Last updated: 
1 month 3 weeks ago
Blog Manager
One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.

Group administrators:

GDPR: notices and processes

Tuesday, May 23, 2017 - 11:51

Some of the General Data Protection Regulation's requirements on data controllers apply no matter which legal basis for processing is being used. For example there are common requirements on information given to data subjects; breach notification and rights of access and rectification will normally apply to all personal data. However other requirements are specific to particular justifications. A previous post aimed to help organisations determine the most appropriate justification(s) for particular data processing activity. This one summarises the main differences – in particular to the information organisations must provide and the processes they must support – that arise from the choice of legal basis.

For further information I've linked to relevant guidance - either under the previous Directive or proposed for the Regulation - where I can find it.

Contract: Data subjects must be informed that providing the information is necessary for the contract, and of the consequences of refusal. The Data Controller must handle requests for data portability.

Legal Obligation: Data subjects must be informed that providing the information is a legal requirement, and of the consequences of refusal.

Vital Interest: The Data Controller must handle requests for human review of any automated decision making.

Public Interest: Data subjects must be informed of their right to object, based on their particular circumstances, to processing. The Data Controller must handle requests for human review of any automated decision making; they must have a process for reviewing objections to processing; they must also handle requests for restriction of processing while this review is taking place, and for erasure if the review concludes that there are no legitimate grounds to continue processing.

Legitimate Interest: Data subjects must be informed of the legitimate interest(s) that justify processing and of their right to object, based on their particular circumstances. The Data Controller must have processes to balance the interest(s) of the data controller against those of data subjects; they must handle requests for human review of any automated decision making; they must have a process for reviewing objections to processing; they must also handle requests for restriction of processing while this review is taking place, and for erasure if the review concludes that there are no legitimate grounds to continue processing.

Consent: Data subjects must be informed how to withdraw consent, and the right to erasure if they do so. The Data Controller must ensure that processes for giving and withdrawing consent satisfy the Regulation's requirements (in particular that adult consent is obtained when relying on this basis to process a child's personal data); they must keep records of when, how and to what consent was given; they must also handle requests for erasure when consent is withdrawn, and for portability.