
The lawful basis for Data Processing under the GDPR

A lawful (or legal) basis for processing data must be satisfied before a business can process any personal data. Article 6 of the GDPR describes six scenarios in which you are allowed to process data lawfully.

1. Data subject has given consent

The GDPR states that the individual’s consent must be:

  • freely and clearly given,
  • specific,
  • informed, and
  • unambiguous. 

It is important to know that the request for consent must be clearly distinguishable from all other text, so that the individual understands what data is collected from them and how it is used.

Individuals must be given the option to refuse or withdraw their consent at any time and without penalty. The company must honour the withdrawal and stop processing the individual’s data.

Withdrawing consent must be as easy as giving it. It is the company’s obligation to demonstrate that the individual has given their consent to the processing of their data.

If data is used for multiple purposes, then consent is required for each purpose separately.

2. There is an existing contract

The processing is necessary for the performance of a contract, or for taking steps at the request of the individual before entering into a contract.

For example, when an individual wants to open a bank account, he or she is asked to fill out a form with his or her personal details. This counts as pre-contractual processing.

But if, once the account is opened, the bank would like to send you campaign offers as part of its marketing activities, it needs to use your email address to do so. In this situation, the bank must first obtain your consent in order to have a valid lawful basis.

3. Processing is necessary for compliance with a legal obligation

The controller is obliged to process data where this is required by EU or EU Member State law.

National laws may require companies to process personal data. For example, Estonian accounting law requires companies to preserve documents for 7 years, so those companies are bound by national law to process that data.

For a public authority processing data, a legal obligation means that there is an official mission set for it by law. For example, the tax department, the police, and financial institutions process individuals’ personal data because it is their job.

4. Processing is necessary in order to protect vital interests

This basis applies when processing is necessary to protect an individual’s life or physical integrity when it is in danger (for example, emergency medical care) and the data subject is not able to give consent. It should be used only as a last resort.

For example, it is important that ambulance staff can access an individual’s medical data in case of an accident. Processing under vital interests is used mostly in extreme conditions and circumstances.

5. Processing is necessary for the performance of a task carried out in the public interest

The processing is necessary to perform a task in the public interest or to exercise official functions, and the task or function has a clear basis in law.

Processing individuals’ data for the benefit of the public can be seen as being in the public interest; for example, when an outbreak has occurred, data processing can help with statistics and information flow. Processing the data of a public figure is in the public interest when public interest in that person is high.

6. Processing is necessary for the purposes of legitimate interests

The processing is necessary for the company’s interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

Legitimate interest may only be applied in situations where there is a relevant and appropriate relationship between the individual and the data processor.

Such situations include, for example, a client and service provider relationship, where the client can reasonably expect that their data will be processed. When a company belongs to a group, transmitting data within the group for internal administrative purposes is a legitimate interest.

A LIA (Legitimate Interests Assessment) must be thoroughly documented as part of the organization’s compliance records. This documentation should demonstrate that the organization has carefully considered the rights and interests of the data subjects and has appropriate safeguards in place to protect those interests.

Legitimate interest does not apply to public authorities processing personal data to perform their tasks.

Recording the lawful basis for each processing activity

According to Article 30 of the GDPR, the lawful basis should be recorded in the Record of Processing Activities.

The simplest way to manage and record all processing activities is with a tool like GDPR Register.


GDPR Lawful Basis - Frequently Asked Questions:

How do we decide which lawful basis applies?

Start by clearly understanding why you want to process the data. This will guide you in choosing the most appropriate basis. Remember, there’s no one-size-fits-all answer; the choice depends on your unique processing situation. Note that the GDPR does not favor one lawful basis over another.

Consider these key factors to guide your decision:

  • Purpose of Processing: Some lawful bases are linked to specific purposes like fulfilling a contract, complying with legal obligations, protecting vital interests, or performing tasks in the public interest. Start by examining these purposes as they may directly point to the suitable lawful basis.
  • Expectation and Relationship with the Individual: Reflect on whether the individuals would reasonably expect this processing, and consider your relationship with them. This is particularly relevant when weighing the merits of legitimate interests versus consent.
  • Impact on the Individual: Evaluate the potential impact of the processing on individuals, considering if they are in a vulnerable position, the balance of power, and whether they are likely to object to the processing.
  • Control and Responsibility: If maintaining control over the processing and taking responsibility for demonstrating its alignment with individuals’ expectations and impacts is a priority, legitimate interests might be the preferred basis. Conversely, if offering individuals complete control and the ability to revoke their data processing consent is your goal, then consent could be the better choice.

Document your decision-making process to ensure compliance and provide a rationale for the chosen lawful basis or bases. This thoughtful approach ensures that your data processing activities are both justified and compliant with GDPR principles.

Can we change our lawful basis?

Generally, you should not change your lawful basis for processing personal data after you have started processing.

However, there are exceptional situations where a change might be justified. If you find that the basis you initially chose does not apply or is no longer appropriate, you must carefully document this change and ensure it can be justified, keeping in mind the principles of transparency and accountability under the GDPR. You also need to inform the data subjects of this change in a clear and understandable manner, explaining the reasons behind it.

It’s important to approach any change cautiously and ensure that it does not lead to unfairness or surprise for the individuals whose data you are processing. In most cases, it’s better to select the most appropriate lawful basis from the start rather than trying to switch bases later on.

What is Special Category data?

Special Category data under the GDPR refers to a type of personal data that is considered more sensitive and, therefore, requires higher levels of protection. This type of data can reveal an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data (where used for identification purposes), and health information.

Due to its sensitive nature, processing Special Category data is subject to stricter conditions. Generally, you need a stronger legal basis to process this data, such as explicit consent from the individual or the necessity for substantial public interest under EU or member state law. The GDPR aims to ensure that an individual’s privacy rights are protected, especially when it comes to personal data that could lead to discrimination or other harm if processed improperly.

If you are processing special category data, you need to identify both a lawful basis for processing and a special category condition for processing in compliance with Article 9.
