The Lawful Use of Personal Data


'The lawful use of personal data' means that the processing of personal data must be in accordance with the law and justified by specific, lawful purposes. This means that data processing must have a clear legal basis, such as the consent of the individual, the necessity to fulfill a contract, a legal obligation, or significant public interest. Furthermore, data processing must be conducted fairly, transparently, and only to the extent necessary for the specified purposes. Personal data may be processed for various legitimate purposes, established in accordance with the General Data Protection Regulation (GDPR). These purposes include:
  • Consent: The data subject has given clear consent for their data to be processed for a specific purpose.
  • Fulfilling legal obligations: For example, data is processed to fulfill a contract to which the data subject is a party, or to take pre-contractual measures at the request of the data subject. Processing may also be necessary to comply with a legal obligation imposed on the data controller.
  • Vital interests: Processing is necessary to protect the vital interests of the data subject or another individual. This means that in certain cases, personal data can be processed without the data subject's consent if it is absolutely necessary to protect the life or fundamental needs of the data subject or another person. This applies, for example, in emergencies such as medical, technological, or criminal situations where a person's life or health is at risk.
  • Public interest tasks or official authority: This means that personal data can be processed without the data subject's consent if it is necessary to protect broader public interests or to perform tasks entrusted to a specific governmental body or institution. Examples include a census or a criminal investigation, where processing enables agencies to perform functions necessary to serve the public interest.
  • Legitimate interests: Processing is necessary for the legitimate interests of the data controller or a third party, as long as these interests do not override the interests or the fundamental rights and freedoms of the data subject that require data protection. This purpose requires a deeper understanding because it includes circumstances such as video surveillance and marketing activities, so we will explore it more extensively in another video.

In conclusion, the proper execution of all these purposes ensures that personal data processing is conducted legally and in accordance with the regulation's requirements, while simultaneously protecting the rights and freedoms of data subjects.

Understanding the Lawful Use of Personal Data Under GDPR

Understanding the Legitimate Use of Personal Data

The concept of 'Datu tieskais lietojums', or the lawful use of personal data, is a cornerstone of GDPR compliance. While the video lesson covers the basics, let's look more closely at specific examples and methods to build a thorough understanding of this topic.

The Fundamental Principles

When processing personal data, it is imperative to have a clear legal basis, such as obtaining consent, fulfilling contractual obligations, complying with legal requirements, or protecting vital and public interests.

Example 1: Obtaining Consent

Consent must be explicit. For instance, when you sign up for a newsletter, the provider should inform you about the specific use cases of your email address. This transparency meets the GDPR’s requirement for lawful data collection.

Example 2: Contractual Necessity

Suppose you're applying for a loan. The bank needs your financial history. Here, processing your data is essential to fulfill a contract. This legal basis ensures that your financial information is utilized legitimately.

Example 3: Legal Obligations

Employers are legally required to maintain employee records for tax and regulatory compliance. This means that personal data, such as social security numbers, is processed to meet these legal duties.

Example 4: Vital Interests

Data can be processed without consent in emergencies, such as medical crises. If someone is unconscious and in need of urgent medical care, their health data can be accessed to save their life. This is processing on the basis of vital interests.

Example 5: Public Interest Tasks

Organizations like census offices can process data without consent to compile demographic information needed for public policies. This supports societal needs without compromising on legal principles.

Example 6: Legitimate Interests

Consider a retail store using CCTV for security purposes. Even without explicit consent from customers, this processing serves the legitimate interest of preventing theft and ensuring safety, provided it does not infringe on individual rights excessively.

Transparency and Fairness

Processing must be conducted transparently. Individuals need to know what data is collected and why. Clear privacy notices and accessible data protection officers play vital roles here.

Data Minimization

GDPR emphasizes that only necessary data should be collected. For example, an online retailer should collect only relevant information to fulfill and deliver an order, such as the shipping address and payment details, without unnecessary additional data.

Conclusion

Adhering to these principles ensures that personal data is processed lawfully, ethically, and transparently. By doing so, organizations not only comply with GDPR but also build trust with their customers or data subjects.