Article 6 of the GDPR sets out six ‘lawful bases’ for processing personal data. At least one of these must apply in order for data to be processed lawfully. Without a lawful basis, neither the organisation nor the processing complies with Article 5’s principles of lawfulness and accountability.
If an organisation cannot demonstrate that one of the six bases applies, then processing those data is unlawful.
So it is very important!
For an organisation to use consent as a lawful basis, data subjects (that’s you and me) must agree to their personal data being processed. They must have a free choice over whether or not to provide their consent.
Data can be processed if the data is necessary to perform a contract with the data subject. It is acceptable to process the data before the contract is entered into (e.g. providing an insurance quote) provided the information has been requested by the data subject.
If processing personal data is required to comply with a common law or statutory obligation under UK or EU law then this is considered a lawful basis providing that:
The individual’s right to erasure, right to data portability and right to object do not apply when Legal Obligation is the basis relied on for processing.
If the data processing is in the Vital Interests of the data subject then this is a lawful basis. This basis is likely only to apply in emergency medical situations where processing medical data is required to protect a person’s life, or the life of another person, but the individual is unable to give consent.
If it is possible to protect the person’s vital interests in an alternative and less intrusive way, then this basis does not apply.
You cannot rely on this basis for health or other special category data (see GDPR Article 9) if the individual is capable of providing their consent, even if they refuse to provide their consent.
If processing personal data is required ‘in the exercise of official duty’ or to perform a specific task in the public interest that is set out in law, then this is a lawful basis.
Legitimate Interest is arguably the most flexible lawful basis, but organisations using it must be able to demonstrate a balance between their interest in processing an individual’s data and the individual’s reasonable expectations of how their data will be used.
Whenever legitimate interest is used as a basis then a three-part balancing test should be applied to justify doing so. In conducting the balancing test the following should be considered:
Only where it can be demonstrated that the interests of the data subject and the organisation are balanced can Legitimate Interest (LI) be considered a lawful basis for processing.
Documenting the Lawful Basis
Once an organisation has established a lawful basis, then this must be documented in the privacy notice.
Impact on Individual Rights
The lawful basis identified directly affects which of the rights an individual is able to exercise in respect of the data. The table below indicates which rights can be exercised according to the lawful basis applied.
| Right to Erasure | Right to Portability | Right to Object |
|---|---|---|
Deciding on the Lawful Basis
Designating the appropriate lawful basis for processing to each of your datasets and the categories of data they contain is not straightforward. The ICO does provide an interactive guidance tool; however, making the right decision requires a thorough understanding of the requirements of the regulation as well as the manner in which the data will be used. We would recommend that a suitably qualified Data Protection Officer (DPO) assist you in making this decision, most likely as part of an Impact Assessment of your wider data landscape. For further assistance, please contact us.