Data Processing Beyond the Original Purpose

 

People’s personal data is increasingly being processed (either by accident or design) for purposes other than that for which it was originally collected, often without informing the data subject.

 

Compatibility Test for Data Processing

 

Where processing for a purpose other than that for which the personal data was collected is not based on the data subject’s consent or on a requirement of UK law, the controller must apply the test set out in Article 6(4)(a) – (e) of the GDPR to confirm that the new purpose is compatible with the purpose for which the data was originally collected.

 

Article 6(4)(a) – (e) requires the controller to take into account:

 

  • any link between the purposes for which the personal data was originally collected and the purposes of the intended further processing;
  • the context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller;
  • the nature of the personal data, in particular whether special categories of personal data are processed, pursuant to Article 9, or whether personal data related to criminal convictions and offences are processed, pursuant to Article 10;
  • the possible consequences of the intended further processing for data subjects; and
  • the existence of appropriate safeguards, which may include encryption or pseudonymisation.

 

Duty of ‘Data Protection by Design and by Default’

 

Even once Article 6(4) is satisfied, Article 25(1) and (2), possibly the least understood and least implemented of the GDPR’s provisions, impose a duty on controllers to implement ‘data protection by design and by default’ so that the data processing complies with the GDPR’s provisions.

 

In particular, the Article 25 measures should ensure the controller’s compliance with the GDPR’s Article 5(1) data protection principles.

 

Consequences of Failing Article 6(4)

 

A controller that fails to apply the Article 6(4) test will often also have failed to implement the measures required by Article 25, and with them the Article 5(1) principles, since the measures needed to protect the data cannot be designed without first establishing what the data is being used for.

 

Real-world Example

 

In the UK in February 2022, a firm of solicitors was issued with a £98,000 monetary penalty notice by the ICO for its contravention of Article 25 (failure to implement data protection by design and by default) as well as Articles 5(1)(e) (storage limitation principle), 5(1)(f) (integrity and confidentiality principle) and 32(1)(a) and (b) (security of processing).

 

Rise of Data Protection Law Firms

 

Specialist claimant data protection law firms, and firms employing data protection specialists, have become more common recently. In the event of a data breach, they are likely to be quick to seek ICO sanctions and compensation from controllers who have failed to implement measures to comply with Article 25, where that failure has resulted in a breach of the Article 5(1) principles.

 

Importance of GDPR Compliance

 

The GDPR has now been in force for over five years, and data subjects, the ICO and the courts expect controllers to understand its provisions fully and to comply with them. While the courts have all but eliminated spurious and low-value damages claims, complex GDPR provisions such as those outlined in this article mean that claimant solicitors can run genuine claims in the High Court, incurring high legal costs for the controller.

 

It is important that companies operating in the UK fully understand the GDPR’s provisions, that they take specialist advice where they are unsure of their duties, and that they do so immediately if they suspect an incident might lead to ICO action and/or a damages claim.

 

This blog was written by David Sinclair, a Data Protection Lawyer at 360 Business Law
