On its entry into force, the GDPR would make reliance on data subjects' consents inappropriate for many personal data processing activities. A practical tip to self-test current consents: if it seems difficult for a controller to obtain a valid consent, perhaps there is another legal ground that should apply. When implementing a GDPR compliance strategy, it is of high importance to know the legal grounds for lawful processing but also what their context is.
- Contractual performance
Personal data processing would be lawful, if it is necessary either for the performance of a contract to which the data subject is a party or to act at the request of the data subject prior to entering into such contract. This would be the case where a customer is ordering a product or a service through the Internet and the processing of his or her name, address and credit card details is required for the delivery and payment. Where a third party performs the delivery, it would be appropriate to inform the data subject about, among others, that third party's identity (in line with the right to be informed, previously discussed). This legal basis generally remains unchanged under the GDPR.
- Legal obligation
Pursuant to Article 6, par. 1, it. (c) of the GDPR, data controllers may process personal data to comply with a legal obligation to which they are subject. The obligation must be imposed by law (i.e. the laws of the European Union or of a Member State). Obligations stemming from a third country law do not qualify as a "legal obligation" within the meaning of Article 6 of the GDPR. It should be the law and not the controller to determine the type of personal data, which are subject to the processing, the data subjects concerned, the entities to which the personal data may be disclosed, the purpose limitations, the storage period and other measures to ensure lawful and fair processing.
- Protection of the vital interests of the data subject or of another natural person
The GDPR stipulates that processing will be lawful where it is necessary to protect the vital interests of the data subject or of another individual. The term "vital interests" implies that such legal basis should be applied only in exceptional circumstances where the life or health of the data subject or that of another natural person needs protection. Recital 46 of the GDPR provides some examples: "for humanitarian purposes, including for monitoring epidemics and their spread or in situations of humanitarian emergencies, in particular in situations of natural and man-made disasters".
- A task carried out in the public interest or in the exercise of official authority
Personal data may be processed for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The GDPR leaves to the EU or Member State national law to determine whether the controller performing a task carried out in the public interest or in the exercise of official authority should be a public authority or another natural or legal person governed by public law, or, where it is in the public interest to do so, including for health purposes, by private law, such as a professional association. Companies may not themselves consider that they are performing a task in public interest unless such task is conferred to them by law.
This legal basis may also apply where the controller is disclosing personal data to a third party which is vested with an official authority (for example to report theft, fraud or other crime to the police).
- Legitimate interests of the controller
Under Article 6, par. 1 (f) of the GDPR, processing would be permitted for the purposes of the controller's or third party's legitimate interests, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require protection of personal data, in particular where the data subject is a child.
According to the Article 29 Working Party a "legitimate interest" is a clearly articulated, real and present (i.e. not too vague or speculative) stake that the company has when processing personal data. Moreover, such interest must be lawful, i.e. compliant with the applicable EU and national law.
After a legitimate interest is clearly defined, the balancing test between such interests and the interests or fundamental rights and freedoms of the data subject must be performed. The GDPR stipulates that "the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place... interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing" (emphasis added).
Additional criteria when performing the balancing test might be:
- the type and amount of personal data processed;
- the nature of the processing activities (e.g. strictly internal use with limited access or disclosed publicly);
- the impact (of any kind, e.g. material, emotional etc.) of the processing and the likelihood of the risks (if any) on individuals' interests and rights, and
- whether the controller's interest is of a compelling nature; where such interest is minor or not very compelling, it may override the rights and freedoms of data subjects only if the impact of the processing would be even more trivial.
For example, analysis of trends in clients' activities and conducting promotional campaigns based on the results (e.g. discount price offers sent by traditional mail or e-mail) may serve a legitimate interest of the controller (better customer service) and might not constitute an excessive intrusion in the individuals' privacy, given the potential benefits for them. However, the same scenario may lead to the opposite conclusion, if the amount or type of personal data processed is disproportionate and is being processed in a non-transparent manner and without any additional safeguards like a user-friendly procedure for objecting to such processing, data pseudonymisation or similar.
Finally, processing on the basis of legitimate interests imposes obligation on controllers to inform the data subjects of the pursued interests and entitles data subjects to object to the processing (you can find more details on individuals' rights under the GDPR in our article "Rights of Data Subjects under the GDPR").
As mentioned in Section 5 above, sometimes the legitimate interests test might lead to open-ended interpretations, where a fine line separates the justified from unjustified processing. Thus, it will become critical for data controllers to achieve an efficient and safe balance among the lawful grounds for processing and to consider obtaining data subjects' consents when necessary for them to stay on the safe side.
Under the GDPR, situations would arise where a data controller would have to rely on several legal grounds for processing of personal data related to one single data subject. For example, an employer may have legal obligations to report certain personal data to the social security authorities. That very same data might be necessary for the performance of the employment agreement (payment of salary, etc.). Further, the employer's overriding legitimate interests might justify CCTV surveillance or monitoring of the employee's online activities at work. Sharing employee's personal data in a company journal or bulletin may require that employee's consent.
Businesses should have and keep at all times a clear picture of all processing activities taking place within the company and be able to define unambiguously the legal basis for each of them. Any unlawful processing (i.e. where no legal ground, including consent, is applicable) must be suspended, analysed and eventually terminated, as appropriate.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.