The EU General Data Protection Regulation (GDPR) is unambiguous on this point: processing of personal data is lawful only if, and to the extent that, at least one of the legal bases listed in Article 6(1) applies. Any other rationale a data controller may offer for processing has no legal basis, and the processing is unlawful.
Organisations sometimes assume that they must obtain consent from data subjects before processing their data. This can look like an insurmountable administrative burden, but obtaining and managing consent is not obligatory for every processing activity. In fact, consent is only one of six legal bases for processing. Here is an overview of the six legal bases recognised by the GDPR:
1. Compliance with a legal obligation
The most stringent and precise basis, and also the most comfortable one from the controller's point of view, is the existence of at least one legal provision (Recitals 39, 40, 41; Article 6(1)) that requires, and thereby justifies, the processing. The controller must identify the legal basis in the information it provides to data subjects before or at the point of collection (Articles 13(1)(c) and 14(1)(c)), so it should be able to point to the specific act and provision it is relying on. To learn more about the differences between data controllers and processors, read the article: EU GDPR controller vs. processor – What are the differences?
Recital 45 and Articles 6(1)(c) and 6(3) permit processing that is necessary for compliance with a legal obligation to which the controller is subject, where that obligation is laid down in EU law or the law of a Member State.
There are many examples of this legal basis: keeping mandatory employment records, recording workplace accidents for health and safety purposes, retaining accounting records for tax authorities, etc.
2. Contractual performance
The GDPR recognises the very foundation of doing business, contractual obligations, as a legal basis (Recital 44; Article 6(1)(b)) that permits processing in two scenarios. First, processing is permitted if it is necessary for the performance of a contract to which the data subject is party. Second, processing is permitted before any contract exists, if it is necessary in order to take steps at the request of the data subject prior to entering into a contract. In this pre-contractual scenario (preparing or negotiating a contract), the GDPR is explicit that the steps must be taken at the request of the data subject, not initiated by the controller.
An example is processing credit card details in order to take payment under a contract. Where no contract exists yet, such as when an individual asks a service provider about a particular service via e-mail or social media, the individual's personal data may be processed for the purpose of responding to that inquiry. Note the word "necessary" in both scenarios: processing that merely benefits the controller, or that goes beyond what the contract or request actually requires, cannot rely on this basis.
3. Vital interests
Where processing cannot be based on another legal basis, it is permitted if it is necessary in order to protect the vital interests (Recital 46; Article 6(1)(d)) of the data subject or of another natural person (e.g., the children of the data subject).
This basis should be applied cautiously, however, as "vital interests" generally covers only life-or-death situations, and Recital 46 states that it should in principle be used only where the processing cannot manifestly be based on another legal basis. An example would be emergency services receiving a list of residents' names and ages when responding to an emergency call.
4. Public interest or acting under official public authority
Processing is permitted under Recital 45 and Article 6(1)(e) of the GDPR when it is necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller. As with the legal obligation basis, Article 6(3) requires that the task or authority be laid down in EU or Member State law.
Although permission is granted by default, processing carried out on this basis is subject to the data subject's right to object (Article 21). This formally allows the specifics of the situation to be reviewed: in effect, the data subject can question the controller's definition of public interest. The objection may or may not succeed, but the controller must respond without undue delay, and must stop the processing unless it can demonstrate compelling legitimate grounds that override the data subject's interests, rights and freedoms.
An example of this type of processing is a political party being permitted to hold a copy of the electoral register.
5. Legitimate interests
Perhaps the most ambiguous legal basis is "legitimate interests" (Recitals 47, 48; Article 6(1)(f)). In a nutshell, it allows the controller to build a justification for processing that does not fit any of the bases above, and so to process data without having to obtain and manage data subjects' consent. The legitimate interest may be that of the controller itself or of a third party to whom the data will be disclosed.
However, this basis applies only where the interests or fundamental rights and freedoms of the affected data subjects do not override the legitimate interest being pursued. To weigh these potentially opposing interests, the controller must carry out and document a so-called "balancing test" (which will be the subject of a separate article). Where the data subject is a child, the balance tips more readily in the child's favour.
The GDPR gives only broad descriptions of scenarios that fit this category. Recital 47 cites a relevant and appropriate relationship between the data subject and the controller, such as a client or service relationship, as well as processing strictly necessary for the prevention of fraud; Recital 48 cites the transmission of personal data within a group of undertakings, or among institutions affiliated to a central body, for internal administrative purposes. This can cover the processing of clients' or employees' personal data. Two limits should be noted: public authorities cannot rely on this basis for processing carried out in the performance of their tasks (Article 6(1)(f), final sentence), and in an employment relationship the imbalance of power between employer and employee weighs heavily in the balancing test.
6. Data subjects’ consent
Finally, for processing that fits none of the above categories, the controller is left with the last resort: obtaining the data subject's permission, i.e. consent (Recitals 32, 42, 43; Articles 6(1)(a) and 7).
Under Article 4(11), consent must be freely given, specific, informed and unambiguous, and it must be expressed by a statement or a clear affirmative action of the data subject in response to a clearly worded description of the processing activity. Pre-ticked boxes, silence or inactivity do not count (Recital 32). Consent is therefore strictly "opt-in": no processing may take place until consent has been obtained. The controller must also be able to demonstrate that consent was given (Article 7(1)), which in practice means keeping an audit trail of who consented, to what, when, and how.
What makes this basis the least attractive are the GDPR's strict validity requirements for obtaining and managing consent, and the fact that consent, once given, can be withdrawn at any time and must be as easy to withdraw as it was to give (Article 7(3)).
Where consent is relied on to offer online (information society) services directly to a child, Article 8 requires the consent to be given or authorised by the holder of parental responsibility for children below the age of 16 (Member States may lower this threshold, but not below 13), and the controller must make reasonable efforts, taking available technology into account, to verify that this is the case. Depending on the child's age, it may also be necessary to present the processing information to the child in language so plain that the child can easily understand it (Recital 58).
One of the most common scenarios in which consent is unavoidable is the collection of data subjects' contact details for marketing purposes, such as e-mail newsletters. Although Recital 47 notes that direct marketing may constitute a legitimate interest, electronic marketing is additionally governed by the ePrivacy Directive (2002/58/EC, Article 13), which generally requires prior consent for unsolicited e-mail marketing, with a narrow exception for existing customers who were given the chance to opt out. Processing personal data merely to enhance the controller's business prospects is not required by any law and fits none of the other categories, so in practice it is allowed only with verifiable, valid consent.
So many choices, so little time…
With all of this in mind, organisations acting as data controllers should carry out a detailed review of all their processing activities. For each one, a legal basis must be determined before the processing starts, and the mandatory documentation, including the records of processing activities required by Article 30, must be maintained for compliance purposes.
Most organisations should try to avoid relying on consent, to mitigate the risk of refusal and withdrawal, but this approach will not work in every legal situation, and a controller cannot quietly switch to another basis if consent is refused or withdrawn. Whichever of the six bases applies, a legally founded and transparently communicated definition of the processing is an absolute must.