• Rebecca Ding

How to choose the right legal basis for processing data


Personal data is important for individuals and has a high value for organisations, so it is essential to identify a lawful basis for processing it. To help you identify the correct one, we have set out what each lawful basis is and examples of scenarios where it can be relied upon. Don’t forget to include this information in your privacy policy to demonstrate your accountability and transparency!

What are the lawful bases for processing? Article 6 of the GDPR sets out the 6 lawful basis for processing as: (a) Consent (b) Contract (c) Legal obligation (d) Vital interests (e) Public task (f) Legitimate interests But first, does your processing of personal data meet the test of necessity? All but one of the 6 lawful bases for processing requires the concept of necessity which states that the processing of personal data must be the only way for your organisation to achieve your goals, and there are no other methods that can help you do this. The necessity test is determined below:

  • Is the processing of someone’s personal data a reasonable and proportionate method of achieving a given goal?

  • Is there an alternative method that is a less intrusive way to meet this goal that is more reasonable and proportionate?

  • Are you certain there is no equally effective available alternative?

To pass the necessity test, your organisation needs to ensure that the processing of personal data is more than just for convenience’s sake or that it could be potentially useful, or even because it is standard practice. It must be the case that without the processing of personal data, a legitimate and transparent aim cannot be achieved. For example, it is necessary for an airline to process their customer’s credit card details in order to sell them tickets and no other methods can help them achieve this end.

Once you are able to answer yes, no and yes to the above questions, you can proceed to identifying a lawful basis for processing.

Consent Article 4 (11) GDPR defines consent as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”. The method for obtaining consent should be “clear, concise and not unnecessarily disruptive” and must be distinguishable from other requests for consent in order to be specific and informed whereby data subjects have all the information on what they are consenting to. Where there is processing required for different purposes, each one must be listed so that individuals can consent to each separately. Consent must also be freely given and in situations where the data controller has significant power over the data subject, consent is less likely to be relied upon (although not impossible). Equally, consent must be separate from other processing operations for different purposes otherwise it would not be freely given. For example, a performance of a contract cannot be tied to the consent of processing of personal data for that contract as this would not be freely giving consent.

Examples

  • Ticking a box on a website

  • Choosing specific settings on apps and websites

  • Allowing data subjects to show their consent via their conduct

  • Consent cannot be silence, pre-ticked boxes, opt-out boxes or inactivity

Contract

This is a commonly used ground for processing data when there is a contractual relationship between the data subject and the controller. However, the relationship alone is not enough to justify using this ground as the processing must also be necessary for the performance of a contract between the two parties. The contract itself must be between the actual data subject and the controller for the controller to rely on this basis which means that personal data cannot be processed for contracts between the controller and a third party. Thus, a controller cannot rely on this legal basis if they have a contract with a third-party provider as the data subject is not party to it. Examples

  • Taking customer contact details to contact them on a service you will provide for them

  • Where the processing of personal data is required as an element of performance of the contract which is within the terms and conditions of the product or service

  • Where the context of an agreement requires the processing of personal data

Legal obligation Situations where this basis is relevant is when controllers must process personal data to comply with EU or national law. The processing of personal data need not be for a specific legal obligation requiring that data be processed in this manner but rather to fulfil the overall purpose of a legal obligation.

Examples

  • Legal obligation laid down by EU or national law that must be followed by your organisation and the EU or national law is clear and precise, and its application should be foreseeable to individuals subject to it

  • Processing employee personal data to comply with legal obligations under HMRC

  • Processing personal data in order to submit a Suspicious Activity Report to the National Crime Agency

Vital interest This is a relevant basis under certain circumstances where processing is needed to protect a person's life or to mitigate danger to individuals. Oftentimes, processing under this legal basis is related to health data under emergency situations and when the vital interest of the person whose personal data needs processing needs to be protected. Processing the personal data of someone for the protection of the vital interest of another individual can also be possible although limited.

Examples

  • The disclosure of a person's medical history at the A & E after a serious life threatening accident

Public task For some controllers, the processing of personal data is necessary for them to carry out a task in the public interest (as set out in law) or exercise an official authority (public functions and powers). Such processing should be grounded in EU and national law and must be proportionate and legitimate to the aim pursued. Recital 41 of the GDPR suggests that this form of processing should be foreseeable to those affected by the processing for example, if there is a particular law in place that allows for processing of personal data for the public interest. Examples Recitals 45, 55 and 56 of the GDPR gives the following examples:

  • For public health or social protection

  • Management of health care services

  • Achieving the aims of officially recognised religious associations as laid down by constitutional or international public law

  • In the course of electoral activities under some instances and provided that appropriate safeguards are in place to protect data subject rights


Legitimate interest This is a flexible legal basis for processing personal data as it can be used in situations that do not fit any of the above. But this also means it has more obligations on controllers to justify their reliance on it. Data controllers will need to:

  • Identify the legitimate interest;

  • Demonstrate that their processing of personal data is necessary to achieve this legitimate interest; and

  • Balance the legitimate interest against the data subject’s interests, rights and freedoms.

As a general rule, processing under legitimate interests should have a minimal impact on data subjects and should be done in a way that they would reasonably expect. Examples Recitals 47, 48 and 49 of the GDPR gives the following examples:

  • Processing personal data for the prevention of fraud

  • Processing for direct marketing purposes

  • Where there is a ‘relevant and appropriate relationship’ between the data subject and controller

  • Processing of clients’ or employees’ personal data

  • For the purposes of network and information security considerations

How should you document your lawful basis for processing? You should keep a record of the lawful basis of processing you have relied upon and the justification for this for all the personal data you hold to demonstrate your organization's accountability in protecting personal data. This is where the Privasee platform comes in: it can help you identify the lawful basis for processing whilst also keeping an accurate record of all the personal data you hold by mapping it out and labelling it with the correct legal basis. This way, you can set your compliance on autopilot and demonstrate your accountability and transparency to both data subjects and regulatory bodies.

Disclaimer The above article does not constitute legal advice in any form and only seeks to break down the core concepts as defined under the GDPR.

Sources https://ico.org.uk/for-organisations/gdpr-resources/lawful-basis-interactive-guidance-tool/ https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/ https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/special-category-data/#scd3 https://www.dataprotection.ie/sites/default/files/uploads/2020-04/Guidance%20on%20Legal%20Bases.pdf