GDPR Updates: Draft Guidelines on Contract as a Legal Basis, Clinical Trial Data Processing, Online Services Used by Children and Biometric Data at the Workplace

Performance of an Online Services Contract as a Legal Basis for Data Processing. The European Data Protection Board (EDPB) has published draft guidelines on processing personal data in the context of online services, under the legal basis of performance of an online service contract. Processing under the GDPR is permissible only if it is performed under a recognized legal basis. One of those bases is where the processing is necessary for the performance of a contract with the data subject. 

The guidelines explain that in order to rely on this legal basis, the controller needs to be able to prove necessity – that the services contract cannot be performed without that particular data processing, and that processing at a lesser degree or scope would not achieve the required contractual performance. Examples of processing that the draft guidelines deem insufficiently necessary for the performance of the contract (and thus impermissible under this legal basis): processing for the purpose of improving the service, for fraud prevention or detection, or for profiling a user’s online behavior in order to deliver targeted ads (even if that processing is the funding basis for the provision of a free online service).

The draft guidelines are open for public comments through May 24, 2019.


GDPR Interplay with EU Clinical Trial Regulation. The European Commission’s Directorate General for Health and Food Safety has published ‘Questions and Answers’ guidance on the interplay between the EU Clinical Trials Regulation and the GDPR. Although the guidance will be fully relevant only when the EU Clinical Trials Regulation enters into effect (currently anticipated next year), some of the guidance has a bearing on the current state of the law.

The Q&A indicate that processing operations related to a specific clinical trial protocol during its whole lifecycle can be legitimized for the trial’s research purposes under the legal bases of the public interest in clinical research, the legitimate interest of the trial sponsor, or, in rare cases, consent of trial participants (provided that consent is freely given, specific, withdrawable, informed and unambiguous). The Q&A go on to explain that processing operations for the purposes of drug safety reporting, disclosures to national drug-regulating authorities and archiving of clinical trial data can be legitimized under the legal basis of compliance with a legal obligation to which the trial sponsor is subject.

The Q&A also emphasize that the requirement of informed consent under clinical trial law must not be confused with consent as a legal basis for data processing. The former is an ethical and procedural safeguard for the conduct of trials, while the latter is a restrictive legal basis for data processing.


Draft Code of Practice for Online Services Whose Users Include Children. The UK Information Commissioner’s Office (ICO), the UK privacy regulator, has published its draft code of practice for online services likely to be accessed by children. It applies to apps, connected toys, social media platforms, online games, educational websites and streaming services. It is not restricted to services specifically directed at children.

According to the draft code, the best interests of the child should be a primary consideration when designing and developing online services. The code also clarifies, among other things, that privacy must be ingrained into the service; settings must be “high privacy” by default (unless there’s a compelling reason not to); only the minimum amount of personal data should be collected and retained; children’s data should not usually be shared; and geolocation services should be switched off by default in most circumstances.

The ICO indicates that when the code is finalized, it expects it to become an international benchmark. As for enforcement, the code warns that “[i]f you do not follow this code, you are likely to find it difficult to demonstrate your compliance, should [the ICO] take regulatory action against you”. It is planned as a statutory code of practice prepared under the authority of the UK Data Protection Act 2018.

The code is open for public comments through May 31, 2019.


Guidelines for French Companies Processing Biometric Data of Employees. The CNIL, the French privacy regulator, has adopted regulations requiring companies that wish to collect and process employees’ biometric data to justify the need for a biometrics-based system, implement significant data protection safeguards, and perform data protection impact assessments. These regulations were adopted pursuant to Article 9 of the GDPR, which gives each EU member state latitude to promulgate local rules on processing biometric, genetic or health data.

According to the rules, French employers seeking to use biometric systems will have to demonstrate that less privacy-invasive solutions that do not process biometric data are unable to achieve the imperative purposes for which the biometric system is needed. Employers that meet all these conditions will be able to process biometric data of employees without having to obtain their consent. The rules also favor biometric solutions that do not store the biometric data in a centralized database.
