There are six lawful grounds for processing under the EU General Data Protection Regulation ("GDPR"):
- Consent of the individual
- Contract necessity – processing necessary to perform a contract with the individual, or to take steps at their request towards entering into one
- Legitimate interests
- Public task – performance of a task carried out in the public interest, or to exercise official authority (typically used by public sector bodies)
- Legal obligation – processing necessary to comply with a legal obligation, such as a legal requirement to conduct identity checks
- Vital interests – protecting the vital interests of an individual (generally limited to medical intervention in 'life or death' situations)
For consent, legitimate interests and contract, some of the complexities are discussed below.
If relying on consent from an individual to process their personal data, the request must be offered as a genuinely free and fully informed choice, otherwise it won't be valid. It is worth noting:
- an imbalance of power between the requesting organisation and the data subject (e.g. between an employer and employee) will indicate that consent has not been 'freely given';
- consent is neither 'fully informed' nor valid unless sufficient information about the consequences of consenting is provided, typically in a privacy notice;
- individuals must be able to withdraw their consent at any time without penalty. A withdrawal request requires the organisation to stop processing the data without delay. If this prevents the organisation from being able to provide agreed services to that individual, 'Contract necessity' (discussed below) may be a more appropriate ground; and
- organisations should ensure their IT systems and organisational processes are sophisticated enough to comply with consent requirements. For instance, consider how consent is evidenced and how quickly and easily a withdrawal request can be complied with.
If in doubt, organisations should actively explore alternative processing grounds to avoid consent's stringent requirements.
Legitimate interests is available when your organisation has an identifiable business interest in processing personal data, such as improving customer services, provided that the individual's interests do not override your organisation's interests. The regulator recommends undertaking and recording a legitimate interests balancing assessment (or "LIA") to demonstrate compliance; accountability is a legal obligation under the GDPR.
If an individual objects to their data being processed, there is likely to be an overriding interest to take account of.
Public sector bodies, and in particular organisations processing children's data or carrying out electronic marketing, should be aware that there are restrictions on using this ground and that additional conditions apply under related laws and guidance.
Is it absolutely necessary that your organisation process certain personal data to fulfil a service (or provide a product) under a contract with the data subject? The key factor here is 'necessity'. In May 2019 the European Data Protection Board (EDPB) issued draft Guidelines which make clear that necessity under the 'Contract necessity' ground should be judged objectively – it requires that "the service could not be provided and the contract could not be performed" without the personal data at issue. "If there are realistic, less intrusive alternatives, the processing is not 'necessary'". In addition, a legally valid contract must exist (or necessary steps must have been undertaken towards one) with the individual. The contract must therefore comply with national laws, such as the fairness of terms requirements in consumer contracts. The ability to apply this ground is consequently quite limited. Activities unlikely to meet the threshold in the EDPB's view were:
- behavioural advertising – even where these ads indirectly finance the service;
- service improvements or developing new functions;
- fraud prevention; and
- content personalisation – unless fundamentally the service is to provide personalised content.
Stating in a contract that the service is conditional on personal data being processed will not be sufficient to prove necessity.
If personal data concerns race/ethnicity, political, religious/philosophical views, trade union membership, genetic/biometric data, health or sex life/orientation, your organisation must meet additional processing conditions under Article 9 GDPR and the Data Protection Act 2018, and not all of the above processing grounds are available.
How we can help
We offer a full suite of data protection compliance services (including expert advice, access to resources, data breach support, training and audits).
Contact our data protection specialists to discuss how we can help your organisation achieve good data governance while maximising opportunities.