GDPR and archive care: what else is possible?
The General Data Protection Regulation (GDPR) came into effect on 25 May 2018.
However, there were many uncertainties that made this quite a struggle. One thing that the new legislation barely covered, if at all, was the repercussions for archive care. What information are organisations still allowed to collect? What data can be stored in the long term? And what can’t? What happens in the event of an archive being transferred, for example? And what about making archive content available (online), or consulting or reusing it?
Principles relating to personal data processing
In order to formulate answers to the above questions, the principles relating to personal data processing need closer inspection. Before we do this, it makes sense to return to the definitions of ‘personal data’ and ‘processing’.
Personal data: Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Processing: Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
According to these definitions, archive care involves personal data processing in almost all cases. After the glossary, the regulation lists a whole series of principles governing personal data processing: lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability. These principles must be respected when processing personal data and so also for archive care.
The first principle stipulates that personal data must be processed lawfully, fairly and transparently. There are six cases in which processing is lawful:
- when the person concerned has given permission;
- when the processing is necessary for fulfilling an agreement or contract;
- in the case of representation of a legitimate interest;
- to comply with a legal obligation;
- for the protection of vital interests;
- to fulfill a task of public interest.
The main legal grounds for processing personal data for arts organisations are the permission from the person concerned, the fulfilment of an agreement or contract and the representation of a legitimate interest (e.g. ensuring the proper functioning of the organisation).
Fair processing means, among other things, that the processing of the data collected is done with respect for the person concerned in a manner that is aligned with this person’s expectations. For example, it is fair to process an email address in your address database to send a newsletter. It is however not considered fair to allow other organisations with a similar target audience to process this email address. Transparent processing relies mainly on open, clear and easy-to-understand communication about the processing. The person concerned must be able to see what data is collected and what happens with their personal data. This can be done by means of a privacy statement, for example.
A second important principle for processing personal data is that of purpose limitation. Processing must always take place in accordance with specific, explicit and legitimate purposes, for which the person concerned has given their permission in each case. In principle, the data may not then be processed in a way that is incompatible with those purposes, unless a legitimate interest can be demonstrated. A number of other principles derive from this principle of purpose limitation. For example, there is the principle of data minimisation, which states that the processing must remain limited to what is necessary for the purposes it is being processed for. There must also be storage limitation. The data may not be stored for longer than is necessary for the purposes listed for its collection.
Then there are the principles of accuracy, integrity and confidentiality. The principle of accuracy entails that the personal data collected must contain correct information and that changes are implemented if necessary. In this context, the persons concerned are entitled to rectification. The principle of integrity and confidentiality encourages the data controller to ensure proper security and prevent any unauthorised or unlawful processing, or any accidental loss or destruction of personal data. Appropriate technical and organisational measures must be taken to ensure this.
What about archive care?
The principles described above represent the interests of the persons whose personal data is being processed. There are however also other interests at stake, which must be reconciled with personal data protection. These include, among other things, the right to information, the interests of scientific and historical research, and simply the smooth and efficient functioning and management of an organisation (of which archive care is a part).
Anyone who reads through the list of principles can get the sense that the GDPR poses a problem for an organisation’s archive care. The principles of purpose limitation, data minimisation and storage limitation in particular seem to imply that archiving becomes a legally precarious undertaking. Indeed, the purposes communicated for the processing rarely include the long-term storage of collected data (which, furthermore, is contrary to the principles of data minimisation and storage limitation).
The legal text does take these issues into account, however. For example, it states that ‘the further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall … not be considered to be incompatible with the initial purposes’. The GDPR therefore provides the data controller with room to manoeuvre in the field of archive care. But this is not the end of the matter.
Considering that lots of personal data processing does not specify archive care as a purpose, the permission from the person concerned will often be lacking. In this case, the data controller will not be able to invoke permission as a legal ground for the processing. Invoking a legitimate interest as a ground for processing is the most obvious solution. The various exceptions in the legal text relating to archiving show that the legislator recognises the importance of archiving. It is, after all, important for both the archival organisation and society as a whole that good archives are maintained. A society without archives cannot reconstruct its history. An organisation without archives loses sight of its previous actions and loses essential information. Good management of the dynamic archives is also instrumental for an organisation’s efficient operation. Good archive care is furthermore important for satisfying the GDPR principle of integrity and confidentiality, as this can prevent the loss of information and unlawful processing.
Processing activities in the context of archive care therefore form a legitimate interest. In the case of a legitimate interest, however, it is always necessary to weigh up the right to privacy on the one hand against the interests of the organisation (and society) on the other.
When explaining the principle of storage limitation, the GDPR also states that personal data may be stored for longer periods ‘insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes’. This enables processing operations such as long-term and sustainable storage, transferring archives, making archives accessible and consultable, creating an inventory or other access, etc. The protection of personal data must be actively pursued in all these processes. Article 89 of the GDPR, which establishes a specific exception for archiving, deals with this in more detail and states that appropriate technical and organisational measures must be in place.
Additional concepts and important articles
Appropriate technical and organisational measures
The GDPR states several times that each organisation must take appropriate technical and organisational measures for personal data processing. These measures must take into account the technology currently available, the implementation costs and the nature, scope and context of the organisation, and the processing purposes. The legal text mentions pseudonymisation and encryption as possible measures, and also states that organisations must guarantee, assess and evaluate the reliability of their processing systems.
This lack of specific interpretation means it is advisable to consult sectoral codes of conduct. These codes define the different sectors’ best practices regarding the processing of personal data, and have been drawn up by representative groups and approved by data protection authorities. It will still be some time before these sectoral codes of conduct are drawn up in Belgium.
Article 30: Records of processing activities
Another significant innovation in the GDPR is the Records of processing activities (article 30). Organisations are obliged to maintain a record of the processing activities that take place under their responsibility. This record must contain all of the contact details for the data controller, the purposes of the processing, a description of the categories of data subjects and controllers, the envisaged time limits for erasure where possible, and the technical and organisational security measures where applicable.
This record must be drawn up in writing, which includes electronic form. The text states that this is not obligatory for an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data. Considering that very standard processing operations such as personnel administration or the sending of a newsletter are also non-occasional, almost every organisation will need to maintain such a record.
The actions that you perform in the context of archive care must be included in this record. Transferring an archive to an archive repository is part of personal data processing, for example, as is making an archive available and accessible or offering it for consultation purposes. Organising, valuing and destroying archives also fall within the scope of personal data processing and must be included in this record.
Article 17: Right to erasure (‘right to be forgotten’)
In an effort to offer individuals more rights and protection, article 17 of the GDPR establishes the right to erasure, or the ‘right to be forgotten’. This entitles the persons concerned to request that their personal data be erased.
Data controllers must also erase personal data that is no longer needed for the purposes it was collected or processed, or for which permission has been withdrawn, or which has been unlawfully processed.
This right is not absolute, however, and does not apply to processing that is necessary for exercising the right to freedom of expression and information, nor to processing for archiving purposes in the public interest, scientific or historical research or statistical purposes.
Organisations that do not satisfy GDPR requirements when processing personal data run the risk of being fined.
The text provides more information about the fines and states that they must be effective, proportionate and dissuasive, and must take into account the nature, gravity and duration of the infringement. The nature, scope and purpose of the processing also need to be analysed. In determining the sanction, it is also considered whether the infringement is intentional or negligent, whether (technical and organisational) measures have been implemented to mitigate the damage suffered, and whether there have been relevant previous infringements. The degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate its possible adverse effects, is also considered. Finally, any financial benefits gained are also a factor in determining the sanction.
Former Secretary of State for Privacy, Philippe De Backer, stated that it was not the intention to organise a witch hunt. This certainly does not mean, however, that infringements cannot have consequences. Case law will show in the near future what the specific application of the sanction system will be.
Article 85: Processing and freedom of expression and information
Article 85 is a very important article for arts organisations. This is because it stipulates that the right to data protection must be reconciled with the right to freedom of expression and information, which also includes artistic forms of expression. Some exceptions may be laid down by various Member States in the context of this agreement, but this has not yet happened in Belgium. This will hopefully change as soon as possible, so that the necessary clarity and room for manoeuvre can also be established here.
- Art. 4§1, General Data Protection Regulation, Official Journal of the European Union, 4 May 2016.
- Art. 4§2, General Data Protection Regulation, Official Journal of the European Union, 4 May 2016.
- You can find more information regarding permission and the legitimate interest as a legal ground for processing here (in Dutch).
- Art. 5§1 sub b, General Data Protection Regulation, Official Journal of the European Union, 4 May 2016.
- Art. 5§1 sub e, General Data Protection Regulation, Official Journal of the European Union, 4 May 2016.