The General Data Protection Regulation (GDPR) has been in place for several years, yet many businesses still struggle to understand whether they can process personal data. While the GDPR provides six lawful bases for data processing, there is a lack of understanding among businesses on which basis they can rely to process data. As a result, companies often add unnecessary consent requests to all their documents, which can cause confusion and frustration for their customers. To avoid this, it's important to understand when personal data can be processed and how to choose an appropriate basis for doing so. Unlawful data processing may cost you up to €20 million, or up to 4% of the annual global turnover of the preceding fiscal year, whichever is higher – a valid reason to check your data processing practices.

Basics

The GDPR says that companies and organisations must have a good reason for collecting, using, and keeping people's personal data. There are six such reasons, called lawful bases, that companies can use:

  • Consent: a person has agreed to let a company use their data for a specific reason.
  • Contract: a company needs the data to fulfil a contract with a person or to make a contract with them.
  • Legal obligation: a company needs to comply with the requirements imposed by law (e.g., tax or social security obligations).
  • Vital interests: an organisation needs the data to protect someone's life – in other words, where the processing is vital to an individual's survival.
  • Public interest: the data is being processed to perform a task in the public interest, for instance, to prevent criminal activity.
  • Legitimate interests: a company needs the data for its own good reasons – the range of such reasons is wide. This basis is the most flexible one for a company to process personal data, yet it requires extra effort to justify the reason for data processing and to demonstrate that individuals' rights have been considered.

If you are not sure about your legal basis for data processing, feel free to book a free 20-minute consultation with our data protection lawyer, or keep reading this article.

Consent

Consent is a widely used ground for processing personal data. To be valid under the GDPR, consent must be freely given, specific, informed, and unambiguous. The data subject must also be able to withdraw their consent at any time. Consequently, it might not be the best choice for your business to rely on consent in your data processing, if you have other grounds to do so. Depending on your relationship with an individual, you can use another, more appropriate, basis for processing personal data. Note that in most cases you cannot switch from consent to another lawful basis.

Most likely, in commercial relationships, for instance, if you run a business in the e-commerce or IT sector, apart from consent, you would rely on either a contract, your legal obligations or legitimate interests to process personal data. In contrast with consent, these bases require you to prove the necessity of data processing for achieving a purpose – if you can achieve the same purpose without processing the data, then you will not have a lawful basis for doing so. Remember to document your decisions about lawful bases to justify your choices.

Contract

Contractual obligations allow you to process personal data in cases where:

  • You need to perform the existing contract; or
  • An individual asked you to take some steps before entering into a contract.

For example, in e-commerce, retailers and marketplaces process personal data to give a quote, fulfil orders, facilitate transactions, and provide customer support. If you are a software or IT services provider, you may process personal data to provide software updates, your services such as hosting, cloud computing, or cybersecurity, and technical support.

Legal obligation

Legal obligation means that you need to process personal data in order to follow the law or fulfil a legal requirement. It's important to know that this doesn't include any obligations you might have under a contract. To use this basis for processing, you need to be able to point to a specific law or regulation that requires you to collect and use the data.

As an example, e-commerce companies are required to collect and process personal data about their customers to comply with tax and accounting regulations, such as keeping records of transactions and reporting sales tax.

Legitimate interests

As we mentioned above, this is the most flexible basis for personal data processing. However, when relying on legitimate interests, you need to consider individuals' rights and interests. There are three main actions you should perform before deciding in favour of this basis for data processing:

  • Consider the purpose: are you pursuing a legitimate interest?
  • Be sure about the necessity: can you achieve the purpose without processing personal data?
  • Maintain the balance: does your interest outweigh the interests or rights of the individual? Would individuals reasonably expect such use of their personal data?

For instance, online retailers may process personal data to detect and prevent fraudulent activity on their website. E-commerce companies may process personal data to retain existing customers, such as by offering loyalty programs, and to send marketing communications, such as promotional emails.

Do you have any concerns about whether you can process personal data? Feel free to book a free 20-minute consultation with our data protection lawyer.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.