The GDPR requires every organization (government, non-profit, commercial, etc.). The definitions for each basis are clear, but it can be difficult to know how to tie each processing activity to the right lawful basis. Other than Consent, every lawful basis for data processing requires the processing to be necessary. This means that organizations should only be collecting and processing information for a specific purpose.
This list focuses on scenarios where processing is necessary for conducting business and falls under the lawful basis of Contracts, Legal Obligation, or Legitimate Interest. We wrote a whole other blog post on Consent, which you can check out here. This post will not cover the bases of Public Tasks and Vital Interest, as those are less likely to affect organizations based in the U.
Contractual relationships are a core part of doing business for many organizations. Recognizing that contracts between customers and businesses may require the collection of personal information like credit card numbers and contact information, the GDPR has established Contracts as a lawful basis for processing. During the sales process, a customer may request more information or sign up for a trial, which may require the processing of personal data like credit card information or contact information.
In order to complete a new contract or fulfill an existing contract, personal data processing is necessary. Organizations can only process data under the basis of Legal Obligation if it is necessary to comply with an existing EU or Member State law. Some examples of these legal scenarios include: For many organizations, the most common lawful basis for processing will be Legitimate Interest. Unfortunately, this description is pretty vague and leaves a number of questions unanswered, but the good news is that the GDPR does provide a few specific examples of when Legitimate Interest can serve as a lawful basis.
For example: This one is pretty simple. Legitimate Interest can be used as a lawful basis for the transmission of personal data within the organization for internal operations like payroll. Situations that call for the transfer of customer data to a third party for data analysis as part of market research can fall under Legitimate Interest. However, a restrictive form of Consent can be used. The Article 29 Working Party (WP29) suggests that a written statement, signed by the data subject where appropriate, is one means of demonstrating compliance with this requirement.
We know that the examples we just listed only cover a small portion of processing activities. Determining which lawful basis applies can be challenging, but here are a few helpful guidelines:
Determining these factors and answering these questions will help you understand the need for processing, the consequences of the processing, and which lawful basis correlates to a specific processing activity.
Under the GDPR, individuals have the right to be informed as to which lawful basis an organization has for processing their data, which means organizations are required to provide the data subject with a privacy notice that includes the lawful basis they are using for processing.
Once you have identified the lawful basis your organization will use for a specific type of data processing, you must turn your focus to properly documenting the purpose for processing and the justification for the lawful basis you have determined.
Properly articulating the legal justification for processing varying types of data (credit card information, employment records, etc.). As part of this documentation process, your organization should keep proper records of processing activities, who has access to the data, descriptions of the relationships between the organization and the data subject, and the types of personal data.
Determining the right lawful basis for each processing activity is going to be a challenge but will give your organization a reason to pause and consider why you collect the data you do, what types of data are actually necessary for doing business, and the consequences data processing may have on your customers or employees. If you have questions about determining lawful basis or need assistance mapping the data your company processes, we have GDPR experts ready to help. This content is intended for informational purposes only.
Public Tasks: Processing is necessary to perform a public interest or official function. Legitimate Interests: Processing is necessary for the legitimate interests of an organization or a third-party affiliate.

Under the GDPR, organisations need to ensure activities involving the processing of personal information are undertaken under one of the six legal grounds for processing.
Article 6(1) of the GDPR sets out the conditions that must be met for the processing of personal data to be lawful. They are: This shall not apply to processing carried out by public authorities in the performance of their tasks.
These conditions are all equally valid, and organisations should assess which of these grounds are most appropriate for different processing activities and then fulfil any further requirements the GDPR sets out for these conditions (GDPR Article 5). Processing activities that fall under performance of a contract, legal obligation, vital interests and public task may be fairly straightforward to identify.
The key for many is in assessing whether Consent or Legitimate Interests will be most appropriate for specific processing of personal information. Recital 32 states: Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes.
When the processing has multiple purposes, consent should be given for all of them. Consent requires a positive opt-in. The ICO has stressed the following: Simply providing categories of third parties will not be acceptable. The final text of the proposed Regulation on Privacy and Electronic Communications is anticipated later this year. When considering whether you can rely on Legitimate Interests, organisations should be aware of four key factors:
Updated October. The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to. Data protection advice from Opt-4: Opt-4 has been supporting clients on data protection for more than 15 years.

In order to help clarify these questions, this blog post extracts the relevant information directly from the GDPR text itself and from the guidance given by the ICO (the Information Commissioner's Office).
In many areas there is more information available than is replicated here, so please refer to the original ICO source for further information. Firstly, just to set the scene: although marketers are right to be aware of it, GDPR is not about marketing.
Whatever that processing may be, another fundamental of GDPR is that any processing of personal data needs to be lawful. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used.
That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed.
Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing. In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed.
This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review.
Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted. Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing. Take care to get it right first time — you should not swap to a different lawful basis at a later date without good reason.
Anyone who is already practicing a robust permission-based email marketing strategy will have little more to do in order to comply with the new definitions of consent which GDPR brings.
Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them.
In particular in the context of a written declaration on another matter, safeguards should ensure that the data subject is aware of the fact that and the extent to which consent is given. For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended.
Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.

GDPR outlines six scenarios in which data processing is legally permitted. Unless the organization can show that the processing activity fits within one or more of these scenarios, it is deemed unlawful to process the personal data. The data subject(s) has consented to the processing activity. GDPR states it must be freely given, specific, informed and unambiguous — given by a statement or a clear, affirmative action.
Data subjects must be able to refuse or withdraw consent without penalty. Furthermore, there must not be an imbalance between the parties, i.e. A good example here is when you sign up for marketing emails. By unsubscribing, you revoke that consent. Regular, finance-related processing activities should be covered by other legal bases. Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
Such processing is necessary in order to enter into or perform a contract with the data subject. For example, any processing that takes place in order to kick off a possible contract at the behest of the individual falls under this category, as well as any processing carried out during the contractual period, so long as it relates to the terms of the contract. Anything outside of that will have to be covered by an alternative legal basis. For example, filling in an account opening form at an investment bank counts as pre-contractual processing, and processing transactional information during the term of your contract is also covered.
But if the service provider also wants to take your details so they can offer you additional products and services as part of marketing outreach, they must obtain your consent first. Processing is necessary for compliance with a legal obligation to which the controller is subject.
The controller has a legal obligation to perform the processing, but this only applies to EU or Member State law. That last part is crucial. ABC Bank has a legal obligation to carry out Know Your Customer (KYC) due diligence on you, and they also have to share your information with the national credit register. That legal obligation is rooted in European and Irish law, so they can rely on this legal basis for processing.
They also have a legal obligation to carry out KYC due diligence and have several other regulatory obligations to meet under Federal or State law, but they are also in scope for GDPR. They cannot rely on a legal obligation as a condition for processing.
GDPR in Context: The 6 Legal Bases for Processing
Instead, they should rely on Legitimate Interest, which we will come to in a bit.

But what is a lawful basis for processing? Before you do any of these things, you need to identify a lawful basis for doing so, according to Article 6. Except for special categories of personal data (sensitive data), which you cannot process except under certain circumstances, there are six lawful bases for processing.
This is particularly important because data subjects have the right to withdraw their consent at any time. It must be as easy for them to withdraw their consent as it was to provide it in the first place. An oral statement also counts. The processing you carry out must be necessary for the purposes of fulfilling your contractual obligations.
This lawful basis will not apply if there are other ways of meeting those obligations. You can rely on legal obligations if you need to process personal data to comply with a common law or statutory obligation. It should be clear from the law in question whether processing is necessary for compliance. However, they do have a right to object. The most flexible of the six lawful bases for processing, legitimate interests could theoretically apply to any type of processing carried out for any reasonable purpose.
On the other hand, the definition is unhelpfully vague, and the burden is on you to determine whether or not your interests in processing the personal data really are legitimate. These interests must be balanced against those of the data subject(s). The GDPR mentions processing client or employee data, marketing, fraud prevention, intra-group transfers or IT security as potential legitimate interests, but this list is not exhaustive. This blog was first published in June. It was updated in March to reflect the latest guidance.
Neil has worked at IT Governance since. He writes about all IT governance, risk management and compliance subjects. First published June. Last updated March. This blog explains each of the six lawful bases and how to choose the most appropriate one. Legal obligations: You can rely on legal obligations if you need to process personal data to comply with a common law or statutory obligation.

Guidance to help Managing Trustees understand what lawful bases are, why they are needed, which lawful bases are appropriate in different circumstances and their responsibilities.
Focus Note. There are six lawful bases that can be relied upon: You need to consider what category of personal information you are dealing with, the purpose of using (processing) the personal information and what lawful basis you can rely on under the Methodist Privacy Notice. The controller decides which of the six lawful bases will be used depending on the category of personal information (data) and the proposed use of that information, to ensure that it is handled fairly.
This Lawful Bases Guidance Note is designed to take you through the process taken by the controllers to identify the appropriate lawful basis or bases to use. More detailed guidance on each of the lawful bases and special cases is set out in the Lawful Bases Fact Sheets available at the end of this Lawful Bases Guidance Note:
Now that the results of the data mapping exercise carried out by the Data Protection Working Party (Working Party) are known, the Working Party is preparing a breakdown of results which will be set out in the Privacy Notice. While this will suggest lawful bases for typical Methodist purposes, this Lawful Bases Guidance Note will help you to understand the reasons for selecting a particular lawful basis and check that any suggested lawful bases are appropriate to your situation.
In many cases there is no right or wrong answer but there is a need to show that the options have been considered and the lawful basis or bases selected is justified. The information in this Lawful Bases Guidance Note should assist you in doing this. You can work through the questions in Charts 1 and 2 in this Section to help establish the requirements under GDPR and identify why the lawful basis or bases suggested in the Privacy Notice is appropriate or adapt the suggestions to particular circumstances.
Note that more than one lawful basis can be used if appropriate and due to the different rights attaching to the different lawful bases it is helpful to use all those that are applicable.
GDPR Legal Grounds for Processing – Consent? Legitimate Interests?
YES: To collect and use (process) the information, a lawful basis for doing so must be established. You should check whether there are any other limits on using the information, such as a confidentiality clause in a contract with a surveyor or contractor.
These separate conditions will be confirmed by UK legislation. NO: One or more lawful bases to process the personal data still needs to be established. Will use of the personal information involve sending or directing any advertising or marketing material to specific recipients by text, email or telephoning individuals registered with the Telephone Preference Service (TPS)?
Will the personal information be shared outside of the Methodist Church, e.g. NO: You should consider if there is an alternative lawful basis that would be appropriate. Are you under a legal obligation to use (process) the personal data in a certain way, e.g. Is the processing necessary to fulfil the legal obligation, e.g. Does the Methodist Church have legitimate interests for using (processing) the personal data? As a membership organisation, the Methodist Church has a legitimate interest in using personal information for purposes including maintaining lists of members and providing pastoral support.
AND unless the individual is a Minister in Full Connexion, probationer or an office holder whose contact details would need to be in the public domain to fulfil specific Church functions, e.g. Has a record been kept of the lawful basis being relied upon and privacy information provided? You need to be careful that (1) a written record is kept of what lawful basis is being relied on and (2) the required privacy information is provided to the individuals concerned (data subjects).
In terms of which lawful basis or bases will be used, there is often not a right or wrong answer. You do, however, need to follow the guidance provided (including the policy set out in the Privacy Notice), be able to explain the reason for the decision reached, show a proper decision-making process and justify the outcome.

At least one of these must apply whenever you process personal data:
This cannot apply if you are a public authority processing data to perform your official tasks.
GDPR, lawful processing, consent and legitimate interest
The lawful basis for your processing can also affect which rights are available to individuals. For example, some rights will not apply: This depends on your specific purposes and the context of the processing. You should think about why you want to process the data, and consider which lawful basis best fits the circumstances. You can use our interactive guidance tool to help you.
You might consider that more than one basis applies, in which case you should identify and document all of them from the start. You must not adopt a one-size-fits-all approach. No one basis should be seen as always better, safer or more important than the others, and there is no hierarchy in the order of the list in the GDPR. If you are processing for these purposes then the appropriate lawful basis may well be obvious, so it is helpful to consider these first. In other cases you are likely to have a choice between using legitimate interests or consent.
You need to give some thought to the wider context, including: We have produced the lawful basis interactive guidance tool to give more tailored guidance on which lawful basis is likely to be most appropriate for your processing activities.
The basic approach is the same. You should think about your purposes, and choose whichever basis fits best. You can still use our lawful basis tool to help you. The public task basis is more likely to be relevant to much of what you do. If you are a public authority and can demonstrate that the processing is to perform your tasks as set down in UK law, then you are able to use the public task basis.
But if it is for another purpose, you can still consider another basis. In particular, you may still be able to consider consent or legitimate interests in some cases, depending on the nature of the processing and your relationship with the individual.
There is no absolute ban on public authorities using consent or legitimate interests as their lawful basis, although there are some limitations. For more information, see the specific guidance page on each lawful basis.
A university that wants to process personal data may consider a variety of lawful bases depending on what it wants to do with the data. Universities are classified as public authorities, so the public task basis is likely to apply to much of their processing, depending on the detail of their constitutions and legal powers.