Menu ≡
Home »CPDP Practical Guidelines in Which Cases No Consent Is Required for the Processing of Personal Data
CPDP Practical Guidelines in which cases consent to the processing of personal data is not required
The processing of personal data by data controllers, both in the public and in the private sphere, is legal, if any legal information is available.
the grounds, exhaustively listed in Art. 6 (1) of Regulation (EU) 2016/679 (General Data Protection Regulation, CPD, GDPR):
(a) the data subject has consented to the processing of his personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is a party or for taking steps at the request of the data subject
before the conclusion of the contract;
(c) processing is necessary to comply with a legal obligation that applies to the controller;
(d) processing is necessary to protect the vital interests of the data subject or of another individual;
(e) processing is necessary for the fulfillment of a public interest task or for the exercise of official powers conferred on
the administrator;
(f) processing is necessary for the purposes of the legitimate interests of the controller or of a third party, except where such interests have an advantage
the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular when the data subject is a child.
Consent is one of the reasons for collecting and processing personal data. Despite the fact that it is mentioned in the first place, it is important to know that everyone
the legal bases are alternative and equal and they are not hierarchically dependent. The presence of any of them makes the processing
legally, provided that the other requirements of the Regulation are complied with.
Where a data controller decides whether to process personal data on the basis of consent, he or she must investigate the circumstance.
whether there is another legal basis for processing them, such as a legal obligation or contract, and what would be the consequences for
the relevant activity upon withdrawal of consent from the person.
Some of the most common situations where the controller should not seek the consent of the person to process his or her personal data are the following:
1. Administrator - public or private, collects a certain amount of personal data in the performance of a duty under a law, e.g.
by virtue of the Health Act, the Accountancy Act, the Administrative Offenses and Sanctions Act, the Labor Code,
The Social Security Code, the Ministry of the Interior Act, the Civil Registration Act, the Law on Social Security
tourism, the Pre-school and School Education Act, etc.
In these cases, the legislator did not leave the discretion of the controller or the data subject, resulting in the possible consent of the person
will not be freely given, respectively, will not be valid. This is especially true for public administrators, as well as for sectors where there is a detailed legal framework
regulation, such as healthcare, education, banking, etc.
2. Personal data shall be collected in connection with the provision of various administrative services by public authorities or bodies
local government.
In these cases, the legal basis is the fulfillment of a public interest task or the exercise of official powers and the requisite consent of the persons
is unnecessary.
3. Personal data shall be collected and processed for employment purposes.
In these cases, the employee has no genuine free choice and is unable to refuse or withdraw his / her consent without leading to
its adverse effects due to the apparent inequality between the two countries. In addition, the relationships between data subjects and theirs
employers or appointing authorities, including with regard to the processing of personal data, are fully regulated by the employment
legislation, individual and / or collective agreements. In these circumstances, the condition for the lawfulness of the processing of personal data is
a legal obligation and / or performance of a contract (depending on the hypothesis).
4. Personal data are necessary for the conclusion and performance of a contract to which the data subject is a party.
Insofar as the main object and purpose of the contract cannot be objectively achieved without providing a certain amount of personal data, in these cases it is sufficient
the willingness of the parties to enter into contractual or pre-contractual relations and, accordingly, no separate consent is required for the processing of personal data.
This does not preclude the consent being used as a legal basis for the processing of personal information (contact details, etc.) for additional purposes,
such as marketing and advertising, unless a regulation provides a justification for it. In these cases, the requirement to obtain consent may be waived,
if the requirements laid down in the relevant regulatory act are fulfilled. It's important to know that the administrator has no right to bind the performance of a contract,
including the provision of a service, with the consent to the processing of personal data, where this is not necessary for the performance of the contract, such as
such as receiving promotional messages. In these cases, consent will not be given freely as the person has no real free choice and is not able to
refuse or withdraw its consent without adversely affecting it.
5. Personal data are necessary to protect the legitimate interests of the controller or of a third party, if such interests have
an advantage over the interests and / or fundamental rights and freedoms of the person.
Such hypotheses in practice are the taking of security and security measures, including through video surveillance, verification of persons and registration of access to
buildings, actions to ensure information and network security, etc.
There is also a legitimate interest in the processing of personal data for the protection of the rights of the controller through a judicial or non-judicial procedure, for example, filing a claim for
failure to perform a contract or claim liability for damages.
6. Personal data are transferred from one controller to another as a result of transfer of receivables (cession).
In these cases, the legal basis for the processing of personal data is the fulfillment of the legal obligation under Art. 99, para 3 of the Law on Obligations and Contracts.
The law obliges the previous lender to submit to the new lender the documents in his possession establishing the claim. This circumstance also determines
the transmission of personal data insofar as they are contained in the relevant documents. Upon receipt of the claim, the new creditor may process the data of
grounds its legitimate interest in collecting the amount due, including in the order of enforcement. The assignment should not be overlooked
to the previous creditor to notify the debtor of the transfer, which also corresponds to the obligation of transparency and to provide information within the meaning of
The general regulation.
7. Personal data shall be transmitted by the controller of the processing personal data.
The general regulation allows controllers to attract a "data processor" - natural or legal person, public body, agency or other
a structure that processes personal data on behalf of the controller. One of the most common hypotheses of personal data processing is accounting firms,
occupational medicine, debt collection companies, IT companies that maintain information systems of companies and agencies, etc.
In all these cases, the General Regulation does not require the consent of the data subject to the processing of personal data, such as
the discretion is left entirely to the administrator.
8. Specific hypothesis of processing personal data without requiring the consent of the data subject
video recording of persons in a public place.
If it is carried out by an individual in the course of purely personal pursuits, then the General Regulation shall not apply at all. In case the recording is part of
professional activity, then the exceptions and reliefs for academic, artistic or literary expression under Art. 85 of the Armed Forces.
The provision of Art. 13 of the Copyright and Related Rights Act, according to which the photographer (videographer) does not require consent
by the depicted person, if the image was taken in the course of the public activity of the depicted person or in a public or public place, the image
the face is just a detail in a work showing an assembly, procession, or landscape, or the depicted person has been paid to pose.
9. In cases where special categories of (sensitive) personal data, such as ethnic origin, are processed,
political views, religious beliefs, union membership, biometrics, health status, sexual
orientation, etc., the grounds for legality are specified in Art. 9 (2) of the CPD.
In this regard, the processing of health data is legal, if carried out for the purposes of preventive or occupational medicine, for
assessment of the employee's work capacity, medical diagnosis, provision of health and social care, treatment, management of healthcare systems
or social care, in the field of public health, to protect against serious cross-border threats to health, etc. Therefore, if the processing is
necessary for any of these purposes, the hospital, laboratory or pharmacy concerned has neither the obligation nor the right to request additional express
consent of the person (patient). The opposite would mean that the hospital would refuse treatment or the drug store if the person did not consent. Like
conduct would constitute a direct violation of the General Regulation, which may be penalized by a fine or a pecuniary penalty.
Example non-exhaustive list of cases where consent is not required:
In accordance with these criteria, as a rule, no separate consent is required from persons, including the signing of any form of declaration, for
the processing of their personal data by the administrators listed below in the course of their normal professional activities. This does not include personal processing
direct marketing data, where consent should be the leading ground.
- doctors, dentists and pharmacists;
- lawyers;
- employers;
- public authorities (state and municipal);
- educational establishments (kindergartens, schools and higher education institutions);
- banks and other credit institutions;
- insurers;
- undertakings providing public electronic communications networks and / or services;
- courier companies and other postal operators;
- utilities providing utilities (electricity distribution companies, plumbing, district heating);
- processing personal data (accountants, occupational health services, etc.);
- hoteliers and travel agencies;
- condominium managers (homeowners);
- copying services;
- translators;
- journalists, photographers and videographers;
- religious, political, social and trade union organizations;
- and other.
print
Links Sitemap Accessibility
Personal Data Protection Commission, Sofia 1592, “Prof. Tsvetan Lazarov ”№ 2
Cookie Settings