Legal grounds for processing - an overview
The GDPR does not change the legal grounds for processing. However, certain interpretations and practices are now expressly included in the GDPR, as further detailed below.
The processing of personal data is lawful only if and to the extent that at least one of the following conditions applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Choice of legal ground
It is of the utmost importance that the appropriate legal basis be used for each processing activity. This is especially important when it comes to consent. Organizations tend to rely on consent when it is not actually required. Consent is too often, and wrongly, seen as a safe haven. Companies think that if they have obtained consent, the processing is lawful. This is however not always the case. Using consent when reliance on another ground is called for may result in the unlawful processing of personal data. Consent will be further addressed in a separate issue of this series.
Compliance with a legal obligation and the performance of tasks in the public interest
The basis for the processing of personal data in order to comply with a legal obligation or perform a task in the public interest must be laid down in EU or Member State law. This means that organizations cannot rely on this ground if the legal obligation or task that forms the basis for the processing is found in the law of a country outside the EU (e.g. the US). Member States are free to introduce more specific rules on the processing of personal data for these purposes.
Legitimate interest
Public authorities processing personal data in the performance of their tasks may not rely on the legitimate interest ground.
Given the accountability principle (see the previous issue on data processing principles) and the obligation to inform the data subject of the legitimate interest, the legitimate interest must be duly identified, analysed and documented.
When analysing a legitimate interest, organizations should take into account the reasonable expectations of the data subject. It must be verified whether the data subject can reasonably expect at the time and in the context of the collection of his or her personal data that processing for the indicated purpose will take place. If the processing could not reasonably be expected by the data subject, it may be hard to rely on the legitimate interest ground.
The recitals mention that the following purposes may constitute a legitimate interest:
- the prevention of fraud;
- direct marketing (in this respect, please note that for direct marketing activities consent may be required pursuant to other regulations such as the ePrivacy Directive);
- internal administration within a group of undertakings;
- ensuring network and information security.
Legal grounds for further processing
Pursuant to the purpose limitation principle, personal data may not be further processed in a manner that is incompatible with the purpose for which they were initially collected and processed. If the further processing is considered compatible with the initial purpose (e.g. processing for archiving, scientific or historical research purposes), a separate legal basis is not required. In order to ascertain whether a purpose for further processing is compatible with the purpose for which the personal data are initially collected, the controller should take into account the following elements:
- the link between the initial purpose(s) and the purpose(s) of the intended further processing;
- the context in which the personal data have been collected, in particular the reasonable expectations of the data subjects based on their relationship with the controller;
- the nature of the personal data;
- the consequences of the intended further processing for data subjects;
- the existence of appropriate safeguards, which may include pseudonymization or encryption.
If the data subject has given consent or the processing is based on Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard, in particular, important objectives of general public interest, the controller is allowed to further process the personal data irrespective of the compatibility of the purposes.
Takeaways and to-dos
- Recitals 40 to 50
- Article 6