GDPR in Context: The 6 Legal Bases for Processing
GDPR outlines six scenarios in which data processing is legally permitted. Unless the organization can show that the processing activity fits within one or more of these scenarios, then it is deemed to be unlawful to process the personal data.
As such, the six legal bases for data processing are:
1. The data subject has given consent to the processing of his/her personal data for one or more specific purposes.
The data subject(s) has consented to the processing activity. GDPR states it must be freely-given, specific, informed and unambiguous – given by a statement or a clear, affirmative action. Data subjects must be able to refuse or withdraw consent without penalty. Furthermore, there must not be an imbalance between the parties i.e. employee/employer relationship.
A good example here is when you sign up for marketing emails. By ticking that you agree to receive those emails, you are agreeing to allow that company / its processor to use your data for outreach and marketing purposes. By unsubscribing, you revoke that consent.
Financial institutions should not rely on consent for anything other than direct marketing or automated decision making/profiling purposes. Regular, finance-related processing activities should be covered by other legal bases.
2. Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
Such processing is necessary in order to enter into or perform a contract with the data subject. For example, any processing that takes place in order to kick-off a possible contract at the behest of the individual falls under this category, as well as any processing carried out during the contractual period – so long as it relates to the terms of the contract. Anything outside of that will have to be covered by any alternative legal basis.
For example, filling in an account opening form at an investment bank counts as pre-contractual processing and processing transactional information during the term of your contract is also covered. But the service provider also wants to take your details so they can offer you additional products and services as part of marketing outreach, they must obtain your consent first.
3. Processing is necessary for compliance with a legal obligation to which the controller is subject.
The controller has a legal obligation to perform the processing but this only applies to EU or Member State law. That last part is crucial.
Take ABC Bank DAC – a retail bank that needs to process lots of your information because you want to take out a mortgage with them. ABC Bank has a legal obligation to carry out Know Your Customer (KYC) due diligence on you, and they also have to share your information with the national credit register. That legal obligation is rooted in European and Irish law, so they can rely on this legal basis for processing.
Now consider XYZ Bank LLC, a US bank who is opening an investment account for you in the United States – assuming you are resident in the European Union. They also have a legal obligation to carry out KYC due diligence and have several other regulatory obligations to meet under Federal or State law, but they are also in-scope for GDPR. They cannot rely on a legal obligation as a condition for processing. Instead, they should rely on Legitimate Interest, which we will come to in a bit.
4. Processing is necessary in order to protect the vital interests of the data subject.
The processing activity must be absolutely necessary e.g. life or death situations, and used as a last resort. This will most likely be used by the health industry, though data controllers can’t rely on this as a condition for processing if the data subject is able to consent.
This will apply mainly to emergency medical care. Imagine someone has been in a horrific accident, and admitted to the local A&E in a comatosed state for treatment. The hospital has a right to process that person’s medical history and health data in order to provide potentially lifesaving treatment.
Article 29 Working Party (a European Union advisory body who have written guidance papers on GDPR) have also suggested that this would be used in case of epidemics or for humanitarian care during a large-scale disaster.
5. Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
This condition allows for processing of data by public authorities and other bodies that exercise “official authority” and the activity must have a clear basis in domestic or European law. The processing must also be absolutely necessary, so if there is an easier route to achieving the goals of the public body, they should do that instead. They must be very specific about what the activity is, why they are carrying out that processing and how.
Examples could include a water services company or a national identity card.
6. Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
This will be the fallback option for most controllers as it is generally the most flexible option. In order to rely on this, controllers will have to identify the legitimate interest (legitimate being the operative term here), show that the processing is necessary for that purpose and then demonstrate that it doesn’t infringe upon the rights and freedoms of the data subjects in question. If those rights and freedoms are impacted in some way, the controller must justify the processing activity.
The fictional US bank referred to earlier, XYZ Bank LLC, could rely on Legitimate Interest for their KYC obligation. An employer might rely on this condition when recording calls for “training and monitoring purposes”. A business might rely on this when installing CCTV on their property. The list is endless.
In the next blog of our GDPR in Context series, we will look at the “Principles of Data Protection”.