The EU’s data protection regime includes a number of exceptions to the application of its framework of rights and responsibilities. These exceptions provide a basis for processing information in certain contexts. They are directly relevant to the operation of a collaborative information management system, as they can provide ways of legitimately processing data in an emergency situation. The specific legal basis for the processing will depend on the actors involved and the purposes of the processing. Within the context of PPDR and DRM we can identify the following legal bases:
Article 6(d) of the GDPR states that personal data can be processed when this is in the vital or essential interests of the data subject. Recital 46 of the GDPR further clarifies that this legal basis could be relied upon specifically within the context of a natural or man-made disaster. Consequently, this provision could serve as the legal basis for the processing of personal information that relates to the victims of a disaster.
The processing of personal data of affected people could also fall within the scope of Article 6(e). According to this paragraph, the processing of personal data is lawful if the “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed”.
On the other hand, first responder agents using the collaborative platform will undoubtedly exchange information that relates to their forces active on the terrain. In this case, the first responder agencies will have to base the processing of personal information concerning their employees on their legitimate interest, as provided by Article 6(f) GDPR. If volunteers are working on behalf of a first responder agency, the processing of their data could also be based on consent.
Guiding Questions
How does the GDPR strengthen the need for end user consent in relation to data processing?
What are the exceptions to the requirement of consent and how do they operate?
At what point does an exception lapse and what steps should be taken to deal with the data at this point?
Does the lawfulness of the processing vary according to the specific situation of the person concerned?