Under the General Data Protection Regulation (GDPR), a controller must determine the legal basis for each purpose of the data processing operations carried out under its responsibility (i.e. data processing carried out either by itself or by its processor).
The different legal bases for processing personal data are laid down in article 6 GDPR and include, among others, consent, legitimate interest, the performance of a contract and compliance with a legal obligation.
However, where special categories of data and/or data about criminal convictions are processed, controllers must pick an additional legal basis among those laid down in articles 9 or 10 GDPR.
Not considering the legal basis of processing beforehand may lead to various breaches of the GDPR and, in particular, to breaches of individuals’ rights.
1. Why determine the legal bases of data processing activities?
The main reason for determining the legal basis of data processing activities is that personal data must be processed lawfully (see the privacy principle here). That means each processing purpose must rely on a legal basis provided for in the GDPR to be lawful. A lack of legal basis is sanctioned by a fine of up to 4% of the controller’s global annual turnover.
Beyond the risk of unlawful processing, it is important to determine the legal basis of a data processing activity for, among others, the following reasons:
– The GDPR requires the legal basis of each processing purpose to be set out in the privacy notice provided to individuals (see articles 13 and 14 GDPR).
– The rights of individuals apply differently depending on the legal basis of the purpose(s) for which personal data are processed (e.g. it is only possible to withdraw consent where the processing is based on consent, or to object where the processing is based on legitimate interest or a public interest, etc.).
2. What are the different legal bases?
The controller must determine the legal basis for each purpose of data processing even when the same set of personal data is used for different purposes (i.e. one legal basis per purpose).
The legal bases for processing personal data are set out in article 6 GDPR.
However, where the processing concerns special categories of data or data relating to criminal convictions, articles 9 and 10 GDPR apply respectively. These two articles are much more restrictive and may be further detailed by national law (see 2.2 and 2.3 below).
2.1. Legal bases for processing personal data
Consent
Consent must be informed, specific, freely given and unambiguous. (i) The risk when relying on consent is that data subjects may withdraw their consent at any time. Therefore, controllers should rely on consent where no other legal basis applies or where required by another applicable law (e.g. direct marketing email). (ii) Where there is an unbalanced relationship between the individuals and the controller (e.g. an employment relationship), consent may not be valid as it may not be considered freely given. (iii) Consent should not be conditional on the provision of another service, nor confused with the consent to an agreement, which may be another legal basis for processing (see below). (iv) A specific consent is necessary for each processing purpose relying on this legal basis. Bundled consent is, therefore, not valid. (v) Furthermore, where the processing of personal data is unlawful or in breach of other data protection principles such as proportionality, obtaining individuals' consent does not necessarily make this processing of personal data lawful (for more details about consent, read the article relating to consent here).
Legitimate interest
This legal basis is about the legitimate interest pursued by the controller or by a third party. (i) Legitimate interest is often used to justify data processing activities relating to HR or marketing activities (e.g. profiling, monitoring of employees' activities, etc.). However, the interests pursued by the controller must not be overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular when the data subject is a child. (ii) Therefore, a balancing test must be carried out and, in some cases, additional safeguards such as an easy way to opt out or making the collection of data optional may be necessary.
If, as a result of the balancing test and despite any additional safeguards in place, such processing remains a threat to the rights and freedoms of individuals, the applicable legal basis should be the individual’s consent. Though not explicitly required under the GDPR, the authorities expect the controller to keep a record of the balancing test it has carried out (i.e. an analysis taking into consideration the expectations of people, the impact on their privacy, the risks, etc.).
Performance of a contract
Processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract. Controllers should not confuse this legal basis with consent (see above), as the former applies to any processing activity necessary to perform a contract to which the data subject has agreed (i.e. the consent to terms and conditions or to any other kind of agreement). This legal basis typically applies to the processing of data collected to carry out an online sale (e.g. billing, delivery, etc.). However, including terms in a contract that would not normally be a provision thereof, in order to make a processing of personal data contractually binding, does not necessarily make the “contractual basis” applicable/valid (e.g. including provisions in T&C for profiling that is not necessary to the provision of the service, etc.). Furthermore, this legal basis also covers steps taken at the request of the data subject prior to entering into a contract. It includes, for example, any question individuals may ask about a product via a contact form.
Compliance with a legal obligation
This legal basis is applicable to processing activities necessary for compliance with a legal obligation to which the controller is subject (e.g. employment law, anti-money laundering, online communication regulation, etc.). For example, when hiring an employee, the employer is often required by law to process the social security number / national insurance number as well as any tax ID for paying taxes and national insurance.
Below are listed the less usual legal bases on which a controller may rely for processing personal data:
– (Processing is necessary in order) to protect the vital interests of the data subject or of another natural person (e.g. emergency call, etc.).
– (Processing is necessary for) the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. Relying on this legal basis requires the controller to refer to national law, which may set out in more detail which processing activities are in the public interest (e.g. journalism, etc.).
2.2. Legal bases for processing special categories of data (“sensitive data”)
Special categories of personal data are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
Their processing is, in principle, prohibited unless the controller relies on one of the legal bases set out in article 9 GDPR, as further detailed in each Member State's law where necessary.
If both personal data and sensitive data are processed for the same purpose, the controller should pick a legal basis set out in article 6 for the processing of personal data and another legal basis set out in article 9 for the processing of the special categories of data. If no legal basis under article 9 (or as provided for in national law) is applicable to the purpose for which special categories of data are processed, then the controller should consider not processing any special categories of data for such purpose.
The legal bases on which commercial companies usually rely are as follows:
– the data subject has given explicit consent (which must not be confused with consent to the processing of non-sensitive data);
– processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement;
– the processing relates to personal data which are manifestly made public by the data subject. More details about when data is considered as manifestly made public would be helpful;
– processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
– processing is necessary for reasons of substantial public interest. “Public interest” is defined by each Member State and may differ greatly from one to another. However, it often covers journalism and artistic exemptions.
2.3. Processing data relating to criminal convictions or other security measures (“criminal data”)
Criminal data may be processed in accordance with article 10 GDPR, which provides that processing of criminal data based on Article 6 GDPR “shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects.” Furthermore, any comprehensive register of criminal convictions shall be kept only under the control of the official authority.
These provisions, whilst quite restrictive, leave a large margin of manoeuvre to each Member State. Therefore, the legal framework may differ greatly from one Member State to another.
In practice, the controller must ensure that the purpose of processing relies on a legal basis laid down in article 6 GDPR and, if it is not an official authority, it must also ensure that such processing of personal data is allowed by national law.
In this regard, such authorisation is not always provided for in national data protection law and may be found in other kinds of laws such as money laundering regulation, banking regulation, etc.