While the Information Commissioner's Office (ICO) has made clear that you must have a valid lawful basis in order to process personal data, a lot of organisations assume that this is dependent on obtaining consent. Consent is just one of a number of legitimate purposes for processing personal data. Which basis you deem to be the most appropriate to use will depend on your purpose and relationship with the individual.
Key conditions to ensure data processing is legal
The data subject has provided clear consent to the processing activity. GDPR states it must be freely-given, specific, informed and unambiguous – given by a statement or a clear, affirmative action. Data subjects must be able to refuse or withdraw consent without penalty.
2. Performance of a contract
GDPR Recital 40 mentions 'the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract' as a legitimate basis of lawful processing. This means that processing should be lawful when collecting a customer's name and address to process their order.
3. Legal or judicial reasons
Processing is necessary for legal or judicial reasons, such as administering justice or law enforcement, such as using their bank details to process a refund. However, there are limitations to this.
Recital 45 states that 'where processing is carried out in accordance with a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, the processing should have a basis in Union or Member State law'.
4. Protecting the data subject's vital interests
This only applies if it's necessary to process personal data to protect someone's life. This is clarified in Recital 46 of the GDPR: 'Processing of personal data based on the vital interest of another natural person should in principle take place only where the processing cannot be manifestly based on another legal basis'. In cases where, for example, someone's medical history is made available to treat them in an A&E department after a road accident, would this apply.
5. Performing a task in the public interest
Data can be processed 'for the performance of a task carried out in the public interest' or 'in the exercise of official authority'.
You don't need a specific statutory power to process personal data, but you must have a clear basis in law, which must be documented.
The DPA 2018 clarifies that this includes processing necessary for:
- The administration of justice.
- Exercising a function of either House of Parliament
- Exercising a function conferred on a person by an enactment or rule of law.
- Exercising a function of the Crown, a Minister of the Crown or a government department
- An activity that supports or promotes democratic engagement.
Data subjects' rights to erasure and data portability do not apply if you are processing on this basis. However, they do have a right to object.
6. Legitimate interest
Legitimate interest is the most flexible of the six lawful bases for data processing. It can potentially be applied to any type of processing carried out for any reasonable purpose.
Article 6(1f) states that processing is lawful if 'processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject'.
This leaves a lot of room for interpretation and the definition is unhelpfully vague. The burden is on you to determine if your interests in processing personal data really are legitimate.
These interests must be balanced against those of the data subject(s). The GDPR mentions processing client or employee data, marketing, fraud prevention, intra-group transfers or IT security as potential legitimate interests, but this list is not exhaustive.
The important thing to consider is that ‘legitimate interests’ is most likely to be appropriate if you are using personal data in ways that the data subject would deem reasonable and where the processing has a minimal impact on their privacy.
Remember that if you use legitimate interest as your basis for processing personal information as part of your marketing activities, the data subjects’ right to object is absolute: you must stop processing if anyone objects.
Where to get advice on data processing legality
If you have doubts as to the legal justification for processing data, then it best to ask your data protection officer (DPO). It could be a stand-alone or role or someone with expertise in this area. If you don't have one, you should - see Article 37(1) of the GDPR.
Want to learn more about GDPR?
We also have 100+ free compliance training aids, including assessments, best practice guides, checklists, desk-aids, eBooks, games, posters, training presentations and even e-learning modules!
Finally, the SkillcastConnect community provides a unique opportunity to network with other compliance professionals in a vendor-free environment, get priority access to our free online learning portal and other exclusive benefits.