Principles of collection of personal data: from legal basis to consent
There are a large number of companies that collect various forms of personal data. Companies with staff, for example, collect personal data and use it for payroll administration, keeping track of hours worked, and so on. Or what about webshops, which collect a lot of customer data every day? Even if you have a simple website with nothing more than a contact form, you already collect personal data. Since the introduction of the AVG Act, collecting personal data means that you have to meet various requirements. For example, the data must be stored in a safe place, you must have a legal basis or permission to collect the data, and so on.
In this article, we’ll tell you more about the grey area between these legal bases and the need to seek permission. In any case, by asking users for permission, you are on the safe side!
Six different legal principles
There are six different legal principles on the basis of which personal data may be collected. If you do not comply with at least one of these principles, it is not permitted to collect and process personal data. Keep in mind that in some cases it is necessary to draw up a processing agreement. This applies, for example, if you have the personal data processed by an external party. Think of an accounting firm that carries out the payroll administration for you.
Below you will find a brief overview of the six legal bases for collecting personal data:
– You have permission from the persons involved;
– The processing of data is necessary to be able to execute an agreement;
– The processing of data is necessary to comply with a legal obligation;
– The processing of data is necessary to protect vital interests;
– The processing of data is necessary for the performance of a task that is in the public interest or in the exercise of public authority;
– The processing of data is necessary for the protection of legitimate interests.
As an organisation or person, you are responsible for assessing which of these principles you rely on. If you are in doubt, it is advisable to always ask the person concerned for permission.
Exceptions to these principles
It is not always possible to use these guidelines to determine your right to collect and process personal data. This applies, for example, to special and criminal personal data, which may not be processed without meeting additional, more stringent requirements. Special data includes, for example, data relating to a person’s health. Medical and criminal data are not the only personal data that the Authority considers special, however. Personal data about a person’s race or ethnic origin, personal data about political opinions and, for example, personal data about religious and/or philosophical beliefs also fall under the category of special personal data. Did you know that someone’s sexual orientation also falls outside “normal” personal data?
Because the category of special personal data is so broad, it is advisable to minimize the data you collect about persons. This way you avoid having to meet stricter requirements. Often a lot of this data is not relevant, which means that collecting and processing it is not necessary in the first place.
On the internet you can read more about the requirements you have to meet in such situations. It is advisable to seek prior advice from an independent party such as the lawyers at ICTRecht Groningen before collecting and processing such information.
If you only process the data for personal use, for example within a circle of family or acquaintances, you do not have to comply with these legal principles. For example, you could think of keeping a personal calendar with the birthdays of friends and family.
Accountability for organisations
Organisations must be able to justify why they have opted for one of the six legal bases during an audit by the Personal Data Authority. If this accountability is not assessed as sufficient, the organisation runs the risk of being fined. These fines can quickly become considerable, which makes it very important to think carefully about accountability.
If you are in doubt, you can always contact the Personal Data Authority, or ask users for their consent. A good foundation is essential, especially with regard to medical and criminal personal data.