Practical considerations from EU enforcement: Legal bases and transparency

This article provides key takeaways and things to look out for on the GDPR's legal bases and transparency requirements.

Contributors:

Joe Jones

Research and Insights Director

IAPP

This article is the first in a two-part series. The second part covers the one-stop shop.

January arrived with a trilogy of EU enforcement decisions. Having now waded through the 800 pages of regulator decision-making, I can say they contain some very important information and considerations for privacy professionals. The consequences could be every bit as profound and challenging for privacy pros as those posed by proliferating global restrictions and mechanisms on international data transfers.

Here, I break down and comment on the key practical takeaways and things to look out for on the EU General Data Protection Regulation’s legal bases and transparency requirements.

Helpful links and extra reading are at the end of this article. On the facts of — and reaction to — the case, there’s no better place to look than IAPP Staff Writer Jenn Bryant’s reporting on the initial fines and industry reaction.

The trilogy of decisions will be particularly relevant to, and will affect, organizations that:

  • Rely on the GDPR’s ‘contract’ legal basis.
  • Have personalized advertising at the center of their business models.
  • Are required to maintain GDPR-compliant privacy notices.

Top tips for privacy pros:

  1. Review your legal bases and terms of use.
  2. Review your notices.
  3. Innovate when it comes to your notices.

Legal basis

The IAPP previously published a chart of the GDPR's six legal bases for data processing.

There is no legal hierarchy or regulatory preference on the GDPR’s “exhaustive and restrictive” list of legal bases for processing personal data. However, this equality among the legal bases does not mean data controllers have “absolute discretion to choose the legal basis that suits better its commercial interests.” Each basis has its own definition and scope of application.

The trilogy of enforcement decisions delves mostly into the “performance of a contract” legal basis.

Key takeaways include:
