
Using data for scientific, archiving or historical research purposes (so relying on art. 5.1. exemption form the general prohibition) mainly requires applying safeguards such as technical and organisational measures keeping in mind that data minimisation is of utmost importance. The legislator gives an example of pseudonymisation and encryption as potential measures.
Let’s look at clinical trials and personal data collected as part of them as an example. It would seem logical that such data collected for a purpose of performing a clinical trial could be used further for scientific research. Such data have a high value and could help scientists and companies from the health sector. Not even mentioning the societal benefits that such research could bring both to an individual himself and the society as a whole by means of finding, for instance, new treatments.
Now, how would an organisation make sure that personal data are safe and protected? An essential part of the answer to that question is encryption, which should always be considered as there is always a chance that data (any data) could be intercepted in a malicious attack either from outside or even inside the organisation.
A fine addition to the encryption practices would be pseudonymising personal data by removing access to data attributes that would enable identification of an individual. Making personal data pseudonymous does not relieve an organisation from its GDPR compliance but it protects individuals not only from potential data leaks but any other misuses that could cause issues to them.
To conclude, the European legislator gave data controllers a few viable options allowing them to use data beyond what was initially agreed with the data subject. Companies shouldn’t be scared to make use of these possibilities – they should just make sure they do proper research and analysis each time they want proceed with further data processing. This is to ensure compliance with the law and protect individuals’ rights.