Six Legal Bases for Processing – GDPR Article 6

The legal bases are covered in GDPR Article 6. In data protection terms a ‘legal basis’ (also referred to as a lawful basis) means the legal justification for the processing of personal data. One or more valid legal bases are required in all cases where personal data are to be lawfully processed in line with data protection law. There is no hierarchy or preferred option within this list; instead, all processing of personal data should be based on the legal basis which is most appropriate in the specific circumstances of that processing. The legal basis also influences which data subject rights apply.

Consent of the individual concerned. Consent of the individual (data subject) means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Contractual obligation between the organisation and the individual. The organisation can rely on this lawful basis if it needs to process someone’s personal data: to deliver a contractual service to them; or because they have asked the organisation to do something before entering into a contract (e.g. provide a quote).

Legal obligation of the organisation. The organisation can rely on this lawful basis if it needs to process the personal data to comply with a common law or statutory obligation. This does not apply to contractual obligations between an organisation and individuals.

Vital interests of the individual. An organisation is likely to be able to rely on vital interests as a lawful basis if it is to protect someone’s life. But it cannot rely on vital interests for health data or other special category data if the individual is capable of giving consent, even if they refuse their consent.

Public interest/public task. An organisation can rely on this lawful basis if it needs to process personal data: ‘in the exercise of official authority’ (this covers public functions and powers that are set out in law); or to perform a specific task in the public interest that is set out in law.

Legitimate interest is the most flexible lawful basis for processing but will not always be the most appropriate. There are three elements to the legitimate interest basis. It helps to think of this as a three-part test. The organisation needs to:
To evaluate the balance between the organisation’s/third party’s interest and the interest of the individual(s) affected, the organisation needs to undertake a Balancing test / LIA (Legitimate Interest Assessment). It must keep a record of this assessment to help it demonstrate compliance if required. Public authorities can only rely on legitimate interests if they are processing for a legitimate reason other than performing their tasks as a public authority/body.
Answer
Your company/organisation can only process personal data in the following circumstances:
Examples
Consent
Your company/organisation offers a music app and asks for citizens’ consent to process their musical preferences in order to suggest tailored songs and possible concerts to them.
Contractual obligation
Legal obligation
Public interest
Vital interests of a person
Your organisation’s legitimate interests
Which of the following is a lawful reason to process personal data?
Necessary to protect the vital interests of a person; necessary for the performance of a task carried out in the public interest; or in the legitimate interests of company/organisation (except where those interests are overridden by the interests or rights and freedoms of the data subject).
How many lawful reasons for processing data are there?
You must have a valid lawful basis in order to process personal data. There are six available lawful bases for processing. No single basis is 'better' or more important than the others – which basis is most appropriate to use will depend on your purpose and relationship with the individual.
What is an example of a lawful basis for processing data?
Example of public interests as a legal basis – data may be processed by government and law enforcement if this activity is to protect the public interests. For example, law enforcement may need to access data in order to prevent criminal activity.
What are the 3 main acts we consider when dealing with personal data?
Accuracy. Storage limitation. Integrity and confidentiality (security).