Which of the following is a lawful reason to process personal data? select all that apply.

Six Legal Bases for Processing – GDPR Article 6

The legal bases are covered in GDPR Article 6. In data protection terms a ‘legal basis’ (also referred to as a lawful basis) means the legal justification for the processing of personal data. One or more valid legal bases are required in every case where personal data are to be lawfully processed in line with data protection law. There is no hierarchy or preferred option within this list; instead, all processing of personal data should be based on the legal basis which is most appropriate in the specific circumstances of that processing. The legal basis also influences which data subject rights apply.

Consent of the individual concerned. Consent of the individual (data subject) means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Contractual obligation between the organisation and the individual. The organisation can rely on this lawful basis if it needs to process someone’s personal data: to deliver a contractual service to them; or because they have asked the organisation to do something before entering into a contract (e.g. provide a quote).

Legal obligation of the organisation. The organisation can rely on this lawful basis if it needs to process the personal data to comply with a common law or statutory obligation. This does not apply to contractual obligations between an organisation and individuals.

Vital interests of the individual. An organisation is likely to be able to rely on vital interests as a lawful basis if the processing is needed to protect someone’s life. But it cannot rely on vital interests for health data or other special category data if the individual is capable of giving consent, even if they refuse their consent.

Public interest/public task. An organisation can rely on this lawful basis if it needs to process personal data either ‘in the exercise of official authority’ (this covers public functions and powers that are set out in law) or to perform a specific task in the public interest that is set out in law.

Legitimate interest is the most flexible lawful basis for processing but will not always be the most appropriate.

There are three elements to the legitimate interest basis. It helps to think of this as a three-part test. The organisation needs to:

  • identify a legitimate interest. The interest needs to be identified specifically. Common examples are health & safety; protecting property; fraud or crime prevention; network and information security; etc. Note: You must include details of your legitimate interests in your privacy information.
  • show that the processing is necessary and proportionate to achieve the purpose identified above.
  • balance the organisation’s interest against the individual’s interests, rights and freedoms. The legitimate interests can be the organisation’s own interests or the interests of third parties. They can include commercial interests, individual interests, or broader societal benefits.

To evaluate the balance between the organisation’s/third party’s interest and the interests of the individual(s) affected, the organisation needs to undertake a balancing test / LIA (Legitimate Interest Assessment). It must keep a record of this assessment to help demonstrate compliance if required.

Public authorities can only rely on legitimate interests if they are processing for a legitimate reason other than performing their tasks as a public authority/body.


Answer

Your company/organisation can only process personal data in the following circumstances:

  • with the consent of the individuals concerned;
  • where there is a contractual obligation (a contract between your company/organisation and a client);
  • to meet a legal obligation under EU or national legislation;
  • where processing is necessary for the performance of a task carried out in the public interest under EU or national legislation;
  • to protect the vital interests of an individual;
  • for your organisation’s legitimate interests, but only after having checked that the fundamental rights and freedoms of the person whose data you’re processing aren’t seriously impacted. If the person’s rights override your interests, then processing cannot be carried out based on legitimate interest. Whether your company/organisation’s legitimate interest in processing overrides the interests of the persons concerned depends on the individual circumstances of the case.

Examples

Consent

Your company/organisation offers a music app and asks for citizens’ consent to process their musical preferences in order to suggest tailored songs and possible concerts to them.

Contractual obligation
Your company/organisation sells goods online. It can process data that is necessary to take steps at the request of the individual prior to entering into the contract and for the performance of the contract. So it can process the name, delivery address, credit card number (if payment is by card), etc.

Legal obligation
You own a company with employees. In order to obtain social security cover, the law obliges you to provide personal data (for example weekly income of your employees) to the relevant authority.

Public interest
A professional association such as a bar association or a chamber of medical professionals vested with an official authority to do so may carry out disciplinary procedures against some of its members.

Vital interests of a person
A hospital is treating a patient after a serious road accident; the hospital doesn't need his consent to search for his ID to check whether that person exists in the hospital's database to find previous medical history or to contact his next of kin.

Your organisation’s legitimate interests
Your company/organisation ensures its network security by monitoring the use of its employees’ IT devices. Your company/organisation may legitimately process personal data for that purpose, only if the least intrusive method is chosen as regards the privacy and data protection rights of your employees, for example, by limiting the accessibility of certain websites. (Note that this can’t be done in EU Member States where national law sets out stricter rules for processing in the employment context).

References

  • Article 6 and Recitals (40) to (49) of the GDPR
  • Article 29 Working Party Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/E

Which of the following is a lawful reason to process personal data?

Necessary to protect the vital interests of a person; necessary for the performance of a task carried out in the public interest; or in the legitimate interests of the company/organisation (except where those interests are overridden by the interests or rights and freedoms of the data subject).

How many lawful reasons for processing data are there?

You must have a valid lawful basis in order to process personal data. There are six available lawful bases for processing. No single basis is 'better' or more important than the others – which basis is most appropriate to use will depend on your purpose and relationship with the individual.

What is an example of a lawful basis for processing data?

Example of public interest as a legal basis: data may be processed by government and law enforcement if the activity is to protect the public interest. For example, law enforcement may need to access data in order to prevent criminal activity.

What are the 3 main acts we consider when dealing with personal data?

Accuracy; storage limitation; integrity and confidentiality (security).