Which legal basis you should use depends on two things:
- The type of personal data you process. The data protection rules distinguish between personal data and sensitive personal data. The Data Protection Act also provides special rules for, among other things, the processing of social security numbers. You can read more about this categorization under the heading “What are personal data?”.
- The situation in which processing of the personal data is necessary. Is this a performance of a contract? A legal obligation? Is it a matter of carrying out the tasks of a public authority? Often, the context of processing personal data determines which legal basis is relevant to the controller.
Personal data may be processed without consent if necessary for the purposes of:
- A contract with the data subject
- The legal obligations of the controller
- The vital interests of the data subject or of another physical person
- A task in the public interest or exercise of public authority
- A legitimate interest not exceeded by the interests or rights of the data subject
Point 5 (legitimate interest) does not apply to the processing of personal data by public authorities and should most often not be used for the processing of personal data relating to children.
Processing of sensitive personal data
The term sensitive personal data covers, inter alia, race, political beliefs, religious beliefs, health information and sexual orientation.
Generally, the processing of sensitive personal data is prohibited, but there are a number of exceptions to this ban.
First, sensitive personal data may be processed without consent if the data subject has published the data in advance.
In addition, you may process sensitive personal data if necessary for the purposes of:
- The obligations and rights of the controller or of the data subject
- The vital interests of the data subject or of another physical person, if it is impossible to give consent
- A political, philosophical, religious or trade union non-profit organisation’s processing of member information
- A decision or treatment of a legal claim
- Essential social interests
- Processing by health professionals in the health care sector
- Processing for archives, scientific or historical research purposes or for statistical purposes
In addition to having a legal basis (see above) when processing sensitive information, you must also be able to identify one of the exceptions to the prohibition on processing sensitive data.
As a rule, processing of personal data can always take place if the data subject has given consent.
However, for consent to be valid it must be voluntary, specific, informed and explicit. This means, among other things, that consent cannot be given tacitly and that there may not be (unnecessary) negative consequences associated with not giving consent.
In addition, consent can always be withdrawn. Consent is therefore not always the most appropriate legal basis. Furthermore, if you have initiated processing on the basis of consent, you are usually bound by the purpose for which the data subject was informed when the consent was obtained.
The term ‘consent’ is widely used outside data protection law, and the meaning and requirements for its validity may vary. If you base the processing of personal data on consent, it is important that you meet the requirements for a data protection consent. For example, non-data protection consents are used in health care or social administration. However, these are often processing operations where consent does not constitute the legal basis for the processing, but where, for example, the legislation gives the data subject an opportunity to refrain from processing.
Processing of data on criminal offences and social security number (CPR number)
Information on criminal offences cannot be processed by the public administration unless it is necessary for the performance of the tasks of the authority. In addition, the information may not be disclosed unless:
- The data subject has given his express consent to the disclosure,
- The disclosure is made to safeguard private or public interests which clearly exceed the interests justifying secrecy, including the interests of the data subject,
- The disclosure is necessary for the performance of an authority’s activity or required for a decision to be taken by an authority; or
- The disclosure is necessary for the performance of an individual or company’s tasks to the public.
Private bodies may process data on criminal offences if the data subject has given her express consent. In addition, processing may take place where it is necessary for safeguarding legitimate interest and that interest clearly exceeds the consideration of the data subject. Private bodies cannot disclose the information without the data subject’s express consent. However, disclosure can be made without consent where it is intended to protect public or private interests, including those of the person concerned, which clearly exceed the interests of confidentiality.
Public authorities may process information on the personal identification number for the purposes of a unique identification or as a record number.
Private bodies may process personal data only when:
- It follows from the legislation,
- The data subject has given its consent in accordance with Article 7 of the Data Protection Regulation;
- The processing is carried out solely for scientific or statistical purposes, or in the case of the disclosure of information relating to personal identification, where the transmission is a natural part of the normal operation of undertakings etc. of that kind, and where the disclosure is essential to ensure the unambiguous identification of the data subject or disclosure is required by a public authority; or
- The conditions laid down in § 7 are fulfilled.
Personal identification numbers may not be published unless consent has been given in accordance with Article 7 of the General Data Protection Regulation.
Basic processing requirements
It is important to be aware that the concept of “processing” covers a number of different ways of handling personal data. If you have the right to carry out one particular form of data processing, for example collection, it does not automatically mean that you also have the right to carry out other forms of processing, for example disclosure, of the same data.
Normally, there is no doubt that when a public authority or private company has to collect certain information, it must also systematize, register, use and delete it. However, it is not obvious that the information can also be disclosed to others. These questions must be assessed separately.
In addition, it is a prerequisite for processing personal data that the general and fundamental principles are fulfilled. These principles do not provide a legal basis for processing personal data, but must always be complied with in the case of processing under the data protection rules.
Special forms of processing
A number of processing operations are subject to special regulation in the Data Protection Act:
- Legal information systems (§ 9)
- Processing for statistical or scientific studies (§ 10)
- Employment relationship (§ 12)
- Marketing (§ 13)
- Archives (§ 14)
- Credit information agencies (§§ 15-21)