Article 6 of the GDPR sets out six ‘lawful bases’ for processing personal data (information which relates to an identified or identifiable natural person). At least one of these must apply in order for data to be processed lawfully; in data protection terms, ‘lawfully’ means satisfying one of the lawful bases for processing without contravening any other statutory or common law obligation. Without a lawful basis, the organisation and its processing do not comply with Article 5’s principles of lawfulness and accountability (perhaps the most important GDPR principle, which requires controllers to take responsibility for complying with the GDPR and to document their compliance).
If an organisation cannot demonstrate that one of the six bases applies, then processing those data is unlawful.
So, it is very important!
1. Consent
Consent is an unambiguous, informed and freely given indication by an individual agreeing to their personal data being processed. For an organisation to use consent as a lawful basis, data subjects (that’s you and me) must agree to their personal data being processed. They must have a genuine free choice over whether or not to provide their consent.
2. Contract
Data can be processed if the processing is necessary to perform a contract with the data subject (an individual who can be identified, or is identifiable, from the data). It is acceptable to process the data before the contract is entered into (e.g. providing an insurance quote), provided the information has been requested by the data subject.
3. Legal Obligation
If processing personal data is required to comply with a common law or statutory obligation under UK or EU law, then this is considered a lawful basis providing that:
The individual’s right to erasure (a qualified right under the GDPR allowing data subjects to request that their personal data be erased, subject to exemptions), right to data portability and right to object do not apply when Legal Obligation is the basis for processing.
4. Vital Interests
If the data processing is in the Vital Interests of the data subject, then this is a lawful basis. This basis is likely only to apply in emergency medical situations where processing medical data is required to protect a person’s life, or the life of another person, but the individual is unable to give consent.
If it is possible to protect the person’s vital interests in an alternative and less intrusive way, then this basis does not apply.
You cannot rely on this basis for health or other special category data if the individual is capable of providing their consent, even if they refuse to provide it. Special category data are the types of personal data listed in Article 9(1) GDPR that are considered sensitive and therefore require extra protection: data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health, sex life and sexual orientation (see GDPR Article 9).
5. Public Task
If processing personal data is required ‘in the exercise of official duty’ or to perform a specific task in the public interest that is set out in law, then this is a lawful basis.
6. Legitimate Interests (LI)
Legitimate Interest is arguably the most flexible lawful basis, but organisations using it must be able to demonstrate a balance between their interest in processing an individual’s data and the individual’s reasonable expectations of that processing.
Whenever legitimate interest is used as a basis, a three-part balancing test should be applied to justify doing so. In conducting the balancing test the following should be considered:
Only where it can be demonstrated that the interests of the data subject and the organisation are balanced can LI be considered a lawful basis for processing.
Documenting the Lawful Basis
Once an organisation has established a lawful basis, this must be documented in the privacy notice (a clear, open and honest explanation of how the organisation processes personal data).
Impact on Individual Rights
The lawful basis identified directly affects which of the rights an individual is able to exercise in respect of the data. The table below indicates which rights can be exercised according to the lawful basis applied.
Individual Rights

| Lawful basis | Right to Erasure | Right to Portability | Right to Object |
|---|---|---|---|
| Consent | ✓ | ✓ | ⤫ |
| Contract | ✓ | ✓ | ⤫ |
| Legal Obligation | ⤫ | ⤫ | ⤫ |
| Vital Interest | ✓ | ⤫ | ⤫ |
| Public Task | ⤫ | ⤫ | ✓ |
| Legitimate Interest | ✓ | ⤫ | ✓ |
Deciding on the Lawful Basis
Designating the appropriate lawful basis (the rationale under which personal data may be processed) for each of your datasets and the categories of data they contain is not straightforward. The ICO (the United Kingdom’s independent supervisory authority for ensuring compliance with the UK GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations and related law) does provide an interactive guidance tool; however, making the right decision requires a thorough understanding of the requirements of the regulation as well as the manner in which the data will be used. We would recommend that a suitably qualified Data Protection Officer (DPO) assist you in making this decision, most likely as part of an Impact Assessment of your wider data landscape. For further assistance please contact us.