This post is also available in: esEspañol

Can professional data be processed without consent?

One of the questions that arose regarding the General Data Protection Regulation (“GDPR”) was that relating to the processing of professional contact data. This point has been clarified with the new Spanish Act on Data Protection and Guarantee of Digital Rights Act (“new Spanish Data Protection Act”).

Under the regulations before the GDPR, in line with article 2 of Royal Decree 1720/2007, the processing of data relating to individuals providing services at legal entities (consisting only of their name and surnames, duties carried out or positions held, postal and email addresses, and professional telephone and fax numbers), and data relating to individual employers, was excluded from application of the data protection regulation. However, following the introduction of the GDPR and, in line with the definitions incorporated, it can be verified that such data is included in its scope of application and, therefore, questions have arisen regarding the legal basis that legitimizes the processing of that data.

In line with article 19 of the new Spanish Data Protection Act, although the application of the data protection regulation does not exclude professional data, it does allow that data to be processed without the data subject’s consent, with a rebuttable presumption that the data is covered under the legal basis of “legitimate interest.”

This article provides legal cover for processing the professional data of individuals providing services at a legal entity, as well as that of individual employers or liberal professions, without needing to have obtained their consent, if:

  • the processing is limited to the data necessary for their professional localization; and
  • the purpose of the processing is limited to maintaining any relationships with the legal entity at which the party concerned provides its services, or with individual employers or liberal professions, but only in their capacity as such and not as individuals.Lastly, the new Spanish Data Protection Act allows public authorities (the courts, constitutional bodies, the central government and other public bodies) to process the mentioned professional data if there is a legal obligation to do so or if necessary to exercise the powers conferred.
  • Authors: Raúl Pérez and Adaya Esteban
  • In any case, we must not forget that article 19 of the new Spanish Data Protection Act establishes a rebuttable presumption that the controller has a legitimate interest when the mentioned requirements are met and, therefore, the presumption may be contested through evidence to the contrary. However, processing that data when the requirements established in article 19 are not met may also be legal; as this is not covered by the presumption that there is a legitimate interest, the corresponding balancing of interests must be carried out, or a different legal basis to those established in article 6.1 of the GDPR must be used.

This post is also available in: esEspañol

Autores:

Graduado

7 artículos



raul.perez@cuatrecasas.com

Asociada

23 artículos



adaya.esteban@cuatrecasas.com

Leave a Reply

Your email address will not be published. Required fields are marked *