Under the GDPR (General Data Protection Regulation), a lawful basis must be documented when organisations process personal data.
But what is a lawful basis for processing? Do you always need individuals’ consent to process their data? And what exactly are ‘legitimate interests’?
We answer those questions and others in this blog.
What is a lawful basis?
According to Article 6 of the GDPR, a lawful basis is necessary whenever organisations process personal data.
It outlines six bases that organisations can choose from, depending on the circumstances:
1) The data subject has given their explicit consent; or, where the processing is necessary:
2) To meet contractual obligations entered into by the data subject;
3) To comply with the data controller’s legal obligations;
4) To protect the data subject’s vital interests;
5) For tasks carried out in the public interest or in the exercise of official authority vested in the data controller; or
6) For the purposes of legitimate interests pursued by the data controller.
Let’s now take a look at each of these in more detail.
1. Consent
Recital 32 states:
“Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.”
- An ‘affirmative act’ means the data subject has to opt-in – you cannot assume their consent, for example, by using pre-ticked boxes on your website.
- ‘Freely given’ means the data subject has to have a genuine choice: they must not suffer any detriment if they refuse consent.
- ‘Specific and informed’ means you must clearly explain what they are consenting to: a vague or incomprehensible request for consent will be invalid.
If you rely on consent, it’s essential to keep proper records, as stipulated by Article 7(1):
“Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.”
This is particularly important because data subjects have the right to withdraw their consent at any time.
It must be as easy for them to withdraw their consent as it was to provide it in the first place.
If they do withdraw their consent, you must erase their data “without undue delay” unless you can show a lawful reason to retain it.
Many people – and organisations – focus on consent, but it’s arguably the weakest lawful basis for processing because it can be withdrawn at any time.
It’s therefore always worth determining whether another lawful basis for processing can apply.
For example, when you process staff data for payroll purposes, contractual obligations will apply, as staff will have signed a contract of employment.
2. Contractual obligations
You can rely on contractual obligations if:
- You have a contract with someone and need to process their personal data to comply with your obligations as part of that contract; or
- You don’t yet have a contract with someone, but they’ve asked you to do something as an initial step (for example, provide a quote) and you need to process their personal data to do so.
In this context, a contract doesn’t have to be a formal legal document, as long as it meets the requirements of contract law. An oral statement also counts.
The processing you carry out must be necessary for the purposes of fulfilling your contractual obligations. This lawful basis will not apply if there are other ways of meeting those obligations.
If it’s necessary to process sensitive data as part of a contract, you’ll also need to identify a separate lawful basis.
3. Legal obligations
You can rely on legal obligations if you need to process personal data to comply with a common law or statutory obligation. (It doesn’t apply to contractual obligations.) It should be clear from the law in question whether processing is necessary for compliance.
Again, record-keeping is essential: you must be able to identify the specific legal provision you’re complying with or produce a document that sets out your legal obligation.
4. Vital interests
This basis applies if it’s necessary to process personal data to protect someone’s life. (This applies to any life – not just the data subject’s life.)
Recital 46 of the GDPR clarifies that:
“Processing of personal data based on the vital interest of another natural person should in principle take place only where the processing cannot be manifestly based on another legal basis.”
It is unlikely to apply except in cases of emergency medical treatment.
5. Public interest
This lawful basis applies when you must process personal data “for the performance of a task carried out in the public interest” or “in the exercise of official authority”.
You don’t need a specific statutory power to process personal data, but you must have a clear basis in law, which you must document.
The DPA 2018 clarifies that this includes processing necessary for:
- The administration of justice;
- Exercising a function of either House of Parliament;
- Exercising a function conferred on a person by an enactment or rule of law;
- Exercising a function of the Crown, a Minister of the Crown or a government department; or
- An activity that supports or promotes democratic engagement.
Data subjects’ rights to erasure and data portability do not apply if you are processing on this basis. However, they do have a right to object.
6. Legitimate interests
The most flexible of the six lawful bases for processing, legitimate interests could theoretically apply to any type of processing carried out for any reasonable purpose.
Article 6(1)(f) states that processing is lawful if, and to the extent that:
“processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
On the one hand, this gives you a lot of room for interpretation.
On the other, the definition is unhelpfully vague, and the burden is on you to determine whether or not your interests in processing the personal data are legitimate.
The ICO (Information Commissioner’s Office) has published a three-part test, covering purpose, necessity and balancing.
Numerous interests can be legitimate, including your own, third parties’ and commercial interests. This may include:
- Processing client or employee data;
- Processing conducted for marketing purposes;
- Processing that helps prevent fraud;
- Intra-group transfers of personal data; and
- Processing for IT security purposes.
You can generally determine that legitimate interests applies if you are using an individual’s data in a way that they would expect or otherwise deem reasonable – and where the processing has a minimal impact on their privacy.
And, as ever with the GDPR, it’s your record-keeping that will prove essential. If you can demonstrate that you’ve carried out a full LIA (legitimate interests assessment), the supervisory authority should be satisfied.
You should note that when legitimate interests is used for marketing activities, the data subjects’ right to object is absolute: you must stop processing if anyone objects.
If you rely on legitimate interests, the right to data portability does not apply.
DPO as a service
If you’re looking for help meeting your DPO requirements, you should consider our DPO as a service.
The GDPR gives organisations the opportunity to outsource their DPO, and with our solution, it has never been simpler.
One of our data protection experts will perform all the necessary tasks remotely, working with you to understand your organisation and its compliance requirements.
The service, offered by our sister company GRCI Law, is also ideal for organisations that aren’t legally required to appoint a DPO but still want someone to provide expert advice.
A version of this blog was originally published on 17 July 2018.