The general conditions for processing have remained the same, but significant changes have been enacted for some conditions that make it more difficult to process personal data, as individuals (data subjects) are given more control and oversight over how their personal data is used.
Conditions in the GDPR
Article 6 of the GDPR is concerned with lawful bases of processing. The GDPR allows for six grounds upon which your processing can be legally based. If you cannot satisfy any of the requirements, you must not process the data.
These conditions are as follows:
- You have obtained consent for specific purposes of processing
- Performance of a contract
- Compliance with legal requirements
- Vital interests of the individual
- Processing would be in public interest
- You have legitimate interest to continue processing
We will examine each of these conditions separately, but overall, we expect consent and legitimate interest to prevail as the most commonly used grounds for processing, except in extreme circumstances. This is not unlike the DPD where these conditions are the most applicable as well.
You should determine the legal basis for processing before you begin, and keep records of all processing activities. SMEs are not obliged to keep all records unless the data is sensitive, but they are encouraged to do so.
A single act of processing may be covered by several conditions. This is fine under the GDPR and further strengthens your right to data processing, but we advise you to choose a single ground as the primary one. When and if asked, you may provide other evidence that corroborates your rights.
Consent is one of the simplest and most effective ways of ensuring that the data you obtain can be lawfully stored and processed. It is a well-known mechanism under the DPD, but the GDPR contains a stricter definition that makes it more difficult to obtain proper consent.
Whereas under the DPD consent can be implied, the GDPR states that consent must be explicit; doubly so for sensitive personal data.
This means that consent must be unambiguous, voluntary, and explicit. It must be affirmative. In other words, a user must click the ‘I Agree’ button in order for consent to be valid.
Passive consent is not satisfactory. Pre-ticking of boxes, automatic opt-ins or stating that ‘proceeding is considered as consenting’ is not valid. Users must have a choice not to give consent, otherwise the consent so obtained is considered unlawful.
Consent need not be in electronic form. Written or verbal consent is also considered valid (as long as the other points hold true). Consenting under the terms that are inconsistent with the GDPR is not valid, and such a consent is not binding.
When asking for consent, you must clearly list the purposes for which the personal data will be used. The consent is only valid for the purposes you have listed originally. Other purposes require another consent, unless they are very similar.
When explaining the consequences of consent and the purposes for which the data is used, you must be as clear and concise as possible. Do not use excessive verbiage and too much legal language. Make it understandable.
You should also provide data about your company and the contact details of a privacy rep from within the company.
Ensure that you can demonstrate consent at any time, such as when asked by the regulators. You must prove that you have been given consent. If a user decides to withdraw consent, update the records as soon as possible. Upon receiving a request to withdraw consent, you must cease processing if no other bases apply. You may still use the results from processing that took place prior to withdrawal.
Consent is generally considered as indefinite until otherwise agreed, but ICO’s (UK’s privacy regulator) practices show that they encourage periodic review and renewal of consent, every 24 months for example. The British Red Cross has opted for such an arrangement.
Consents you currently have may not satisfy the updated, more stringent requirements. Review your consent policy with help from your data privacy officer in order to determine whether you will need to re-obtain consent. If you do, you should begin this “refresher” process as soon as possible, since other companies will be doing the same. The result: user mailboxes full to the brim and ignored requests. The entire opportunity to easily rebuild your consent database would go down the drain.
You can find out more information on consent in our guide to the official Working Party guidelines on consent.
Children and Consent
Children are especially protected under the GDPR. When offering services to them, phrase your language in simple and understandable terms. They cannot consent on their own; you must obtain parental (guardian’s) consent. It is still unclear as to how you would verify that, though.
Performance of a Contract
Processing is also legal if it is necessary for the performance of a contract that both you and the individuals are parties to.
This may be, for example, an online sale. You are expected to process the individual’s payment data in order to fulfill the requirements of the contract – the individual has to pay you somehow before you dispatch the item. In this case the processing is reasonable, necessary and expected. This basis also encompasses pre-contractual communication if there is an intention on behalf of the individual to enter a contract.
However, make sure to avoid consent bundling. In the example above, this can easily turn out to be the case. Processing for the performance of a contract is fine, but it does not imply consent for further and more exhaustive processing.
Processing is also legal if there is an intention (a request) by the individual to enter into a contract, if personal data is required for such a purpose.
Do note that the scope is limited and it does not give you a blank cheque for all sorts of data processing. Remember the principle of data minimisation, and do not collect and keep more data than absolutely necessary. Destroy unneeded data afterwards.
Legitimate interest is the second most common basis we expect businesses to use. In this case, you may use the individuals’ data even without consent as long as the use is not spurious; i.e. you have legitimate interest to use the data (most likely, profit, but also administrative purposes, data security etc.).
However, you must weigh your interest against those of the data subject, and be impartial when doing so. If you deem that you stand to gain a lot from such processing and the risk to the freedoms and privacy of the individual is minimal, then you are allowed to process the data. This basis is therefore a balancing act. If the risks to the individuals (data subjects) are very high, then you might not have a case for data use even if you have a strong interest.
Be aware that you must keep records of these assessments and assess every processing activity you do. Even if your assessment shows that you have legitimate interest, the individual can object to your use of data, and then you have to prove that your interest overrides theirs.
Notably, direct marketing is allowed under the basis of legitimate interest, but it must not be obtrusive and you must cease marketing if you receive a request to stop. You have no recourse or other options in that case.
Legitimate interest can be invoked if it is reasonable to assume that processing would result as a consequence of the data subject's actions. For example, an occasional promotional letter from a company to an individual who is a regular client is reasonable and expected.
You can also process personal data if that would reduce the risk of breaches, i.e. improve the security of your IT infrastructure. Processing for administrative purposes, such as the transfer of employee or client data within the company, is also allowed, as is the processing of data for fraud and criminal analysis.
If you can be reasonably sure that the individual would not mind the processing you do on their data, and if such processing is necessary and beneficial to you, then you can consider legitimate interest as your basis. Keep in mind that the person has the right to object, and then you have to prove that this is indeed the case in order to continue processing (except for direct marketing, as explained above).
Compliance with Legal Requirements
Laws in certain EU member states may require an organisation to process personal data, even if it would not want to process it otherwise. Since acting contrary to those laws would mean the data controller is in breach of the law, processing is allowed even if it would otherwise be contrary to the GDPR.
This is in line with the Data Protection Directive. The laws must originate from an EU member state. The obligation must be ‘clear and precise’.
The ‘vital interests’ provision is similar to the DPD, but expanded to include the vital interests of both the individual in question (data subject) and those of other people. This encompasses data vital to the survival of a person – a life-or-death matter. For example, processing a person’s blood type or medical data in case of an accident.
Such processing may include the vital interest of children or relatives of the data subject, for example. Consent should generally be sought beforehand, unless the person is incapable of doing so. In contrast with the Data Protection Directive, vital interests can be invoked even if processing would benefit an individual other than the data subject.
If the processing of data would result in benefits to the society at large, such processing is legal. These particular benefits and conditions must be set in member state law beforehand. Examples include the prevention of disease pandemics (public health), public safety (product recalls etc.), archival, statistics and scientific purposes (when properly pseudonymised and/or anonymised).
Data subjects have the right to object to this kind of processing. Generally, you must cease processing unless you can demonstrate that the benefits exceed the potential risk to the freedoms of the individual.
This basis also covers the processing carried out by public authorities (police, tax offices, the government etc.) or by controllers to whom this power has been vested by these authorities.
The GDPR presents plenty of opportunities for processing of personal data, but at the same time strengthens the individuals’ rights and control over it. Depending on how you look at it, this can be considered either a crowning achievement of the GDPR or a major setback for the ease of doing business.
We opt for the former. The legal bases are not excessively restrictive, and responsible companies who care about their users and customers will not have a problem adapting to the requirements of the GDPR. Plus, they will enjoy a safer processing environment with less risk of breaches and better accountability. It truly is a win-win situation.