Further processing is probably one of the lesser researched features of the General Data Protection Regulation (GDPR). This is remarkable since much of the data to be processed involves data that was collected at an earlier stage and further processing is highly relevant for data controllers.
“Further processing” in this article refers to the processing of personal data for a purpose other than that for which it was initially collected. Article 6(4) of the GDPR provides the legal basis for such further processing. The key mechanisms are consent and a compatibility assessment.
Many privacy advocates consider consent to be the gold standard for further processing and pay little attention to the compatibility option. Consent, however, puts a significant cognitive load on individuals (the data subjects), while it confronts data controllers with serious challenges in obtaining consent and recording its validity. On the other hand, the compatibility assessment allows data controllers to justify the further processing based on the criteria given in Article 6(4), but it might leave individuals powerless.
In this article, we compare the two key mechanisms for further processing, consent and compatibility, and we discuss various compensating measures controllers can take to ensure that compatibility-based processing is a real alternative to consent.