GDPR Conundrums: The myths and realities explained

As the May 25 deadline for General Data Protection Regulation (GDPR) compliance is drawing closer, Nicolas Hamblenne, associate of KOAN Law Firm in Brussels, sheds light on the more complex guidelines and debunks some of the myths surrounding the legislation.

What does 'legitimate interests' mean and how might it apply to associations?

The legitimate interest is one of the six grounds foreseen by the GDPR to lawfully process personal data (e.g. in the context of direct marketing). Associations using the legitimate interest will need to show a balance of interests between their own and those of the individual(s) concerned. To sum up, there should be a reasonable expectation from the data subject that his/her data will be processed (e.g. to prevent fraud, to check a child’s age, to retain an email address in a “opt-out” list if (s)he unsubscribed from a newsletter). Where there is a serious mismatch between competing interests, the individual’s legitimate interests will come first and the association may not rely on this legal basis.

What is the right to data portability? What sort of data falls into this category? What challenges do associations face when putting it into practice?

Data portability is a new right – applicable as from 25/05/2018 – allowing any data subject to require the transfer of his/her data (s)he has provided to another association. This transfer must be performed via a structured, commonly used, machine-readable and interoperable format. The main challenges are (i) to gather that data and (ii) that associations from similar sectors agree on such formats to ease that kind of transfers. This right does not apply where processing is based on a legal ground other than consent or a contract.

How should associations handle the tricky matter of employee data processing? Must consent be granted in the context of employer-employee relationship?

Consent will be stricter than under the current legislation. Moreover, the consent must be free, specific, informed and unambiguous (or explicit in case of sensitive data). A key challenge in the HR context is that consent will rarely be valid between an employer and an employee due to the different level of negotiation powers. Moreover, consent can be withdrawn at any time without any justification, hence the fragility of such legal basis. Instead, it is highly recommended to use other legal bases to justify such processes of personal data in a HR context, such as the execution of the contract (e.g. payments, establishing the contract), legal obligations (e.g. data transmitted to social security services) or legitimate interest (see above).

Are there different retention periods for different types of data processed? What are the issues or factors that associations have to consider?

Indeed, according to the principle of proportionality, an association processing data must only keep it for as long as necessary for the purpose of such processing. Supervisory authorities have already set different kind of retention periods. Moreover, legal obligations and limitation periods (e.g. strict deadlines to invoke responsibility before a court, tax controls) are lawful justifications to keep the data.

The GDPR is more flexible regarding the retention period when data are kept for scientific, historical research or statistical purposes. Therefore, associations should make sure to agree on the most appropriate retention period and delete or anonymise outdated data in their possession.

What are some of the biggest myths about GDPR in your opinion?

• 1st myth: “GDPR compliance will end as from 25/05/2018”. Compliance is a two-step process: firstly, an association should build compliance simultaneously from a technical, legal and organisational point of view. Secondly, an association should run compliance – which is an ongoing process and should be reassessed regularly.
• 2nd myth: “GDPR is a revolution”. Indeed, the GDPR has received a lot of attention recently. However, in comparison with the Data Protection Directive of 1995 (23 years ago!), the main concepts, principles, obligations and rights remain identical. There is indeed an evolution of the regime due to the development of digitalisation and big data, including new/extended obligations for entities processing data and rights for data subjects. However, it is true that supervisory authorities will now be equipped with much more powers to control and sanction non-compliant companies and associations.