Personal data is important for individuals and has a high value for organisations, so it is essential to identify a lawful basis for processing it. To help you identify the correct one, we have set out what each lawful basis is and examples of scenarios where it can be relied upon. Don’t forget to include this information in your privacy policy to demonstrate your accountability and transparency!
What are the lawful bases for processing?
Article 6 of the GDPR sets out the six lawful bases for processing as:
(a) Consent
(b) Contract
(c) Legal obligation
(d) Vital interests
(e) Public task
(f) Legitimate interests
But first, does your processing of personal data meet the test of necessity? All but one of the six lawful bases for processing require necessity, meaning that the processing of personal data must be the only way for your organisation to achieve its goal, with no other method that could achieve it. The necessity test asks:
- Is the processing of someone’s personal data a reasonable and proportionate method of achieving a given goal?
- Is there an alternative method that is a less intrusive way to meet this goal that is more reasonable and proportionate?
- Are you certain there is no equally effective available alternative?
To pass the necessity test, your organisation needs to ensure that the processing of personal data is more than a matter of convenience, more than something that could potentially be useful, and more than standard practice. It must be the case that without the processing of personal data, a legitimate and transparent aim cannot be achieved. For example, it is necessary for an airline to process its customers' credit card details in order to sell them tickets, and no other method can achieve this end.
Once you are able to answer yes, no and yes to the above questions, you can proceed to identifying a lawful basis for processing.
Consent
Article 4 (11) GDPR defines consent as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”. The method for obtaining consent should be “clear, concise and not unnecessarily disruptive” and must be distinguishable from other requests for consent in order to be specific and informed whereby data subjects have all the information on what they are consenting to. Where there is processing required for different purposes, each one must be listed so that individuals can consent to each separately.
Consent must also be freely given, and in situations where the data controller has significant power over the data subject, consent is less likely to be a valid basis (although not impossible). Equally, consent must be separate from other processing operations for different purposes, otherwise it would not be freely given. For example, performance of a contract cannot be tied to consent to the processing of personal data for that contract, as such consent would not be freely given.
Examples
- Ticking a box on a website
- Choosing specific settings on apps and websites
- Allowing data subjects to show their consent via their conduct
- Consent cannot be silence, pre-ticked boxes, opt-out boxes or inactivity
Contract
This is a commonly used ground for processing data when there is a contractual relationship between the data subject and the controller. However, the relationship alone is not enough to justify using this ground as the processing must also be necessary for the performance of a contract between the two parties.
The contract itself must be between the actual data subject and the controller for the controller to rely on this basis which means that personal data cannot be processed for contracts between the controller and a third party. Thus, a controller cannot rely on this legal basis if they have a contract with a third-party provider as the data subject is not party to it.
Examples
- Taking customers' contact details in order to contact them about a service you will provide to them
- Where the processing of personal data is required as an element of performance of the contract which is within the terms and conditions of the product or service
- Where the context of an agreement requires the processing of personal data
Legal obligation
This basis is relevant where controllers must process personal data to comply with EU or national law. The processing need not be required by a specific legal obligation that data be processed in this particular manner; it is enough that the processing fulfils the overall purpose of a legal obligation.
Examples
- A legal obligation laid down by EU or national law that your organisation must follow; the law should be clear and precise, and its application should be foreseeable to the individuals subject to it
- Processing employee personal data to comply with legal obligations to HMRC
- Processing personal data in order to submit a Suspicious Activity Report to the National Crime Agency
Vital interest
This basis is relevant in certain circumstances where processing is needed to protect a person's life or to mitigate danger to individuals. Often, processing under this legal basis involves health data in emergency situations, where the vital interests of the person whose personal data is being processed need to be protected.
Processing one person's personal data to protect the vital interests of another individual is also possible, although only in limited circumstances.
Examples
- The disclosure of a person's medical history at A&E after a serious, life-threatening accident
Public task
For some controllers, the processing of personal data is necessary for them to carry out a task in the public interest (as set out in law) or to exercise official authority (public functions and powers). Such processing should be grounded in EU or national law and must be proportionate and legitimate to the aim pursued. Recital 41 of the GDPR suggests that this form of processing should be foreseeable to those affected by it, for example where a particular law is in place that allows the processing of personal data in the public interest.
Examples
Recitals 45, 55 and 56 of the GDPR give the following examples:
- For public health or social protection
- Management of health care services
- Achieving the aims of officially recognised religious associations as laid down by constitutional or international public law
- In the course of electoral activities under some instances and provided that appropriate safeguards are in place to protect data subject rights
Legitimate interest
This is a flexible legal basis for processing personal data, as it can be used in situations that do not fit any of the above. But this also means it places more obligations on controllers to justify their reliance on it. Data controllers will need to:
- Identify the legitimate interest;
- Demonstrate that their processing of personal data is necessary to achieve this legitimate interest; and
- Balance the legitimate interest against the data subject’s interests, rights and freedoms.
As a general rule, processing under legitimate interests should have a minimal impact on data subjects and should be done in a way that they would reasonably expect.
Examples
Recitals 47, 48 and 49 of the GDPR give the following examples:
- Processing personal data for the prevention of fraud
- Processing for direct marketing purposes
- Where there is a ‘relevant and appropriate relationship’ between the data subject and controller
- Processing of clients’ or employees’ personal data
- For the purposes of network and information security considerations
How should you document your lawful basis for processing?
You should keep a record of the lawful basis of processing you have relied upon and the justification for this for all the personal data you hold to demonstrate your organisation's accountability in protecting personal data. This is where the Privasee platform comes in: it can help you identify the lawful basis for processing whilst also keeping an accurate record of all the personal data you hold by mapping it out and labelling it with the correct legal basis. This way, you can set your compliance on autopilot and demonstrate your accountability and transparency to both data subjects and regulatory bodies.
Disclaimer
The above article does not constitute legal advice in any form and only seeks to break down the core concepts as defined under the GDPR.
Sources
- https://ico.org.uk/for-organisations/gdpr-resources/lawful-basis-interactive-guidance-tool/
- https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/
- https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/special-category-data/#scd3
- https://www.dataprotection.ie/sites/default/files/uploads/2020-04/Guidance%20on%20Legal%20Bases.pdf