10 things that happened whilst I was on maternity leave (and two that didn’t)
Number 5: The GDPR guidance continues

Since my previous update from 2018 (The GDPR is here! What now?), the UK Information Commissioner’s Office (ICO) and the EU European Data Protection Board (EDPB) have continued to publish new and updated guidance on the GDPR and UK Data Protection Act 2018. The EDPB has also provided its first Opinions. This article provides an overview of some key topics.

The ICO guidance is available on the ICO website, the EDPB Guidelines are available on the EDPB website, and EDPB Opinions are available on the EDPB website.

EDPB Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)

These were adopted on 16 November 2018, and were open for consultation until 18 January 2019. As at the time of writing, the final version has not yet been published on the EDPB website.

Article 3 of the GDPR states:

"1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

(b) the monitoring of their behaviour as far as their behaviour takes place within the Union."

Key differences to pre-existing law are the application of the GDPR to use of personal data in the context of an EU processor’s activities (as well as those of EU controllers), and to non-EU organisations who market goods or services to or monitor individuals within the EU.

The guidelines provide some useful examples and clarifications on some of the tricky concepts within Article 3. These include the following.

  • What is an establishment? As well as registered companies and other legal entities, an establishment can include a branch, office or other ‘stable arrangements’. Cases under previous data protection law assist with the interpretation. The Guidelines clarify that a processor in the EU should not be considered an establishment of a controller merely by virtue of it being a processor (but the processor could still be an establishment of the controller if, for example, it is a subsidiary of the controller).
  • What is meant by "in the context of the activities"? Uncertainty arises where data processing activities are being undertaken by an organisation or other establishment outside the EU, which also has an establishment within the EU – to what extent can the processing activities of the non-EU organisation be said to be "in the context of the activities" of the EU establishment? The Guidelines say this should not be interpreted too restrictively, nor too broadly! Key to determining this is how close the links are between the activities of the EU establishment and the data processing activities of the non-EU establishment. Note that the EU establishment may not be carrying out the relevant data processing activities at all; the data processing by the non-EU establishment may still be in the context of the EU activities.
  • What is the position where an EU controller appoints a non-EU processor? The Guidelines indicate that a non-EU processor would not be directly subject to the GDPR, but would be indirectly subject to the requirements by virtue of its data processing contract with the controller under Article 28 (and any additional measures in place to overcome international data transfer restrictions).
  • What is the position where a non-EU controller appoints an EU processor? The Guidelines indicate that a non-EU controller would not be subject to the GDPR controller requirements merely by appointing a processor within the EU. However, the processor within the EU would be caught by the GDPR processor provisions. These include the restrictions on international data transfers, which leads to a problem which does not appear to have been addressed in the Guidelines: if a non-EU controller transfers personal data (of non-EU individuals) to its EU processor for processing, is the EU processor then restricted from transferring the same data back to the non-EU controller[1]?
  • To what extent does the GDPR apply to controllers or processors without an EU establishment? A key element to be assessed is whether or not the conduct of the controller or processor demonstrates an intention to offer goods or services to data subjects within the EU. Factors such as languages, domain names, currencies, marketing activities, the nature of the goods/services, and delivery locations, will be taken into account. A website which is merely accessible within the EU but is not targeted at EU data subjects would not be caught. Non-EU organisations will also be subject to the GDPR if they monitor the behaviour of data subjects within the EU, such as geo-localisation activities, online tracking or analytics, CCTV or market surveys based on profiles, or monitoring of health status. See also the ICO enforcement action in article number 1 in my series, relating to political campaigning.
  • The Guidelines also discuss the obligation on non-EU organisations subject to the GDPR to appoint a representative in the EU. They indicate that the representative should not be the same party as an external data protection officer (DPO), due to the requirements on DPOs to act with a sufficient degree of autonomy and independence.

EDPB Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects

These were adopted on 9 April 2019, and were open for consultation until 24 May 2019. They discuss, in the context of online services, the legal basis for using personal data where "processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract".

To summarise some key points arising:

  • Controllers should avoid any confusion as to what the applicable legal basis is. In particular, where relying on necessity for a contract, data subjects should not be given the impression that they are giving their consent (for example when accepting terms of service).
  • If special categories of data are being used (such as data relating to health, ethnic origin, religious or political beliefs), an additional condition will need to be satisfied, as there is no ‘necessary for a contract’ exception to the prohibition on use of such data.
  • Assessing what is ‘necessary’ involves a combined, fact-based assessment of the processing for the objective pursued. If there are realistic, less intrusive alternatives, the processing is not ‘necessary’.
  • A contract must exist and be valid under relevant laws (to rely on necessity for performance of an existing contract).
  • Identifying clear purposes of the processing is important (in line with the purpose limitation principle).
  • ‘Necessary for performance’ requires something more than a contractual condition. ‘Necessary’ processing is not simply what is permitted by or written into the terms of a contract (such as if a contract requires profiling).
  • The controller should be able to demonstrate how the main object of the specific contract with the data subject cannot be performed if the specific processing of the personal data in question does not occur. This includes processing of payment details for the purpose of charging for the service.
  • A contract cannot artificially expand the categories of personal data or types of processing operation that the controller needs to carry out to perform the services. This may include additional conditions about advertising, payments or cookies.
  • A controller must carefully examine the perspective of an average data subject in order to ensure that there is a genuine mutual understanding on the contractual purpose.
  • If the controller cannot rely on ‘necessity for a contract’ for a particular activity, an alternative legal basis may be available (such as consent or ‘legitimate interests’).
  • ‘Necessity for a contract’ may not be an appropriate legal basis where a controller bundles together separate services, only some of which the data subject wants to use. Certain processing activities are not necessary for the individual services requested by the data subject, but rather necessary for the controller’s wider business model.
  • When the contract terminates, the processing will no longer be necessary for performance of the contract. Alternative legal bases to retain data, where needed, should ideally be considered and identified at the outset of the contract. The Guidelines also refer to Article 17 (right to erasure) and the exceptions to this right.
  • In general, necessity for a contract cannot be relied upon as a lawful basis for the following: processing for service improvement, processing for fraud prevention, and online behavioural advertising.
  • In some cases, personalisation of content may constitute an essential or expected element of certain online services, and may therefore be regarded as necessary for the performance of the contract with the service user.

ICO guidance on exemptions to the GDPR

The GDPR itself contains some exceptions to specific requirements (see, for example, Article 17(3) in relation to the right to erasure, or Article 30(5) in relation to record-keeping), but also allows for (and, in some cases, requires) exemptions at national level (see, for example, Articles 23, 85 and 89), and the UK has included exemptions within the UK Data Protection Act 2018 (DPA) (in particular Schedules 2 to 4).

The ICO published guidance on these exemptions in September 2018 within its Guide to the GDPR. A lot of these are similar to exemptions in place under the previous Data Protection Act 1998, so organisations may already be familiar with applying these in practice. However, there are certain (sometimes subtle) differences in places, and also some new exemptions. A review of exemptions should therefore form part of GDPR assessments, to check how they apply to current data processing activities.

Of particular note:

  • Confidential references (Paragraph 24, Schedule 2 DPA). This is an exemption to certain transparency obligations, including subject access requests. Both the giver and receiver of a confidential reference about an individual are exempt from providing information about that reference to the individual. The DPA itself uses arguably ambiguous wording, particularly in the context of the previous law, where only the giver of the reference was exempt. This is a controversial point, as references may be key to understanding a decision about an individual, for example whether or not an applicant gets a job. In the interests of transparency, therefore, organisations may wish to consider not using this exemption (though recipients of references should also be careful not to breach any duty of confidence they have to the giver of the reference, or the giver’s data protection rights).
  • Legal professional privilege (Paragraph 19, Schedule 2, DPA). This is also an exemption to certain transparency obligations, including subject access requests. A key difference to previous law is that, as well as applying to the situation where legal professional privilege applies (or confidentiality of communications in Scotland), it applies to "information in respect of which a duty of confidentiality is owed by a professional legal adviser to a client of the adviser". The ICO’s Guide provides no additional guidance on this. Law Society guidance indicates that this captures the duty of confidentiality which a solicitor owes to his or her clients. This means that personal data within confidential material (protected by such duty) need not be shared with the data subject.
  • Documenting exemptions: The ICO guidance notes that you should justify and document your reasons for relying on an exemption so that you can demonstrate your compliance in line with the GDPR accountability principle. (Note also that, in some cases, you may need to explain exemptions to data subjects – see for example Articles 12(4) and 23(2)(h) of the GDPR.)

Other new or updated guidance and Opinions include:

  • ICO Guidance on encryption: This was published in November 2018, and includes guidance on what encryption is and some encryption scenarios, including use with email, external devices and videos.
  • ICO final version of guidance on contracts and liabilities between controllers and processors and additional guidance on controllers and processors: These were published in December 2018, and include guidance on identifying the roles of controller, processor and joint controller.
  • EDPB Opinion 22/2018 United Kingdom SAs DPIA List: This was published in October 2018, and considers the ICO’s original list of processing operations which require a data protection impact assessment (DPIA) to be carried out. It requests the ICO to make changes, including reducing the circumstances in which controllers need to carry out a DPIA.
  • ICO updated DPIAs guidance following the EDPB’s Opinion: This was published in December 2018 and includes changes to the rules on when a DPIA must be carried out by reference to the type of processing activities being undertaken.
  • EDPB Guidelines 4/2018 on the accreditation of certification bodies: These were open for consultation until 1 February 2019.
  • EDPB Annex 2 of Guidelines 1/2018 on certification and identifying certification criteria: These were open for consultation until 29 March 2019.
  • EDPB Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies: These were open for consultation until 2 April 2019.
  • EDPB: Opinion 05/2019 on the interplay between the ePrivacy Directive and the GDPR, in particular regarding the competence, tasks and powers of data protection authorities.

Olivia Whitcroft, principal of OBEP, 19 June 2019

[1] Note that, under the Data Protection Act 1998, controllers were able to make their own assessment of adequacy which could take into account, amongst other factors, the country of origin of the data. There is no equivalent provision within the GDPR.

This article provides general information on the subject matter and is not intended to be relied upon as legal advice. If you would like to discuss this topic, please contact Olivia Whitcroft using the contact details set out here: Contact Details