06 November 2020
If you have customers or users in the European Union, you must have a "lawful basis for processing" under the General Data Protection Regulation (GDPR).
Having a valid lawful basis is a core requirement under the GDPR. You must carefully consider your lawful basis every time you collect, use, erase, or share EU consumers' personal information.
Let's start with a quick explanation of the GDPR's concept of a "lawful basis for processing."
The GDPR protects "personal information" ("personal data"), meaning any information relating to an identifiable person. This could mean anything from a person's name or credit card number to their internet browsing history.
"Processing" personal information means doing something to or with personal information. For example, collecting it, sharing it, storing it or deleting it.
People in the EU have a fundamental right to privacy. Under EU law, it's illegal to process personal information unless you have a good reason for doing so. This "good reason" for processing personal information is known as a "lawful basis for processing."
Article 6 (1) of the GDPR cites six lawful bases for processing, one of which is "legal obligation."
Along with legal obligation, the lawful bases include "consent" (you ask a person if you can process their personal information) and "contract" (you need to process personal information to fulfill contractual obligations or enter into a contract).
There are some general principles for choosing a lawful basis. For example:
Before you process personal information, you must establish a lawful basis unless the processing is covered by one of the GDPR's very narrow exemptions.
If you can't establish a lawful basis, you shouldn't process personal information.
Processing personal information without a valid lawful basis can lead to the highest fines available under the GDPR: up to 4% of annual worldwide turnover, or €20 million (whichever is higher).
Article 6 (1) (c) of the GDPR states that you may process personal information if it is: "necessary for compliance with a legal obligation to which the controller is subject."
This means that you can process someone's personal information if you need to do so in order to comply with the law.
There doesn't necessarily have to be a specific law dictating how you process personal information. But there does have to be a particular law requiring you to do (or not do) something, and processing personal information must be the only way of complying with it.
You can only rely on law originating from a statute or legal decision (sometimes known as the "common law"). For obligations under contract law, you may be able to rely on the lawful basis of "contract" instead.
The relevant law must be a law of the GDPR-covered country in which you are operating or the EU itself. If a country is not covered by the GDPR (for example, the U.S., Canada, or Australia), then its laws will not provide a lawful basis for processing.
The GDPR states that it must be "necessary" to process personal information for legal compliance purposes. The term "necessary" shouldn't be interpreted too narrowly.
If processing personal information is a "reasonable and proportionate" way for you to ensure legal compliance, then you might be able to rely on "legal obligation." Make sure that you have made an assessment and documented your decision.
The GDPR provides data subjects (individuals) with certain rights over their personal information. These rights are not absolute. This is particularly apparent when it comes to personal information collected under the lawful basis of "legal obligation."
Under some circumstances, you may need to refuse a data subject's request on the grounds that you are processing their personal information due to a legal obligation.
Here's how "legal obligation" affects the GDPR's data subject rights:
If you need to refuse a data subject request, you must explain your reasons for this.
The GDPR contains exemptions to its usual rules when personal data is required for "exercising or defending legal claims."
This means that if you need to use personal information in court, whether to pursue a claim against someone or defend against someone's claim, you might not need a lawful basis for doing so.
This activity is an exception to the GDPR's "lawful basis" requirements and is a separate concept from the lawful basis of "legal obligation."
Here are some examples of scenarios in which using the "legal obligation" lawful basis might be appropriate.
A person's salary is personal information. People have a right to keep information about their income private. However, this right to privacy is not absolute.
Employers and human resources departments are legally obliged to provide payroll data to the tax authorities. They don't need to ask their employees for permission to do this. Indeed, it would not be appropriate to do so, as there is no meaningful way to object.
In this scenario:
An employer doesn't need to know which law provides the legal obligation to share payroll data with the tax authorities. It would be sufficient to show that it is following government advice.
A common example of the "legal obligation" lawful basis arises where a court or law enforcement agency orders a company to provide personal information as part of a legal investigation or court case.
Suppose a legal authority orders you to share personal information to investigate a crime or administer justice. In that case, you can rely on "legal obligation" to share the personal information (so long as the order is valid and not overridden by professional confidentiality).
In this scenario:
Financial institutions, such as banks, payment processors, and financial advisers, have extensive legal obligations to share personal information with law enforcement agencies where appropriate.
For example, under the UK's Proceeds of Crime Act 2002, financial institutions are required to report suspicious activity that might indicate money laundering.
In this scenario:
Here's an example from the Financial Times:
This approach might work if you are legally obligated to retain personal information for a given period.
Here's another approach from Complete Business Solutions:
Complete Business Solutions provides the source of its personal information, the type of "process" that applies, and the purpose for processing personal information in each instance.
Here's an example from The Drum:
The GDPR requires that you have a lawful basis whenever you process personal information. "Legal obligation" is the correct lawful basis where you need to process personal information for legal compliance purposes.
Before you proceed:
Can you point to the legal obligation with which you are complying?
Can you explain why processing personal information is the only way for you to meet this legal obligation?
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.