February 20, 2023
Article 6 of the GDPR sets out the six lawful bases for processing as:
(a) Consent
(b) Contract
(c) Legal obligation
(d) Vital interests
(e) Public task
(f) Legitimate interests
But first, does your processing of personal data meet the test of necessity? All but one of the six lawful bases for processing require necessity, meaning that processing the personal data must be the only way for your organisation to achieve its goal, with no other method available that would achieve it. The necessity test is set out below:
To pass the necessity test, your organisation needs to ensure that the processing of personal data is more than merely convenient, potentially useful, or standard practice. It must be the case that, without the processing of personal data, a legitimate and transparent aim cannot be achieved. For example, it is necessary for an airline to process its customers' credit card details in order to sell them tickets, and no other method would achieve this end.
Once you are able to answer yes, no and yes to the above questions, you can proceed to identifying a lawful basis for processing.
Article 4(11) GDPR defines consent as "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her". The method for obtaining consent should be "clear, concise and not unnecessarily disruptive" and must be distinguishable from other requests for consent so that it is specific and informed, with data subjects having all the information on what they are consenting to. Where processing is required for different purposes, each purpose must be listed so that individuals can consent to each separately. Consent must also be freely given: in situations where the data controller has significant power over the data subject, consent is less likely to be a reliable basis (although not impossible). Equally, consent must be kept separate from other processing operations for different purposes, otherwise it would not be freely given. For example, performance of a contract cannot be tied to consent to the processing of personal data for that contract, as such consent would not be freely given.
This is a commonly used ground for processing data when there is a contractual relationship between the data subject and the controller. However, the relationship alone is not enough to justify using this ground: the processing must also be necessary for the performance of a contract between the two parties. The contract itself must be between the actual data subject and the controller for the controller to rely on this basis, which means that personal data cannot be processed under it for contracts between the controller and a third party. Thus, a controller cannot rely on this legal basis on the strength of a contract with a third-party provider, as the data subject is not party to it.
Examples
This basis is relevant where controllers must process personal data to comply with EU or national law. The processing need not be required by a specific legal obligation that mandates processing the data in a particular manner; it is enough that the processing fulfils the overall purpose of a legal obligation.
This basis is relevant in certain circumstances where processing is needed to protect a person's life or to mitigate danger to individuals. Oftentimes, processing under this legal basis involves health data in emergency situations, where the vital interests of the person whose personal data is being processed need to be protected. Processing someone's personal data to protect the vital interests of another individual is also possible, although limited.
For some controllers, the processing of personal data is necessary for them to carry out a task in the public interest (as set out in law) or to exercise official authority (public functions and powers). Such processing should be grounded in EU or national law and must be proportionate and legitimate in relation to the aim pursued. Recital 41 of the GDPR suggests that this form of processing should be foreseeable to those affected by it, for example where a particular law is in place that allows the processing of personal data in the public interest.
Examples
Recitals 45, 55 and 56 of the GDPR give the following examples:
This is a flexible legal basis for processing personal data, as it can be used in situations that do not fit any of the above. But this also means it places more obligations on controllers to justify their reliance on it. Data controllers will need to:
As a general rule, processing under legitimate interests should have a minimal impact on data subjects and should be done in a way they would reasonably expect.
Examples
Recitals 47, 48 and 49 of the GDPR give the following examples:
You should keep a record of the lawful basis for processing you have relied upon, and the justification for it, for all the personal data you hold, to demonstrate your organisation's accountability in protecting personal data. This is where the Privasee platform comes in: it can help you identify the lawful basis for processing while also keeping an accurate record of all the personal data you hold by mapping it out and labelling it with the correct legal basis. This way, you can set your compliance on autopilot and demonstrate your accountability and transparency to both data subjects and regulatory bodies.
Disclaimer
The above article does not constitute legal advice in any form and only seeks to break down the core concepts as defined under the GDPR.
Sources
https://ico.org.uk/for-organisations/gdpr-resources/lawful-basis-interactive-guidance-tool/
https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/
https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/special-category-data/#scd3
https://www.dataprotection.ie/sites/default/files/uploads/2020-04/Guidance%20on%20Legal%20Bases.pdf