
GDPR: Deep Dive - Violations

Updated: Mar 22, 2022


Deep dive

It cannot be a coincidence that organizations violate the same Articles of the Regulation repeatedly. While this may be related to the Articles themselves, it can only help to review the usual suspects.


Some violations are easily tied to a single Article; many others are implied or derived from multiple Articles, increasing the difficulty for understanding and compliance. Still, there are some concepts with recurring issues.


Legitimate interest

As mentioned in the top fines from the previous post, "legitimate interest" was cited—and rejected—as grounds for processing personal data multiple times.


In the normal course of conducting business activities, personal data may need to be processed. If those activities are not justified by a legal obligation or necessary to fulfil the terms of a contract, the processing of data in this context can still be conducted on the "grounds of legitimate interest."


A common practice is to use this term as a "catch all" categorization, without taking the time to perform due diligence and determine if this processing is necessary. The fact that a process has always been conducted a certain way does not "legitimize" it; GDPR requires a review and ensuing documentation to ascertain legitimacy.


The effort to conduct these evaluations is labor-intensive, and review of data at this level is often not prioritized. In many cases, the organization is unaware that the examination was the actual intent of the Regulation. This lack of inspection—and of the supporting evidence it would create—is a violation that results in fines.


Even if an organization has examined the process and deemed it legitimate, it is still obliged to inform individuals of the data processing in question. A final step is then needed to ensure that the rights of the individuals are not impacted by the process. If it is determined that they are, the legitimate interest justification cannot be used, even if the process had been considered legitimate. The company will have to find another legal basis for the activity or an alternative method to conduct its activities.



Cookies

Many of the Top 25 refer to violations involving "cookie consent." This is primarily because cookies are the most frequently used means of tracking online activity—and thus of targeting users. To somewhat complicate understanding, the rules governing cookies themselves are split between the GDPR and the ePrivacy Directive.


Cookies alone are harmless and are essential to crucial functions for websites. In the full 88 pages of the GDPR, there is only a single direct mention of cookies, in Recital 30. The beauty—and downfall—is the wealth of data that can potentially be stored. When the data contained is enough to identify an individual, the "cookie" becomes "personal data," and is subject to the GDPR as such.


GDPR.eu provides guidance specifically related to this issue: Cookies, the GDPR and the ePrivacy Directive.


Given that, in the violations involving "cookie consent," what is truly at stake is the consent to process personal data.


Consent

Consent itself is the most abused topic, perhaps because it is a concept defined through a combination of the following Articles:

  • Article 4 - Definitions

  • Article 6 - Lawfulness of processing

  • Article 7 - Conditions for consent

  • Article 8 - Conditions applicable to child's consent in relation to information society services

  • Article 9 - Processing of special categories of personal data

  • Article 13 - Information to be provided where personal data are collected from the data subject

  • Article 14 - Information to be provided where personal data have not been obtained from the data subject

  • Article 17 - Right to erasure ("right to be forgotten")

  • Article 18 - Right to restriction of processing

  • Article 20 - Right to data portability

  • Article 22 - Automated individual decision-making, including profiling

  • Article 40 - Codes of conduct

  • Article 49 - Derogations for specific situations

  • Article 83 - General conditions for imposing administrative fines

  • Article 89 - Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

It is noteworthy that the term "consent" does not only include acceptance. It also encompasses refusal of consent; revocation of consent; auditing and modification of records related to consent of any kind; access to, and ownership by the individual of, all traces; the clear communication of the context and terms relevant to making a decision about consent; the manner in which any form of consent is requested or remediated; and a timely response to all of these.


It is deceptive to simplify the breadth and scope of this topic's rules with only the word "consent."


Privacy policy

Company privacy policies were another of the frequent contentions. A privacy notice is a public document from an organization that explains how that organization processes personal data and applies data protection principles. (While the terms "privacy notice" and "privacy policy" are not used in the text of the GDPR, they are implied and considered interchangeable.)


Detailed information describing how to create a privacy notice, as well as emphasis on ease of understanding and accessibility, is available in Articles 12, 13, and 14. Perhaps more helpful in practice, though, is guidance provided by GDPR.eu, with step-by-step explanations for creating your own GDPR-compliant privacy notice, complete with a downloadable template. (The site's own Privacy Policy can be reviewed as well.)


For clarity, the titles of the referenced Articles in the Regulation are:

  • Article 12 - Transparent information, communication, and modalities for the exercise of the rights of the data subject

  • Article 13 - Information to be provided where personal data are collected from the data subject

  • Article 14 - Information to be provided where personal data have not been obtained from the data subject

Other

While included in the prior list related to consent, Articles 6, 13, 14, 17, and 22 are also referenced individually and are capable of standing alone as violations. They are titled as follows:

  • Article 6 - Lawfulness of processing

  • Article 13 - Information to be provided where personal data are collected from the data subject

  • Article 14 - Information to be provided where personal data have not been obtained from the data subject

  • Article 17 - Right to erasure ("right to be forgotten")

  • Article 22 - Automated individual decision-making, including profiling

Not included in the list for consent, Articles 5 and 47 are also referenced alone and titled:

  • Article 5 - Principles related to processing of personal data

  • Article 47 - Binding corporate rules



Republished with permission from eruditeMETA, ©2022. All rights reserved.



© 2018-2023 By Kristen Swearingen - swearingen.me | MiddleChild Tech | eruditeMETA. All rights reserved.

This publication may not be reproduced or distributed in any form without the author's prior written permission. It consists of opinions of the author's research and experience, which should not be construed as statements of fact. While the information contained in this publication has been created and cited where obtained from sources believed to be reliable, the author disclaims all warranties as to the accuracy, completeness, or adequacy of such information. Although this post and cited research may address legal and financial issues, the author does not provide legal or investment advice and its publication should not be construed as such. Your access and use of this publication is governed by the Usage Policy for swearingen.me | MiddleChild Tech | eruditeMETA, respectively. The author prides his/her/their self on his/her/their reputation for independence and objectivity. The research and publication(s) are produced independently by its authors and organization without input or influence from any third party. For further information, see the Guiding Principles on Independence and Objectivity.
