Processing for archiving purposes in the GDPR


Processing for archiving purposes in the GDPR
International congress of the State Archives of Belgium: “Right to be forgotten versus right to remember”
10 October 2016

Content: Articles 5, 9 and 14 GDPR; Article 17 GDPR; Article 89 GDPR

The notion of “processing for archiving purposes in the public interest” is now explicitly recognized in the GDPR

Principles relating to personal data processing (Art 5 GDPR)

Article 5 GDPR versus Article 6 Dir. 95/46
Art. 5 GDPR
Derogation to the purpose limitation: further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes.
Derogation to the storage limitation: personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), subject to implementation of the appropriate technical and organizational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject.
Art. 6 DIR 95/46
Derogation to the purpose limitation: further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible provided that MS provide appropriate safeguards.
Derogation to the storage limitation: MS shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use.

Special categories of personal data (Art. 9)
Principle: the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership, and the processing of genetic data, biometric data (in order to uniquely identify a person) or data concerning health or sex life and sexual orientation, is PROHIBITED.

One of the exceptions: the processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), based on Union or Member State law which shall be proportionate to the aim pursued and provide for suitable and specific measures to safeguard the fundamental rights of the DS.
DIR 95/46: no such explicit legal basis for sensitive data.

Right of Information (Art. 14 GDPR)
Indirect collection (data not obtained from the DS)

Exemptions from providing information notice in DIR 95/46
Article 11.2 Dir 95/46: “It shall not apply where, in particular for processing for statistical purposes or for the purposes of historical or scientific research, the provision of such information proves impossible or would involve a disproportionate effort or if recording or disclosure is expressly laid down by law. In these cases MS shall provide appropriate safeguards”

Exemptions from providing information notice in the GDPR
One of the cases is: the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards referred to in Article 89(1), or in so far as it is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases the controller shall take appropriate measures to protect the data subject's rights and freedoms and legitimate interests, including making the information publicly available.
ONLY APPLICABLE TO ART. 14
DS already has the information.
Only for indirect collection:
- Impossible/disproportionate: archiving in the public interest, scientific or historical research purposes or statistical purposes
- obtaining or disclosure of the information is expressly laid down by Union or Member State law
- the personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy

Right to erasure (“right to be forgotten”) (Art. 17 GDPR)
Note that DIR 95/46 provides in its Article 13 for possible derogation to the right of erasure. This is only applicable to scientific research.

One of the exemptions: to the extent that processing of the personal data is necessary for archiving purposes in the public interest, scientific and historical research purposes or statistical purposes in accordance with Article 89.1, in so far as erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing.
=> Broader exception in comparison with Directive 95/46

Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (art. 89 GDPR)

Safeguards and derogations in the Dir. 95/46 (Art. 13.2)
DIR 95/46 foresees derogations, but only where data are processed solely for purposes of scientific research or statistics and when there is clearly no risk of breaching the privacy of the data subject.
Derogations apply to the rights provided for in Article 12 DIR 95 (= access, rectification, erasure or blocking of data).
DIR 95/46 also provides for specific safeguards: “Subject to adequate legal safeguards, in particular that the data are not used for taking measures or decisions regarding any particular individual”

Safeguards relating to processing for archiving purposes in the public interest in the GDPR (Art. 89.1)
Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, shall be subject to appropriate safeguards, in accordance with this Regulation, for the rights and freedoms of the data subject.

Safeguards in the GDPR (Art. 89.1)
AIM OF THE SAFEGUARDS: The aim of the safeguards is to “ensure that technical and organizational measures are in place in particular in order to ensure respect for the principle of data minimization”.
PSEUDONYMISATION: GDPR gives the example of pseudonymisation as a measure to fulfil that aim (provided that the purposes can be fulfilled in that manner).
ANONYMISATION: GDPR adds that preference goes to further processing which does not permit or no longer permits the identification of data subjects, where those purposes can be fulfilled in that manner.
=> Close to what is currently in our Belgian Royal Decree

Derogations in the GDPR (Art. 89.3)
WHAT: For personal data processed for archiving purposes in the public interest, derogations from the rights referred to in Articles 15 (right of access), 16 (right to rectification), 18 (right to restriction of processing), 19 (notification obligation regarding rectification or erasure), 20 (right to data portability) and 21 (right to object).
HOW: By Union or MS law, in so far as such rights are likely to render impossible or seriously impair the achievement of the specific purposes, and such derogations are necessary for the fulfilment of those purposes, subject to the conditions and safeguards referred to in 89.1.