Nico Mookhoek is an author and data protection officer who advises on privacy issues. In his blogs, he discusses legal aspects of privacy and provides insight into the practical issues involved in this area of law. In this blog, Nico Mookhoek discusses further processing of personal data and when it is permitted under the AVG (GDPR).
Personal data may only be processed if there is a specific and well-defined purpose for doing so. This purpose limitation is one of the seven AVG principles. "Further processing" means processing personal data for purposes other than those for which they were initially collected. This can be processing by the same controller, but can also be the basis for disclosure of data to another controller. A separate basis for further processing is then not necessary; the basis used for the original processing also applies to this disclosure. However, the recipient must have its own basis for processing the data received.
Purpose limitation is decisive in assessing whether data may be further processed.
Purpose limitation has two pillars:
Personal data must be collected for "specified, explicit and legitimate" purposes
They may not be "further processed in a manner incompatible" with those purposes.
Thus, processing for another purpose is not automatically ruled out. Whether there is incompatibility with the original purpose must be assessed on a case-by-case basis. If there is no incompatibility, the data may be processed for the new purpose.
Art. 6(4) AVG provides a number of criteria by which compatibility can be assessed. A ruling by the ECJ (1) shows that this assessment must strike a balance between the need for predictability and legal certainty with respect to the purposes on the one hand and a certain degree of flexibility for the controller on the other.
In assessing whether further processing is possible, the relevant circumstances must be considered on a case-by-case basis. The following factors weigh in.
First, what matters is whether there is a link between the original purposes and the purposes of the proposed further processing. What is the nature of that link? How do the original and new purposes relate?
Second, the framework within which the data were collected plays a role. The reasonable expectations of data subjects about the further use of their data are decisive. The rule of thumb here is: would the data subject be surprised to learn of the new processing?
The nature of the personal data is the third factor in considering whether further processing is possible. What type of data does one intend to process further? Are any special categories of data involved?
The fourth factor for consideration is the impact of the processing on data subjects. What are the consequences of the intended further processing for the data subjects? The extent of the interests involved also plays a role: the greater the interests, the more account must be taken of what the data subject may reasonably expect.
Finally, the safeguards adopted by the controller to ensure fair processing and avoid unreasonable impact on data subjects are taken into account.
In some cases, the compatibility test is not necessary.
Further processing for archiving in the public interest, scientific or historical research or statistical purposes is not considered incompatible with the original purposes (purpose limitation). Further processing for these purposes is always permitted.
In the case of further processing to which the controller is legally obliged, the compatibility test also does not need to be performed. An example of this is the duty to pass data on staff members to the tax authorities.
The same applies if the processing is necessary for the performance of a task carried out in the public interest or in the exercise of public authority.
However, these two forms of further processing that do not require compatibility testing must have a basis in legislation. There is no need to have specific legislation for each processing operation. Legislation serving as a basis for the various processing operations will suffice.
An example is the processing of personal data in the context of national security. According to the MoU, further processing falls under the regime of Wpg/Wjsg or the Intelligence and Security Services Act (Wiv). In those cases, therefore, there is also no need for a compatibility test.
Finally, further processing can be done without performing the compatibility test if the data subject has given consent to the further processing.
The concept of further processing thus carries a number of legal risks due to its open wording and the compatibility test that must be performed.
Increasingly, therefore, the choice is being made to lay down the basis in legislation. An example of this is the Data Processing by Collaborative Organizations Act (Wgs), which is now before the Senate for approval.
(1) ECJ EU 20 October 2022, ECLI:EU:C:2022:805