Controlling data breaches is a constant task for all Data Protection Authorities (‘DPAs’) worldwide. Organisations process large volumes of data, and there may be scenarios in which an organisation receives data that it should not have handled in the first place. Such circumstances of ‘accidental receipt of personal data’ shall be dealt with amicably and regulated by DPAs. For this purpose, the Data Protection Commission of Ireland (‘DPC Ireland’) has published Guidance for Organisations Accidentally in Receipt of Personal Data (‘Guidance’). The Guidance provides examples of how an organisation may accidentally come to deal with personal data, such as a customer who accidentally sends some other picture instead of a picture of the defective product about which the customer was trying to file a complaint, or the careless use of auto-fill functions through which an individual accidentally sends personal data such as email addresses to some other organisation.
Obligations of the organisation in case of accidental receipt
The definition of ‘processing’ under Article 4(2) of the General Data Protection Regulation (‘GDPR’) is worded such that when an organisation stores personal data, even data acquired ‘unintentionally’, the GDPR applies. The Guidance provides that even though the organisation acquires personal data accidentally, it must respect its obligations as a data controller. Under the GDPR, Article 24 provides for the responsibilities of a controller, and the DPC Ireland has also set out the obligations of a data controller. Moreover, the organisation must not process such data unless one of the 6 (six) principles of lawful processing provided under Article 6 of the GDPR is fulfilled. Such principles are:
a. Consent: the data subject must have given consent to the controller for the processing of their personal data for a specific purpose;
b. Contract: the processing of the data is necessary for the performance of a contract to which the data subject is a party;
c. Legal obligation: the processing is necessary for compliance with a legal obligation to which the controller is subject;
d. Vital interests: the processing is necessary for the purpose of protecting the vital interests of a data subject;
e. Public interest: the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; and
f. Legitimate interests: the processing is necessary for the purposes of legitimate interests pursued by the controller, where such legitimate interests do not override the fundamental rights of the data subject.
Moreover, if the data belongs to the special categories under Article 9(1) of the GDPR, such as data revealing racial or ethnic origin, genetic data or biometric data, then the data controller shall have regard to Article 9(2) before processing any such special category data. The DPC Ireland warns in this regard that an organisation in accidental receipt of personal data shall be aware of the rights of all data subjects and of the civil actions that may be taken against the organisation in case of a personal data breach.
The Guidance states that organisations shall remedy the breach in case of accidental receipt of personal data by identifying the rightful data controller immediately. The following steps may also be taken to limit any further intrusion or exposure:
a. Respond to the misaddressed email/package/letter and inform the sender of the mistake, deleting the contents immediately and without viewing any attachments or materials not intended for the controller; and
b. Keep the data in a secure place until it is retrieved by the lawful controller.
The DPC Ireland further states that once the rightful controller has been identified, the DPC Ireland shall advise them of their obligations regarding notification of a personal data breach under Article 33 of the GDPR.
BlockSuits Comments
Interestingly, the Guidance does not address whether the original consent would be lawful for the incorrect controller in the first place: since the initial consent was not given for the processing of personal data by the wrong data controller, could it amount to lawful consent at all? The conditions of consent under Article 7 of the GDPR clearly state that the burden is on the data controller to demonstrate that the data subject has consented to the processing of personal data. The question remains: if a data controller comes across such data accidentally, should that data be processed at all in the first place? Moreover, since one of the factors that determines the lawfulness of processing personal data is ‘performance of a contract’, and since there is no contractual relationship between a controller in accidental receipt of personal data and the data subject, would this circumstance amount to ‘consent which is not freely given’? The GDPR is ever-evolving, and such answers may emerge when DPAs assess circumstances of accidental breaches. For now, any accidental receipt of personal data shall be immediately reported to the DPAs to avoid any violation of Article 33 of the GDPR, which may attract penalties.
Authored by Samaksh Khanna and Shivani Agarwal.