GDPR Case Analysis
Table of Contents
Question 1: Do you agree with this recommendation? Why? Which alternatives, if any, would you consider?
Question 2: Which legal basis should this processing be based on?
Question 3: Which specific steps need to be taken to ensure that this processing has a valid legal basis? Does this processing call for a data protection impact assessment?
Question 4: You are negotiating an agreement with CI on ACME’s behalf. Do you have any concerns about the proposed functionalities in their systems? Which changes would you suggest?
Question 5: Assuming that the processing of personal data by ACME is legal, which specific steps would you take to ensure that giving CI access to ACME’s personal data is compliant with the GDPR?
Works Cited

Question 1: Do you agree with this recommendation? Why? Which alternatives, if any, would you consider?

We do not agree with this recommendation, because it conflicts with Articles 5, 6 and 7 of the GDPR. ACME is a fitness company established in Norway that processes personal data, so the GDPR applies to it. Because ACME determines the purposes and means of the processing itself, ACME is the data controller; no data processor is involved in this case. The central question is whether valid consent has been established, so we first need to recall how the GDPR defines consent. Under Article 4(11), consent means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

ACME’s external counsel recommends adding a consent tick box to both the employment contracts and the membership agreements. We object to this recommendation for three reasons. First, ACME needs to treat employment contracts and membership agreements separately, because the two relationships carry different responsibilities. Second, consent should not be reduced to a single tick box accompanied by a coercive sentence that pressures people into agreeing. Third, one consent cannot bundle three purposes together.

Article 7(4) of the GDPR makes clear that consent must be freely given: in assessing whether it is, utmost account must be taken of whether the performance of a contract is made conditional on consent to processing that is not necessary for that contract. Recital 43 adds that consent should not provide a valid legal ground for processing where there is a clear imbalance between the data subject and the controller. An employment relationship is exactly such an imbalance: an employee (the data subject) can hardly refuse a clause in a contract drafted by the employer (ACME, the controller) without fearing consequences, so consent obtained this way is not freely given and will not be valid. ACME should therefore not rely on a consent clause in its employment contracts.

Now consider the membership agreements. Here, too, the external counsel wants to obtain consent through a tick box embedded in the agreement, which again fails the freely given requirement of Article 7(4). A single tick box bundled into the contract, and especially a pre-ticked one, does not amount to a genuine choice. Recital 32 requires that consent be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her; silence, pre-ticked boxes or inactivity therefore do not constitute consent.

Besides the two points above, a single consent must not cover more than one purpose. Article 5(1)(b) requires that personal data be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. It follows that each specific purpose needs its own legal basis. The proposed consent text lists three purposes for processing personal data: 1) controlling access to the facilities, 2) implementing other security measures, and 3) marketing.

Of these three, the first does not need to be covered by consent at all. Under Article 6(1)(b), processing is lawful when it is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract. Controlling who may enter the gym is part of performing the membership contract, so no separate consent is needed from customers. For the second purpose, ACME should state clearly what the “other security measures” are. If they are necessary for a task carried out in the public interest or in the exercise of official authority vested in the controller (Article 6(1)(e)), this purpose need not appear in the consent either; for a private fitness company that basis is unlikely to apply, however, and the more natural basis for ordinary security measures is legitimate interests under Article 6(1)(f). If ACME nonetheless wants to rely on consent for security measures that fall outside Article 6(1)(e), Article 7(2) requires that a request for consent contained in a written declaration which also concerns other matters be presented in a manner clearly distinguishable from those other matters, in an intelligible and easily accessible form, using clear and plain language; it must therefore be a separate, clearly distinguished consent. For the marketing purpose, ACME needs to run a purpose test and state what kind of marketing is meant: is it direct or indirect? Processing for direct marketing may be regarded as carried out for a legitimate interest (Recital 47). ACME must then apply a necessity test to check whether the direct marketing is actually necessary for that interest; for example, promoting its services by email to existing customers, or asking them for feedback, would normally pass. Finally, a balancing test checks whether the customers’ interests or fundamental rights are harmed by the processing. Sending promotional email or asking for feedback normally creates little risk, so the marketing purpose can be stated. Whichever basis ACME relies on, the marketing purpose should be presented separately from the other purposes, and customers must be able to refuse it, withdraw from it, or object to it at any time (Article 21(2) gives data subjects an unconditional right to object to direct marketing).

Last but not least, the coercive sentence “failure to do so may result in reduced access to the facilities” conflicts with the unambiguous, freely given consent required by Recital 32, with Recital 42 (consent is not freely given if the data subject is unable to refuse or withdraw it without detriment) and with the conditionality rule of Article 7(4); it also undermines the right to withdraw consent at any time under Article 7(3). If ACME insists on including this sentence, the consent is invalid under the GDPR.

To fix the consent, ACME should give customers the right to refuse or withdraw consent without losing access to the facilities, and state each purpose clearly in plain language together with its specific legal basis. On those terms we would consider it a valid consent for customers to agree to.

Question 2: Which legal basis should this processing be based on?

To find the legal basis, we start by extracting the purposes. As a general rule, each purpose has one legal basis. In this case ACME has two purposes: collecting and analysing its customers’ access records, and e-marketing. The processing should therefore rest on two legal bases, one for each purpose.

For the first purpose, collecting and analysing access records, the main issue is whether this processing is necessary for a contract or for steps taken at the request of the data subject. Under Article 6(1)(b), processing is lawful if it is necessary for the performance of a contract. In this case the promotion email is sent to the address customers used to sign up for the service, which means customers signed up before their access records were collected and analysed. In addition, the discount requires at least 10 visits to the training centres per month, so processing the access records is necessary to determine whether a customer qualifies for the discount. Collecting and analysing access records is therefore necessary at the request of the data subjects, and the legal basis for it is contractual necessity.