Legitimate Data Processing – Data Protection Law  

The charter of the fundamental rights of the EU is the fundamental law of EU.

The charter states that everyone has the right for protection regarding his/her personal data.

It mandates that data has to be processed fairly. It has to be processed for a specific purpose on the basis of consent OR some other legitimate basis in accordance with law.

Criteria to make Data Processing Legitimate

Directive 95/46 set out the criteria.

• The data subject must unambiguously give consent, or
• Processing is to perform a contract, or
• It is necessary to fulfil a legal obligation, or
• It is necessary to protect vital interest of the data subject, or
• It is necessary to perform a task in the public interest
• It is necessary for the legitimate interest of the controller

If a controller has concluded there is a legitimate basis the controller must then apply the principles of data protection to the matter ie is fairness and purpose.

In Ireland we have reproduced article 7 of directive 95/46 in S2A(1) of the data protection act.

Data can only be processed by a controller if either :

• Consent was given
• Processing is necessary for the performance of a contract, to take steps on the data subjects request pre contract, to comply with a legal obligation, to prevent injury to the health or damage to the data subject, or otherwise in the vital interest of the data subject, processing is necessary regarding a legal obligation, or for the performance of a government minister or the government, or to performance a function in the public interest of the person, or there is a legitimate interest of the data controller.

A legitimate interest espoused by a controller must be balance with a data subjects rights & interest.

Irelands Section 2A(1) of the DPA is very closely aligned with article 7 of the 95/46 directive.

Data Subjects Consent

Article 2(h) of the 95/46 EU parliament directive defined this as :

‘the data subject’s consent’ shall mean any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed’.

Consent given must be :

• Freely given
• Specific
• Unambiguous
• Informed

The burden of proof is on the controller to prove consent.

Small print in a brochure may not be sufficient to prove informed consent for example. Mistaken given by mistake will be invalid. Consent given vis a vie misrepresentation will also have an issue with validity.