Lawful basis


In order for personal data to be processed lawfully, it must be processed under a specific lawful basis. Personal data may only be processed if at least one of the following applies:

  • The data subject has provided consent for the processing of the personal data for specific purposes
  • The processing is necessary for the performance of a contract to which the data subject is party (or to take steps to move towards such a contract)
  • The processing is necessary for compliance with a legal obligation
  • The processing is required in order to protect the vital interests of the data subject
  • The processing is necessary to perform a task in the public interest
  • The processing is necessary for the purposes of the legitimate interests of the controller (or a third party), except where those interests are overridden by the interests or fundamental rights of the data subject.

Where the data being processed is sensitive personal data (special category data), a lawful basis on its own is not enough: an additional condition for processing special category data must also be met in order to justify the processing.

Consent

Data protection consent is provided by a data subject as a means of granting the organisation permission to carry out a specific processing activity. It provides the greatest level of control to the data subject, but is arguably the most difficult of the lawful bases to manage operationally. The organisation must be able to demonstrate that it has obtained the consent of the data subject, so records must be maintained of when consent is obtained and when it is withdrawn.

For consent to be valid it must be:

  • Specific and informed, so the data subject must know what they are consenting to and the consequences of their consent. It should not be vaguely worded so as to allow wider processing than the data subject agreed to.
  • Freely given, so consent should be avoided in situations where the data controller has a level of power over the data subject (e.g. in employment situations).
  • Evidenced through an affirmative action. A pre-ticked box that the data subject must untick to avoid marketing would not be valid consent, because the affirmative action is needed to refuse rather than to agree.
  • As easy to withdraw as it was to give in the first place.

Data protection consent should not be confused with other forms of consent; for example, consent to undergo a clinical procedure is not the same as consent to process personal data.
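The record-keeping requirement above (consent that is specific per purpose, evidenced by an affirmative action, and as easy to withdraw as to give) maps naturally onto an append-only consent ledger. The following is an added illustration written for this page, not ProvePrivacy code; the class and field names, and the sample subject and purpose identifiers, are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


def ts(year: int, month: int, day: int) -> datetime:
    """UTC timestamp helper for the constructed sample data below."""
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass(frozen=True)
class ConsentEvent:
    """One immutable entry in the consent audit trail (hypothetical schema)."""
    subject_id: str
    purpose: str                    # one specific purpose, e.g. "email_marketing"
    action: str                     # "given" or "withdrawn"
    at: datetime                    # when the event happened (UTC)
    notice_version: Optional[str]   # privacy notice the subject saw ("informed")
    mechanism: str                  # how it was captured, e.g. "checkbox_ticked"


class ConsentLedger:
    """Append-only record of consent given and withdrawn, per subject and purpose.

    Events are never edited or deleted, so the organisation can show what the
    data subject agreed to, when, and under which privacy notice. Withdrawal is
    a single call, exactly like giving consent.
    """

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record_given(self, subject_id: str, purpose: str, notice_version: str,
                     mechanism: str, affirmative: bool,
                     at: Optional[datetime] = None) -> ConsentEvent:
        # A pre-ticked box or silence is not an affirmative action, so it must
        # never be written to the ledger as consent.
        if not affirmative:
            raise ValueError("consent requires an affirmative action by the data subject")
        # Consent must be for a specific purpose; refuse blanket consent.
        if not purpose or purpose == "*":
            raise ValueError("consent must be given for a specific purpose")
        event = ConsentEvent(subject_id, purpose, "given",
                             at or datetime.now(timezone.utc), notice_version, mechanism)
        self._events.append(event)
        return event

    def record_withdrawn(self, subject_id: str, purpose: str,
                         mechanism: str = "preference_centre",
                         at: Optional[datetime] = None) -> ConsentEvent:
        # Withdrawal needs no justification and no notice version; it is simply logged.
        event = ConsentEvent(subject_id, purpose, "withdrawn",
                             at or datetime.now(timezone.utc), None, mechanism)
        self._events.append(event)
        return event

    def has_valid_consent(self, subject_id: str, purpose: str,
                          at: Optional[datetime] = None) -> bool:
        """True only if the latest event for this subject and purpose, at or
        before `at`, is a 'given'. No event at all means no consent."""
        when = at or datetime.now(timezone.utc)
        latest: Optional[ConsentEvent] = None
        for e in self._events:
            if e.subject_id == subject_id and e.purpose == purpose and e.at <= when:
                # On equal timestamps the later-appended event wins.
                if latest is None or e.at >= latest.at:
                    latest = e
        return latest is not None and latest.action == "given"

    def audit_trail(self, subject_id: str) -> List[ConsentEvent]:
        """Everything recorded for one data subject, for a subject access request or an audit."""
        return [e for e in self._events if e.subject_id == subject_id]


if __name__ == "__main__":
    # Constructed sample data: one subject opts in to marketing, later withdraws.
    ledger = ConsentLedger()
    ledger.record_given("subject-0001", "email_marketing", "privacy-notice-v3",
                        "checkbox_ticked", affirmative=True, at=ts(2024, 1, 10))
    ledger.record_withdrawn("subject-0001", "email_marketing", at=ts(2024, 2, 1))
    for purpose in ("email_marketing", "profiling"):
        print(purpose, ledger.has_valid_consent("subject-0001", purpose, at=ts(2024, 1, 20)))
    for e in ledger.audit_trail("subject-0001"):
        print(e)
```

The processing code should call `has_valid_consent` for the exact purpose it is about to carry out, rather than checking a single "consented" flag on the customer record; a flag cannot show which purposes were agreed to, under which notice, or whether consent had already been withdrawn at the time the processing ran.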

Contract

The contract lawful basis allows us to process personal data if we need it to enter into or perform a contract with the data subject. For example, we may need to collect an individual's address in order to post goods to them, or we may collect multiple items of personal data in order to provide contractual benefits to an employee.

Legal Obligation

The legal obligation lawful basis allows us to process personal data if there is a legal obligation to do so. For example, a bank might collect identity information or source-of-funds information to satisfy its legal obligation to evidence anti-money laundering requirements, and employers provide information to tax authorities as a legal obligation. When we identify that an activity is being performed under a legal obligation, it is good practice to record which obligation applies and why.

Vital Interest

The vital interest lawful basis allows us to process personal data where the processing is necessary to protect someone's life, and it is generally only appropriate where consent cannot be obtained from the individual. This might include where personal data is required in order to preserve the life of the data subject, such as in a hospital where the data subject is unconscious.

Public Interest

The public interest lawful basis allows us to process personal data if the processing is necessary to perform a public task or is otherwise in the public interest. It is most commonly used by public services and in journalism. Relying on public interest needs justification, so when we identify that an activity is being performed in the public interest it is good practice to record the reason too.

Legitimate Interest

Legitimate interest is the most flexible lawful basis, and organisations often fall back on it when no other lawful basis applies. It gives the organisation a good level of control, but it rests on the expectation that the data subject would not object to the processing, and that expectation has to be tested rather than assumed. An assessment must take place to determine whether the processing is necessary in order to achieve its stated purpose, and that purpose must be balanced against the rights and reasonable expectations of the data subject.

If you are relying on legitimate interest, a number of things will be important to you.

  • Firstly, before processing the personal data you must establish and evidence that you have a compelling legitimate interest by completing a legitimate interest assessment (LIA).
  • Secondly, if your LIA is successful you must also inform the data subject within your privacy notice that the processing is taking place in your legitimate interest.
  • Finally, you should have a plan for how you will respond if and when a data subject were to exercise their right to object to the processing.

The response is likely to differ from process to process; for example, a marketing activity would normally be halted if an objection is received, whereas an activity to reclaim unpaid fees is unlikely to be halted.

How can ProvePrivacy Help?

ProvePrivacy’s RoPA module includes a Lawful Basis Assessment, which allows users to review whether an activity has an appropriate lawful basis. It allows a user to record where consent is evidenced and the justification for public interest or legal obligation tasks, and it also includes a Legitimate Interest Assessment. This in turn highlights any associated risks.
