All About Processing Personal Data Under The GDPR
With the GDPR now in full operation, it is important to consider some fundamental aspects of data protection that it contains, such as the lawfulness of processing personal data. But first, what is personal data?
Personal Data under the GDPR
Personal data is information that is capable of identifying an individual. Under the GDPR, the definition of ‘personal data’ is expansive. Article 4 of the GDPR states that:
‘personal data’ means any information relating to an identified or identifiable natural person… a natural person is one who can be identified either directly or indirectly.
The definition above notes that an individual’s identity may be ascertained by one or more factors, including an online identifier. Recital 30 of the GDPR provides that a natural person can be associated with online identifiers, such as internet protocol addresses, cookie identifiers or other online identifiers.
Considering the above, it is important to understand that ‘personal data’ under the GDPR is broad and includes data which can identify an individual indirectly, that is, by reference to other information.
What does the GDPR say about Processing Personal Data?
Article 5 of the GDPR provides mandatory principles relating to the processing of personal data.
That is, personal data must be:
- processed lawfully, fairly and transparently;
- collected for specified, explicit and legitimate purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which it is collected;
- accurate and, where necessary, kept up to date;
- identifiable with the data subject and not stored for longer than necessary;
- secure against accidental loss, destruction or damage and protected against unauthorised access or unlawful processing.
Data controllers need to be confident in incorporating these processing standards, as they are responsible for demonstrating how their organisation’s processing activities comply with these principles – that is, the accountability principle.
Arguably the most important of these principles is that personal data must be processed lawfully. Correspondingly, the next article of the GDPR (Article 6) focuses on the lawfulness of processing personal data.
Lawfulness of Processing
Article 6 of the GDPR provides for the lawful processing of personal data. That is, processing must be based on at least one of the following grounds:
- consent for one or more specific purposes;
- processing is necessary for the performance of a contractual obligation;
- processing is necessary for compliance with a legal obligation;
- processing is necessary to protect the vital interests of an individual;
- processing is necessary for the performance or exercise of a public interest task or official authority of the controller;
- processing is necessary for the purposes of the legitimate interests of the controller or a third party, subject to the interests and fundamental rights of the data subject which require protection of personal data.
Before processing an individual’s personal data, it is essential that the data controller can demonstrate that they comply with the principles set out under the GDPR for the processing of personal data. This also means that the controller must show that at the time of the processing they had a legal basis to do so. Where processing activities occur over a period, it is important that the legal basis does not become undermined or otherwise expire.
Sam Gilbert, IP and Technology Consultant, B.A., LL.B University of Technology, Sydney
Disclaimer. The material in this post represents general information only and should not be taken to be legal advice.