TOOP and GDPR, an impossible marriage?
The European Commission launched the €8 Million “Once-Only” Principle Project (TOOP) on January 1st 2017. This project is part of the EU eGovernment Action Plan 2016-2020 and will contribute towards increasing the efficiency of the Digital Single Market.
The project will ensure that information is supplied to public administrations only once, regardless of the company’s country of origin, thereby eliminating unnecessary burdens for European businesses that are asked to repeatedly present the same data and documents. According to the “Once-Only” principle, public bodies should take action to share data with each other, respecting privacy and data protection rules, both nationally (across sectors) and across borders.
When initial data that has been entered once by an organisation is needed for another digital procedure within the EU, this data should be automatically entered in advance in the digital form at hand. This is known as pre-filling.
Here comes the challenge:
Article 5.1(b) of the EU General Data Protection Regulation states clearly that “Personal Data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’).”
When the initial data collector retrieves the data for the process that needs it, gives the legal grounds to do so and gets consent, then every forwarding of that data is incompatible with the initial purpose.
Article 5.1(c) states that “Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’).”
When data is collected to be forwarded to another European service or entity, this is not compatible with the initial purpose for which it was collected.
Article 5.1(d) states that “Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’).”
When data is collected by the initial service and is forwarded throughout services in EC member states, then who is responsible for keeping all the data accurate, up to date and rectified when needed? Also, who is responsible for keeping oversight when a data subject asks for insight or exercises the right to be forgotten (Article 17)?
Also, Articles 12 and 13 are all about transparency and access to personal data. If personal data is scattered around European services and data controllers/processors, then who will be the single point of contact when a data subject asks for information or insight into it?
Article 18 states that “The data subject shall have the right to obtain from the controller restriction of processing under certain circumstances.” What happens when the data subject exercises that right? Will TOOP be able to NOT forward and process the personal data?
Realising the impossible?
It is pretty clear that TOOP is not in line with the philosophy of the GDPR and is incompatible with many of the 99 articles in it. We look forward to the stretching and bending exercises the TOOP project will force itself into to deliver some value for the €8 Million project it started.
Amsterdam, June 27th 2017
D.A. van Zantvliet Rozemeijer MBA
This work is licensed under a Creative Commons Attribution-NoDerivatives 4.0 International License.