GDPR Lawful Basis: Legal Obligation

If you have customers or users in the European Union, you must have a "lawful basis for processing" under the General Data Protection Regulation (GDPR).

Having a valid lawful basis is a core requirement under the GDPR. You must carefully consider your lawful basis every time you collect, use, erase, or share EU consumers' personal information.

Most organizations will need to rely on the lawful basis of "legal obligation" for certain uses of personal information. In this article, we'll help you understand when "legal obligation" applies, when it doesn't apply, and how to explain your use of this lawful basis in your Privacy Policy.

The GDPR's Lawful Basis for Processing

Let's start with a quick explanation of the GDPR's concept of a "lawful basis for processing."

What is a lawful basis for processing?

The GDPR protects "personal information" ("personal data"), meaning any information relating to an identifiable person. This could mean anything from a person's name, their credit card number, to their internet browsing history.

"Processing" personal information means doing something to or with personal information. For example, collecting it, sharing it, storing it or deleting it.

People in the EU have a fundamental right to privacy. Under EU law, it's illegal to process personal information unless you have a good reason for doing so. This "good reason" for processing personal information is known as a "lawful basis for processing."

What are the lawful bases?

Article 6 (1) of the GDPR cites six lawful bases for processing:

Along with legal obligation, the lawful bases include "consent" (you ask a person if you can process their personal information) and "contract" (you need to process personal information to fulfill contractual obligations or enter into a contract).

There are some general principles for choosing a lawful basis. For example:

• If you need to process personal information to comply with the law, choose "legal obligation"
• If you can offer someone a genuine, free choice as to whether to process their personal information, "consent" may be appropriate
• If it is in your interests to process someone's personal information, and the person's right to privacy doesn't outweigh your interests, "legitimate interests" may be appropriate

What if you don't have a lawful basis for processing?

Before you process personal information, you must establish a lawful basis unless the processing is covered by one of the GDPR's very narrow exemptions.

If you can't establish a lawful basis, you shouldn't process personal information.

Processing personal information without a valid lawful basis can lead to the highest fines available under the GDPR: up to 4% of annual worldwide turnover, or €20 million (whichever is higher).

Legal Obligation FAQs

Article 6 (1) (c) of the GDPR states that you may process personal information if it is: "necessary for compliance with a legal obligation to which the controller is subject."

This means that you can process someone's personal information if you need to do so in order to comply with the law.

What are the relevant laws?

There doesn't necessarily have to be a specific law dictating that you process personal information in a given way. But there has to be a particular law dictating that you do (or don't do) something, and processing personal information must be the only way of doing it.

What about contract law?

You can only rely on law originating from a statute or legal decision (sometimes known as the "common law"). For obligations under contract law, you may be able to rely on the lawful basis of "contract" instead.

What about non-EU law?

The relevant law must be a law of the GDPR-covered country in which you are operating or the EU itself. If a country is not covered by the GDPR (for example, the U.S., Canada, or Australia), then its laws will not provide a lawful basis for processing.

When is it "necessary" to process personal data to fulfill a legal obligation?

The GDPR states that it must be "necessary" to process personal information for legal compliance purposes. The term "necessary" shouldn't be interpreted too narrowly.

If processing personal information is a "reasonable and proportionate" way for you to ensure legal compliance, then you might be able to rely on "legal obligation." Make sure that you have made an assessment and documented your decision.

How does "legal obligation" affect data subjects' rights?

The GDPR provides data subjects (individuals) with certain rights over their personal information. These rights are not absolute. This is particularly apparent when it comes to personal information collected under the lawful basis of "legal obligation."

Under some circumstances, you may need to refuse a data subject's request on the grounds that you are processing their personal information due to a legal obligation.

Here's how "legal obligation" impacts on the GDPR's data subject rights:

• Right of access: The right of access functions normally regarding personal information processed under "legal obligation." You should still be able to provide a data subject with any personal information you have retained about them, regardless of the reason for which you have retained it.
• Right to rectification: Rectification requests are also unlikely to be affected where personal information is processed under "legal obligation."
• Right to erasure: You must not comply with an erasure request if you have a legal obligation to retain personal information.
• Right to restrict processing: If you are legally obligated to process personal information in a given way, you will not be able to comply with a request to restrict your processing of that personal information.
• Right to data portability: Data subjects do not have a right to data portability in respect of personal information processed under "legal obligation."
• Right to object: Data subjects cannot object to your processing of their personal information if you are legally obliged to do so.

If you need to refuse a data subject request, you must explain your reasons for this.

What about exercising or defending legal claims?

The GDPR contains exemptions to its usual rules when personal data is required for "exercising or defending legal claims."

This means that if you need to use personal information in court, whether to pursue a claim against someone or defend against someone's claim, you might not need a lawful basis for doing so.

This activity is an exception to the GDPR's "lawful basis" requirements and is a separate concept from the lawful basis of "legal obligation."

Examples of Legal Obligations

Here are some examples of scenarios in which using the "legal obligation" lawful basis might be appropriate.

Payroll departments

A person's salary is personal information. People have a right to keep information about their income private. However, this right to privacy is not absolute.

Employers and human resources departments are legally obliged to provide payroll data to the tax authorities. They don't need to ask their employees for permission to do this. Indeed, it would not be appropriate to do so, as there is no meaningful way to object.

In this scenario:

• The legal obligation is provided by tax authorities in their official guidance
• The relevant type of personal information is "payroll data"
• The method of processing is "sharing" (with the tax authorities)

An employer doesn't need to know which law provides the legal obligation to process payroll data with the tax authorities. It would be sufficient to show that it is following government advice.

Court subpoena

A common example of the "legal obligation" lawful basis arises where a court or law enforcement agency orders a company to provide personal information as part of a legal investigation or court case.

Suppose a legal authority orders you to share personal information to investigate a crime or administer justice. In that case, you can rely on "legal obligation" to share the personal information (so long as the order is valid and not overridden by professional confidentiality).

In this scenario:

• The legal obligation is provided in a court order
• The relevant type of personal information is whatever information is required by the court
• The method of processing is "sharing" (with the court)

You must let people know that you may have to disclose their personal information in this way. We'll look at how you can do this in your Privacy Policy below.

Financial institutions

Financial institutions, such as banks, payment processors, and financial advisers, have extensive legal obligations to share personal information with law enforcement agencies where appropriate.

For example, under the UK's Proceeds of Crime Act 2002 (available here), financial institutions are required to report suspicious activity that might indicate money laundering.

In this scenario:

• The legal obligation is stated in Section 7 of the Proceeds of Crime Act 2002 (and other relevant laws)
• The relevant type of personal information is a person's name and other direct identifiers
• The method of processing is "sharing" (with the National Crime Agency)

Updating Your Privacy Policy

The GDPR requires you to identify your lawful basis for processing personal information in your Privacy Policy. Note that you are likely to use several different lawful bases for processing different types of personal information.

Here's an example from the Financial Times:

The Financial Times' Privacy Policy identifies each category of personal information, examples of the type of personal information collected from this category, the retention period for this type of data, and the reason it is required to retain personal information for this period.

This approach might work if you are legally obligated to retain personal information for a given period.

Here's another approach from Complete Business Solutions:

Complete Business Solutions provides the source of its personal information, the type of "process" that applies, and the purpose for processing personal information in each instance.

Many companies also include a general disclaimer in their Privacy Policy to make it clear that they might be required to share personal information with a court.

Here's an example from The Drum:

Summary

The GDPR requires that you have a lawful basis whenever you process personal information. "Legal obligation" is the correct lawful basis where you need to process personal information for legal compliance purposes.

Before you proceed:

• Can you point to the legal obligation with which you are complying?

  • This could be a statute or guidance from an official government source

• Can you explain why processing personal information is the only way for you to meet this legal obligation?

  • The processing must be necessary, or at least a "reasonable and proportionate" way to comply with the law

• Have you updated your Privacy Policy?

  • You must notify data subjects of your lawful basis for processing personal information