    The content concerns Finnish legislation.
     

    On What Grounds Can Personal Data Be Processed?

    The controller has a legal obligation to ensure that the processed personal data is accurate and that there is a valid legal ground for the processing. The controller has the burden of proof to show that the processing is performed in accordance with the law.

    The data protection legislation applies regardless of the technical means used to store the data. For instance, user data collected by a service provider in connection with the use of an online service constitutes personal data, as does data filled in manually by the users of an online service. What is decisive is whether the data can be linked to an identifiable person or contains entries about an identifiable individual. If personal data is collected from the web, the data subject has the right to receive information about the purposes for which the data is collected and on how the data is being processed.

    According to the GDPR, processing is lawful only if and to the extent that at least one of the following applies:

    a)     the data subject has given consent to the processing of their personal data for one or several specified purposes;

    b)    processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

    c)     processing is necessary for compliance with a legal obligation to which the controller is subject;

    d)    processing is necessary in order to protect the vital interests of the data subject or of another natural person;

    e)     processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

    f)      processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

    When processing special categories of personal data (so-called ‘sensitive data’, such as data concerning a person’s health), special requirements contained in article 9 need to be observed. Read more about the topic in section [Special Categories of Personal Data, Criminal Convictions and Personal Identity Numbers].

    The national Data Protection Act specifies the grounds for processing under paragraph e) above, as well as the grounds for processing special categories of personal data and data regarding criminal convictions.

    To be valid, a consent to processing of personal data must be:

    • specific,

    • informed,

    • freely given, and

    • an unambiguous expression of intent.

    The data subject can give their consent for a predefined, explicit and lawful purpose of processing. If the purpose of processing changes, the data subject must be notified, and a new consent must be obtained before initiating the processing. The controller must be able to prove that the data subject has consented to the processing of personal data, and that the consent fulfils the legal requirements. Before a valid consent can be obtained, the data subject shall be informed about the right to withdraw the consent, and how to withdraw it in practice. Withdrawing consent must be as simple as giving it. It must be possible to withdraw consent at any time and without costs.

    Laws (FINLEX)

    • General Data Protection Regulation Art. 6, 7
    • Data Protection Act 4 §

    Copyright © Fondia 2022. All rights reserved.