GDPR – Pro­hi­bi­ti­on law with con­sti­tu­ent ele­ments of permissibility

As under the Federal Data Pro­tec­tion (BDSG) act old version, the prin­ci­ple of „pro­hi­bi­ti­on subject to per­mis­si­on“ applies. This means any form of data pro­ces­sing is pro­hi­bi­ted – unless a legal basis le­gi­ti­mi­ses the data pro­ces­sing or the data subject has given his/her consent. Article 6 GDPR (General Data Pro­tec­tion Re­gu­la­ti­on) re­gu­la­tes as a central pro­vi­si­on the lawful­ness of the pro­ces­sing of per­so­nal data and lists the cor­re­spon­ding conditions.

De­fi­ni­ti­ons
Per­so­nal data is any in­for­ma­ti­on re­la­ting to an iden­ti­fied or iden­ti­fia­ble person (data subject). An iden­ti­fia­ble natural person is one who can be iden­ti­fied di­rect­ly or in­di­rect­ly, in par­ti­cu­lar by re­fe­rence to an iden­ti­fier such as a name, an iden­ti­fi­ca­ti­on number, lo­ca­ti­on data and one or more spe­ci­fic cha­rac­te­ristics which are ex­pres­si­ons of the phy­si­cal, phy­sio­lo­gi­cal, genetic, psy­cho­lo­gi­cal, eco­no­mic, cul­tu­ral or social iden­ti­ty of that natural person (Art. 4 No. 1 GDPR). Ex­amp­les of this are: Name, place of re­si­dence, re­gis­tra­ti­on plate, chassis number, cus­to­mer number, IMEI number, IP address.

The per­mis­si­bi­li­ty of pro­ces­sing sen­si­ti­ve data is re­gu­la­ted in Article 9 GDPR „Pro­ces­sing of special ca­te­go­ries of per­so­nal data“.
Special ca­te­go­ries of per­so­nal data are e.g.

• racial or ethnic origin
• po­li­ti­cal opinions
• re­li­gious or phi­lo­so­phi­cal beliefs
• trade union membership
• in­for­ma­ti­on on sex life or sexual orientation
• bio­me­tric data
• genetic data

Prin­ci­ples re­la­ting to processing
Article 5 DSGVO lays down the prin­ci­ples go­ver­ning the pro­ces­sing of per­so­nal data, i.e. the prin­ci­ples go­ver­ning data pro­ces­sing. Per­so­nal data must be pro­ces­sed lawful­ly, fairly and in a trans­pa­rent manner to the data subject (lawful­ness, fair­ness and trans­pa­ren­cy). The prin­ci­ple of trans­pa­ren­cy (Art. 6 para. 1 lit. a GDPR) has been added. This is in line with the con­sidera­ble ex­pan­si­on of the in­for­ma­ti­on duties of the con­trol­ler and the rights of the data subject to obtain information.

Lawful­ness of processing
Pro­ces­sing is only lawful if at least one of six con­di­ti­ons is ful­fil­led (Art. 6 (1) GDPR):

1. The data subject has given his consent to the pro­ces­sing of his or her per­so­nal data for a spe­ci­fice purpose.
2. pro­ces­sing is ne­ces­sa­ry for the per­for­mance of a contract
3. pro­ces­sing is ne­cas­sa­ry for com­pli­ance with a legal ob­li­ga­ti­on to which the con­trol­ler is subject.
4. pro­ces­sing is ne­ces­sa­ry to protect the vital in­te­rests of the data subject or of another natural person.
5. pro­ces­sing is is ne­ces­sa­ry fort he per­for­mance of a task carried out in the publik in­te­rest or i the exer­cise of offical aut­ho­ri­ty vested in the controller
6. pro­ces­sing is ne­ces­sa­ry fort he pur­po­ses of the le­gi­ti­ma­te in­te­rest pursued by the con­trol­ler, except where such in­te­re­sta­re over­ridden by the in­te­rests or fun­da­men­tal rights and free­doms of the data subject which require pro­tec­tion of per­so­nal data, in par­ti­cu­lar where the data subject is a child.

Only one of the six points men­tio­ned must be met in order for the pro­ces­sing of per­so­nal data to be lawful.

(Author: Regina Mühlich advises na­tio­nal­ly and in­ter­na­tio­nal­ly active medium-sized com­pa­nies as data pro­tec­tion con­sul­tant and com­pli­ance officer)

If you have any ques­ti­ons, please contact us:
by e-mail consulting@AdOrgaSolutions.de or 
Munich office +49 89 411 726 – 35 / Vienna office +43 1 253 017- 8177.

May 28, 2019