First published June 2018. Last updated March 2020.
Under the EU GDPR (General Data Protection Regulation), you need to identify a lawful basis before processing personal data. But what is a lawful basis for processing? Do you always need individuals’ consent to process their data? And what exactly are ‘legitimate interests’?
Article 4(2) of the GDPR defines processing as “any operation or set of operations that is performed on personal data, whether by automated means or not, including collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, erasure, or destruction”.
Before you do any of these things, you need to identify a lawful basis for doing so, according to Article 6.
Special categories of personal data (sensitive data) are a separate case: Article 9 prohibits processing them unless one of its specific conditions is met. For all other personal data, Article 6 provides six lawful bases for processing:
- If the data subject has given consent to the processing;
or if processing is necessary:
- To meet contractual obligations entered into by the data subject;
- To comply with the data controller’s legal obligations;
- To protect the data subject’s vital interests;
- For tasks carried out in the public interest or exercise of authority vested in the data controller; or
- For the purposes of legitimate interests pursued by the data controller.
This blog explains each of the six lawful bases and how to choose the most appropriate one.
Lawfulness of processing under the GDPR
- Consent
Recital 32 states:
“Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.”
- An ‘affirmative act’ means the data subject has to opt-in – you cannot assume their consent, for example by using pre-ticked boxes on your website.
- ‘Freely given’ means the data subject has to have genuine choice: they must not suffer any detriment if they refuse consent.
- ‘Specific and informed’ means you must clearly explain what they are consenting to: a vague or incomprehensible request for consent will be invalid.
If you rely on consent, it’s essential to keep proper records, as stipulated by Article 7(1):
“Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.”
This is particularly important because data subjects have the right to withdraw their consent at any time (Article 7(3)).
It must be as easy for them to withdraw their consent as it was to provide it in the first place.
Withdrawal does not make the processing that took place before it unlawful, but you must stop any processing that relied on that consent and, if the data subject asks, erase their data “without undue delay” (Article 17), unless you can show another lawful basis for retaining it.
Many people – and organisations – focus on consent, but it’s arguably the weakest lawful basis for processing because it can be withdrawn at any time.
It’s therefore always worth determining whether another lawful basis for processing can apply.
For example, when you process staff data for payroll purposes, contractual obligations will apply, as staff will have signed a contract of employment.
- Contractual obligations
You can rely on contractual obligations if:
- You have a contract with someone and need to process their personal data to comply with your obligations as part of that contract; or
- You don’t yet have a contract with someone, but they’ve asked you to do something as an initial step (for example, provide a quote) and you need to process their personal data to do so.
In this context, a contract doesn’t have to be a formal written document, as long as it meets the requirements of contract law. An oral agreement can also be a contract.
The processing you carry out must be necessary for the purposes of fulfilling your contractual obligations. This lawful basis will not apply if there are other reasonable, less intrusive ways of meeting those obligations.
If it’s necessary to process sensitive data as part of a contract, you’ll also need to identify a separate condition for processing that data, as set out in Article 9(2) of the GDPR, and sections 10 and 11, and Schedule 1 of the DPA (Data Protection Act) 2018.
- Legal obligations
You can rely on legal obligations if you need to process personal data to comply with a common law or statutory obligation. (It doesn’t apply to contractual obligations.) It should be clear from the law in question whether processing is necessary for compliance.
Again, record-keeping is essential: you must be able to identify the specific legal provision you’re complying with, or show the guidance or advice that sets out your legal obligation.
- Vital interests
This basis applies if it’s necessary to process personal data to protect someone’s life. (This applies to any life – not just the data subject’s life.)
Recital 46 of the GDPR clarifies that:
“Processing of personal data based on the vital interest of another natural person should in principle take place only where the processing cannot be manifestly based on another legal basis.”
It is unlikely to apply outside emergencies, such as when someone needs urgent medical treatment and is not in a position to consent.
- Public interest
If your organisation needs to process personal data “for the performance of a task carried out in the public interest” or “in the exercise of official authority vested in the controller” (Article 6(1)(e)), you can do so using this lawful basis.
You don’t need a specific statutory power to process personal data, but you must have a clear basis in law, which you must document.
Section 8 of the DPA 2018 clarifies that this includes processing necessary for:
- The administration of justice;
- Exercising a function of either House of Parliament;
- Exercising a function conferred on a person by an enactment or rule of law;
- Exercising a function of the Crown, a Minister of the Crown or a government department; or
- An activity that supports or promotes democratic engagement.
Data subjects’ rights to erasure and data portability do not apply if you are processing on this basis. However, they do have a right to object.
- Legitimate interests
The most flexible of the six lawful bases for processing, legitimate interests could theoretically apply to any type of processing carried out for any reasonable purpose.
Article 6(1)(f) states that processing is lawful if, and to the extent that:
“processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child”.
On the one hand, this gives you a lot of room for interpretation.
On the other, the definition is unhelpfully vague, and the burden is on you to determine whether or not your interests in processing the personal data really are legitimate.
The ICO (Information Commissioner’s Office) has published a three-part test, covering purpose, necessity and balancing.
Numerous interests can be legitimate, including your interests, third parties’ interests and commercial interests. These interests must be balanced against those of the data subject(s).
Recitals 47 to 49 of the GDPR mention processing client or employee data, direct marketing, fraud prevention, intra-group transfers for administrative purposes and network and information security as potential legitimate interests, but this list is not exhaustive.
The important thing to consider is that ‘legitimate interests’ is most likely to be appropriate if you are using personal data in ways that the data subjects would deem reasonable and where the processing has a minimal impact on their privacy.
And, as ever with the GDPR, it’s your record-keeping that will prove essential. If you can demonstrate that you’ve carried out and documented a full LIA (legitimate interests assessment) before starting the processing, you will be well placed to show the supervisory authority that you have met your accountability obligations.
Remember that data subjects can object to any processing based on legitimate interests (Article 21(1)), and you must then stop unless you can demonstrate compelling legitimate grounds that override their interests, rights and freedoms. Where the processing is for direct marketing, the right to object is absolute (Article 21(2) and (3)): you must stop processing for that purpose as soon as anyone objects.
If you rely on legitimate interests, the right to data portability does not apply.
DPO as a service
If you need advice on determining your lawful basis for processing personal data, you should consider outsourcing a DPO (data protection officer).
Our sister company GRCI Law Limited is a legal consultancy specialising in data protection and cyber security.
Its DPO as a service offering enables you to outsource the DPO role to an expert, helping you meet your GDPR obligations without losing focus on your core business activities.