Lawful Bases for Processing Personal Data Under the GDPR
In this edition of the GDPR article series, we will explore the lawful bases a business can rely on to process data, and the limits it must observe under each ground.
In earlier articles, we explained that organisations need to tell people why they are collecting personal data and what they will do with their personal data. There are a number of possible grounds (lawful bases) that an organisation can rely upon. Each ground (lawful basis) must be clear from the outset and the grounds that an organisation relies upon will determine the rights that an individual has over their data processing.
This article discusses five of the possible lawful bases.
Most data processing for professional service businesses will be carried out to meet obligations under a contract with a client. This basis can only be used as a valid lawful basis where the data collection is necessary for a particular purpose stated in a contract. Pre-contractual data processing (such as know-your-client checks and anti-money laundering checks for regulated businesses) falls within this lawful basis.
It is important for practitioners not to state ‘contract’ as the sole lawful basis where legal or regulatory requirements oblige them to process clients’ personal data regardless of what the contract says. In such scenarios, legal obligation will be the lawful basis to state, either on its own or jointly with contract.
Some professional service businesses (such as lawyers and auditors) process data because of a legal obligation stipulated by the nature of their work. This basis does not cover the legal obligation of a business performing their contract with their client but it does cover a business’s duties to regulators. There is no test of necessity (unlike the basis of contract) and a subject has very limited data rights where legal obligation is the lawful basis. It is important that practitioners state this as the lawful basis in advance in their engagement letters where relevant.
Unless a business’s work involves saving lives in imminent life-and-death situations where consent is physically or legally impossible, this basis (vital interests) will not apply. The GDPR gives examples of epidemics, humanitarian emergencies and natural disasters. The ICO guidance describes urgent Accident and Emergency care as a possible context for this basis.
This is relevant, for the most part, for public authorities so will arise rarely for most private businesses. In certain, limited, cases, a business’s duties may bring certain data processing activities within the lawful basis of a public task, for example where they are exercising a public power. If a practitioner considers that this might apply, they should consider the ICO’s guidance before acting.
Where a business is processing personal data because of legitimate interests, they must state this. They may have legitimate commercial or business interests in processing data, or it may be in the interests of others for them to do so. For example, a business might process some data for its own benefit to help with its strategic analysis of a market, in its own legitimate interest. The processing must be necessary for the basis to attach, and the personal data collected must be targeted and proportionate.
This is a flexible lawful basis, but it is also balanced with a person’s right to privacy. Where a business states that legitimate interests is the basis (or a basis) for processing personal data, they must have additional measures in place to demonstrate responsibility towards personal data and it is important that a record of the decision-making process is kept. A business does not need to disclose the assessment records to clients but will need to be transparent about the legitimate interest they (or a third party) has in the processing of data.
It is important to note that a business may collect and process personal data for a number of purposes. In each case, every lawful basis relied upon must be stated.
The option of ‘consent’ exists alongside the above grounds for processing data (lawful bases) as discussed in the previous article in this series. Selecting the appropriate lawful basis is critical.
The next article will discuss the methods by which different rights for individuals attach to different lawful bases.
White & Black is a specialist commercial and technology law firm. If you need technology or commercial law advice, contact the team on 0800 035 2656 or email firstname.lastname@example.org.
Disclaimer: This article is produced for and on behalf of White & Black Limited, which is a limited liability company registered in England and Wales with registered number 06436665. It is authorised and regulated by the Solicitors Regulation Authority. The contents of this article should be viewed as opinion and general guidance, and should not be treated as legal advice.