The EU General Data Protection Regulation (GDPR) sets out some key principles for the processing of personal data. These include that such data may only be processed fairly. Some data controllers may be surprised at the consequences this seemingly inconspicuous obligation has in data protection practice.
Fair processing as an undefined legal concept
Compared to the other principles of Art. 5 GDPR, fair processing is an undefined legal concept that is difficult to grasp.
It can generally be understood to mean decent and fair behaviour towards the data subject in accordance with the rules of coexistence. This includes ensuring that the data subject is not unfairly disadvantaged when personal data is processed and that appropriate consideration is given to the rights and interests of the data subject. Fair data processing therefore means processing that is “decent” and “correct”.
Consequences of the principle of fairness in practice
Priority of direct collection
It can be inferred from the principle of fairness that a balance of power must be maintained between the data controller and the data subject. To ensure this, direct collection is generally preferable to collection from a third party. This means that personal data should – where possible and appropriate – primarily be collected directly from the data subject rather than from a third party. This is because in the case of direct collection, the data subject has more influence on the data processing, as they can actively determine which personal data they disclose and thus make the entire processing procedure more comprehensible for them.
If the controller wishes to collect data indirectly from a third party, there must be objective reasons for doing so. If the controller has nevertheless collected personal data indirectly, it is subject to the duty to provide information pursuant to Art. 14 GDPR. It must therefore inform the data subject about the processing and their rights. Although this does not make up for the data subject's lack of involvement, it allows the data subject to understand the processing in the same way as if they had been informed about the scope and overall circumstances of the processing in the case of direct collection in accordance with Art. 13 GDPR.
Overriding legitimate interest
Art. 6 (1) (f) GDPR provides a legal basis for the processing of personal data if the controller has an overriding legitimate interest in the data processing. In order to justify that the controller’s interest in processing outweighs the rights and interests of a data subject, a balancing of interests is required. The principle of fairness is of great importance in this balancing of interests.
Recital 47 GDPR specifies in more detail that the “reasonable expectations of the data subjects” in particular must be taken into account. This means that the controller may not, in principle, carry out any data processing that a reasonable data subject could not have expected. This applies, for example, to the question of what is standard in the industry.
For example, a buyer may expect a seller to advertise similar goods after completing a purchase. However, in the same circumstances, the data subject cannot expect the controller to sell their data on to third parties.
With regard to expectations, the relationship between the controller and the data subject is particularly important. In relationships such as an employment relationship, which is characterised by a natural hierarchy and thus a relationship of dependency, even more consideration must be given to what the employee can reasonably expect. The greater the difference in power, the less can be expected of the data subject and the more restrictively the overriding legitimate interest must be applied.
Consent
The principle of fairness is also reflected in the context of consent. In particular, the requirements of voluntariness and the prohibition against coupling within the meaning of Art. 7 (4) GDPR are affected.
As already explained, the principle of fairness is intended to prevent an imbalance between the controller and the data subject and to strengthen the cooperation of the data subject in data processing. For this reason, consent is only effective if it is given voluntarily, i.e. free from threats or coercion. If the controller wishes to justify its processing with consent, the data subject must have a “genuine or free choice” in accordance with Recital 42 GDPR. In other words, it must be possible for the data subject not to give consent without suffering any disadvantages as a result.
To return to the previously described reasonable expectations, this way of thinking is also reflected in the prohibition against coupling declarations of consent. Accordingly, when concluding a contract, the data subject may not be forced to consent to further processing that is not necessary for the fulfilment of this contract or that he or she does not reasonably expect, where he or she has not been informed about the further use of his or her personal data and has therefore not consented to that use. This circumstance must be taken into account to the greatest possible extent when assessing whether consent has been given voluntarily in order to ensure fair processing.
Conclusion: principles should not be underestimated
Fair processing, which is so difficult to conceptualise and seems almost harmless, has serious consequences in data protection practice. If the balance of power between the controller and the data subject is to be as equal as possible, numerous considerations must be taken into account when processing data. In case of doubt, the advice of a data protection expert or the company’s data protection officer should be sought.