
Thank you for posting this. It's an interesting argument. For what it's worth, I think it's also pretty clear that the GDPR's notion of lawfulness is not confined to compliance with its own provisions. However, I think the EDPS' concerns are not really about this issue in any case (probably, I suspect, because it agrees with the broader interpretation I just gave) but rather concern whether processing under certain legitimating justifications should disable independent application of other (legal) aspects of the data protection regime, notably the duty not to process data incompatibly with the purpose for which it was initially collected. This is the suggestion of the current Council of the EU text and I think that the EDPS wants to signal that it strongly disagrees with it!

But surely at least one prerequisite for processing to be lawful must be that it is not unlawful. Processing might be unlawful for all sorts of reasons which don't fall under the DPA, as outlined in your blog. I'm not sure that we (or the EDPS) are any further forward!


All materials on this website are the copyright of Amberhawk Training Limited, except where otherwise stated. If you want to use the information on the blog, all we ask is that you do so in an attributable manner.