Course sections

LAWFULNESS OF PROCESSING (Article 6. GDPR), Lecture 1

LAWFULNESS OF PROCESSING (Article 6. GDPR)

This article covers the concept of the lawfulness of processing. What does that mean? Processing the personal data of customers/users (e.g., email address) can be lawful only under certain circumstances that are laid out in Article 6. There are only 6 valid bases for processing personal data: consent, contractual necessity, compliance with legal obligations, vital interests, public interest, legitimate interests.

  1. The data subject has given consent to the processing of his or her personal data for one or more specific purposes

The most relevant valid basis for processing personal data is “consent”. Under Article 6, the “data subject” must give consent for the use of their data. To be more precise – if data is to be used for a purpose other than the consumer originally consented, the “data controller” must determine if this new purpose is appropriate. Relationship between the two uses is the key considerations which include the context that data was acquired and whether or not data safeguards like encryption are in place to protect the consumer. However, under the GDPR, valid consent becomes significantly harder to obtain. It is very important to remember that when consent is chosen for any particular processing activity we need to follow all rules and rights regarding consent.

To have a lawful basis in respect of each processing activity is obligation of organizations.

a) Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract

Contractual necessity remains a lawful basis for processing personal data. “Compliance with legal obligations” remains a lawful basis for processing personal data. Basically, EU may place organizations that are subject to non-EU court orders to disclose data in a difficult position, the relevant aspects is fact that this legal basis is explicitly limited to legal obligations arising out. Necessary does not mean that the processing must be base for the purposes of taking relevant pre-contractual steps or performing a contract. Besides, it must be a targeted and proportionate way of achieving that purpose. If there are other reasonable and less intrusive ways to meet your contractual obligations or take the steps requested this lawful basis does not apply.

The processing must be necessary with this particular person to deliver side of the contract. This lawful basis will not apply if the processing is only necessary to maintain business model more generally, and we should consider another lawful basis, such as legitimate interests.

b) Processing is necessary for compliance with a legal obligation to which the controller is subject

 If we are processing on the basis of legal obligation, the individual has no right to erasure, right to data portability, or right to object. The controller is obliged to process personal data for a legal obligation. Basically, as long as the application of the law is foreseeable to those individuals subject it does not have to be an explicit statutory obligation. Briefly, it includes clear common law obligations. The point is that overall purpose must be to comply with a legal obligation which has a sufficiently clear basis in either common law or statute. This does not mean that there must be a legal obligation specifically requiring the specific processing activity.

c) Processing is necessary in order to protect the vital interests of the data subject or of another natural person

Under the GDPR, the vital interests processing condition can extend to other individuals (e.g., children of the data subject). Vital interests can now provide a basis for processing, not just those of the data subject themselves.  To identify if you have any ongoing processing for this reason or are likely to need to process for this reason in future you need to review your existing processing. You should then document where you rely on this basis and inform individuals if relevant. In such a way, this lawful basis generally only applies to matters of life and death and is very limited in its scope. In case that the individual is incapable of giving consent to the processing, personal data when you need to can be processed for medical purposes and for emergency medical care. Another lawful basis such as public task or legitimate interests is likely to be more appropriate in this case

d) Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

Public interest remains a lawful basis for processing personal data. Note also that processing carried out on this basis may be subject to objections from data subjects. It is most relevant to public authorities, but it can apply to any organisation that exercises official authority or carries out tasks in the public interest. The processing must be necessary. This lawful basis does not apply if you could reasonably perform your tasks or exercise your powers in a less intrusive way. To help you demonstrate compliance if required, document your decision to rely on this basis. You should be able to specify the relevant task, function or power, and identify its statutory or common law basis. There is no additional public interest test if you can show you are exercising official authority, including use of discretionary powers. But, you must be able to demonstrate that the processing is ‘necessary’ for that purpose. ‘Necessary’ means that the processing must be a targeted and proportionate way of achieving your purpose. If there is another reasonable and less intrusive way to achieve the same result you do not have a lawful basis for processing.

The term ‘public task’ in this guide we use to help describe and label this lawful basis. Anywise, this is not a term used in the GDPR itself. Focus of the above should be on demonstrating either that you are carrying out a task in the public interest, or that you are exercising official authority.

e) Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child

Legitimate interests remain a lawful basis for processing personal data. Note also that processing carried out on this basis may be subject to objections from data subjects. Parental permission is required to process the personal data of children (and note that a child is anyone under the age of 16). In some contexts (especially online) proving that parental permission has been obtained may be difficult. The GDPR is clearer that you must give particular weight to protecting children’s data.

Legitimate interests are the most flexible lawful basis for processing, but you cannot assume it will always be the most appropriate. It is likely to be most appropriate where you use people’s data in ways they would reasonably expect, and which have a minimal privacy impact, or where there is a compelling justification for the processing. You are taking on extra responsibility for considering and protecting people’s rights and interests if you choose to rely on legitimate interests. You must tell people in your privacy information that you are relying on legitimate interests and explain what these interests are. If you want to process the personal data for a new purpose, you may be able to continue processing under legitimate interests as long as your new purpose is compatible with your original purpose.