Points for attention when fighting subversive crime

Legal basis for processing

First you need to check whether you have a valid legal basis for processing personal data for the fight against subversive crime. This must be one of the 6 legal bases from Article 6 of the GDPR.

Are you a governmental organisation? Then you may be able to rely on the legal basis of public interest or official authority for your processing. This is only possible if you carry out a public task that is based on a law.

This legal task has to be described sufficiently clearly and precisely to serve as a legal basis for processing personal data for fighting subversive crime.

Data protection impact assessment (DPIA)

There is a good chance that you will have to carry out a data protection impact assessment (DPIA). You have to do this before you start processing data. A DPIA is required for data processing operations that will probably entail a high privacy risk for the data subjects.

A DPIA that is carried out properly:

• contains a systematic description of the envisaged data processing;
• provides insight into the privacy risks that this processing entails for the data subjects;
• provides insight into the possible measures that you take to mitigate these risks.

Note: Do you use algorithms? This may entail additional risks for data subjects. You have to determine beforehand if your use of algorithms meets the requirements of the GDPR. In doing so, you have to identify and list the risks of the use of algorithms in your DPIA, and where necessary take measures to protect the data subject(s) against these risks.

Prior consultation

Does your DPIA show that the envisaged processing entails a high risk? And are you unable to find measures to mitigate this risk? Then you have to consult with the Dutch Data Protection Authority (DDPA) before you start processing.

This is called a prior consultation. In this consultation, the DDPA provides advice on how you can limit the privacy risks. The DDPA can also advice you to not to go ahead with the processing at all.

Special and criminal personal data

Do you want to process special personal data or criminal personal data? Then you have to be extra careful. You are not permitted to process this type of personal data, unless a statutory exception applies in your situation.

Note: Are you a private party and do you want to share criminal data with others? Then you may need a permit from the Dutch DPA for this purpose.

Data minimisation

An important principle from the GDPR is data minimisation. This means that you have to bear in mind that, you are only allowed to collect, share or otherwise process personal data if these data are strictly necessary for fighting subversive crime. When making this assessment, you always have to take the interests of the data subject(s) into careful consideration.

Purpose limitation

Do you already have personal data in your possession, because you collected them for another purpose? Then you might not not be allowed to use them for fighting subversive crime. This is because of the GDPR principle of purpose limitation.

Article 6, paragraph 4 and recital 50 of the GDPR say that in 3 cases, you are allowed to use personal data for a purpose other than for which you collected them:

1. If the data subject gives consent for this. When fighting subversive crime, this will usually not be an option.
2. If this is necessary for the protection of, for example, national and public security or for the investigation into criminal offences (Article 23, paragraph 1 of the GDPR).
3. If this use is compatible with the purpose for which you originally collected the data.

You have to determine for yourself if one of these 3 cases applies to you. If none of them applies, you are not permitted to use the personal data that you already have for fighting subversive crime.

It is difficult to give a concrete indication of when you are or are not permitted to use personal data that you have collected for another purpose for the fight against subversive crime. This very much depends on the exact features and context of the personal data processing that you want to carry out.

In any case, it is important that you are careful and that you find out and substantiate properly why you think that you are allowed to use the data.

Clear agreements and safeguards

Do you want to collaborate with one or more organisations on fighting subversive crime? Then you will have to make clear agreements with these organisations about:

• Who is responsible for what. Especially if, for example, you are going to use a joint registration.
• To whom the data subjects can turn if they want to exercise their privacy rights. This could be unclear when different parties work together and share data with each other. It is up to you and the collaborating party or parties to make clear who processes which personal data and to provide clear information about this to the data subjects.  
• How you are going to ensure proper security of the personal data.

In addition, you have to agree guarantees that limit the negative impact on data subjects as much as possible, such as:

• clear agreements on which data you are permitted to provide to whom, and when you are permitted to do so;
• being as transparent as possible towards the data subjects about the processing operations that take place;
• immediately destroying incorrect data and data that are no longer strictly necessary.

You and the other party or parties have to record these and other guarantees clearly before you start sharing data.

Engaging an external party

Do you use an external party for investigating the legal possibilities? Or for setting up a system using which data can be processed or shared? In that case, bear in mind that you, as the controller, are and remain responsible yourself for the data processing. Make sure that you are certain that the processing is lawful before you start processing. And evaluate this at regular intervals.