Can we collect personal data concerning members´ relatives?

We receive many questions regarding relatives’ data. Data concerning relatives can be collected in different contexts. First and foremost, many think that data concerning relatives is collected regarding relatives of employees, but it might be of interest to collect data concerning relatives in other contexts as well. One example is data concerning relatives of members. Many companies, associations and organizations have members. We will therefor in this blogpost discuss if and how you can collect, and thereby process, personal data concerning member´s relatives.

What does the GDPR stipulate?

The GDPR sets the limits to judge whether a processing is allowed or not. For example, it might follow from a contractual obligation or a provision in law that you are under obligation to process personal data. There is no general prohibition in the GDPR toward processing personal data, but for the processing to be legal, certain considerations must have been made and you must follow the demands set out in the regulation.

Regarding member´s relatives´ personal data, it is mostly name, relationship with the member and phone number that will be collected. These types of personal data are not sensitive personal data (read more about sensitive personal data in Swedish here), which means that there, in most cases, should not be any major obstacles for processing the personal data. Even though the personal data is not sensitive, the requirements set forth in the GDPR must be met. These requirements mainly mean that you 1) must have a purpose with the processing at hand and 2) must have a legal basis for the processing at hand. It is also important to work in accordance with the other principles that controls all processing of personal data. I will describe these important parts of the GDPR below.

Legal basis

In order for a processing to be legal, the controller must have a legal basis for the processing in question. In the GDPR, there are six different legal bases. These are:

1. Consent,
2. Contract,
3. Legal obligation,
4. Public interest or exercise of official authority,
5. Vital interest and
6. Legitimate interest.

Generally, two different legal bases can be used when processing relatives´ personal data: consent or legitimate interest.

Consent: you can collect a valid consent from the relative whose personal data you are going to process. It is important to remember that it is not possible to give consent for someone else. This means that the member can not give consent for the relative. Instead, the consent must be collected from the relative directly. In order for a consent to be valid, the request for consent must be clear and precise. The relative must be given information regarding inter alia that it is possible to withdraw a consent, the purpose of the processing and which types of personal data that will be processed. This information must be given before the consent is given. A consent must be given voluntarily, which means that the data subject should not feel forced to give consent to something she or he does not really want to. Finally, a consent has to be unequivocal, which means that it has to be actively given by the data subject. The data subject must take action in order to give a consent to a certain processing.

Legitimate interest: it is possible to do an assessment in order to determine whether you, with the support of a legitimate interest, have the right to process personal data regarding your members´ relatives. Your interest of processing the personal data, e.g. in order to contact relatives in case of an emergency, must then outweigh the loss of integrity for the relative and the relative’s rights and freedoms. This impact assessment should be documented.

A number of conditions are stipulated in order for a valid consent or an impact assessment, but you as a controller have many possibilities to process personal data in your organization – as long as you do it right. We are happy to help you ensure a legal processing of personal data. Contact us for help.

You can read more about the other four legal bases here.

Principles

Another important part of the GDPR are the principles. Controlling all handling of personal data, these principles are a large part of the GDPR and if you work after the principles, you have come a long way in fulfilling the GDPR. There are six different principles stipulated in the GDPR. These are as follows:

1. Lawfulness, fairness and transparency – the personal data shall be processed lawfully and fairly. It shall also be transparent, which inter alia means that the data subject shall be given information regarding the processing.
2. Purpose limitation – the personal data has to be collected for a specified, explicit and legitimate purpose. This purpose determines how the personal data is processed and the data can not later be processed in a manner that is incompatible with the original purpose. There is reason to describe this principle more, which will be done in the section below.
3. Data minimisation – the personal data collected has to be necessary in relation to the purpose of the processing. The personal data has to be adequate, relevant and not to extensive.
4. Accuracy – the personal data that is collected or stored has to be correct and updated. Wrongful personal data shall be erased or rectified without delay.
5. Storage limitation – the personal data shall not be stored longer than what is necessary in order to fulfil the purpose.
6. Integriry and confidentiality – the personal data shall be processed in a way that ensures appropriate security. What is appropriate security can vary depending on the type of personal data being processed and how sensitive the personal data is. For example, if it is just name and phone number that is being processed, the safety demands are not as high as if the processing includes diagnoses and medical conditions.

Purpose limitation

Every processing must have an explicit and clear purpose. It is often not a major issue to determine a purpose for a specific processing. On the contrary, a processing usually has a purpose even if you haven´t thought about it when initiating the processing. However, it might be problematic to formulate this purpose in a clear and precise way.

When processing relatives´ data, the purpose might be e.g. in order to contact relatives if a member were to be involved in an accident. If this is the purpose of the processing, relative’s personal data can not be used for a different purpose, unless the new purpose is compatible with the original purpose. The relative must also be given information regarding what the purpose of the processing is before the processing is initiated in order for the relative to know what the personal data will to be used for.

Do you need help?

GDPR Hero, together with our partner Sällberg & Co, are happy to help you with your GDPR-related questions – no matter how small or big they might be.

Please, do not hesitate to contact us for further information!