Disclaimer: This blog is made available by NIPO for the purposes of providing general information and a general understanding of GDPR, and should not be considered or used as a substitute for legal advice. NIPO does not accept any responsibility or liability for the accuracy, completeness, legality, or reliability of the information contained on this blog.
This is the second post in our GDPR blog series. In the first post, we gave you an overall, high-level look at GDPR. In this second post, we will focus on the legal basis on which personal data can be processed, more specifically on the legal bases that market researchers can rely on to process respondents’ personal data.
The GDPR provides several legal grounds on which the collection and processing of personal data can be based. In order to lawfully process personal data, at least one of these grounds must apply.
The collection and processing of personal data are fundamental to the work of many market researchers. Therefore, it is imperative to know and understand what lawful basis can be used to process respondents’ personal data. For market researchers,the two most common lawful basesto process personal data are:
- Consent of the data subject (respondent)
- Legitimate interest of the data controller (market research company or its client) or a third party (client).
The approach to deciding what lawful basis researchers should use for processing personal data may vary by member states, as domestic markets may have different characteristics. Researchers need to assess what legal basis are most used within their individual jurisdiction, and comply with any national research code of conduct, in addition to the GDPR requirements.
Consent
Consent of respondents will often be used as the lawful basis for carrying out research in many EU member states. The GDPR retains the concept of consent contained in the 1995 directive, but raises the bar for considering it valid, by setting out additional requirements.
Under GDPR consent shall be:
- Freely given: It must reflect the respondent’s genuine and free choice, and he/she must be able to refuse or withdraw consent without detriment. There should be no element of coercion, if the consent was not freely given, then that consent will not be valid.
- Specific: Consent must be intelligible (easy to understand) and distinguishable from other matters like terms & conditions (no bundled consent). It must relate to specific processing operations. Blanket consent that does not specify the exact purposes of the processing is not valid consent.
- Informed: Respondents must be able to understand the extent to which they are consenting and be aware at least of the identity of the controller and the purposes of the processing.
- Unambiguous: It should not be open to more than one interpretation.
- Clear affirmative action: The respondents must do something to manifestly indicate that they agree to the processing of their personal data, such as by a written statement, including electronic means, or an oral statement. An example of a clear affirmative action is the ticking of a box. Silence, pre-ticked boxes or inactivity does not constitute valid consent under GDPR.
Where data processing has multiple purposes, consent should be given for all of them, unless such purposes are considered compatible. This essentially means that the data controller (market research company or its client) can further process personal data, where the purpose of the processing is compatible with the purpose for which the personal data was initially collected.
EXAMPLE
If a company that produces chocolate wants to know, through a survey, how many adults (ages 18-40) eat their chocolates, it needs to obtain consent for the processing of the respondents’ personal data and specify to the individuals the purpose for which they will be using such data, which is to know how many adults in that age range eat their chocolates. After completing the survey, the chocolate company compiled a list of the people that eat their chocolate often, this list is then used for direct marketing (they send emails and posts to the individuals about their new products). This will be considered incompatible with the purpose for which the respondents’ personal data was collected because the chocolate company never informed the respondents that they would use the information collected from the survey for profiling or direct marketing, and the respondents did not give their consent for the use of their data for this additional purpose.
If the legal basis used is consent, researchers must understand what GDPR consent means and the fact that respondents will generally have stronger rights (right to erasure, right to data portability) where consent has been given.
Explicit consent needed for sensitive personal data
There is a higher threshold for consent when the processing involves sensitive personal data. The GDPR provides that the respondent must have given his/her ‘explicit’ consent, but it does not specify what ‘explicit’ consent entails. Therefore, existing interpretations and guidance from legal advisers and/or supervisory authorities should be consulted.
The Article 29 Working Party (an advisory body made up of a representative from the data protection authority of each EU Member State), in its guidelines on consent, provided that the term ‘explicit’ is the way consent is expressed by the data subject. This means that the data subject must give an express statement of consent. It further stated that, in order to make sure consent is explicit, the data subject must have given consent in a written statement (e.g. signed statement) or an oral statement.
EXAMPLE
Going back to the survey in the earlier example, let’s suppose the chocolate company also asked about health information (i.e. how many are diabetic) of the respondents, the purpose is to enable them to improve their products so their diabetic customers can continue to consume, but with reduced health implications. All health information is considered sensitive personal data under GDPR, and so before the data can be collected and processed, the individuals must have given their explicit consent for this use of the data (granularity will allow respondents to consent for each processing activity).
Children’s personal data is further protected under GDPR. If the research project involves respondents (children) that are below the age of 16 (age limit can change based on the jurisdiction), GDPR states that parental consent must be obtained in order for the processing to be lawful, if you intend to rely on consent.
Consent needs to be re-validated
The GDPR makes clear that consent is not a one-off compliance box to tick and file away, it is an ongoing actively managed choice. It is important to keep records of consent (i.e. how it was obtained, for what purposes and what was consented to).
Data subjects’ consent needs to be regularly reviewed to ensure that the consent is still valid. The GDPR does not give a timeframe for consent to be reviewed, this has to be determined by the controller (market research company or its client), taking into account its needs as well as the rights of individuals, and preferably included in its internal procedures.
Legitimate interests
The term “legitimate interest” refers to the reasonable business purpose that the market research company processing the personal data may have to process data. This may include a benefit inherent in the processing of the company itself or society at large.
The GDPR provides that the legitimate interests of the controller (or third parties) must be necessary for these purposes, except where such interests are overridden by the rights and freedoms of the data subject which require protection of personal data. This means that researchers need to determine whose legitimate interests (market research company or a third party) and understand what exactly the legitimate interests are.
Researchers using legitimate interests as a lawful basis, need to, first of all, do an assessment before processing any personal data of respondents. This assessment is referred to as a balancing test. The balancing test is weighing between what the controller considers a legitimate interest on the one hand, and what the rights of the data subjects are on the other hand.
The balancing test must always be conducted fairly, there are several factors that need to be considered, these include:
- The nature of the interests of the controller and the reasonable expectations of the data subject (respondent). Is there already an existing relationship between the market research company and the respondent?
- The impact of the processing on the respondents’ rights and freedoms and the severity of that impact; for this purpose, it is useful to consider the particular status of the respondent (i.e. a child, an employee, a customer etc.)
- Safeguards which are in place or could be put in place: the market research company needs to ensure that there are appropriate technical and organizational measures in place that will protect the respondent, and mitigate any risks or potential negative impacts of the processing.
EXAMPLE
An example of legitimate interest is in a situation in which a market research company recalls respondents for quality control purposes, although the respondents have not consented to such recall. In this case, the legitimate interest of the market research company is to perform a quality control, while on the other hand, there are the rights of the respondents.
In order to ensure that the rights of respondents are not infringed, the balancing test needs to be applied: after identifying what the legitimate interest is (quality control), the market research company needs to look at what type of data is involved, and to put in place appropriate safeguards (among others encryption or pseudonymization) to protect the personal data of respondents. Only at this point, will it be possible to assess the existence of a balance and the consequent validity of the legitimate interest.
Conclusion
The GDPR provides several legal grounds on which personal data can be processed, however, when it comes to market research, not all the lawful basis can be used. Researchers need to identify which of the lawful grounds for processing can be used for the particular research project before processing any personal data of respondents. As explained above, in most cases, obtaining consent from respondents is the best option, while in other cases, using legitimate interests as a lawful ground may also be appropriate.
If legitimate interest is the legal basis chosen by the market research company for the processing of respondent’s personal data, then it must ensure that it has carried out a fair balancing test. If the balancing test shows that the controller’s interests do not outweigh the rights of the data subject, then legitimate interest cannot be relied upon and the market research company will have to use another lawful basis (e.g. consent) in order to process this personal data.
