The first principle of the General Data Protection Regulation (GDPR) requires that all personal data is processed lawfully, fairly and in a transparent manner. Processing is only lawful if you have a lawful basis under Article 6. If no lawful basis applies to processing, the processing will be unlawful and in breach of the first principle. Individuals have the right to request the erasure of personal data which has been processed unlawfully.
You must determine your lawful basis before you begin processing, and you should document it. The individual's right to be informed under Articles 13 and 14 requires you to tell people which lawful basis you rely on, so these details need to be included in your privacy/fair processing notice.
There are six available lawful bases for processing ‘ordinary’ personal data. No single basis is better or more important than the others; the most appropriate basis will depend on the purpose of the processing. Consent is one lawful basis for processing, but it is not always the most appropriate one. One disadvantage of consent is that it can be withdrawn at any time; another is that it has to pass the GDPR validity test.
When asking for consent, a controller has a duty to assess whether it can meet all the requirements for obtaining valid consent. Valid consent is a freely given, specific, informed and unambiguous indication of the data subject's wishes, given by a statement or by a clear affirmative action. In particular, you should consider the following:
Conditional consent: If you make consent a precondition of a service, it is unlikely to be an appropriate lawful basis. If the data subject has no real choice, feels compelled to consent, or will suffer negative consequences if they do not consent, the consent is not freely given and will not be valid.
Imbalance of power: Public authorities, employers and other organisations in a position of power over individuals should avoid relying on consent unless they are confident that they can demonstrate it is freely given. It is unlikely that an employee would be able to respond freely to a request for consent from their employer to, for example, activate monitoring systems such as camera observation in a workplace, or to fill out assessment forms, without feeling any pressure to consent.
Bundled consents: Recital 43 clarifies that consent is presumed not to be freely given if the process/procedure for obtaining consent does not allow data subjects to give separate consent for different personal data processing operations. For example, a retailer asks its customers for combined consent to use their data to send them marketing by email and also to share their details with other companies within its group. This consent is not granular, as there are no separate consents for the two separate purposes; therefore the consent will not be valid.
What are the lawful bases for processing Personal Data?
The lawful bases for processing personal data are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
Example of when consent may be an appropriate lawful basis:
A school asks students for consent to use their photographs in a printed student magazine. Consent in these situations would be a genuine choice as long as students will not be denied education or services and could refuse the use of these photographs without any detriment.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
Example of when contract may be an appropriate lawful basis:
In the employment context when a person applies for a vacant position in your organisation, they can be deemed to have requested you to take steps before entering into a contract. When they become an employee, you will have a contractual basis to process their personal data in the course of their employment.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations). (For example, you have a legal obligation to share employee data with the Revenue for tax purposes.)
Example of when legal obligation may be an appropriate lawful basis:
A financial institution relies on the legal obligation imposed by the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 to process personal data in order to submit a Suspicious Activity Report to the regulatory authorities when it knows or suspects that a person is engaged in, or attempting, money laundering.
(d) Vital interests: the processing is necessary to protect someone's life. (For example, when you need to process personal data for medical purposes but the individual is incapable of giving consent to the processing.)
Example of when vital interests may be an appropriate lawful basis:
An individual is admitted to the A & E department of a hospital with life-threatening injuries following a serious road accident. The disclosure to the hospital of the individual’s medical history is necessary in order to protect his/her vital interests.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law. (For example, a public body's tasks, functions, duties or powers.)
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual's personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
Example of when legitimate interests may be an appropriate lawful basis:
An insurance company wants to process personal data to spot fraudulent claims, relying on legitimate interests. It is in the company's legitimate business interest to ensure that its customers do not defraud it. At the same time, the company's other customers and the public in general also have a legitimate interest in ensuring that fraud is prevented and detected.
If your organisation is processing special category data, you will need to identify both a lawful basis for processing from Article 6 and a special category condition for processing in compliance with Article 9. We will look at the Article 9 bases in a future article.
European Data Protection Board Guidelines on Consent under Regulation 2016/679