GDPR – Prohibition law with constituent elements of permissibility
As under the Federal Data Protection (BDSG) act old version, the principle of „prohibition subject to permission“ applies. This means any form of data processing is prohibited – unless a legal basis legitimises the data processing or the data subject has given his/her consent. Article 6 GDPR (General Data Protection Regulation) regulates as a central provision the lawfulness of the processing of personal data and lists the corresponding conditions.
Personal data is any information relating to an identified or identifiable person (data subject). An identifiable natural person is one who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data and one or more specific characteristics which are expressions of the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person (Art. 4 No. 1 GDPR). Examples of this are: Name, place of residence, registration plate, chassis number, customer number, IMEI number, IP address.
The permissibility of processing sensitive data is regulated in Article 9 GDPR „Processing of special categories of personal data“.
Special categories of personal data are e.g.
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- information on sex life or sexual orientation
- biometric data
- genetic data
Principles relating to processing
Article 5 DSGVO lays down the principles governing the processing of personal data, i.e. the principles governing data processing. Personal data must be processed lawfully, fairly and in a transparent manner to the data subject (lawfulness, fairness and transparency). The principle of transparency (Art. 6 para. 1 lit. a GDPR) has been added. This is in line with the considerable expansion of the information duties of the controller and the rights of the data subject to obtain information.
Lawfulness of processing
Processing is only lawful if at least one of six conditions is fulfilled (Art. 6 (1) GDPR):
- The data subject has given his consent to the processing of his or her personal data for a specifice purpose.
- processing is necessary for the performance of a contract
- processing is necassary for compliance with a legal obligation to which the controller is subject.
- processing is necessary to protect the vital interests of the data subject or of another natural person.
- processing is is necessary fort he performance of a task carried out in the publik interest or i the exercise of offical authority vested in the controller
- processing is necessary fort he purposes of the legitimate interest pursued by the controller, except where such interestare overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Only one of the six points mentioned must be met in order for the processing of personal data to be lawful.
(Author: Regina Mühlich advises nationally and internationally active medium-sized companies as data protection consultant and compliance officer)
If you have any questions, please contact us:
by e-mail consulting@AdOrgaSolutions.de or
Munich office +49 89 411 726 – 35 / Vienna office +43 1 253 017- 8177.
May 28, 2019