- One to send regular updates on our activities to people who requested it once, either by opting in on our website or by sharing their contact details during an event. It also contains people who registered for our events, but in that case the fact that we would keep their details to update them on our activities was not explicit.
- A stakeholder mapping with details of people that we contact once in a while, on an ad-hoc basis (meetings, polls, etc.)
My questions are the following:
1. How to make these databases compliant with the GDPR?
2. Under which conditions can we keep personal data such as name, email, position and organisation?
1. For the first database it seems to me that your processing activity, namely sending emails to promote your activities, is based on the consent of the individuals. Where consent has been given under the Data Protection Directive, it will continue to be valid under the EU GDPR if it also meets the requirements of the Regulation. The EU GDPR requires that the consent is a freely given, specific, informed and unambiguous indication of the individual’s wishes (Article 7 – Conditions for consent: https://advisera.com/eugdpracademy/gdpr/conditions-for-consent/). Also, as a controller you must keep records so you can demonstrate that consent has been given by the relevant individual.
There are several consequences of the consent requirements under the EU GDPR:
- consent must be in an intelligible and accessible form in clear and plain language and in accordance with the Directive on unfair terms in consumer contracts.
- where the request for consent is part of a written form, it must be clearly distinguishable from other matters.
- consent must consist of a clear affirmative action. Inactivity or silence is not enough and the use of “pre-ticked boxes” is not permitted.
- if the relevant processing has multiple purposes, consent must be given for all of them.
- consent will not be valid if the individual does not have a genuine free choice or if there is a detriment if they refuse or withdraw consent.
- consent might not be valid if there is a clear imbalance of power between the individual and the controller, particularly where the controller is a public authority.
- you cannot “bundle consent”. Where different processing activities are taking place, consent is presumed not valid unless the individual can consent to them separately.
- consent is presumed not valid if it is a condition of performance of a contract.
- the individual can withdraw consent at any time and must be told of that right prior to giving consent. It should be as easy to withdraw consent as it is to give it.
Considering the above-mentioned conditions, you need to check your consents; if they match the requirements you are fine, if not you may need to reach out to the individuals to obtain a compliant consent.
2. In order to process any personal data, a controller such as your NGO must ensure the processing of personal data complies with all six of the following general principles:
1. Lawfulness, fairness and transparency - Personal data must be processed lawfully, fairly and in a transparent manner;
2. Purpose limitation - Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (with exceptions for public interest, scientific, historical or statistical purposes);
3. Data minimization - Personal data must be adequate, relevant and limited to what is necessary in relation to purposes for which they are processed;
4. Accuracy - Personal data must be accurate and, where necessary, kept up to date. Inaccurate personal data should be corrected or deleted;
5. Retention - Personal data should be kept in an identifiable format for no longer than is necessary (with exceptions for public interest, scientific, historical or statistical purposes); and
6. Integrity and confidentiality - Personal data should be kept secure.
Besides respecting the principles set out above, processing of personal data will only be lawful if it satisfies at least one of the following processing conditions:
a. Consent - The individual has given consent to the processing for one or more specific purposes.
b. Necessary for performance of a contract - The processing is necessary for the performance of a contract with the individual or in order to take steps at the request of the individual prior to entering into a contract;
c. Legal obligation - The processing is necessary for compliance with a legal obligation to which the controller is subject. Only legal obligations under Union or Member State law will satisfy this condition. However, that law need not be statutory (e.g. common law obligations are sufficient);
d. Vital interests - The processing is necessary in order to protect the vital interests of the individual or of another natural person. This is typically limited to processing needed for medical emergencies;
e. Public functions - The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. Those functions must arise under Member State or EU law; or
f. Legitimate interests - The processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. Public authorities cannot rely on this condition.