The GDPR's Article 6 and the future of anti-bribery due diligence

Illya Antonenko (iantonenko@traceinternational.org) is Privacy Counsel at TRACE International, Inc. in Annapolis, MD.

Compliance and ethics professionals know that anti-bribery due diligence of third parties involves processing large amounts of personal data about individuals associated with the third party. In May, the European Union’s (EU) General Data Protection Regulation (GDPR) will have a significant impact on anti-bribery due diligence processes of US companies as long as there is a chance that the individuals under review reside in the European Union. Companies “established” in the European Union must comply with GDPR requirements with respect to personal information of individuals regardless of where they reside. Much has been written about the GDPR and its complex, burdensome requirements. In this piece we will focus only on one such requirement.

As one of the initial GDPR thresholds for processing personal data of EU residents, the controller must determine which of the six lawful bases under the GDPR’s Article 6 applies to such processing. If none of the six bases apply, such personal data processing would be deemed unlawful under the GDPR. The six bases are: (1) an express consent of data subjects, (2) performance of a contract with the data subject or a request of the data subject before such contract is executed, (3) a legal obligation imposed by an EU or EU member state law, (4) vital interests of the data subject or another individual, (5) a public interest task or processing under official authority, and (6) legitimate interests of the controller or a third party.[1]

We have outlined below the general considerations in support of our choice of using legitimate interests of the controller as the Article 6 basis for processing of personal data in the context of anti-bribery due diligence and rejecting each of the other five bases. In our analysis, we have been guided by the Article 29 Data Protection Working Party’s Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC, 36 (WP 217).
