Misunderstanding 6: Covenants

In the blog series The 7 biggest misunderstandings about the GDPR, we settle the 7 most common misunderstandings. This week we are dealing with covenants.

A covenant is a document in which parties declare their intention to work together towards a certain (policy) objective. Usually a covenant, or gentleman’s agreement, is an agreement between a number of public and/or private entities. For example, a municipality and a housing corporation may sign a covenant in which they agree to exchange personal data in order to fight nuisance. What is often erroneously assumed is that this exchange (i.e. processing) of personal data is lawful because the two parties agreed to do so in a covenant. However, the mere agreement in the covenant does not form a lawful basis for processing. The misunderstanding here is really about lawfulness of processing.

Lawfulness

The first principle that must be borne in mind when processing is that personal data shall be processed lawfully. Processing of personal data is only lawful in 6 specific cases:

(a) after consent of the data subject (b) processing is necessary for the purposes of a contract to which the data subject is party (c) processing is necessary for compliance with a legal obligation (d) processing is necessary to protect the vital interests of the individual (e) processing is necessary for the performance of a task carried out in the public interest (f) processing is necessary for the purposes of the legitimate interest of the controller

These 6 specific cases are also called grounds. Before you start processing personal data, you must therefore always have a ground; and it must be one of the 6 cases above. Without a ground, the processing is unlawful. Note that 'a covenant' is not on the list.

We return to the example in which the municipality and a housing corporation share personal data in order to combat housing nuisance. The legitimacy of the processing cannot be based on the covenant. Because this is not a basis. In the case of a covenant, confusion can arise because the parties to the covenant think they can rely on basis (b): processing is necessary for a contract to which the data subject is a party. This is not possible because the party concerned is not a party to the covenant. In order to rely on this basis, the contract must be a contract to which the person concerned is a party.

Is exchange between the municipality and the housing corporation illegal? That's not necessarily the case. However, point (b) cannot, in any case, be the basis. If the exchange of data is actually necessary in order to combat housing nuisances, the processing can be based on ground e): processing is necessary for a task of general interest. After all, one of the tasks of general interest of both municipalities and housing corporations is to combat housing nuisance. The performance of this task will then form the ground of the processing.

Joint responsibility

A characteristic feature of a covenant is that the parties cooperate on an equal footing. There is therefore no question of a client and contractor. The Parties shall jointly determine the purposes and means of the processing. This means that the covenant parties are jointly responsible for processing personal data. Instead of a processor's agreement (the contract between the responsible party and the processor), they lay down everyone's responsibilities in the covenant or in an appendix to the covenant. It is particularly important to write down who the parties involved can turn to and which of the parties to the covenant can inform the parties involved. These agreements should also be made available to the data subject, so that the data subject knows who to contact if he or she has any questions about his or her personal data.

If you need help with drawing up a covenant, Privacy Company can help you with this. Please do not hesitate to contact us.