Interpretation question 48: when data processing is permitted
For episode 48 of the c’t data protection podcast, Joerg and Holger decided, at the suggestion of a listener, to clarify in detail when data processing is permitted under the GDPR. The result is an obviously excessively long question of interpretation. Time is well invested, because as a podcast guest, lawyer Sascha Kremer, specializing in data protection, explains the situation also to laypersons and uses many concrete examples.
The mantra of the GDPR is: All processing of personal data is prohibited without authorization (“prohibition with reservation of authorization”). What is allowed is regulated by art. 6 GDPR, which defines the six possible legal bases. At the beginning of the list is the informed consent of the person concerned. Everyone knows them, for example through the cookie banners upstream of websites. Companies don’t particularly like it because it can be revoked at any time. They prefer to refer to the data processing authorized within the framework of the conclusion of a contract. This already takes effect during initiation, for example when a potential customer puts products in the shopping cart of an online store.
In the podcast episode, Joerg and Sascha Kremer pay particular attention to article 6, paragraph 1f, “processing permitted to safeguard the legitimate interests of the person responsible or a third party”. Joerg calls this legal basis the “catch-all rule”. Kremer points out that this legal basis is often misunderstood: it is not only about the legitimate interests of the processor, but also the balancing of the interests of the processor, the data subject and perhaps also third parties. Therefore, under no circumstances can a license be constructed from this. Using examples, the three speakers express their interests on both sides and see if there really is a “legitimate interest”.
180 pages of advice from specialized lawyers: what companies, associations and freelancers need to know! With lots of FAQs, instructions, checklists and samples. On DVD: 60-minute “Anatomy of a Computer Disaster” webinar – prepare for and master the crisis.
More information in the heise shop: c’t know GDPR 2021
Here are all the episodes so far:
Source of the article
Disclaimer: This article is generated from the feed and is not edited by our team.