Compatibility as a Mechanism for Responsible Further Processing of Personal Data

  • Conference paper
Privacy Technologies and Policy (APF 2018)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11079)

Abstract

Further processing is probably one of the lesser researched features of the General Data Protection Regulation (“GDPR”). This is remarkable since much of the data to be processed involves data that was collected at an earlier stage and further processing is highly relevant for data controllers.

“Further processing” in this article refers to the processing of personal data for a purpose other than that for which it was initially collected. Article 6(4) of the GDPR provides the legal basis for such further processing. The key mechanisms are consent and a compatibility assessment.

Many privacy advocates consider consent to be the gold standard for further processing and pay little attention to the compatibility option. Consent, however, puts a significant cognitive load on individuals (the “data subjects”), while it confronts data controllers with serious challenges in obtaining consent and recording its validity. On the other hand, the compatibility assessment allows data controllers to justify the further processing based on the criteria given in Article 6(4), but it might leave individuals powerless.

In this article, we compare the two key mechanisms for further processing, consent and compatibility, and we discuss various compensating measures controllers can take to ensure that compatibility-based processing is a real alternative to consent.

Author information

Corresponding author

Correspondence to Andre Walter.

Appendix 1 – Table Overview Including All Compensating Measures

The table below shows an overview of the two key mechanisms that can be applied to enable further processing of personal data. The two mechanisms of consent and compatibility are compared on the three most important aspects of realizing privacy protection: (i) the principles of personal data processing, (ii) the data subject’s rights and freedoms, and (iii) the controller’s obligations and interests.

Initially, the comparison was done with no compensating measures in place to improve the performance of one or the other of the mechanisms. In a second consideration, the compensating measures discussed above were added to improve the performance of the compatibility assessment, possibly bringing it to the same level as consent.

Copyright information

© 2018 Springer Nature Switzerland AG

Cite this paper

Seinen, W., Walter, A., van Grondelle, S. (2018). Compatibility as a Mechanism for Responsible Further Processing of Personal Data. In: Medina, M., Mitrakas, A., Rannenberg, K., Schweighofer, E., Tsouroulas, N. (eds) Privacy Technologies and Policy. APF 2018. Lecture Notes in Computer Science, vol 11079. Springer, Cham. https://doi.org/10.1007/978-3-030-02547-2_9

  • DOI: https://doi.org/10.1007/978-3-030-02547-2_9

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-02546-5

  • Online ISBN: 978-3-030-02547-2

  • eBook Packages: Computer Science, Computer Science (R0)
