The GDPR states that you must identify a lawful basis before processing personal data. But what is a lawful basis for processing? Do you always need individuals’ consent to process their data? And what exactly are ‘legitimate interests’? You must understand your GDPR and the lawful bases for processing.
The GDPR defines processing as “any operation or set of operations that is performed on personal data, whether by automated means or not, including collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, erasure, or destruction”.
Before you do any of these things, you need to identify a lawful basis for doing so, as required by Article 6.
Except for special categories of personal data (sensitive data), which you cannot process except under certain circumstances, there are six lawful bases for processing:
- If the data subject gives their explicit consent; or if the processing is necessary;
- To meet contractual obligations entered into by the data subject;
- To comply with the data controller’s legal obligations;
- In order to protect the data subject’s vital interests;
- For tasks carried out in the public interest or exercise of authority vested in the data controller; or
- For the purposes of legitimate interests pursued by the data controller.
The lawfulness of processing under the GDPR
Stated in Recital 32, “Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.”
- An ‘affirmative act’ means the data subject has to opt-in – you cannot assume their consent. For example, you cannot use pre-ticked boxes on your website.
- ‘Freely given’ means the data subject has to have a genuine choice. They must not suffer any detriment if they refuse their consent.
- ‘Specific and informed’ means you must clearly explain what they are consenting to. You must not be vague or incomprehensible otherwise the request for consent is invalid.
If you rely on consent, it’s essential to keep proper records, as stipulated by Article 7(1):
“Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.”
This is particularly important because data subjects have the right to withdraw their consent at any time. It must be as easy for them to withdraw their consent as it was to provide it in the first place.
If they do withdraw their consent, you will be obliged to erase their data “without undue delay” if they ask you to, unless you can show a lawful reason to retain it.
Many businesses focus on consent. However, it’s arguably the weakest lawful basis for processing because it can be withdrawn at any time.
It’s therefore always worth determining whether another lawful basis for processing can apply.
For example, when you process staff data for payroll purposes, contractual obligations will apply, as staff will have signed a contract of employment
You can rely on contractual obligations if:
- You have a contract with someone and need to process their personal data to comply with your obligations as part of that contract; or
- You don’t yet have a contract with someone, but they’ve asked you to do something as an initial step (for example, provide a quotation) and you need to process their personal data in order to do so.
In this context, a contract doesn’t have to be a formal legal document, as long as it meets the requirements of contract law. An oral statement also counts as a contract.
The processing you carry out must be necessary for the purposes of fulfilling your contractual obligations. This lawful basis will not apply if there are other ways of meeting those obligations.
If it’s necessary to process data that is sensitive for a contract, you’ll also need to identify a separate condition for processing that data. This is set out in Article 9(2) of the GDPR, and sections 10 and 11, and Schedule 1 of the DPA (Data Protection Act) 2018.
You can rely on legal obligations if you need to process personal data to comply with a common law or statutory obligation. (It doesn’t apply to contractual obligations.) It should be clear from the law in question whether processing is necessary for compliance.
Again, record-keeping is essential. You must be able to identify the specific legal provision you’re complying with or show the guidance or advice that sets out your legal obligation.
This basis applies if it’s necessary to process personal data to protect someone’s life. (This applies to any life – not just the data subject’s life.)
Recital 46 of the GDPR clarifies that “Processing of personal data based on the vital interest of another natural person should in principle take place only where the processing cannot be manifestly based on another legal basis.”
It is unlikely to apply except in cases of emergency medical treatment
If your organisation needs to process personal data “for the performance of a task carried out in the public interest” or “in the exercise of official authority” (Recital 50), you can do so using this lawful basis.
You don’t need a specific statutory power to process personal data. However, you must have a clear basis in law, which you must document.
The DPA 2018 clarifies that this includes processing necessary for:
- The administration of justice;
- Exercising a function of either House of Parliament;
- To exercise a function conferred on a person by an enactment or rule of law;
- Exercising a function of the Crown, a Minister of the Crown or a government department; or
- An activity that supports or promotes democratic engagement.
Data subjects’ rights to erasure and data portability do not apply if you are processing on this basis. However, they do have a right to object.
This is the most flexible of the six lawful bases for processing. Legitimate interests could theoretically apply to any type of processing carried out for any reasonable purpose.
Article 6(1f) states that processing is lawful if, and to the extent that:
“processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child”.
On the one hand, this gives you a lot of room for interpretation, on the other, the definition is unhelpfully vague. The burden is on you to determine whether or not your interests in processing the personal data really are legitimate. Many interests can be legitimate, including your interests, third parties’ interests and commercial interests. These interests must be balanced against those of the data subject(s).
The GDPR mentions processing of client or employee data. It also covers marketing, fraud prevention, intra-group transfers or IT security as potential legitimate interests. However, this list is not exhaustive.
Consideration of interests
The important thing to consider is when ‘legitimate interests’ is most likely to be appropriate. If you are using personal data in ways that the data subjects would deem reasonable and where the processing has a minimal impact on their privacy, then this is likely to be deemed as appropriate.
And, as ever with the GDPR, it’s your record-keeping that will prove vital. If you can demonstrate that you’ve carried out a full LIA (legitimate interests assessment), the supervisory authority should be satisfied. Remember, that if you use legitimate interests as your basis for processing personal information as part of your marketing activities, the data subjects’ right to object is absolute: you must stop processing if anyone objects.
You should also check your compliance with the PECR (Privacy and Electronic Communications Regulations 2003).
If you rely on legitimate interests it is worth noting that the right to data portability does not apply.
DPO as a service
If you need advice on determining your lawful basis for processing personal data, we would be happy to help you understand and document this. Please contact us here.
Maintaining GDPR and the lawful bases for processing, you might want to consider our DPO as a service offering. This enables you to outsource the DPO role to an expert, helping you meet your GDPR obligations without losing focus on your core business activities. This means keeping your GDPR and the lawful bases for processing accurate and up to date.