MATCHING THE LEGAL BASIS FOR THE PROCESSING OF PERSONAL DATA - THE GREAT EXAMPLE GIVEN BY THE UNITED KINGDOM'S DATA PROTECTION AUTHORITY (ICO)

September 27, 2021

One of the biggest challenges in a company's project to comply with personal data protection legislation is matching each processing of personal data to one of the legal bases available in the law. Depending on the country and, consequently, on its local law, there is not even the possibility of choosing a legal basis for matching, as occurs, for example, in the USA. However, this difficulty affects both Brazil and most European countries.

As the Brazilian Data Protection Act (LGPD) has been in force for only 1 year and its penalties came into effect just over 30 days ago, the greatest examples of this difficulty in matching turn out to come from the old world. The number of penalties imposed by national data protection authorities in the respective European countries is impressive: they fall on companies that, according to such authorities, inadequately match the processing of such personal data and are therefore penalized for violating the law.

Thus, the National Data Protection Authority in the United Kingdom (Information Commissioner's Office - ICO) created an interactive online tool to help those seeking guidance in matching the processing of personal data to some of the legal bases provided for in the GDPR, the European data protection act, to which the United Kingdom was a signatory before its separation from the European Union.

In order to use this service free of charge, the user must access the website https://ico.org.uk/for-organisations/gdpr-resources/lawful-basis-interactive-guidance-tool/.

Upon entering, the user finds a preset questionnaire with the following questions:

| PAGE | QUESTION | ANSWERS |
| --- | --- | --- |
| Page 1 - Agreement | Do you have or intend to enter into an agreement with the individual? | a) Yes, b) No, c) I do not know |
| Page 2 - Legal Obligation | Are you processing this personal data to comply with any law? | a) Yes, b) No, c) I do not know, d) Somehow |
| Page 3 - Vital Interests | Are you processing this personal data to save or protect someone's life? | a) Yes, b) No, c) I do not know, d) Somehow |
| Page 4 - Public Activity | Are you processing this personal data to carry out your public activity or function or other specific activities of public interest? | a) Yes, b) No, c) I do not know, d) Somehow |
| Page 5 - Consent | Do you want to give individuals the power to decide whether or not you can process their data? | a) Yes, b) No, c) I do not know, d) Somehow |
| Page 6 - Legitimate Interest | Are you satisfied with taking full responsibility for processing personal data? | a) Yes, b) No, c) I do not know, d) Somehow |

After the answers are submitted, the tool presents, according to the answers given, a justification for the legal basis or bases to which the user should match the processing of personal data; if the user has answered "I do not know" or "Somehow", the authority instructs the user to identify what would be needed to validate the choice of legal basis.

In this way, the ICO walks the user through the 6 legal bases provided for in the GDPR for matching the processing of personal data. It is a simple but very useful initiative: just as there are large corporations with many resources to seek adequate advice that can show the way, there are many companies that do not have adequate resources and have great difficulty in trying to understand and apply the law. The ICO really deserves congratulations for the initiative.

Something similar could be done in Brazil, making allowance for the differences between the two laws, since here we have 10 legal bases for matching the processing of common personal data, 8 legal bases for matching the processing of sensitive personal data and also a differentiated matching for the processing of personal data of children and adolescents. In this last case, there is still controversy over whether it applies only to children or also to adolescents, since the lawmaker's wording of the corresponding provision was unfortunate.


Licks Attorneys' COMPLIANCE Blog
