6 Legal Bases for Processing Personal Data
One of the seven major data processing principles of GDPR is to ensure that personal data is processed lawfully, fairly, and transparently. To comply with this principle, Chapter 6 of the GDPR requires any organization processing personal data to have a valid legal basis for that processing activity. Think of these as the scenarios in which it is lawful to process data. GDPR provides six legal bases for processing:
- Consent – The data subject has given permission for the organization to process their personal data for one or more processing activities. Consent must be freely given, clear, and easy to withdraw, so organizations need to be careful when using consent as their legal basis. For example, GDPR brings the age of automatically checked consent boxes to an end.
- Performance of a Contract – Self-explanatory, right? The data processing activity is necessary to enter into or perform a contract with the data subject. If the processing activity does not relate to the terms of the contract, then that data processing activity needs to be covered by a different legal basis.
- Legitimate Interest – A processing activity that a data subject would normally expect an organization to perform with the personal data given to it, such as marketing activities and fraud prevention. If legitimate interest is used as a legal basis for processing, the organization must perform a balancing test: is this processing activity necessary for the organization to function? Does the processing activity outweigh any risks to a data subject’s rights and freedoms? If the answer to either of those questions is “no,” then the organization cannot use legitimate interest as its legal basis for processing.
- Vital Interest – A rare processing activity that is required to save someone’s life. This is most commonly seen in emergency medical care situations.
- Legal Requirement – The processing activity is necessary to meet a legal obligation, such as an information security, employment, or consumer transaction law.
- Public Interest – A processing activity carried out by a government entity or by an organization acting on behalf of a government entity.
Challenges for Choosing a Legal Basis
Choosing the appropriate legal basis for processing is extremely important for several reasons, including:
- There must be only one legal basis for processing at a time, and that legal basis must be established before the processing begins. Under GDPR, organizations cannot establish the legal basis after processing personal data or alternate between legal bases.
- Whichever legal basis is chosen must be demonstrable at all times. An organization must be able to show internally, to data subjects, and to regulatory entities which legal basis it uses for each data subject. For example, organizations must be able to demonstrate when and how a data subject provided consent or executed a contract.
- The legal basis for processing has a significant impact on the way that an organization responds to data subject rights requests because there are conditions, exceptions, and limitations on requests depending on the legal basis for processing.
- If an organization uses multiple bases for different data processing activities, the organization should be able to distinguish which legal basis is being used for which data set and respond correctly to data subject rights requests.
- Special categories of data (such as race, ethnic origin, religion, trade union membership, biometrics, and health data) have unique legal bases for processing, which include preventive or occupational medicine, public health, collective bargaining agreements, and the legitimate activities of non-profit organizations.
It’s important to note that no one legal basis for processing is universally superior to another. The most effective legal basis for processing depends on the purpose of the processing, the type of personal data being processed, and the relationship with the data subject. Choosing the appropriate legal basis for each processing activity is incredibly important; if the wrong legal basis is chosen, the result can be unlawful processing, noncompliant responses to data subject rights requests, and inadequate organizational and technical data processing controls.
GDPR requires any organization processing personal data to have a valid legal basis for that processing activity. The law provides six legal bases for processing: consent, performance of a contract, a legitimate interest, a vital interest, a legal requirement, and a public interest. First, most organizations ask whether they have to have consent to process data. The answer is: not necessarily. As I mentioned, consent is just one of six legal grounds for processing data. If you do use consent, you should know that consent must be freely given and clear, and it must be as easy to withdraw consent as it is to give it.
Legitimate interest, for example, covers something like a marketing activity. That’s a processing activity that a data subject would normally expect an organization to perform with the personal data given to it. However, if an organization uses legitimate interest as its legal basis for processing, it has to perform a balancing test. Is the processing activity necessary for the organization to function? Does the processing activity outweigh any objection or risks to a data subject’s rights and freedoms? The contract basis is fairly self-explanatory. Public interest is a processing activity carried out by a government entity or by an organization acting on behalf of a government entity. Vital interest covers the rare occasion where processing data is required to save someone’s life.
The legal basis for processing is so important because it must be demonstrable at all times. An organization must be able to show internally, to data subjects, and to regulatory entities which legal basis it uses for each individual whose data it processes. If a data subject gives consent to an organization, the organization must be able to demonstrate when and how that data subject gave consent.
Because consent must be freely given, organizations can no longer use automatically checked boxes to demonstrate that data subjects gave consent for the organization to use their data. The consent process must be clear, and sometimes it must be separate for each purpose. For example, if an organization is going to use email to send marketing messages to a data subject, it might choose to have a separate consent box for email than it does for other forms of communication, such as text messages or phone calls.
The legal basis for processing is also important because it has a significant impact on the way that an organization responds to data subject rights requests. Some rights may apply only when consent is the legal basis for processing, or only when performance of a contract is the legal basis for processing. There are other implications of the legal basis for processing as well. For example, the processing of special categories of data, which include race, ethnicity, healthcare data, and biometric data, among other sensitive information, requires certain specific bases for processing.
Another challenge arises when an organization uses multiple legal bases to process different data sets. For example, an organization might process the personal data of EU data subjects who are its employees, and also of customers to whom it sells and markets services. The legal basis for processing employee data may differ from the legal basis for processing customer data. An organization should make sure it can distinguish which legal basis is being used for each processing activity, both to respond correctly to data subject rights requests and to perform any balancing tests related to legitimate interests. Finally, it should be noted that organizations can’t select one legal basis for processing data and then later switch to another, for instance by relying on both consent and contract. There must be only one basis for processing a given set of personal data at a time.
Here are some more notes on the legal bases for processing personal data. First, the legal basis for processing personal data must be established before processing begins. Organizations can’t start processing personal data and then go back to execute a contract, obtain consent, or claim legitimate interest. Second, no one legal basis for processing is necessarily superior to the others. The most effective legal basis for processing depends on the purpose of the processing and the relationship with the data subject.