Explain the reasons for the legitimacy of personal data processing from the perspective of EU and Iranian law

Document Type : Research Paper

Authors

1 Ph.D. Graduated in Private Law, Faculty of Law and Political Science, Ferdowsi University of Mashhad, Mashhad, Iran

2 Associate Professor, Department of Private Law, Faculty of Law and Political Science, Ferdowsi University of Mashhad

3 Faculty member of FAssociate Professor, Department of Private Law, Faculty of Law and Political Science, Ferdowsi University of Mashhaderdowsi University of Mashhad

4 Assistant Professor, Department of Private Law, Faculty of Law and Political Science, Ferdowsi University of Mashhad

Abstract

With the adoption of the European Union General Data Protection Regulation (GDPR) on personal data protection in 2016 and its entry into force in 2018, all EU member states were required to provide maximum protection of personal data and individuals. The maximum protections of this regulation are expressed in various provisions, which are more accurate, stricter and more practical than the previous legal frameworks of the European Union and other countries. In order to fully realize such protection, this regulation has stated several reasons for the legitimacy of personal data processing under the title of legal bases of personal data processing. According to the relevant article, controllers must have a valid legal basis for processing personal data. By explaining the aforementioned legal bases, the current research seeks to verify the feasibility of these legal bases in Iranian law. In other words, the answer to the question that in Iran's legal system, personal data can be processed despite the existence of which reasons. The result of the investigations is that the flow of the legal bases mentioned in the European data protection regulation - consent, contractual necessity, processing under the legal obligation of the controller, protection of the vital interests of individuals and the legitimate interests of the controller or a third party if prevailing - Due to the lack of Iranian law regarding the protection of personal data, it should be checked through different sources of Iranian law. Also, the results indicate that the aforementioned legal bases can also be used in Iranian law; But its full realization is achieved by the law.

Keywords


  • Breen, Stephen, Ouazzane, Karim, & Patel, Preeti (2020) "GDPR: Is Your Consent Valid?" Business Information Review, 37, No.1, pp.19-24.
  • Colcelli, Valentina (2019) "Joint Controller Agreement Under GDPR." EU and Comparative Law Issues and Challenges Series (ECLIC),3, pp.1030–1047.
  • Custers, Bart, et al (2013) "Informed Consent In Social Media Use – The Gap Between User Expectations And EU Personal Data Protection Law." SCRIPTed, Vol.10, No.4, pp. 435–457.
  • Eija, Saaranen (2018) Applying General Data Protection Regulation In Small Organizations Simplified Framework and Templates For Managing a Privacy. School of Business and Culture.
  • EUR-Lex (2016) "Regulation (EU) 2016/679 On The Protection of Natural Persons With Regard To The Processing Of Personal Data and On The Free Movement of Such Data (General Data Protection Regulation – GDPR)." Official Journal of The European Union, pp.1–88.
  • European Commission. (2018a) Can My Employer Require Me to Give My Consent to Use My Personal Data? https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/how-my-personal-data-protected/can-my-employer-require-me-give-my-consent-use-my-personal-data_en
  • European Commission. (2018b) How Should My Consent Be Requested? https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/how-my-personal-data-protected/how-should-my-consent-be-requested_en
  • European Commission. (2018c) What Data Can We Process and Under Which Conditions? https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/principles-gdpr/what-data-can-we-process-and-under-which-conditions_en
  • European Commission. (2018d) What Is a Data Controller or a Data Processor? https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/obligations/controller-processor/what-data-controller-or-data-processor_en
  • European Commission. (2018e) When Can Personal Data Be Processed? https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/legal-grounds-processing-data/grounds-processing/when-can-personal-data-be-processed_en
  • European Commission. (2018f) When Is Consent Valid? https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/legal-grounds-processing-data/grounds-processing/when-consent-valid_en
  • Goddard, Michelle (2017) "Viewpoint: The EU General Data Protection Regulation (GDPR): European Regulation That Has a Global Impact." International Journal of Market Research, 59, No.6, pp. 703–706.
  • (n.d.-a). "Contract." (Retrieved October 3, 2021,) from https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/contract/
  • (n.d.-b). "Legal Obligation." (Retrieved February 18, 2021,) from https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legal-obligation/
  • (n.d.-c). "Public Task." (Retrieved August 17, 2020,) from https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/public-task/
  • (n.d.-d). "What Is The ‘Legitimate Interests’ Basis?" (Retrieved February 28, 2021,) from https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/what-is-the-legitimate-interests-basis/
  • (n.d.-e). "What Is Valid Consent?" (Retrieved September 21, 2021,) from https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/consent/what-is-valid-consent/
  • (2018a). The Principles. https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/principles/
  • (2018b). Vital Interests. https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/vital-interests/
  • (2019). Lawful Basis for Processing (pp. 1–43).
  • Kubben, Pieter, Dumontier, Michel, & Dekker, Andre (Eds.) (2019). Fundamentals of Clinical Data Science. Springer International Publishing.
  • Marelli, Luca, & Testa, Giuseppe (2018) Scrutinizing the EU General Data Protection Regulation How Will New Decentralized Governance Impact Research? Science, pp. 496–498.
  • Mittal, Sandeep (2017) "Old Wine With a New Label: Rights of Data Subjects Under GDPR." International Journal of Advanced Research In Computer Science,8, No.7, pp. 67-71.
  • Mittal, Sandeep, & Priyanka, Sharma (2017) "The Role of Consent In Legitimising The Processing of Personal Data Under The Current EU Data Protection Framework." Asian Journal of Computer Science and Information Technology, Vol.7, No.4, pp. 76–78.
  • Politou, Eugenia, Alepis, Efthimios, & Patsakis, Constantinos (2018) "Forgetting Personal Data and Revoking Consent Under The GDPR: Challenges and Proposed Solutions." Journal of Cybersecurity, Vol.4, No.1, pp. 1–20.
  • Prins, Jej (2004) "The Propertization of Personal Data and Identities." Electronic Journal of Comparative Law, Vol.8, No.3, pp.1–7.
  • Reini, Pasi (2019) GDPR Implementation Case: Headpower Oy. University of Transport and Communications.
  • Schwartz, Paul (2004) "Property, Privacy, and Personal Data." Harvard Law Review, Vol.117, No.7, pp.2055–2128.
  • Singh, Atul (2016) "Protecting Personal Data as a Property Right." ILI Law Review, (Winter Issue), pp.123–139.
  • Sousa, Mariana, et al (2018) "Open EHR Based Systems and The General Data Protection Regulation (GDPR)." Studies in Health Technology and Informatics, Vol. 247, pp.91–95.
  • Sparapani, Timothy (2012) "Putting Consumers at The Heart Of The Social Media Revolution: Toward a Personal Property Interest to Protection Privacy." North Carolina Law Review,90, No.5, pp. 1309–1326.
  • Victor, Jacob M. (2013) "The EU General Data Protection Regulation: Toward a Property Regime For Protecting Data Privacy." Yale Law Journal, Vol.123, No.2, pp. 513–528.
  • Voigt, Paul, & von dem Bussche, Axel (2017) The EU General Data Protection Regulation (GDPR). Springer International Publishing.
  • Zarsky, Tal (2017) "Incompatible: The GDPR in The Age of Big Data." Seton Hall Law Review, Vol.47, No.4, pp. 995–1020.