The Data Protection Commission (“DPC”) has published guidance on the lawful bases for processing personal data. The guidance aims to assist organisations involved in processing personal data (“controllers”) to identify the correct legal basis for such processing, and to recognise the obligations which stem from that legal basis.
Legal bases under the GDPR
The DPC emphasises the importance of a controller correctly determining which legal basis they are relying on in order to ensure that any processing they undertake is lawful. The guidance provides a detailed overview of each potential legal basis available to controllers. Regardless of the legal basis or bases availed of, controllers should ensure that each processing operation is necessary as a specific and proportionate way of achieving a transparent stated purpose or goal, which could not reasonably be achieved by some other less intrusive means, or by processing less personal data.
• Consent – The DPC recommends that controllers carefully consider whether consent is the most appropriate legal basis and are aware of the requirements and obligations that come with reliance upon consent. The DPC provides guidance as to what constitutes consent under the GDPR and addresses the obligation on controllers to be able to demonstrate that a data subject has consented to the data processing in question. As data subjects have the right to withdraw consent at any time, controllers must ensure that withdrawing consent is as easy as granting it.
• Contract – The DPC highlights that controllers need to be aware that this legal basis can only apply to contracts between the actual data subject and the controller (i.e. not a third party).
• Legal Obligation – This is likely to be the appropriate legal basis in circumstances where controllers are obliged to process personal data in order to comply with EU or Irish legislation or the common law. The guidance sets out what constitutes a legal obligation and expands on the concept of “necessity” in the context of complying with a legal obligation.
• Vital Interests – Processing personal data to protect the vital interests of an individual is a less commonly used legal basis. The guidance looks at whose vital interests are relevant and what constitutes a vital interest. Most cases in which vital interests are the appropriate legal basis will be medical or healthcare situations.
• Public Task – This legal basis applies only to controllers where it is necessary to process personal data to carry out a task in the public interest or in the exercise of official authority. The guidance sets out examples of tasks that are in the public interest. Controllers availing of this legal basis are likely to be public authorities or other natural or legal persons governed by public law, but might also include, where it is in the public interest to do so, controllers governed by private law, such as professional associations.
• Legitimate Interests – While this is a flexible legal basis, which may apply in circumstances where processing operations do not fit neatly into any other legal basis, the DPC notes that it also carries heightened obligations on controllers to balance the legitimate interests they are seeking to pursue with the rights and interests of the data subject. The guidance states that the balancing exercise which controllers are required to undertake when relying on this legal basis should take into account the reasonable expectations of the data subjects, in the context of their relationship with the controller.
The guidance provides a helpful overview of the legal bases for the processing of personal data. It will be of use to firms in determining the correct legal basis for any proposed personal data processing activity.
The guidance can be accessed here.