Lawful Use (processing) of Personal Data (General Provisions)
The (EU-wide) GDPR provides that the processing (use) of personal data is permitted, provided that the processor complies with one or more of the following conditions:
- the data subject (the person whose personal information it is) has unambiguously given his consent to the processing for one or more specific purposes;
- the processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject, prior to entering a contract;
- the processing is necessary for compliance with a legal obligation to which the controller is subject;
- the processing is necessary to protect the vital interests of the data subject;
- the processing is necessary for the performance of a task carried out in the public interest or the exercise of official authority vested in the controller (data holder) or in a third party to whom the data are disclosed;
- the processing is necessary for the purpose of the legitimate interests pursued by the controller or the third party to whom they are disclosed, except where such interests are overridden by the fundamental rights and freedoms of the data subject.
Lawful Use (processing) of Personal Data (Legal Obligation and Governmental Functions)
The GDPR criteria for processing of data are set out above. EU Member States may maintain or introduce more specific provisions to adapt the application of the GDPR rules in the context of a legal obligation, public interest or the exercise of public authority. There are criteria in the GDPR in relation to such rules.
See the separate chapters in relation to the Irish rules in this context. Most of these areas relate to governmental and public interest activities. The processing must comply with broad data protection principles. The member State law must meet an objective of public interest and be proportionate to the legitimate aim pursued.
The national rules may contain specific provisions to adapt the GDPR rules to the public and other function concerned, including:
- the general conditions governing the processing by the controller;
- the types of data which are subject to the processing;
- the data subjects concerned;
- the entities to, and the purposes for which, the personal data may be disclosed;
- the purpose limitation; storage periods; and
- processing operations and processing procedures, including measures to ensure lawful and fair processing such as those for other specific processing situations.
Consent to Use of Personal Data
Consent must be unambiguous, freely given and informed. A positive consent, as opposed to a consent by inertia, is almost invariably required. It cannot usually be inferred or implied. Explicit consent is preferable in all cases. If a person has not realised that he is consenting, it is unlikely to be sufficiently unambiguous and free for the purposes of the legislation.
Consent may usually be withdrawn. The data subject has the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject must be informed thereof. It shall be as easy to withdraw as to give consent.
Consent must have been demonstrably given. Where processing is based on consent, the controller must be able to demonstrate that the data subject has consented to the processing of his or her personal data.
Explicit Consent Usually Required I
If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this requirement is not binding.
Consent must be informed. The embodiment of consent in small print, where it does not come to the attention of the data subject, is unlikely to suffice. In the context of a written declaration on another matter, safeguards should ensure that the data subject is aware of the fact that and the extent to which consent is given.
A declaration of consent pre-formulated by the controller should be provided in an intelligible and easily accessible form, using clear and plain language and it should not contain unfair terms.
Explicit Consent Usually Required II
Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.
This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity do not constitute consent.
Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for each and all of them. If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
Extent of Consent
For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended.
The extent to which the consent is required to be informed or explicit depends on whether the processing is unusual, invasive or affects the data subject’s fundamental rights. Very explicit consent will be required where the processing is unusual or affects fundamental rights.
Consent may not be implied, subject to some limited necessary exceptions. The commencement of litigation, for example, impliedly consents to disclosure of the claimant’s material records. This, for example, would include medical records, when the claimant’s physical condition is in issue. His initiation of litigation is voluntary and necessarily implies consent to the extent necessary to protect the defendant’s legitimate interests.
Freely Given I
Consent given by fraud, duress, misrepresentation, pressure or violence is not valid consent. The consent must be genuine and free. Consent obtained by deception or misstatement is invalid. Consent, induced by mistake, may be invalid.
Consent is not regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.
When assessing whether consent is freely given, account shall be taken of whether, amongst other things, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
Freely Given II
Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations, despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.
A higher standard than that required for contractual consent is necessary. Contracts entered under economic pressure are not generally invalidated. However, such pressure is likely to invalidate consent for the purpose of Data Protection legislation. A bare consent in a contract may not be sufficient, particularly where the party who consents has very little choice.
In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation.
Consent of Child and Those Lacking Legal Capacity
The Data Protection Act provides that if the data subject by reason of his physical, mental incapacity or age, is likely to be unable to appreciate the nature and effect of the consent, it is to be given by a guardian, parent, uncle, aunt, brother or sister of the data subject, provided that such consent is not prohibited by law.
The GDPR recites that specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child.
The data controller must make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility for the child, taking into consideration available technology.
This shall not affect the general contract law of Member States such as the rules on the validity, formation or effect of a contract in relation to a child. The general age at which a person can enter a contract is 18 years, subject to exceptions in particular for necessaries.
Digital Age of Consent
Information society services are, broadly, those acquired or purchased through a digital/electronic medium. The GDPR provides that in relation to the offer of information society services directly to a child, the processing of the personal data of the child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing is lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility for the child.
Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years. Ireland has provided in the Data Protection Act 2018 that the digital age of consent is 13 years.
The GDPR recitals provide that the consent of the holder of parental responsibility should not be necessary in the context of preventive or counselling services offered directly to a child.
Codes of Conduct regarding Children’s Data
The Data Protection Commission is to encourage the drawing up of codes of conduct intended to contribute to the proper application of the GDPR with regard to—
- the protection of children,
- the information to be provided by a controller to children,
- the manner in which the consent of the holders of parental responsibility for a child is to be obtained, and
- integrating the necessary safeguards into processing in order to protect the rights of children in an age-appropriate manner.
For the purpose of considering whether a draft code of conduct or an extension or amendment to an existing code of conduct provides sufficient appropriate safeguards, the Commission may, where it concerns the application of the GDPR to children, consult with such persons as it considers appropriate including—
- children and bodies who appear to the Commission to represent the interests of children,
- the holders of parental responsibility for children, and
- the Ombudsman for Children
Contract or Legal Obligation I
The processing (use) of personal data is lawful where:
- the processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject, prior to entering a contract; or
- the processing is necessary for compliance with a legal obligation to which the controller is subject.
The extent to which data processing is necessitated for the performance of a contract, or in order to take steps at the request of the data subject to enter the contract, may be a question of interpretation in the circumstances.
Pre-contract consent must relate to steps taken by the other party at the data subject’s request. This, for example, may involve the use of personal data in preparing a quotation for a job.
Contract or Legal Obligation II
Necessary does not mean that the processing must be essential for the purposes of performing a contract or taking the relevant pre-contractual steps. However, it must be a targeted and proportionate way of achieving that purpose.
The lawful basis does not apply if there are other reasonable and less intrusive ways to meet the contractual obligations or take the steps requested.
The processing must be necessary to deliver the data processor’s side of the contract with the particular party. If the processing is necessary only to maintain the processor’s business model more generally, the lawful basis will not apply. The legitimate interests basis may be available.
Legal Duty I
Data processing is permissible in relation to obligations imposed other than by contract. The obligations may arise from another obligation or duty having the force of law.
Although the processing need not be essential in order to comply with the legal obligation, it must be a reasonable and proportionate way of achieving compliance. The processor cannot rely on the lawful basis if it has a discretion over whether to process the personal data or if there is another reasonable way to comply. It will often be clear from the law in question whether the processing is actually necessary for compliance.
The GDPR contemplates that the legal obligation be laid down by national or EU law. The obligation does not have to be an explicit statutory obligation, as long as the application of the law is foreseeable to those individuals subject to it. It includes clear common law obligations. It may be a court order.
This basis of processing does not require that there must be a legal obligation specifically requiring the specific processing activity. If the processor’s overall purpose is to comply with a legal obligation which has a sufficiently clear basis in either common law or statute, the basis is likely to be available.
Legal Duty II
The processor should be able to identify the obligation in question, either by reference to the specific legal provision or else by pointing to an appropriate source of advice or guidance that sets it out clearly. This may be a government website or industry guidance that explains generally applicable legal obligations.
Regulatory requirements are legal obligations for these purposes where there is a statutory basis underpinning the regulatory regime and which requires regulated organisations to comply.
A contractual obligation is not a legal obligation in this context. A processor cannot contract out of the requirement for a lawful basis. However, the contract basis may be available in relation to contracts with the data subject. In the cases of contracts with other parties, the legitimate interests basis may apply.
Legitimate Interest Basis
The data controller may process the personal data of another, to the extent that it is necessary for the purpose of the protection of his legitimate interests. This does not apply where it would infringe the fundamental freedoms of the data subject. Legitimate interests embrace a broad range of considerations.
The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller.
Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller.
Assessment of Legitimate Interests
The existence of a legitimate interest needs careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. The interests and fundamental rights of the data subject could, in particular, override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing.
Given that it is for the State to provide by law for the legal basis for public authorities to process personal data, that legal basis does not apply to the processing by public authorities in the performance of their tasks.
The processing of personal data strictly necessary for the purposes of preventing fraud constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.
Controllers that are part of a group of undertakings or institutions affiliated to a central body may have a legitimate interest in transmitting personal data within the group of undertakings for internal administrative purposes, including the processing of clients’ or employees’ personal data. The general principles for the transfer of personal data, within a group of undertakings, to an undertaking located in a third country remain unaffected.
The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security constitutes a legitimate interest of the data controller concerned. This covers:
- the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity, and confidentiality of stored or transmitted personal data;
- the security of the related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams, computer security incident response teams, by providers of electronic communications networks and services and by providers of security technologies and services.
This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.
Collected for Another Purpose / Further Processing
The processing of personal data for purposes other than those for which the personal data were initially collected is allowed only where the processing is compatible with the purposes for which the personal data were initially collected. In such a case, no legal basis separate from that which allowed the collection of the personal data is required.
Where the processing for a purpose other than that for which the personal data have been collected is not based on the data subject’s consent or an EU or national law which constitutes a necessary and proportionate measure in a democratic society, the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected, take into account, amongst other things:
- any link between the purposes for which the personal data have been collected and the purposes of the intended further processing;
- the context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller;
- the nature of the personal data, in particular, whether special categories of personal data are processed, or whether personal data related to criminal convictions and offences are processed;
- the possible consequences of the intended further processing for data subjects;
- the existence of appropriate safeguards, which may include encryption or pseudonymisation.
Processing Does Not Require Identification
If the purposes for which a controller processes personal data do not or no longer require the identification of a data subject by the controller, the controller shall not be obliged to maintain, acquire or process additional information in order to identify the data subject for the sole purpose of complying with the GDPR.
Where the controller is able to demonstrate that it is not in a position to identify the data subject, the controller shall inform the data subject accordingly, if possible. In such cases, the rights of the data subject in Articles 15 to 20 of GDPR (access, rectification, erasure, objection etc.) do not apply except where the data subject, for the purpose of exercising his or her rights under those articles, provides additional information enabling his or her identification.
If the personal data processed by a controller do not permit the controller to identify a natural person, the data controller is not obliged to acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of the GDPR. However, the controller should not refuse to take additional information provided by the data subject in order to support the exercise of his or her rights.
Identification should include the digital identification of a data subject, for example through an authentication mechanism such as the same credentials used by the data subject to log in to the online service offered by the data controller.
The processing of personal data for purposes other than those for which the personal data were initially collected is allowed only where the processing is compatible with the purposes for which the personal data were initially collected. In such a case, no legal basis separate from that which allowed the collection of the personal data is required.
In order to ascertain whether a purpose of further processing is compatible with the purpose for which the personal data are initially collected, the controller, after having met all the requirements for the lawfulness of the original processing, should take into account, inter alia:
- any link between those purposes and the purposes of the intended further processing;
- the context in which the personal data have been collected, in particular, the reasonable expectations of data subjects based on their relationship with the controller as to their further use;
- the nature of the personal data;
- the consequences of the intended further processing for data subjects; and
- the existence of appropriate safeguards in both the original and intended further processing operations.
Where the data subject has given consent or the processing is based on Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard, in particular, important objectives of general public interest, the controller should be allowed to further process the personal data irrespective of the compatibility of the purposes. In any case, the application of the principles set out in the GDPR and in particular, the information of the data subject in relation to those other purposes and on his or her rights including the right to object should be ensured.
Freedom of Expression and Journalism
The processing of personal data for the purpose of exercising the right to freedom of expression and information, including processing for journalistic purposes or for the purposes of academic, artistic or literary expression, is exempt from compliance with the below provisions of the GDPR where, having regard to the importance of the right of freedom of expression and information in a democratic society, compliance with the provision would be incompatible with such purposes.
The provisions of the GDPR for the above purposes are:
- the general principles (other than processing in a manner that ensures appropriate security of the personal data)
- rights of the data subject
- controller and processor
- transfer of personal data to third countries and international organisations
- independent supervisory authorities and
- cooperation and consistency.
The Commission may, on its own initiative, refer any question of law which involves consideration of whether processing of personal data is exempt to the High Court for its determination. An appeal shall, by leave of the High Court, lie from a determination of that Court on a question of law to the Court of Appeal.
In order to take account of the importance of the right to freedom of expression and information in a democratic society, the right is to be interpreted in a broad manner.
Disclosure includes disclosure of information extracted from data and the transfer of data. It does not include disclosure made by a data controller or processor to his employee, for the purpose of carrying out his duties.
Where the identification of the data subject depends partly on the data and partly on other information in the control or possession of the data controller, disclosure does not take place until the other connecting information is disclosed.
Disclosure may take place when sufficient information is given in a public sphere such that it may potentially identify the person concerned. It may be sufficient disclosure to mention a person on radio based on data held. Disclosure encompasses unintentional and accidental disclosure.
Data may be disclosed to third parties, even though this was not anticipated at the time of collection. If this occurs, the data subject should be informed at the date of disclosure.
Rights in relation to automated decision making
Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Subject to the GDPR and to suitable and specific measures to safeguard the fundamental rights and freedoms of the data subject, the right of a data subject not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her shall, in addition to the GDPR grounds, not apply where the decision is authorised or required by or under an enactment, and either
- the effect of that decision is to grant a request of the data subject, or
- in all other cases, adequate steps have been taken by the controller to safeguard the legitimate interests of the data subject which steps shall include the making of arrangements to enable him or her to make representations to the controller in relation to the decision.
Data Protection: Law and Practice 4th ed with 1st Supplement Data Protection: Law and Practice 4th ed with 1st Supplement Rosemary Jay 2014
Information Rights: Law and Practice Information Rights: Law and Practice 4th ed Philip Coppel 2014
Cloud Computing Law Christopher Millard 2013
Transborder Data Flow Regulation and Data Privacy Law (eBook) Christopher Kuner 2013
Consent in European Data Protection Law Consent in European Data Protection Law Eleni Kosta 2013
A User’s Guide to Data Protection A User’s Guide to Data Protection Paul Lambert 2013
Confidentiality (Book & eBook Pack) Confidentiality 3rd ed The Hon Mr Justice Toulson, Charles Phipps 2012
Binding Corporate Rules: Corporate Self-Regulation of Global Data Lokke Moerel 2012
Property Rights in Personal Data: A European Perspective Property Rights in Personal Data: A European Perspective Nadezhda Purtova 2011
Global Employee Privacy and Data Security Law 2nd ed Morrison & Foerster LLP 2011
Computers, Privacy and Data Protection: An Element of Choice Computers, Privacy and Data Protection: An Element of Choice Edited by: S. Gutwirth, Y. Poullet, P. De Hert, R. Leenes 2011
Information Rights: Law and Practice Information Rights: Law and Practice 3rd ed Philip Coppel 2010
Data Protection: Legal Compliance and Good Practice for Employers Data Protection: 2ed Lynda Macdonald 2008