GDPR EXPLAINED: The 6 Legal grounds for Processing Personal Data LAWFULLY
For many businesses, compliance with the General Data Protection Regulation (GDPR) has proven to be a bigger challenge than first anticipated, with much of the confusion caused by the complexities of the 99 articles and 173 recitals that make up the 261-page document.
But the need for regulatory controls over the processing of personal data isn’t something new. The GDPR’s predecessor, the Data Protection Directive (officially Directive 95/46/EC), already required organizations collecting and processing personal data to notify the relevant supervisory authority and to comply with the Directive as implemented in national law.
Much of what the GDPR’s 99 Articles and 173 Recitals say carries over from that earlier data protection regime. The main differences are:
the GDPR provides clearly defined legal rights in regard to the collection and processing of EU residents’ personal data, and a process for redress when their privacy rights are violated, and;
all organizations that collect and process the personal data of EU residents have a responsibility to ensure that their collection and processing practices comply fully with the law, or face potentially severe consequences.
Adhering to the GDPR is not optional, and there are no legitimate reasons for non-compliance. This ‘new’ law has far-reaching consequences for businesses operating around the world, not just businesses located within EU countries. But although the GDPR has applied since 25 May 2018, a great many affected firms around the world are still not compliant.
Achieving GDPR compliance can be complex and requires significant investment, as well as changes to processes and technologies.
But here’s the problem. Instead of addressing the issue by identifying what personal data is held, and then establishing the legal grounds for collecting and processing such data, many firms have concentrated their efforts on avoiding the penalties of non-compliance, while others have simply buried their heads in the sand, in the belief that the GDPR doesn’t apply to them.
Compliance Preparation & Establishing Legal Grounds
The Data Privacy Group advises businesses to begin the compliance process by first identifying:
what data is being held;
where it is stored - both within the organization and remotely (employees and third-party devices);
what data is being processed (activity), and why (purpose).
Once the above have been fully documented, the next step is to establish a lawful basis for processing this personal data. At least one of the six GDPR legal grounds must apply to each processing activity, and the appropriate one can vary with the activity and its purpose.
For those who are somewhat confused about the GDPR and its impact on business operations, the best reference point, when considering legal grounds for processing, is the GDPR’s two primary components - Recitals and Articles.
The GDPR’s 99 Articles constitute the actual requirements that businesses must meet in order to be considered compliant, while the Recitals provide context and greater depth of meaning to the Articles.
In regard to the lawfulness, fairness, transparency and purpose of personal data processing, Recital 39 of the GDPR document states the following:
Any processing of personal data should be lawful and fair.
It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed.
The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used.
That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed.
Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing.
In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data.
The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed.
This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum.
Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means.
In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review.
Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted.
Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorized access to or use of personal data and the equipment used for the processing.
The Six Legal Grounds for Processing Personal Data LAWFULLY
The GDPR requires that in order for processing to be lawful, personal data should be processed on the basis of the consent of the data subject concerned or some other legitimate basis.
That “legitimate basis” should be laid down in law, with the law being either the GDPR, or other European Union or Member State laws, depending on the EU Member State the affected data controller is subject to.
Any personal data processing must be lawful and fair, it should be transparent to data subjects whose personal data is processed. The principle of transparency requires that any information and communications concerning the processing of personal data is easy to understand, and easily accessible.
Article 6(1) of the GDPR states the conditions that must be met for the processing of personal data to be lawful. The six conditions are as follows:
The data subject has given consent to the processing of their personal data for one or more specific purposes;
Processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract;
Processing is necessary for compliance with a legal obligation to which the controller is subject;
Processing is necessary in order to protect the vital interests of the data subject or of another natural person;
Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
It is important to establish the most appropriate legal basis for each processing activity BEFORE actual processing begins. This presupposes that the record of processing activities required by Article 30 has already been compiled.
The Information Commissioner’s Office (ICO) warns that; “you should not swap to a different lawful basis at a later date without good reason. In particular, you cannot usually swap from consent to a different basis.”
Another important point is to ensure that privacy notices clearly state the purpose of the processing. If the stated purpose changes, it may be possible to continue processing under the original lawful basis, as long as the new purpose is compatible with the original purpose (unless your original lawful basis was consent).
Although currently favored by many businesses, consent is only one of the six legal grounds that render the processing of personal data lawful. Before commencing a processing activity, a data controller should consider whether consent is in fact the most appropriate ground; in some situations another basis will prove more suitable. When consent is chosen for a particular processing activity, all rules and rights attached to consent must be strictly observed, such as telling data subjects clearly what they are agreeing to and that they may withdraw consent at any time.
Using Consent as a legal ground for lawful processing
Consent is the first legal basis for processing personal data documented in the GDPR. A high standard has been set for cases where Consent is considered the most appropriate ground for processing.
The ICO has stressed the following important principles when Consent is used as the legal basis for processing personal data:
Consent must be named, i.e. any third-party controllers with whom the data will be shared must be specifically named; merely listing categories of third parties is not acceptable;
Consent must be granular, i.e. separate consent must be obtained for each processing activity;
Consent cannot be a pre-condition and must not be bundled in with Terms & Conditions;
Consent should only be relied upon if there is no other lawful basis for processing.
In simple terms, Consent means individuals are offered choices and ultimately, greater control over their personal information. Genuine consent effectively places the individual (data subject) in charge of their data and should build trust and confidence in an organization (data controller).
Consent requires a positive opt-in. Pre-checked boxes or other methods of consent by default are not acceptable under the GDPR. Consent requests must be clear and concise, and kept separate from other terms and conditions.
The GDPR requires that businesses make it easy for individuals to give consent and withdraw their consent. Furthermore, consent must be ‘granular’, meaning that separate consent must be given for each individual processing activity. Blanket consent is not acceptable.
GDPR Article 4(11) defines Consent as:
‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
For further clarity, GDPR Recital 32 states:
Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
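As an added example (not code from the original article or from The Data Privacy Group), here is how the consent rules above translate into record-keeping logic: a small append-only consent ledger in Python that refuses pre-ticked boxes and bundled catch-all purposes, records one affirmative opt-in per purpose together with the notice version and any named third-party recipients, and makes withdrawal as simple as giving consent. The purpose names, the notice version and the recipient names are hypothetical placeholders, and the form submission is constructed sample input.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


class InvalidConsent(ValueError):
    """The capture does not meet the Article 4(11) / Recital 32 standard."""


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str                    # one specific purpose per event (granular)
    given: bool                     # True = affirmative opt-in, False = withdrawal
    at: datetime
    notice_version: str             # privacy notice the subject was shown
    third_parties: Tuple[str, ...]  # named recipients covered by this consent
    method: str                     # how it was captured, e.g. "web_checkbox"


class ConsentLedger:
    """Append-only record of consent given and withdrawn, per subject and purpose."""

    def __init__(self, purposes: Dict[str, Tuple[str, ...]]):
        # purpose -> third-party controllers named in the consent request
        self.purposes = dict(purposes)
        self._events: List[ConsentEvent] = []

    def record(self, subject_id: str, form: List[dict], notice_version: str,
               method: str = "web_checkbox", at: Optional[datetime] = None) -> List[str]:
        """Validate a submitted consent form and append one event per opted-in purpose.

        `form` holds one dict per checkbox shown, e.g.
        {"purpose": "newsletter", "checked": True, "prechecked": False}.
        Returns the purposes for which consent was recorded. Validation is
        atomic: nothing is stored if any box on the form is unacceptable.
        """
        at = at or datetime.now(timezone.utc)
        new_events = []
        for box in form:
            purpose = box["purpose"]
            if purpose not in self.purposes:
                # a catch-all such as "all_marketing" is bundled consent, not granular
                raise InvalidConsent(f"unknown or bundled purpose: {purpose!r}")
            if box.get("prechecked"):
                # Recital 32: pre-ticked boxes or inactivity do not constitute consent,
                # so a form built that way is rejected even if the user left it ticked
                raise InvalidConsent(f"pre-ticked box for {purpose!r}")
            if box.get("checked"):
                new_events.append(ConsentEvent(
                    subject_id, purpose, True, at, notice_version,
                    self.purposes[purpose], method))
        # unticked boxes produce no event: silence is not consent, and the only
        # state we may record for them is "no consent given"
        self._events.extend(new_events)
        return [ev.purpose for ev in new_events]

    def withdraw(self, subject_id: str, purpose: str,
                 at: Optional[datetime] = None) -> None:
        """Withdrawal needs nothing beyond naming the purpose: as easy as giving."""
        if purpose not in self.purposes:
            raise InvalidConsent(f"unknown purpose: {purpose!r}")
        self._events.append(ConsentEvent(
            subject_id, purpose, False, at or datetime.now(timezone.utc),
            "n/a", (), "withdrawal"))

    def current(self, subject_id: str, purpose: str) -> Optional[ConsentEvent]:
        """Most recent event for this subject and purpose (the audit evidence)."""
        matches = [e for e in self._events
                   if e.subject_id == subject_id and e.purpose == purpose]
        return matches[-1] if matches else None

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        """True only if the latest event is an affirmative opt-in, not a withdrawal."""
        ev = self.current(subject_id, purpose)
        return ev is not None and ev.given


def demo() -> ConsentLedger:
    """Constructed walk-through: one visitor ticks the newsletter box only, then withdraws."""
    ledger = ConsentLedger({
        "newsletter": (),
        "analytics": ("ExampleAnalytics Ltd",),      # hypothetical named recipient
        "partner_offers": ("ExamplePartner GmbH",),  # hypothetical named recipient
    })
    ledger.record("user-42", [
        {"purpose": "newsletter", "checked": True, "prechecked": False},
        {"purpose": "analytics", "checked": False, "prechecked": False},
        {"purpose": "partner_offers", "checked": False, "prechecked": False},
    ], notice_version="2024-03")
    ledger.withdraw("user-42", "newsletter")
    return ledger


if __name__ == "__main__":
    led = demo()
    for p in ("newsletter", "analytics", "partner_offers"):
        print(p, led.has_consent("user-42", p), led.current("user-42", p))
```

Because the ledger is append-only, the event returned by `current()` is the evidence a controller would produce on request: who consented, to what, when, against which notice and which named recipients, or that consent was later withdrawn. A processing pipeline should call `has_consent()` at the point of use rather than caching a yes/no flag, so that a withdrawal takes effect immediately.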
Using Contractual Necessity as a legal ground for lawful processing
As shown in GDPR Article 6, the second legal ground relates to the necessity of personal data processing for the performance of a contract.
This basis applies where the data subject is a party to a contract, or has asked the controller to take steps before entering into one, and the processing is genuinely needed to perform that contract or to take those steps.
Recital 40 says “the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract” as a legitimate basis of lawful processing.
Recital 44 states that “processing should be lawful where it is necessary in the context of a contract or the intention to enter into a contract.”
Two different contracts are often confused here. The Article 6(1)(b) basis concerns the contract with the data subject: the processing must be objectively necessary to perform that contract or to take the pre-contractual steps the individual has requested. Separately, and regardless of which lawful basis is relied upon, Article 28 requires a written contract (or other legal act) to be in place whenever a controller uses a processor, so that both parties understand their responsibilities and liabilities. That controller-processor contract must set out:
the subject matter of the processing;
the duration of the processing;
the nature and purpose of the processing;
the type of personal data involved;
the categories of data subject; and
the controller’s obligations and rights.
If a processor uses another organization (a sub-processor) to assist in its processing of personal data for a controller, it must have a written contract in place with that sub-processor imposing the same data protection obligations.
Almost any contract with an individual involves processing their personal data, if only their contact details; some, such as an insurance contract, require a great deal more. The basis should not be stretched, however. Processing must be objectively necessary for the contract, not merely useful or mentioned in it, and controllers should resist treating loosely related activities as contractual necessity simply to avoid having to seek consent.
Using Legal Obligations as a legal ground for lawful processing
Legal Obligation is the third legal ground for lawful processing documented in the GDPR.
Article 6(1)(c) provides a lawful basis for processing where “processing is necessary for compliance with a legal obligation to which the controller is subject.”
In simple terms, this means that where a data controller is legally obliged to process personal data in order to comply with the law, the processing is deemed lawful.
For example: a financial institution relies on the legal obligation imposed by Part 7 of the Proceeds of Crime Act 2002 to process personal data in order to submit a Suspicious Activity Report to the National Crime Agency when it knows or suspects that a person is engaged in, or attempting, money laundering.
Another example could be when a court order requires a company to process personal data for a particular purpose. This also qualifies as a legal obligation.
Where processing is based on a legal obligation, the individuals concerned do not have the right to erasure, the right to data portability or the right to object in respect of that processing.
Legal Obligation can be relied upon as a lawful basis if it is necessary to process personal data to comply with a common law or statutory obligation. However, it does not apply to contractual obligations.
The processing must be necessary: this basis cannot be relied upon where compliance with the obligation can reasonably be achieved without processing the personal data.
In all cases of processing in compliance with legal obligations, the following procedures should be undertaken:
Document your decision that processing is necessary for compliance with a legal obligation;
Identify an appropriate source for the obligation in question; and
Include information about your purposes and lawful basis in your privacy notice.
Using Vital Interests as a legal ground for lawful processing
The use of Vital Interests as a legal ground for processing can normally be relied upon when there is a need to process the personal data to protect the life of an individual.
However, such processing must be deemed absolutely necessary. If it is possible to reasonably protect the individual’s vital interests in another less intrusive way, this basis will not apply.
Vital Interests cannot be relied upon for health data or other special category data if the individual is capable of giving consent, even if they refuse their consent.
An example where Vital Interests is likely to apply: an individual is admitted to a hospital A&E department with life-threatening injuries after a serious road accident, and disclosure of their medical history to the hospital is necessary to protect their life.
Vital Interests is less likely to be appropriate where medical care is planned in advance; another lawful basis, such as public task or legitimate interests, is then likely to be more suitable.
If Vital Interests is relied upon, the circumstances should be fully documented so that the reasoning can be justified later.
GDPR Recital 46 suggests that Vital Interests could apply when processing personal data on humanitarian grounds such as monitoring epidemics, or where a serious incident has occurred, which has caused a humanitarian emergency:
The processing of personal data should also be regarded to be lawful where it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person.
Processing of personal data based on the vital interest of another natural person should in principle take place only where the processing cannot be manifestly based on another legal basis.
Some types of processing may serve both important grounds of public interest and the vital interests of the data subject as for instance when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread or in situations of humanitarian emergencies, in particular in situations of natural and man-made disasters.
Using Public Interest as a legal ground for lawful processing
GDPR Article 6 describes Public interest (Public Task) as a basis for lawful processing as follows:
“processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”.
This lawful basis can be applied when the personal data is being processed ‘in the exercise of official authority’. This covers public functions and powers that are set out in law or to perform a specific task in the public interest that is set out in law.
This is most relevant to public authorities but can also be applied to any organization that exercises official authority or carries out tasks in the public interest.
There is no requirement to hold a specific statutory power to process personal data. However, the underlying task, function or power must have a clear basis in law.
The processing must be deemed absolutely necessary. If the same task can be reasonably performed in a less intrusive way, this lawful basis does not apply.
Again, it is important that any decision to rely on this basis is fully documented, to help demonstrate compliance. Affected organizations should be able to specify the relevant task and function or power, as well as to identify its statutory or common law basis.
GDPR Recital 45 states:
“It should also be for Union or Member State law to determine whether the controller performing a task carried out in the public interest or in the exercise of official authority should be a public authority or another natural or legal person governed by public law, or, where it is in the public interest to do so, including for health purposes such as public health and social protection and the management of health care services, by private law, such as a professional association”.
Using Legitimate Interest as a legal ground for lawful processing
Legitimate Interest is the last of the six legal grounds for the lawful processing of personal data and is set out in Article 6(1)(f) of the GDPR.
Although it should not be assumed that Legitimate Interest will always be the most appropriate lawful basis for processing, it does provide the most flexible legal grounds for processing personal data.
It is particularly suitable where personal data is processed in ways that people would reasonably expect and that have a minimal impact on their privacy.
There are three essential ingredients to Legitimate Interests. Organizations need to:
identify a legitimate interest;
show that the processing is necessary to achieve it; and
balance it against the individual’s interests, rights and freedoms.
For added clarity, GDPR Recitals 47 and 48 give examples of legitimate interests (Recital 47 mentions direct marketing and the prevention of fraud). Recital 48 states:
Controllers that are part of a group of undertakings or institutions affiliated to a central body may have a legitimate interest in transmitting personal data within the group of undertakings for internal administrative purposes, including the processing of clients’ or employees’ personal data.
The general principles for the transfer of personal data, within a group of undertakings, to an undertaking located in a third country remain unaffected.
When considering the use of Legitimate Interest as a legal basis for processing, companies must balance their own interests against the interests of the individuals concerned. If data subjects would not reasonably expect the processing, or if such processing would cause unjustified harm, then their interests are likely to override the company’s legitimate interests.
Article 6(1)(f) reads as follows:
“processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
The ICO suggests the following three-part test for justifying reliance on Legitimate Interests:
Purpose: Are you pursuing a legitimate interest?
Necessity Test: is the processing necessary for that purpose?
Balancing Test: do the individual’s interests override the legitimate interest?
As previously mentioned, Legitimate Interest is the most flexible lawful basis for processing. However, it is important for companies to always balance their own interests against the interests of the individual, in order to avoid causing unwarranted harm.
Balancing does not mean that the company’s interests must always align with the individual’s. Where there is a conflict, the company’s interests may still prevail, provided the processing is necessary, the impact on the individual is proportionate, and the decision is clearly justified and documented.
And finally …
Be sure to carefully document your data processing operations and select the most appropriate legal grounds for processing. This is not always straightforward: special categories of personal data such as health data or data revealing religious beliefs (Article 9), and data about criminal convictions and offences (Article 10), require an additional condition on top of the Article 6 lawful basis.
Further reading: Lawful basis for processing (ICO)
This article is provided for informational purposes only. The Data Privacy Group strongly recommends that you engage the services of an experienced data privacy practitioner when preparing for GDPR compliance.