The 6 Lawful Bases for Processing Data Under GDPR (2024)

Under the UK General Data Protection Regulation (GDPR), personal data must be processed under a valid lawful basis. These conditions are outlined in Article 6 of the GDPR, which covers six different lawful grounds for processing personal data:

  1. Consent
  2. Contractual obligations
  3. Legal obligation
  4. Vital interests
  5. Public interests
  6. Legitimate interests

No single basis is more important than another; there is no hierarchy. Organisations process data under the lawful basis that is most applicable and appropriate to the processing being conducted, but the processing is only lawful if at least one of these conditions is met.

An individual’s personal data and the purpose for which it is processed (purpose limitation) determine which lawful basis is the most appropriate ground for processing, i.e. data should be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those original purposes.

Businesses should get this right the first time: if you choose consent as your lawful basis and are unable to obtain consent, you can’t simply switch to another lawful basis.

In this article, we take a look at each basis in more detail, with some helpful GDPR lawful basis examples.

What are the 6 lawful bases for data processing?

Consent

Consent is the process of obtaining an individual’s permission to collect and store their personal data.

Before collecting personal data, you should ask the individual for their permission. A person’s consent can’t be implied and should be explicit. You can’t assume that an individual is agreeing to your data processing terms just by visiting your website and browsing around. Pre-ticked consent boxes on a website are an example of this and are not a lawful way to collect consent.

In order to process personal data under this lawful basis, consent must be given freely. This is known as an ‘affirmative act’, whereby the user must actively decide to provide consent and opt in to data processing.

There are several ways to obtain consent when processing personal data:

  • Through opt-in check boxes
  • Through website cookie banners or pop-ups
  • Through written consent
  • Through oral consent

Basically, if the user has expressed that they are happy for your business to process their data, for instance to receive emails, text messages or direct mail, then they have opted in and given you consent.

Prior to giving consent, an individual must understand what they are consenting to and must be able to choose each channel they are consenting to separately, i.e. no bundled consent. Accordingly, your data processing terms and conditions must be explained clearly and made easily accessible to the user. It is always advisable to display a clear link to the privacy policy associated with the consent you are collecting, and this information should be written in clear and plain language that is not overly legalistic.

Individuals who have consented must also be able to withdraw that consent at any time. Consent should be as easy to withdraw as it is to give, and the fundamental rights of consumers are protected under GDPR. Users have the right to withdraw, and the organisation that holds their data must be able to delete the data if the individual requests this.

Example of consent as a lawful basis: when you buy a ticket for a concert, the web page asks whether you want to receive information about new concerts, new parties etc. If you tick the box saying that you are happy to receive this via email, text message or post, that is opt-in consent.

Contractual obligations

Contractual obligation refers to the processing of data that is required under a contract, or in the performance of a contract.

A contractual obligation applies when data processing is necessary to deliver a contracted service, such as plumbing, gas supply or a mobile phone contract.

Processors who need data to fulfil a contract are protected by this lawful basis.

A contract need not be a formal legal document, as long as it complies with the requirements of contract law. An oral agreement is also acceptable.

Example of contractual obligations as a lawful basis: your internet, gas or water provider holds your personal data because it needs that information to provide the service, i.e. to perform the contract. It needs to hold personal data such as your name and address and your contact details (telephone number and/or email address) to be able to contact you whenever necessary regarding your contract. In most cases, the individual would reasonably expect to be contacted by an organisation they hold a contract with.

Legal obligations

Legal obligation is the processing of an individual’s personal data to comply with laws or statutory obligations. It should be noted that this does not include contractual obligations.

This lawful basis requires either the identification of a specific legal provision or the reference to appropriate advice or guidance that clearly sets out your obligations.

Example of legal obligations as a lawful basis: your bank needs to process your personal data to comply with its legal obligation to prevent fraud and with the laws which govern how financial institutions conduct business.

The importance of record-keeping cannot be overstated, so make sure you maintain documents and audit trails that detail what you are obliged to do and show that your processing complies with the law.

Vital interests

Vital interests cover the processing of an individual’s personal information in an emergency medical situation, or otherwise to protect their life. This applies to the essential protection of both the data subject and other people.

Processing data on the basis of vital interests is rare, and is only used in emergency situations where processing cannot be based on another lawful basis. Vital interests is also one of the grounds on which ‘special categories’ of personal data (as defined in the UK GDPR) can be lawfully processed.

Example of vital interests as a lawful basis: in a medical emergency, your doctor can lawfully access your medical records on the grounds of vital interests if your life or another person’s life would otherwise be at risk, for example to find out your blood type or to check whether you are an organ donor.

Public interests

Under the basis of public interests, data is processed in order to protect the welfare of the general public, under the governance of official authority.

Whenever you process personal data that is necessary to perform a task in the public interest, or under official authority, you must rely on this lawful basis. This basis can only be used by public sector organisations, such as the government and local authorities.

In order to process personal information under this basis, you do not need specific statutory authority, but you must have a clear basis in law for doing so, and this must be documented. As with the other lawful bases, the data processing must be necessary.

Under this basis the individual’s rights to erasure and data portability do not apply; however, individuals do have the right to object.

Example of public interests as a lawful basis: data may be processed by government and law enforcement where the activity protects the public interest. For example, law enforcement may need to access data in order to prevent criminal activity.

Legitimate interests

Legitimate interests is the most flexible of the six lawful bases for processing. A legitimate interest can be based on any reasonable purpose and encompasses any type of processing within reason. Legitimate interests apply if you are using an individual’s data in a way that they would expect or otherwise deem reasonable, and where the processing has a minimal impact on their privacy.

Numerous interests can be legitimate, which might include:

  • Processing client or employee data
  • Processing conducted for marketing purposes
  • Processing that helps prevent fraud

A good example would be collecting certain data to prevent fraud, which is in the interest of both your organisation, and the data subject.

In order for this lawful basis to apply, you must identify the interest, demonstrate that the processing is necessary to attain it, and balance it with the interests and rights of the individual.

Where legitimate interests are relied on for marketing purposes, the data subject’s right to object is absolute, and you must stop processing if they object.

Example of legitimate interests as a lawful basis: if a new golf club is opening near you, the owner may come to us and ask for a customer data list of individuals within certain postcodes, aged between 18 and 60, who like golf. We will provide that list on the basis that the golf club owner will contact you to see if you would be interested in becoming a member.

Is it necessary to have a lawful basis for processing?

Processing without a lawful basis is illegal, violating the UK GDPR’s first principle.

Identifying your lawful basis is crucial before processing data. You’ll need to decide on which basis is the most appropriate for your specific situation and goals.

The basis on which you process information also affects which fundamental rights individuals can exercise. To satisfy the individual’s right to be informed, you must tell them the lawful basis on which you are processing their data.

Remember, you must document and be able to demonstrate why you are processing an individual’s data, and the records you keep must show your lawful basis in sufficient detail. Balancing tests and privacy assessments are a good way to demonstrate this, and keeping such records will help you meet your accountability obligations.

GDPR compliance services

By law, it is required that data protection guidelines must be followed if your business uses any third-party communication services or software to store customer or client information.

When your business uses our GDPR compliance services, you give your customers and clients confidence that their personal data is safe, secure and handled compliantly, so that they feel in control of how it is processed.

Get in touch to find out more

FAQs

What are the 6 lawful bases for processing under GDPR?

Article 6 of the General Data Protection Regulation (GDPR) sets out what these potential legal bases are, namely: consent; contract; legal obligation; vital interests; public task; or legitimate interests.

What are the 6 principles of GDPR?

  • Lawfulness, fairness, and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality
  • Accountability

These principles are found right at the outset of the GDPR, and inform and permeate all other provisions of that legislation.

What are the six data subject’s rights in the GDPR?

The GDPR has a chapter on the rights of data subjects (individuals) which includes the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object and the right not to be subject to a decision based solely on automated ...

Which is not a lawful basis for processing personal data under GDPR?

If the data subject, a.k.a. the natural person, consents to processing without knowing the purpose(s) in full and in an easy-to-understand way, then consent is not a legal ground for processing, as by definition it is not freely given, specific, informed and unambiguous. Moreover, consent cannot be bundled.

What is Article 6 of the General Data Protection Regulation (GDPR)?

Article 6(1)(a) confirms that the consent of the data subject must be given in relation to “one or more specific” purposes and that a data subject has a choice in relation to each of them.

What are the 7 GDPR requirements?

The Seven Principles
  • Lawfulness, fairness and transparency.
  • Purpose limitation.
  • Data minimisation.
  • Accuracy.
  • Storage limitation.
  • Integrity and confidentiality (security)
  • Accountability.

What are lawful bases?

Several of the lawful bases relate to a particular specified purpose: a legal obligation, a contract with the individual, protecting someone’s vital interests, or performing your public tasks.

Which of the following is among the six principles of GDPR?

The data protection principles that would be affected include 1 (lawful, fair and transparent), 2 (limited to its purpose) and 6 (integrity and confidentiality).

What are the main GDPR rules?

The GDPR lays out the following seven basic principles on which it bases its regulations and rules of compliance related to personal data:
  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality
  • Accountability

What are the GDPR rules on data?

Purpose limitation — You must process data for the legitimate purposes specified explicitly to the data subject when you collected it. Data minimization — You should collect and process only as much data as absolutely necessary for the purposes specified. Accuracy — You must keep personal data accurate and up to date.

What are the types of data in GDPR?

In practice, these also include all data which are or can be assigned to a person in any kind of way. For example, the telephone, credit card or personnel number of a person, account data, number plate, appearance, customer number or address are all personal data.

What are the data subjects in GDPR?

Data subject refers to any individual person who can be identified, directly or indirectly, via an identifier such as a name, an ID number, location data, or via factors specific to the person's physical, physiological, genetic, mental, economic, cultural or social identity.

What are the principles of the GDPR?

Short Summary: If your company handles personal data, it's important to understand and comply with the 7 principles of the GDPR. The principles are: Lawfulness, Fairness, and Transparency; Purpose Limitation; Data Minimisation; Accuracy; Storage Limitations; Integrity and Confidentiality; and Accountability.

What is a lawful reason to process personal data according to GDPR?

Processing that is necessary to protect the vital interests of a person; necessary for the performance of a task carried out in the public interest; or in the legitimate interests of the company/organisation (except where those interests are overridden by the interests or rights and freedoms of the data subject).

What are the categories of processing under GDPR?

Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex ...

What are the processes under GDPR?

GDPR Processing

The General Data Protection Regulation (GDPR) offers a uniform, Europe-wide possibility for so-called 'commissioned data processing', which is the gathering, processing or use of personal data by a processor in accordance with the instructions of the controller based on a contract.

What are the legal requirements for GDPR?

1. Personal information shall be processed lawfully, fairly and in a transparent manner. 2. Personal information shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
