GDPR and Whether You Need to Obtain Explicit Consent of Previous Clients to Hold Sensitive Data for Legal / Insurance Purposes

Transcript of the Video

Hello ladies and gentlemen. Suzanne Dibble here, data protection law expert coming to you raw and uncut from sunny Dubrovnik, or rather it was. It's now pitch black in Dubrovnik, but it was gloriously sunny earlier today.

So today I want to deal with a question from Lucy Peltnoy who's asking whether she needs to write to previous clients to get their explicit consent to continue to hold their sensitive data. She's not going to market to them, but simply holding their records for seven years in accordance with legal and insurance requirements. So, does she need to go back to previous clients and get explicit consent for holding their data?

Oh, I've just noticed that the tripod is a little bit wonky, so sorry about that. It must have got squashed in my suitcase.

So with the processing of sensitive data, there is a further processing condition that you need to think about.

So the first thing is, as with all processing of data, there has to be a lawful ground of processing, so we have to check that first before we go on to that extra condition for processing special data, special category data.

So the six grounds of lawful processing, I've dealt with this in the overview video, and I believe the marketing video, but I'll just very, very quickly recap them for you.

The first is consent. The second is necessary for the performance of a contract. The third is necessary for compliance with a legal obligation to which the controller is subject. Next is necessary in order to protect the vital interests of the data subject or another natural person. Next is processing is necessary for the performance of a task carried out in the public interest. And the next is processing is necessary for the purposes of the legitimate interests of the controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subjects.

So it sounds to me like Lucy's first ground, the main ground of lawful processing, will be necessary for compliance with a legal obligation. So that would be the first one.

Then we need to look at article nine which says that, "You can't process sensitive data unless one of the following applies." Now there's ten of those. I'm not going to read them all out, but the one that is probably relevant for Lucy is, "Processing is necessary for the establishment, exercise or defense of legal claims."

So now having read commentary on this, because that is all that the regulation says, having read commentary on it the consensus seems to be that the full scope of this exemption remains uncertain, which is very helpful. However, to date the ICO, so the Information Commissioner's Office, the supervisory authority in the UK, has treated the equivalent provision as encompassing potential future claims. So under the existing DPA regime, the ICO guidance indicates that if an organization keeps personal data to comply with a requirement within guidelines from professional organizations, in terms of keeping the records for potential future claims, it will not be considered to have kept the information for longer than is necessary.

So, in my view the extra condition for processing the special category data would be that the processing is necessary for the establishment, exercise or defense of legal claims, and in that case you would not need to go back to previous clients to get their consent because you've already fulfilled that additional condition for processing the sensitive data.

So I hope that that clarifies. Number one, your general lawful ground of processing would be, necessary for compliance with a legal obligation. And the second one would be, necessary for the establishment, exercise or defense of legal claims, or whenever courts are acting in their judicial capacity. So the bit there, the establishment, exercise or defense of legal claims, which can encompass potential future claims.

So, as I say, if you have one of those lawful grounds of processing then you don't need consent, and for the additional ground of processing for sensitive data we've got a ground that is other than explicit consent, so we don't need to go back to previous clients and ask for their explicit consent to you retaining that data for legal grounds etc.

So I hope that clears things up for you, and for those others of you who are processing sensitive data. That is it for today. I will see you tomorrow.