Article 6 of the GDPR sets out six ‘lawful bases’ for processing personal data. At least one of these must apply in order for data to be processed lawfully. Without a lawful basis, neither the organisation nor the processing complies with Article 5’s principles of lawfulness and accountability.
If an organisation cannot demonstrate that one of the six bases applies, then processing those data is unlawful.
So it is very important!
- Consent
For an organisation to use consent as a lawful basis, data subjects (that’s you and I) must agree to their personal data being processed. They must have a free choice over whether or not to provide their consent.
- Consent requests must be clear, unambiguous and separate from other terms
- Individuals must actively opt in by ticking a box, signing a document, providing an affirmative response to a verbal statement etc.
- If a new purpose for processing arises, new consent must be requested from individuals
- Consent must be as easy to withdraw as it was to give
- Evidence of consent must be recorded (when, where and how it was given)
- Contract
Data can be processed if the processing is necessary to perform a contract with the data subject. It is acceptable to process the data before the contract is entered into (e.g. providing an insurance quote) provided the information has been requested by the data subject.
- Processing must be “necessary”. The processing must be a reasonable and proportionate way of achieving the purpose
- If the data subject is less than 18 years old, then an organisation must ensure the individual is sufficiently competent to enter into the contract
- The individual’s right to object does not apply if Contract is identified as the legal basis for processing. Similarly, the individual’s right not to be subject to a decision based solely on automated processing does not apply
- Legal Obligation
If processing personal data is required to comply with a common law or statutory obligation under UK or EU law then this is considered a lawful basis, provided that:
- The organisation’s overall purpose in processing is to comply with the legal obligation
- The legal obligation is identifiable in a specific provision or official guidance document
- Processing is necessary
The individual’s right to erasure, right to data portability and right to object do not apply when Legal Obligation is defined as the basis for processing
- Vital Interests
If the data processing is in the Vital Interests of the data subject then this is a lawful basis. This basis is likely only to apply in emergency medical situations where processing medical data is required to protect a person’s life, or the life of another person, but the individual is unable to give consent.
If it is possible to protect the person’s vital interests in an alternative and less intrusive way, then this basis does not apply.
You cannot rely on this basis for health or other special category data (see GDPR Article 9) if the individual is capable of providing their consent, even if they refuse to provide their consent.
- Public Task
If processing personal data is required ‘in the exercise of official duty’ or to perform a specific task in the public interest that is set out in law, then this is a lawful basis.
- This basis is mostly used by public authorities, however it can also apply to private organisations that carry out duties ‘in the public interest’ (such as a college).
- Processing must be necessary
- In this case individuals do not have the right to erasure or data portability
- Legitimate Interests (LI)
Legitimate Interest is arguably the most flexible lawful basis, but organisations using it must be able to demonstrate a balance between their interest in processing an individual’s data and the individual’s reasonable expectations of how their data will be used.
Whenever legitimate interest is used as a basis then a three-part balancing test should be applied to justify doing so. In conducting the balancing test the following should be considered:
- Establishing a legitimate interest:
- What are the benefits for the company/individual/wider society?
- How important are the benefits?
- Is the interest ethical and lawful?
- Establishing necessity:
- Is the processing reasonable and proportionate?
- Does the processing benefit the legitimate interest?
- Individuals’ interests v legitimate interest:
- Do the individual’s interests outweigh the legitimate interest?
Only where it can be demonstrated that there is a balance of the interests between the data subject and the organisation can LI be considered a lawful basis for processing.
Documenting the Lawful Basis
Once an organisation has established a lawful basis, then this must be documented in the privacy notice.
Impact on Individual Rights
The lawful basis identified directly affects which of the rights an individual is able to exercise in respect of the data. The table below indicates which rights can be exercised according to the lawful basis applied.
| Right to Erasure | Right to Portability | Right to Object |
|---|---|---|
Deciding on the Lawful Basis
Assigning the appropriate lawful basis for processing to each of your datasets and the categories of data they contain is not straightforward. The ICO does provide an interactive guidance tool; however, making the right decision requires a thorough understanding of the requirements of the regulation as well as the manner in which the data will be used. We would recommend that a suitably qualified Data Protection Officer (DPO) assist you in making this decision, most likely as part of an Impact Assessment of your wider data landscape. For further assistance please contact us.