The lawful bases for processing are set out in Article 6 of the GDPR. At least one must apply whenever you process personal data:
- Consent: Consent must be freely given, clearly distinguishable from other matters and simple to withdraw at any time.
- Contract: the processing is necessary for a contract you have with the individual.
- Legal obligation: the processing is necessary for you to comply with the law
- Vital Interests: the processing is necessary to protect someone’s life.
- Public Task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
- Legitimate Interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
Consent is defined in Article 4(11) as:
“any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
Freely Given: People must have a genuine choice & control over how you use their data. They must be able to refuse consent without detriment and must be able to withdraw consent at any time. Consent should not be bundled up with other terms and conditions or as a condition of service.
Specific & Informed: Consent must cover the following:
- The Controller’s identity
- The purposes of the processing
- The processing activities
- The right to withdraw consent at any time
Unambiguous Indication: It must be obvious that the individual has consented and what they have consented to. If there is room for doubt, it is not valid consent.
How long does consent last? There is no specific timeframe for this but consent is likely to degrade over time. Often if your processing activities evolve, you will need to seek fresh consents and can’t rely on previous consents.
You can rely on this lawful basis if you need to process someone’s personal data:
- to deliver a contractual service to them; or
- because they have asked you to do something before entering into a contract (eg provide a quote).
You are likely to be able to rely on this legal basis if:
- you have a contract with the individual and you need to process their personal data to comply with your obligations under the contract.
- you have a contract with the individual and you need to process their personal data so that they can comply with specific counter-obligations under the contract (eg you are processing payment details).
- you haven’t yet got a contract with the individual, but they have asked you to do something as a first step (eg provide a quote) and you need to process their personal data to do what they ask. This applies even if they don’t actually go on to enter into a contract with you, as long as the processing was in the context of a potential contract with that individual.
3. Legal Obligation
This legal basis applies if you are obliged to process the personal data to comply with the law. This can include the following examples:
You have a lawful basis for processing if:
- An employer needs to process personal data to comply with its legal obligation to disclose employee salary details for tax purposes
- A financial institution may rely on this legal basis in order to combat money laundering
- A court order may require you to process personal details for a particular purpose.
4. Vital Interests
You are likely to be able to rely on vital interests as your lawful basis if you need to process the personal data to protect someone’s life. Article 6(1)(d) provides a lawful basis for processing where:
“processing is necessary in order to protect the vital interests of the data subject or of another natural person”.
It’s clear from Recital 46 that vital interests are intended to cover only interests that are essential for someone’s life. So this lawful basis is very limited in its scope, and generally only applies to matters of life and death. It is likely to be particularly relevant for emergency medical care, when you need to process personal data for medical purposes but the individual is incapable of giving consent to the processing.
5. Public Task
You can rely on this lawful basis if you need to process personal data:
- ‘in the exercise of official authority’. This covers public functions and powers that are set out in law; or
- to perform a specific task in the public interest that is set out in law.
Article 6(1)(e) gives you a lawful basis for processing where:
“processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”
6. Legitimate Interest
Article 6(1)(f) gives you a lawful basis for processing where:
“processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
In determining whether you can rely on legitimate interests, the key is to undertake the following three-part test:
This can be broken down into a three-part test:
- Purpose test: are you pursuing a legitimate interest?
- Necessity test: is the processing necessary for that purpose?
- Balancing test: do the individual’s interests override the legitimate interest?
A wide range of interests could be considered legitimate. The GDPR specifically mentions use of client or employee data, marketing, fraud prevention, intra-group transfers, or IT security as potential legitimate interests, but this is not an exhaustive list.
‘Necessary’ means that the processing must be a targeted and proportionate way of achieving your purpose. You cannot rely on legitimate interests if there is another reasonable and less intrusive way to achieve the same result.
You must balance your interests against the individual’s interests. In particular, if they would not reasonably expect you to use data in that way, or it would cause them unwarranted harm, their interests are likely to override yours. However, your interests do not always have to align with the individual’s interests. If there is a conflict, your interests can still prevail as long as there is a clear justification for the impact on the individual.
When relying on legitimate interests may be appropriate:
- Marketing where you can show that how you use people’s data is proportionate, has a minimal privacy impact, and people would not be surprised or likely to object you may be able to rely on legitimate interests for your marketing interests. However, this is only if you don’t need consent under PECR.
- Minimal impact Where you can show that your processing is light touch and you are processing data in ways that people would reasonably expect and that have a minimal privacy impact.
- Third Parties You may be able to rely on legitimate interests in order to lawfully disclose personal data to a third party. You should consider why they want the information, whether they actually need it, and what they will do with it. You need to demonstrate that the disclosure is justified, but it will be their responsibility to determine their lawful basis for their own processing.