Lawful Basis For Preparation

Topics to be covered

  • Six lawful bases for processing
  • Personal data
  • Why is the lawful basis important?
  • How to determine the appropriate lawful basis?
  • New purpose
  • Keeping records
  • Special category and criminal offence data
  • Consent
  • Contract
  • Legal obligation
  • Vital interests
  • Public task
  • Legitimate interest
  • Summary
  • Assessment


Six lawful bases for processing personal data

→ you must have a legitimate lawful basis to process personal data.

→ there are six lawful bases that can apply to processing, and no one of them is more important than the others.

→ the basis that should be used will depend on the purpose of processing.

→ most lawful bases require processing to be necessary for a specified purpose.

→ you must know your lawful basis before processing personal data, and you should document it.

→ it is important that you choose the right lawful basis from the start, as you shouldn’t try to change it later on.

Your privacy notice needs to have your lawful basis for processing as well as the purpose of processing.

In processing special category data, you need both a lawful basis and a condition for processing data of this type.

When processing data about criminal offences or convictions, you likewise need both a lawful basis for processing and a condition for processing data of this type.

The six lawful bases are:

  1. Consent
  2. Contract
  3. Legal obligations
  4. Vital interests
  5. Public task
  6. Legitimate interests

Why is the lawful basis important?

Having a lawful basis is important for several reasons:

→ it helps to protect individuals and their data.

→ it ensures that there is a necessary purpose for the processing.

→ it can also determine which rights are available to the individuals whose data is processed.

The first principle requires lawful, fair and transparent processing of data. If you don’t have a lawful basis for your processing, the processing is unlawful and breaches the first principle.

If personal data is processed unlawfully, individuals have the right to have their data erased. Under Articles 13 and 14, organisations holding information about an individual need a lawful basis for the processing, and these details must be included in your privacy notice.

Individuals always have the right to object to the processing of their data for direct marketing, whatever the lawful basis. The remaining rights are not absolute.

The lawful basis may also affect how the provisions on automated decision-making and profiling apply when relying on legitimate interests; you need to include these details in your privacy notice.

How to determine the appropriate lawful basis?

When we decide which lawful basis applies, we must consider the specific purpose of the processing.

You may consider more than one basis, in which case you should begin by identifying them.

You must not take a one-size-fits-all approach; no basis is more important than the others.

To help us decide which basis applies, we should think about:

  • who does the processing benefit?
  • what is the impact of the processing on the data subject?
  • are they vulnerable?
  • is the data subject likely to object?
  • are you able to stop processing at any time upon request?

It is important to get the right lawful basis from the start. More than one basis may apply, because there may be more than one purpose. If so, this must be made clear from the outset.

You should not change the lawful basis once processing begins; however, there may be a time when a genuine change in circumstances occurs.

This may give cause to review the lawful basis you have begun with and change it.

If this happens, you must inform the individual and make a record of the change.

New purpose

Over time our purpose for processing might change. Equally, we may have a new purpose that we hadn’t considered from the start.

This doesn’t necessarily change our lawful basis, so long as the new purpose is compatible with our original purpose.

The same doesn’t apply when our lawful basis is consent.

As the GDPR states, consent must always be specific and informed. This means that if there is a new purpose, we have to obtain consent specifically for that purpose or find a different basis for it.

If you obtain consent for the new purpose, you do not need to show that it is compatible.

When you do need to show compatibility between the original purpose and the new purpose, you must consider:

→ any links between the purposes

→ how the data was collected

→ potential consequences to the data subject

→ if there are appropriate safeguards in place

Even when the processing for a new purpose is lawful, we should still consider whether it is fair and transparent, and give the data subject information about the new purpose.

Keeping records

When deciding which lawful basis applies, you must document the steps you have taken. This means:

→ showing that you have considered which lawful basis applies best to your purpose, and how you came to that decision; this demonstrates that you are complying with the GDPR.

→ making sure that, when you document the steps you have taken, there is enough evidence to show that a lawful basis applies.

This will help you comply with your accountability obligations, and will also help you when writing your privacy notices.

You also need to include information about your lawful basis in your privacy notice. The information you need to give includes:

The purpose of processing personal data

The lawful basis for the processing

This applies whether you obtain the data directly from the data subject or from a third party.

Special category and criminal offence data


The GDPR says that special category data is more sensitive and so requires more protection.

This type of data can create risks to an individual’s rights and freedoms and may expose them to discrimination.

When we process special category data, we need to determine:

→ what the lawful basis will be for processing

→ the special category condition for processing

To show compliance with the GDPR and accountability, we must document both the lawful basis for processing and the special category condition.

When we process data concerning criminal convictions and offences, we need to determine a lawful basis and either official authority or a separate condition for processing.

We must also document both the lawful basis for processing and the condition for processing to show compliance with the GDPR and accountability.

Consent

What is consent?

When we want consent for processing personal data, we are asking for specific permission to use an individual’s personal information for a specific purpose.

Getting consent is important, as it is a lawful basis for processing personal data. It can also allow the use of special category data.

Gaining consent puts the data subject in control of the use of their data. For an organisation, gaining consent builds trust between them and the subject.

However, failing to gain consent from a data subject will harm your relationship with them and may leave you open to large fines.

Valid consent

Consent must be given freely without pressure.

→ this means giving the individual an on-going choice over the use of their personal data.

→ this gives individuals control and builds trust and engagement.

→ consent should be clear and concise and require the individual to actively opt in.

→ consent requests must stand out, be concise and be easy to understand.

It must specifically cover:

→ the controller’s name

→ purposes of the processing

→ types of processing

Providing information before consent

When requesting consent from a data subject, organisations must provide some information.

Some of the information to include is:

→ name of the organisation

→ names of all controllers who will rely on the consent

→ the purposes for which the data will be used

→ state that the data subject can withdraw consent at any time

You must also make sure you give individuals sufficient privacy information to comply with their right to be informed.

Methods for obtaining consent

Today there is an ever-growing number of ways an organisation can gain personal data. This allows them to contact data subjects, and to ask for their consent to process their data. Some of the common methods used to obtain consent include:

  • physically signing a consent form
  • ticking an opt-in box on paper, electronically or online
  • selecting yes or no on paper, electronically or online
  • responding to an email request for consent
  • verbally answering a yes or no request for consent

If the data subject doesn’t respond to a request for consent, you do not have their consent.

Pre-ticked boxes are banned, as they can be misleading and cause confusion.