Guest lecture 11 - Dr. Marinos Papadopoulos' presentation for his lecture to students of Edith Cowan University, School of Business & Law (Perth, Australia) on all the key principles providing the basis for the protection of personal data in consideration of the GDPR Regulation in Europe and on the lawful processing principle.
Key principles for data protection & lawful protection in GDPR
1. Key-principles for data protection & lawful protection in GDPR
Dr. Marinos Papadopoulos
Attorney-at-Law
Dr. Marinos Papadopoulos | ECU.edu.au School of Business & Law Guest Lecture @ 15/10/2021
1
2. Key-principles for data protection
Article 5 of GDPR lays down all the key principles for data protection. These are:
1. Lawfulness, Fairness & Transparency
2. Purpose limitation
3. Data minimization
4. Accuracy
5. Storage limitation
6. Integrity & Confidentiality
7. Accountability
3. Lawfulness, Fairness & Transparency (art.5(1)(a) GDPR)
Lawful processing: only if and to the extent that at least one of the conditions listed
in article 6 of GDPR applies.
Fair processing: data have not been obtained nor otherwise processed through
unfair means, by deception or without the data subject’s knowledge.
Transparent processing: natural persons should know that personal data
concerning them are collected, used, consulted or otherwise processed.
4. The purpose limitation principle (art.5(1)(b) GDPR)
Purpose limitation is the cornerstone principle for data protection in GDPR.
Limited purposes processing: data may only be collected for specified, explicit and
legitimate purposes (the purpose specification dimension) and may not be further
processed in a manner that is incompatible with those purposes (the compatible
dimension).
Purposes for processing personal data should be determined in the beginning at the
time of the collection of the personal data.
The purposes of data processing should be unambiguous and clearly expressed
instead of being kept hidden.
5. The compatible dimension of the purpose limitation principle
Article 6(4) GDPR sets out the criteria for determining whether processing for a purpose
other than that for which the personal data were collected is to be considered compatible
with the initial purpose.
Further processing for a new purpose is also possible, without that assessment, in two cases:
1. If the data subject consents to the new, otherwise incompatible, purpose
2. If the processing is based on an EU or national law
Article 89(1) GDPR: certain reuses of data are considered compatible a priori, namely
further processing for archiving purposes in the public interest, scientific or
historical research purposes or statistical purposes.
6. The data minimization principle (art.5(1)(c) GDPR)
Data must be adequate, relevant and limited to what is necessary in relation to the
purposes for which they are processed.
The necessity requirement: personal data should only be processed if the purposes
cannot be reasonably fulfilled by other means.
The necessity requirement refers not only to the quantity of data but also to the
quality of the data processed.
The ‘limited to what is necessary’ criterion also requires ensuring that the period for
which personal data are stored is limited to a strict minimum.
7. The accuracy principle (art.5(1)(d) GDPR)
All data collected and processed must be accurate and be kept up to date. All
inaccurate data must be either rectified or erased.
8. The storage limitation principle (art.5(1)(e) GDPR)
Data processed should not be stored in a form that permits identification of data
subjects beyond the time necessary to achieve the purposes of processing.
Controllers must establish time limits for erasure or for a periodic review of the
need for the storage of data.
Procedural measures must be adopted to ensure that time limits for the storage of
data are observed.
Controllers must implement appropriate technical and organizational measures for
ensuring that the legitimate period of storage of personal data is respected.
The storage limitation of data principle permits storage of personal data for longer
periods if it is for archiving purposes in the public interest, scientific or historical
research purposes or statistical purposes, and is subject to the implementation of
appropriate technical and organizational measures in order to safeguard the rights
and freedoms of the data subjects.
9. The integrity & confidentiality principle (art.5(1)(f) GDPR)
Personal data must be processed in a manner that ensures their appropriate
security including protection against unauthorized or unlawful processing and against
accidental loss, destruction or damage using appropriate technical or organizational
measures.
Articles 32-34 of GDPR are dedicated to the Controllers’ and Processors’ duty of
security.
They also establish the requirement to notify personal data breaches to the supervisory
Data Protection Authority.
10. The accountability principle (art.5(2) GDPR)
The Controller must be able to demonstrate that the processing of personal data is
in compliance with the legal rules (accountability).
Article 24 of GDPR is dedicated to the responsibility of the Controller to
demonstrate lawful processing in compliance with all the legal rules.
11. Court of Justice (CJ) of the EU cases – Relevant Case Law
CJEU, Case C-201/14 Bara and Others v Casa Națională de Asigurări de Sănătate and Others, regarding
the requirement for fair processing of personal data, available at CURIA (InfoCuria Case Law).
CJEU, Joined Cases C-92/09 & C-93/09 Volker und Markus Schecke GbR and Hartmut Eifert v Land
Hessen, regarding the principle of proportionality which is part of the requirement for a legitimate purpose in
the processing of personal data, available at CURIA (InfoCuria Case Law).
CJEU, Joined Cases C-293/12 & C-594/12, Digital Rights Ireland Ltd v Minister for Communications,
Marine and Natural Resources and Others and Kärntner Landesregierung and Others, regarding the principle
of proportionality which is part of the requirement for a legitimate purpose in the processing of personal data,
available at CURIA (InfoCuria Case Law).
CJEU, Joined Cases C-203/15 & C-698/15, Tele2 Sverige AB v Post- och telestyrelsen and Secretary of
State for the Home Department v Tom Watson and Others, regarding lawful processing of personal data,
available at EUR-Lex.
CJEU, Case C-708/18, TK v Asociația de Proprietari bloc M5A-ScaraA, regarding the principle of
proportionality which is part of the requirement for a legitimate purpose in the processing of personal data,
available at CURIA (InfoCuria Case Law).
12. The lawful processing principle (art.6(1) GDPR)
Article 6(1) of GDPR lays down the six grounds that make the processing of
personal data lawful. Controllers must be able to demonstrate that at least one of
these grounds applies to their processing of personal data.
The grounds for lawful processing of personal data under GDPR, which are exhaustive, are:
1. Consent of the data subject (art.6(1)(a) GDPR)
2. Contract and precontractual relationship (art.6(1)(b) GDPR)
3. Processing necessary for compliance with a legal obligation to which the Controller is
subject (art.6(1)(c) GDPR)
4. Processing which is necessary in order to protect the vital interests of the data
subject or of another natural person (art.6(1)(d) GDPR)
5. Processing for the performance of a task carried out in the public interest or in the
exercise of official authority vested in the Controller (art.6(1)(e) GDPR)
6. Processing on the grounds of legitimate interests pursued by the Controller or by a
third party (art.6(1)(f) GDPR)
13. Consent of the Data Subject (art.6(1)(a) GDPR)
Processing of personal data is lawful if the data subject has agreed to the processing
in a way which satisfies the conditions for valid consent as defined in article 4(11) and
articles 7 & 8 of GDPR.
Where the elements that constitute valid consent are unlikely to be present, and
where the data subject cannot decide free of social, financial, psychological
or other pressure, the element of ‘free consent’ is not secured and the consent of the data
subject is therefore not valid.
14. Contract & precontractual relationship (art.6(1)(b) GDPR)
To the extent that processing data about one’s contractual or precontractual
partner (the data subject) is necessary for the fulfilment of a contract or the
establishment of a precontractual relationship by the other contractual or
precontractual partner (the Controller), the latter has a legal basis for the processing
operations on these data.
An assessment of the necessity of processing of personal data in a contractual or
precontractual relationship must be made.
15. Compliance with a legal obligation (art.6(1)(c) GDPR)
This ground for lawful processing applies where processing is necessary for compliance with a legal
obligation stemming from either EU or national law to which the Controller is subject.
The law should necessitate the processing of data of others in order for the
Controller to be able to fulfil the legal obligation.
This ground for lawful processing also covers cases in which the Controller’s
obligation is not entirely specified in law, but by an additional legal act under public
law, such as secondary or delegated legislation, or even by a binding decision of a
public authority in a concrete case.
16. Protection of the vital interests (art.6(1)(d) GDPR)
Article 6(1)(d) of GDPR pertains to lawful processing carried out in order to protect the vital
interests either of the data subject or of another natural person.
Recital 46 of GDPR describes the ‘vital interest’ as one which is essential for the life
of an individual.
17. Performance of a task in the public interest or exercise of official authority (art.6(1)(e) GDPR)
This ground for lawful processing is the general basis for personal data processing
for public sector purposes.
Processing of personal data under article 6(1)(e) of GDPR must be necessary for a task
which is carried out in the public interest or in the exercise of official authority
and which has been entrusted to the Controller.
Processing in this context is lawful only if it is necessary. It is necessary if it promotes
good governance, in the sense that it makes the performance of the public authority
more effective and facilitates activities which are in the public interest and are
foreseen by law.
18. Legitimate interests (art.6(1)(f) GDPR)
This ground for lawful processing pertains to the legitimate interests of private
sector Controllers.
A legitimate interest is an interest which is visibly, although not necessarily
explicitly, recognized by law, either EU law or national law. Mere commercial interests
do not suffice to establish a ‘legitimate interest’.
The legitimate interests at stake may be those of the Controller or those of a third party.
A Controller intending to rely on article 6(1)(f) of GDPR for data processing must
perform a balancing test in accordance with the principle of proportionality before the
processing.
The decisive criterion for the Controller’s balancing test is the intensity of
intervention that the processing in question poses to the rights and freedoms of the
data subjects.
19. Compatible further processing (art.6(4) GDPR)
Compatible further processing is not an additional legal basis. The legal basis for
the initial processing is applicable to compatible further processing.
Article 6(4) of GDPR provides tools for the assessment of the compatibility of further
processing. These tools are the following:
1. any link between the purposes for which the personal data have been collected and
the purposes of the intended further processing;
2. the context in which the personal data have been collected, in particular regarding
the relationship between data subjects and the controller;
3. the nature of the personal data, in particular whether special categories of personal
data are processed, pursuant to art.9, or whether personal data related to criminal
convictions and offences are processed, pursuant to art.10;
4. the possible consequences of the intended further processing for data subjects;
5. the existence of appropriate safeguards, which may include encryption or
pseudonymization.
20. Court of Justice (CJ) of the EU cases – Relevant Case Law
CJEU, Case C-524/06 Heinz Huber v Bundesrepublik Deutschland, regarding processing of personal data
carried out in the public interest, available at CURIA (InfoCuria Case Law).
CJEU, Case C-582/14, Patrick Breyer v Bundesrepublik Deutschland, regarding processing of personal
data on the grounds of legitimate interests of the Controller, available at CURIA (InfoCuria Case Law).
CJEU, Case C-40/17, Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW eV, regarding processing of
personal data on the grounds of legitimate interests of the Controller, available at CURIA (InfoCuria Case Law).
21. Further Reading
The Information Accountability Foundation, (May 25, 2021), The FAIR and OPEN USE Act: A Demonstration
of Accountability-Based Legislation To Assure the Fair Processing of Data Pertaining to People, available at URL:
https://secureservercdn.net/192.169.221.188/b1f.827.myftpupload.com/wp-content/uploads/2021/06/FAIR-and-OPEN-USE-Act-May-26-2021.pdf?time=1633465269
European Union Agency For Fundamental Rights, (May 25, 2018), Handbook on European data protection
law, available at URL: https://fra.europa.eu/en/publication/2018/handbook-european-data-protection-law-2018-edition
European Data Protection Board, Guidelines, Recommendations, Best Practices, available at URL:
https://edpb.europa.eu/our-work-tools/general-guidance/guidelines-recommendations-best-practices_en
European Data Protection Supervisor, (August 9, 2021), EDPS Guidance on Return to the Workplace and
EUIs’ screening of COVID immunity or infection status, available at URL:
https://edps.europa.eu/system/files/2021-08/21-08-09_guidance_return_workplace_en_0.pdf