Gone are the days when massive swathes of information could be collected, shared, and used for any number of reasons.
The GDPR goes into great detail about when and how personal information can be collected and processed. It also defines what a lawful basis is for collecting and processing personal data.
Essentially, there must be a lawful reason to handle personal data in any way.
A quick list of other stipulations is as follows:
- The data collected or processed must be proportional to the task at hand
- The reason why data is being collected or processed must be disclosed
- Only data needed to complete a task should be collected or processed
- The collected data must only be held for as long as needed
In this article, we will dig deeper into what the GDPR actually says about having a legal basis for processing and decipher what that means for you.
Legal Basis and Lawfulness
The terms "legal basis" and "lawfulness" are used throughout the GDPR referring to when it is permissible to collect or process personal data. Other terms referring to the legality of certain actions are also used, but these two terms are the most prevalent.
In the eyes of the GDPR, a legal basis is a justifiable reason why a data controller is collecting or processing the data of an individual.
Examples include completing tasks which individuals have signed up for, marketing to individuals who have given their consent, or pursuing legitimate interests that benefit both the data controller and the data subject.
Let's take a look at some of the major entries in the GDPR that cover legal bases and lawfulness of data processing.
Article 6: Lawfulness of processing
Article 6 is perhaps the most important section of the GDPR covering lawful bases for the collection and processing of personal data.
In it, we're given the requirements for lawful data processing, informed that Member States may introduce stricter requirements, informed of the authorities in such cases, and given guidelines for when data may be processed for purposes beyond those originally consented to.
Let's dive deeper into each of these sections.
Part 1: Requirements for lawful processing
Part 1 of Article 6 lays out the possible circumstances for when it is lawful to process personal data.
These circumstances are:
- When consent has been given by the data subject for a specific purpose
- When processing is necessary to perform or prepare for a contract with the data subject
- When there is a legal obligation
- When protecting the vital interests of the data subject or someone else
- For the public interest or when exercising official authority
- To carry out legitimate interests of the data controller or a third party where these interests do not infringe on the rights, freedoms, or interests of the data subject
If none of these conditions are met, data is not to be processed under the GDPR.
Point (a) is pretty straightforward. For example, if a data subject consented to giving an email address to join a newsletter, the data controller has the right to use that email address to send the newsletter. The data controller obtained consent, then followed through with the task.
Point (b) refers to situations similar to point (a), but in these cases data processing is often implied and consent may not be specifically needed.
For example, if an individual gives a phone number to the website of an attorney to be contacted about a potential case, the attorney has a right to use that phone number and contact the individual. This is because it is implied that this was the reason why the individual gave out their phone number.
Point (c) refers to situations where the data controller is legally obligated to provide certain information.
For example, if a company is subpoenaed to provide documentation about an event, this could include information regarding an individual involved in the event. The data controller may be legally obligated by the court to process such data as it is relevant and necessary for the case.
There are, of course, requirements for when a legal obligation could require data processing and situations where the data subject's rights and freedoms would not permit such processing, but that topic would require an article in and of itself.
Point (d) may refer to situations such as data breaches or suspected fraud.
For example, if a company discovers suspicious behavior on a customer's account, it may be in the vital interest of that individual to take action to protect their account, personal information, or finances.
Data processing may be required to suspend the account, temporarily change a compromised password, and/or contact the customer about the situation. This would be permissible in the vital interest of that data subject.
Point (e) may refer to situations such as investigating a crime where it is in the public interest or by official authority that data be processed to track down a suspected culprit.
For example, if an email is distributed which contains a phishing scam to steal private information from its recipients, it would be in the public interest to track down the sender of the email and determine their identity in order to stop the email from being further distributed or for information obtained to be unlawfully used.
Point (f) is the catch-all in the GDPR: the "legitimate interests" of the data controller.
Essentially, this point is intended to cover unforeseen and unregulated instances where the data controller has a compelling reason to process data that is not covered by the previous points.
This is counterbalanced by the inclusion that the data controller's legitimate interests must be weighed against the rights, freedoms, and interests of the data subject.
For example, a company claiming "legitimate interests" as a lawful basis for sending marketing material to a former customer without first obtaining consent would not have a strong case, as the former customer has a right to privacy and may or may not be interested in receiving those marketing offers.
However, an app developer contacting users to inform them of an update to the app that solves a newly discovered security issue would be a strong case, as a potential security flaw would be of interest to both the app developer as well as its users. This would be a good case for a company claiming legitimate interest as the lawful basis for processing data where prior consent was not obtained.
All in all, Article 6 gives us some clear circumstances for when data processing is lawful, though it is not exhaustive and leaves some room for interpretation about what might count as "legitimate interests." We are expecting more clarification about this in the near future.
Article 8: Children and minors
Article 8 covers when it is lawful to process the personal data of children and minors.
Simply put, children under the age of 16 require a parent or guardian to give consent in place of the child. Individuals over the age of 16 are permitted to give consent on their own behalf under the GDPR.
Member States are given the authority to lower the age from 16 down to as low as 13, but not lower.
Article 17: Right to erasure
Article 17 gives situations where the right to erasure can be invoked. One of these situations is when personal data has been unlawfully processed.
This is important because it means that if data is processed in a way that lacks lawfulness or has an unsatisfactory legal basis, data subjects can immediately request that their personal data be erased and that any processing of that data cease.
This serves as a strong deterrent for companies not to process any personal data without a legal basis as they could lose that valuable data (in addition to other potential fines and legal ramifications).
Article 18: Right to restriction of processing
Article 18 is very similar to Article 17, but it gives data subjects the right to have their personal data processing restricted rather than outright erased.
This could happen in instances where they want their personal data to continue to exist for personal use or legal purposes, but they no longer want it processed in a certain capacity or at all.
Penalties for failure to comply
Along with guidelines for the lawful collection and processing of personal data, the GDPR gives some guidelines about the potential fines and penalties for failing to comply.
The maximum penalty for breach of privacy laws has been increased under the GDPR to the higher of €20 million or 4% of annual global turnover. A fine of this magnitude would be reserved for only the most egregious breaches of privacy, but it goes to show that it is vitally important to understand when it is and is not lawful to process the personal data of residents of the EU.
Article 82: Right to compensation and liability
Article 82 states that individuals who have suffered damage from a breach of the GDPR are entitled to compensation from the data controller and/or processor.
It does not go into detail about how much compensation could be required or give any examples of such a case; it simply states that this would be handled in court.
At this stage of the GDPR, we are given some concrete scenarios of when it is lawful to process personal data such as with consent, where obligated by law, or for the public interest.
However, only the future will reveal other situations not covered in this early version of the GDPR where it would also be lawful to process personal data.
As it applies to you, if you process data for one of the reasons listed in Article 6, then you have nothing to worry about. If, however, you process data for other reasons or by claiming legitimate interest, you may need to seek further clarification about whether your procedures are compliant.
If you are truly uncertain about your situation, use common sense and consider the rights of your data subjects first and foremost. We expect further clarification on this topic in the near future, but until then, familiarize yourself with the appropriate sections of the GDPR and play it safe when possible.