The GDPR goes into great detail about when and how personal data can be collected and processed. Gone are the days when massive swathes of information could be collected, shared, and used for any number of reasons. The GDPR defines what counts as a lawful basis for collecting and processing personal data; processing that does not rest on one of those bases is not compliant.

Essentially, there must be a lawful reason to handle personal data in any way.

Article 6 of the GDPR gives the conditions for when it is legally permissible to process data. By requiring businesses to meet one of these conditions before processing personal information, the GDPR ensures that there is a justifiable reason whenever personal data is handled.


Alongside the lawful basis, Article 5 sets out principles that apply to all processing. A quick list of the most relevant ones is as follows:

  • Purpose limitation: the reason why data is being collected or processed must be specified and disclosed, and the data must not be used for incompatible purposes
  • Data minimisation: only data that is adequate, relevant and necessary for the stated purpose should be collected or processed
  • Storage limitation: the collected data must only be held for as long as needed for that purpose
  • Accountability: the controller must be able to demonstrate compliance with these principles, which in practice means documenting the lawful basis for each processing activity

In the eyes of the GDPR, a legal basis is a justifiable reason why a data controller is collecting or processing the data of an individual.

Examples include processing needed to provide a service the individual has signed up for, marketing to which the individual has given consent, or legitimate interests of the controller (or a third party) that do not override the rights and interests of the data subject.

Let's take a look at some of the major entries in the GDPR that cover legal bases and lawfulness of data processing.

Article 6: Lawfulness of Processing

Article 6 is perhaps the most important section of the GDPR covering lawful bases for the collection and processing of personal data.

In it we are given the six conditions for lawful processing (Section 1), told that Member States may introduce more specific provisions for processing based on a legal obligation or a public-interest task (Section 2), told that any such legal obligation or public-interest task must itself be laid down by Union or Member State law (Section 3), and given the factors for deciding whether data may be processed for a purpose other than the one it was originally collected for (Section 4).

Let's dive deeper into each of these sections.

Section 1: Requirements for Lawful Processing

Section 1 of Article 6 lays out the possible circumstances for when it is lawful to process personal data.

These circumstances are:

  (a) When consent has been given by the data subject for one or more specific purposes
  (b) When processing is necessary to perform a contract with the data subject, or to take steps the data subject has requested before entering into one
  (c) When processing is necessary to comply with a legal obligation the controller is subject to
  (d) When processing is necessary to protect the vital interests of the data subject or another person
  (e) When processing is necessary for a task carried out in the public interest or in the exercise of official authority
  (f) When processing is necessary for the legitimate interests of the data controller or a third party, except where those interests are overridden by the interests, rights or freedoms of the data subject

If none of these conditions are met, data is not to be processed under the GDPR. Period.

Point (a) is pretty straightforward:

GDPR Info: Article 6 Section 1a - Lawfulness of Processing

  (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

For example, if a data subject consented to giving their email address to join a newsletter, the data controller has the right to use that email address to send the newsletter. The data controller obtained consent to do something specific, then followed through with that activity. Note that consent only works as a basis if it meets the definition in Article 4(11) and the conditions of Article 7: it must be freely given, specific, informed and unambiguous, and the data subject must be able to withdraw it as easily as they gave it.

Point (b) covers situations where the processing is needed to deliver something the data subject has asked for. Here the basis is the contract (or the pre-contract steps the data subject requested), not consent, so a separate consent is not needed for the processing that is genuinely necessary to perform it.

GDPR Info: Article 6 Section 1b - Lawfulness of Processing

  (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

For example, if an individual gives their phone number to an attorney's website to be contacted about a potential case, the attorney may use that phone number to contact the individual, because that is a step taken at the individual's request before entering into a contract. The limit is necessity: using the same number for unrelated marketing would not be covered by this basis.

Point (c) refers to situations where the data controller is legally obligated to process certain personal data, for example to keep records, report to a regulator or hand over information under a court order.

GDPR Info: Article 6 Section 1c - Lawfulness of Processing

  (c) processing is necessary for compliance with a legal obligation to which the controller is subject;

For example, if a company is subpoenaed to provide documentation about an event, this could include information regarding an individual involved in the event, and the data controller may be legally obligated by the court to process such data as it is relevant and necessary for the case.

Section 3 of Article 6 adds one requirement that is easy to overlook: the legal obligation must be laid down by Union law or the law of a Member State. A purely contractual duty does not qualify under point (c), although the processing may still fit under another basis such as point (b) or point (f).

Point (d), vital interests, is narrower than it looks. Recital 46 explains that it covers processing that is essential for someone's life, such as treating a patient in an emergency or responding to a humanitarian disaster, and that it should be relied on only where the processing cannot manifestly be based on another legal basis.

GDPR Info: Article 6 Section 1d - Lawfulness of Processing

  (d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;

For example, if an unconscious person is brought into a hospital, staff may look up their medical history without consent, since it is in that person's vital interest that they are treated correctly.

Responding to suspicious activity on a customer's account, whether by suspending the account, resetting a compromised password or contacting the customer about it, is usually better justified under legitimate interests (point (f)), which Recital 47 and Recital 49 explicitly extend to fraud prevention and to network and information security, rather than under vital interests.

Point (e) covers tasks carried out in the public interest or under official authority. As with point (c), Section 3 of Article 6 requires that the task be laid down by Union or Member State law, so in practice this basis is mainly used by public authorities and bodies with a statutory mandate, not by businesses deciding for themselves that something is in the public interest.

GDPR Info: Article 6 Section 1e - Lawfulness of Processing

  (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

For example, if a phishing email designed to steal personal information is being distributed, a national CSIRT or law enforcement body acting under its legal mandate may process data about the sender in order to identify them, stop further distribution and prevent the stolen information from being used. A private company investigating the same attack against its own systems would more naturally rely on point (f) and Recital 49.

Point (f) refers to "legitimate interests" which may be one of the more confusing and misunderstood aspects of the GDPR. It also tends to be the go-to legal basis that many businesses use.

GDPR Info: Article 6 Section 1f - Lawfulness of Processing

  (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Essentially, this point is intended to cover processing for which the controller (or a third party) has a genuine and compelling reason that is not captured by the previous points. It is deliberately open-ended, which is why it comes with a balancing test. Note also that the last sentence of Article 6(1) excludes public authorities from relying on point (f) in the performance of their tasks.

This is counterbalanced by the requirement that the data controller's legitimate interests must be weighed against the rights, freedoms and interests of the data subject, so that the basis cannot be used as a loophole.

For example, a company claiming "legitimate interest" as a lawful basis for sending advertisements to a former customer who never agreed to hear from it again is a weak case. Recital 47 does say that direct marketing may be a legitimate interest, but the balancing test still applies, and Article 21(2) gives the data subject an absolute right to object to direct marketing at any time, after which the processing must stop. The company's interest in marketing does not override the individual's right not to be bombarded with ads.

However, an app developer contacting current users to inform them of an update to the app that solves a newly discovered security issue would be a strong case, as a potential security flaw would be of interest to both the app developer and the user. Being required to obtain consent first would likely do more harm than good in such a case where time could be of the essence.

Let's take a better look at this last legal basis.

One of the legal bases on which a business can collect and process personal data is the legitimate interests pursued by the controller or by a third party. If that sounds vague, it is because "legitimate interest" is one of the most uncertain and controversial concepts in the regulation.

Determining what constitutes a legitimate interest for a business compared to the legitimate interests of their data subjects can sometimes be a complex question.

This section will explore the main areas of the GDPR that deal with legitimate interests in a way that could be relevant to business owners.

Article 6 Section 1(f) (shown earlier) is the first major usage of the term "legitimate interest."

Here we see the term "legitimate interests" used when referring to a legal basis that data controllers can use to justify the processing of personal information. While at first glance this may not seem too complicated, try considering exactly what is meant by this clause.

What qualifies as a legitimate interest? Updates to policies? Marketing new products? Sales? Where do we draw the line between legitimate interests of the business versus the interests of their customers/data subjects?

In order to answer these questions, let's look at other usages of the term to find more evidence so we can achieve a more complete understanding of what is intended by the term "legitimate interest."

Recital 47: Overriding Legitimate Interest

Recital 47 starts by saying that:

"The legitimate interests of a controller... may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller."

This may seem straightforward on the surface, but once again, where do we draw the line?

What happens when the company's definition of "legitimate interest" varies from the definition of one of their data subjects? Who is right?

In the usage in Recital 47, we might interpret that the "legitimate interests of a controller" means "the reasons a business might want to process a data subject's personal data." This could range anywhere from notifying users about a data breach to marketing a new product. Both of those things would certainly be of legitimate interest to the business owner.

This is where the counterbalance of Recital 47 comes in:

"At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing."

Recital 47 clarifies that just because the business has a legitimate interest in doing something, the processing must also be fair and reasonable to the data subjects involved, judged by what they could reasonably expect when their data was collected. That is to say, data subjects have certain rights of their own that must be respected and considered when processing their personal information without their consent.

For example, a business sending an email out of the blue to its users to notify them about an update to their app that fixes a security flaw would be of interest to both the user and the business. This would likely constitute a justifiable reason to invoke the "legitimate interest" clause as a legal basis to contact users without their pre-approval.

On the other hand, a business sending an unwarranted email to its users promoting another brand may not be in the interest of the data subjects. If they did not give prior consent for the use of their contact information in that manner, and if the business does so under the guise of "legitimate interest," it is likely that the data subject could see it as spam and invoke their right to object because the business did not take the rights and interests into account.

The GDPR gives data subjects the right to object (Article 21, explained in Recital 69) for this very reason: to ensure that businesses are not taking advantage of the "legitimate interest" clause to process personal data without consent. When a data subject objects to processing based on point (f), the controller must stop unless it can demonstrate compelling legitimate grounds that override the data subject's interests, rights and freedoms; for direct marketing the objection is absolute.

Recital 48: Overriding Legitimate Interest Within Group of Undertakings

Recital 48 of the GDPR clarifies that controllers within a group of undertakings may have a legitimate interest in transmitting personal data within the group for internal administrative purposes.

That is, a branch of a company may transfer data to another branch or to central administration for internal administration, such as managing client or employee records. This may seem obvious, but it is helpful as evidence of what is and is not considered a legitimate interest under the GDPR. It does not, however, relax the rules on transfers to a group company located outside the EU; the Chapter V transfer provisions still apply.

GDPR Info: Recital 48 - Overriding Legitimate Interest Within Group of Undertakings

Recital 48. Overriding legitimate interest within group of undertakings

Controllers that are part of a group of undertakings or institutions affiliated to a central body may have a legitimate interest in transmitting personal data within the group of undertakings for internal administrative purposes, including the processing of clients' or employees' personal data. The general principles for the transfer of personal data, within a group of undertakings, to an undertaking located in a third country remain unaffected.

Recital 49: Network and Information Security as Overriding Legitimate Interest

Recital 49 of the GDPR makes it clear that processing that is strictly necessary and proportionate for network and information security constitutes a legitimate interest of the controller.

Processing that fits this description includes verifying the identity of users to prevent account takeover, logging and analysing traffic to detect intrusions, blocking malicious code, and stopping denial-of-service attacks; Recital 49 names the last three itself. Notifying users about a security fix or warning them about fraud attempts is also likely to be a strong case for legitimate interests, since it protects the data subjects' own rights and privacy. The qualifier to keep in mind is "strictly necessary and proportionate": security logging that is retained indefinitely or reused for unrelated purposes loses the protection of this recital.

GDPR Info: Recital 49 - Network and Information Security as Overriding Legitimate Interest

Recital 49. Network and information security as overriding legitimate interest

The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams (CERTs), computer security incident response teams (CSIRTs), by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping 'denial of service' attacks and damage to computer and electronic communication systems.

Article 13: Information to be Provided Where Personal Data are Collected from the Data Subject

Article 13 gives guidelines for what must be shared with data subjects upon the collection and processing of their personal data.

In Section 1(d), it refers to Article 6, saying that the data subject must be informed where processing is based on the legitimate interests of the controller:

GDPR Info: Article 13 Section 1 - Information to be Provided Where Personal Data are Collected From the Data Subject

  1. Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:
    (a) the identity and the contact details of the controller and, where applicable, of the controller's representative;
    (b) the contact details of the data protection officer, where applicable;
    (c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
    (d) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;
    (e) the recipients or categories of recipients of the personal data, if any;
    (f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.

Essentially, this means that if data is being processed on the grounds of legitimate interests, both the legal basis itself (point (c) above) and the specific legitimate interests pursued (point (d) above) must be disclosed to the data subject at the time the data is collected, not after the fact.

This can be done through a Privacy Policy clause, like this one:

WWF UK Privacy Policy: Legitimate Interests clause

WWF-UK's legitimate interests include administering the charity, sending you marketing materials by phone and post, and understanding our supporters. A summary of each of these and some examples of how we may use your data in these ways on the basis of it being within our legitimate interests to do so are set out below:

  1. Administration of the charity. As a charity our mission is to conserve the natural world for future where people and nature thrive. In order to deliver against these charitable purposes, we need to undertake certain processing activities. Some of these will be to govern our charity and its trading subsidiary, and some will be for operational administration reasons.

  Specific examples of processing activities under this legitimate interest include:

  • Recording your communication and marketing preferences and maintaining suppression files so we don't contact you when you have asked us not to
  • Keeping a record of who our supporters are, your relationship with us, and your order and donation history
  • Reviewing our database of supporters across the organisation for historical, scientific and statistical purposes

Article 14: Information to be Provided Where Personal Data Have Not Been Obtained From the Data Subject

Article 14 of the GDPR similarly states that data subjects should be informed if their personal data is being processed on the grounds of legitimate interests when their data is processed without being collected directly from the data subjects.

This ensures that data subjects retain the right to challenge unfair data processing no matter how their data was obtained.

GDPR Info: Article 14 Section 2 - Information to be Provided Where Personal Data Have Not Been Obtained From the Data Subject

  2. In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following information necessary to ensure fair and transparent processing in respect of the data subject:
    (a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
    (b) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;

Article 14(4) also states that if the controller intends to further process the data for a purpose other than the one for which it was obtained, it must inform the data subject of that other purpose, including its legal basis, before doing so.

Data Controller Interests Versus Data Subject Interests

The conclusion we can draw is that if a data controller has a good and compelling reason (a legitimate interest), they may process data without another legal basis so long as it does not infringe on the rights, freedoms, or interests of the data subject.

The GDPR states that you must consider the interests of the individual before processing their data on this basis. You must weigh their rights, freedoms and interests against your reason for processing, and under the accountability principle (Article 5(2)) you must be able to demonstrate that the balance is fair and proportionate. In practice that means recording the assessment: the purpose, why the processing is necessary for it, and why the data subject's interests do not override yours.

If you have any doubt, you are better off asking for consent or using another legal basis from Article 6.