Article 6 of the GDPR sets out six ‘lawful bases’ for processing personal data (information which relates to an identified or identifiable natural person). At least one of these must apply in order for data to be processed. In data protection terms, the processing must satisfy one of the appropriate lawful bases and must not contravene any other statutory or common law obligation. Without a lawful basis, neither the organisation nor the processing complies with Article 5’s principles of lawfulness and accountability.
If an organisation cannot demonstrate that one of the six bases applies, then processing those data is unlawful.
So, it is very important!
For an organisation to use consent as a lawful basis, data subjects (that’s you and I) must agree to their personal data being processed. They must have a free choice over whether or not to provide their consent.
Data can be processed if the processing is necessary to perform a contract with the data subject (an individual who can be identified, or is identifiable, from the data). It is acceptable to process the data before the contract is entered into (e.g. providing an insurance quote) provided the processing has been requested by the data subject.
If processing personal data is required to comply with a common law or statutory obligation under UK or EU law then this is considered a lawful basis providing that:
The individual’s right to erasure, right to data portability and right to object do not apply when Legal Obligation is defined as the basis for processing.
If the data processing is in the Vital Interests of the data subject then this is a lawful basis. This basis is likely only to apply in emergency medical situations where processing medical data is required to protect a person’s life, or the life of another person, but the individual is unable to give consent.
If it is possible to protect the person’s vital interests in an alternative and less intrusive way, then this basis does not apply.
You cannot rely on this basis for health or other special category data (personal data which requires more protection because it is sensitive in nature: data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, and data concerning health, a person’s sex life, or sexual orientation; see GDPR Article 9) if the individual is capable of providing their consent, even if they refuse to provide it.
If processing personal data is required ‘in the exercise of official duty’ or to perform a specific task in the public interest that is set out in law, then this is a lawful basis.
Legitimate Interest is arguably the most flexible lawful basis, but organisations using it must be able to demonstrate a balance between their interest in processing an individual’s data and the individual’s reasonable expectations of how their data will be used.
Whenever legitimate interest is used as a basis then a three-part balancing test should be applied to justify doing so. In conducting the balancing test the following should be considered:
Only where it can be demonstrated that the interests of the data subject and the organisation are balanced can Legitimate Interest be considered a lawful basis for processing.
Documenting the Lawful Basis
Once an organisation has established a lawful basis, this must be documented in its privacy notice (a clear, open and honest explanation of how the organisation processes personal data).
Impact on Individual Rights
The lawful basis identified directly affects which of the rights an individual is able to exercise in respect of the data. The table below indicates which rights can be exercised according to the lawful basis applied.
| Right to Erasure | Right to Portability | Right to Object |
| --- | --- | --- |
Deciding on the Lawful Basis
Designating the lawful basis for processing for each of your datasets, and for the categories of data they contain, is not straightforward. The ICO does provide an interactive guidance tool; however, making the right decision requires a thorough understanding of the requirements of the regulation as well as the manner in which the data will be used. We would recommend that a suitably qualified Data Protection Officer (DPO), an independent data protection expert whose role includes monitoring internal compliance, advising on data protection obligations and acting as a contact point for data subjects and the supervisory authority, assist you in making this decision, most likely as part of an Impact Assessment of your wider data landscape.