Lawfulness, transparency, and fairness are the key ingredients to the first principle of data processing in the General Data Protection Regulation (GDPR): “Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.”
Each of these elements deserves special attention, but today, we want to look specifically at the “lawful” requirement, exploring the six lawful bases for processing personal data under the GDPR:
- Consent: The data subject has freely given consent for their information to be processed for a specific purpose.
- Contract: Processing is necessary due to the fulfillment of a contract.
- Legal Obligation: Processing is necessary to comply with the law.
- Vital Interest: Processing is necessary to save or protect an individual’s life.
- Public Tasks: Processing is necessary to perform a public interest in official functions. (Primarily applies to governmental agencies/entities.)
- Legitimate Interests: Processing is necessary to the legitimate interests of an organization or a third-party affiliate.
Lawful basis is not to be trifled with – it’s the foundation for data processing under the GDPR. The GDPR requires every organization (government, non-profit, commercial, etc.) to have a lawful basis for each and every instance of data processing. Those who don’t properly identify a lawful basis that corresponds to each processing activity will be in violation of the regulation.
The definitions for each basis are clear, but it can be difficult to know how to tie each processing activity to the right lawful basis. To help you out, we’ve put together a list of examples for the three lawful bases that apply to most global, commercial businesses.
Examples of Lawful Basis Under the GDPR
Other than Consent, all other lawful bases for data processing require the processing to be necessary. This means that organizations should only be collecting and processing information for a specific purpose. This list is going to focus on scenarios where processing is necessary for conducting business and falls under the legal basis of Contracts, Legal Obligation, or Legitimate Interest. We wrote a whole other blog post on Consent, which you can check out here.
This post will not cover the bases of Public Tasks and Vital Interest, as those are less likely to affect organizations based in the U.S.
Let’s dive in!
Using Contracts as a Lawful Basis
Contractual relationships are a core part of doing business for many organizations. Recognizing that contracts between customers and businesses may require the collection of personal information like credit card numbers and contact information, the GDPR has established Contracts as a lawful basis for processing.
Scenario One: Pre-Contractual Relationship
During the sales process, a customer may request more information or sign up for a trial, which may require the processing of personal data like credit card information or contact information.
Scenario Two: New Contract
In order to complete a new contract or fulfill an existing contract, personal data processing is necessary.
Using Legal Obligation as a Lawful Basis
Organizations can only process data under the basis of Legal Obligation if it is necessary to comply with an existing EU Member State law. Some examples of these legal scenarios include:
- Scenario One: Employee information (salary, etc.) is needed by a regulatory or government body.
- Scenario Two: A criminal investigation requires the processing of personal data.
- Scenario Three: Court orders or subpoenas require the processing of personal data.
- Scenario Four: Information from accident reports require processing for health and safety records.
Using Legitimate Interest as a Lawful Basis
For many organizations, the most common lawful basis for processing will be Legitimate Interest. This basis allows organizations to process data without an individual’s consent as long as the processing does not interfere with the individual’s rights, freedom, or legitimate interest. Unfortunately, this description is pretty vague and leaves a number of questions unanswered, but the good news is the GDPR does provide a few specific examples of when Legitimate Interest can serve as a lawful basis.
Scenario One: Direct Marketing and Fraud Prevention
This scenario allows an organization to process an individual’s data without direct consent when the purpose for processing can be described as a reasonable expectation stemming from the relationship between the data subject and controller, pursuant to this interest, such as direct physical or electronic mailing with an effective opt-out. For example:
- The data subject has requested more information on specific services provided by the organization and submitted their contact information. This information can be processed in order to respond to their request. Legitimate Interest may be used for marketing purposes as long as it has a minimal impact on a data subject’s privacy and it is likely the data subject will not object to the processing or be surprised by it.
- The data subject has committed an action that will negatively affect the organization, like not paying an invoice. The organization may need to process the data subject’s information in order to collect payment.
Scenario Two: Internal Administrative Purposes
This one is pretty simple. Legitimate Interest can be used as a lawful basis for the transmission of personal data within the organization for internal operations like payroll.
Scenario Three: Market Research
Situations that call for the transfer of customer data to a third party for data analysis as part of market research can fall under Legitimate Interest. The GDPR considers market research activities under the umbrella of Legitimate Interest as long as processing will never affect a data subject negatively and the purpose of data processing is a “reasonable expectation” for service (for example, if the market research will allow a company to provide its customers with a better, more personalized customer experience).
It’s important to note here that companies that process “special categories of data” (like racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic data, and more) cannot rely on Legitimate Interest as a lawful basis for processing such data. However, a restrictive form of Consent can be used. Article 9(2)(1) permits processing based on “explicit consent,” which requires “an express statement” of approval, a heightened requirement beyond the “clear affirmative act” necessary to establish consent when processing “regular” personal data. The Article 29 Working Party (WP29) suggests that a written statement, signed by the data subject where appropriate, is one means of demonstrating compliance with this requirement.
How Do I Know Which Lawful Basis Applies?
We know that the examples we just listed only cover a small portion of processing activities. Determining which lawful basis applies can be challenging, but here are a few helpful guidelines:
First, remember that the lawful basis for processing depends on three things:
- The type of data being processed,
- The purpose of processing, and
- The relationship between data subjects and data controllers (i.e., employee and employer vs. customer and business).
Once you’ve identified these three qualifications, ask the following questions:
- What kind of information is being processed (sensitive or general)?
- What kind of impact could processing have on the data subject?
- What is the likelihood that the data subject would consent to processing? Is the data subject able to provide consent?
Determining these factors and answering these questions will help you understand the need for processing, the consequences of the processing, and which lawful basis correlates to a specific processing activity.
We’ll get into this more in a future blog post, but it’s important to keep in mind that using Consent as a lawful basis should be considered as a last resort and used in circumstances where no other lawful basis is applicable. Under the GDPR, individuals have the right to be informed as to which lawful basis an organization has for processing their data, which means organizations are required to provide the data subject with a privacy notice that includes the lawful basis they are using for processing.
What Steps Do I Need to Take After Determining Lawful Basis?
Once you have identified the lawful basis your organization will use for a specific type of data processing, you must turn your focus to properly documenting the purpose for processing and the justification for the lawful basis you have determined. Properly articulating the legal justification for processing varying types of data (credit card information, employment records, etc.) is a core part of demonstrating that your organization meets the accountability principle of the GDPR. As part of this documentation process, your organization should keep proper records of processing activities, who has access to the data, descriptions of the relationships between the organization and data subject, and the types of personal data.
Determining the right lawful basis for each processing activity is going to be a challenge but will give your organization a reason to pause and consider why you collect the data you do, what types of data are actually necessary for doing business, and the consequences data processing may have on your customers or employees. If you have questions about determining lawful basis or need assistance mapping the data your company processes, we have GDPR experts ready to help.
Disclaimer: Focal Point Data Risk, LLC is not a law firm and does not provide legal advice. This content is intended for informational purposes only.
Want more GDPR insights like this?
Subscribe to Focal Point's Privacy Pulse below - a once-a-month newsletter with guides, webinars, interesting white papers, and news all focused on data privacy. You can unsubscribe at any time.