The European Union's General Data Protection Regulation ("GDPR") is arguably the most comprehensive - and complex - data privacy regulation in the world. Although the GDPR went into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.

To help address that confusion, Bryan Cave Leighton Paisner is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the GDPR.

Question: What is a law firm’s lawful purpose for processing data that it receives from a client as part of a representation?

Answer: The GDPR recognizes only six lawful purposes for processing personal data. While a law firm’s processing may, in certain scenarios, be based on any one of the six recognized purposes, in many (if not most) of the situations in which a law firm is retained and must process data related to that retention, the processing will likely be based upon the legitimate interest of the firm in carrying out its function of representing, advising, or defending clients.

The following chart discusses each lawful purpose and suggests when the purpose might – or might not – apply to the processing of personal data collected as part of a client representation:

| Lawful Purpose | When Lawful Purpose Might Apply | When Lawful Purpose Might Not Apply |
| --- | --- | --- |
| Consent (Article 6(a)) | In order for a law firm to process personal data based upon consent, it must obtain that consent from the individual to whom the data relates. This might apply if a lawyer were to collect personal information solely about its client and were to collect consent from the client prior to the representation. For example, it might apply if a trust and estates lawyer were to assist a client with tax or estate planning and the client provided only information about himself or herself. | Consent would be unlikely to apply if a law firm collected personal data about individuals other than a client. For example, it would be unlikely that consent would be a lawful purpose if a law firm needed information about third-party witnesses, employees of a client, or adverse parties. Even in the simple hypothetical described to the right where an attorney is retained to provide tax or estate planning, if the attorney received information about potential beneficiaries or recipients of income, it would be unlikely that the attorney attempts to, or is able to, collect consent from each of the individuals to whom the data relates. |
| Performance of a contract (Article 6(b)) | As with consent, performance of a contract may be a lawful purpose when the data collected only relates to a law firm’s immediate client. As a result, the same hypothetical provided under the consent section (i.e., collecting information about a client to render tax advice) might equally be based on the law firm’s performance of its contract to provide advice to its client. | Performance of a contract would be unlikely to apply to the extent that the law firm collects personal data about individuals other than the client herself. For example, it would be unlikely that performance of contract would be a lawful purpose for collecting information about third-party witnesses, employees of a client, or adverse parties. |
| Compliance with a legal obligation (Article 6(c)) | This lawful purpose might apply if a law firm is required to collect information to fulfill a regulatory obligation. For example, if a Member State’s court ordered a law firm to disclose certain documents or information, that disclosure might be consistent with the GDPR based upon the law firm’s need to comply with a legal obligation. | It is doubtful that a law firm could rely upon the need to comply with legal obligations to perform the day-to-day processing of data in conjunction with a case or a representation, as the law firm is not mandated by law to retain a specific client, to take on a specific representation, or to collect data as part of a specific representation. |
| Protecting the vital interests of a person (Article 6(d)) | This lawful purpose might be used if a law firm were (consistent with any professional obligation of secrecy) to disclose a real or imminent threat to the safety of a person. | As most client engagements do not involve threats to life or safety, it is unlikely that this lawful purpose would apply to most representations. |
| Task carried out in the public interest (Article 6(e)) | This lawful purpose might be used to the extent that a law firm is engaged to represent a public authority. | As most client engagements do not relate to the representation of a public body, it is unlikely that this lawful purpose would apply to most representations. |
| Legitimate interest of the controller (Article 6(f)) | As law firms have a strong and legitimate interest in performing their professional obligation to represent clients, this lawful purpose is likely to apply to most (if not all) client engagements, assuming that the collection of personal data is necessary for the engagement. | This lawful purpose may not apply to the extent that a law firm processes personal data that is not necessary to the representation of a client. |