Back to Basics: Lawful Bases for Processing Personal Data

Tuesday 20th December 2022

Welcome to the first in a series of data protection ‘Back to Basics’ articles. This one’s about choosing an appropriate lawful basis for processing personal data.

Organisations that decide on the purposes and means of processing individuals’ personal data (‘data controllers’) can only do this if they have a lawful basis.

Under Article 6 of the UK GDPR, there are six lawful bases (below), all of which have equal weight. The appropriate lawful basis depends on the nature of the processing and the relationship between the data controller and the individual.

Consent

Relying on consent can be a powerful tool for data controllers. It also gives individuals the option to agree with how their data is used, and enhances trust in an organisation. However, consent should be used cautiously: it is not appropriate where the controller can’t give individuals a genuine choice, and consent can be withdrawn by an individual at any time. It may also be inappropriate where there is an imbalance of power between the two parties, such that consent may not be freely given (e.g. in an employer/employee context).

Example: An organisation includes an opt-in feature on its website to allow individuals to sign up to its newsletter. Individuals can unsubscribe at any time. Consent is the most appropriate lawful basis and a ‘gold standard’ approach to direct marketing.

Contract

This could apply if the processing is necessary for the performance of a contract to which the individual is a party. ‘Necessary’ does not mean that the processing must be essential for the performance of the contract; however, it must be a proportionate way of achieving that outcome.

Example: When an individual makes a purchase online, the organisation uses the individual’s address to deliver the goods. This is required to carry out the contract. ‘Contract’ is the most appropriate lawful basis here.

Legal obligation

When a data controller is required by law to process personal data, ‘legal obligation’ is the organisation’s appropriate lawful basis for processing. Organisations that wish to rely on this basis should document their decision, and identify the relevant obligation.

Example: When a financial institution knows or reasonably suspects that someone is engaging in, or attempting to engage in, money laundering, it has a legal obligation under the Proceeds of Crime Act 2002 to file a Suspicious Activity Report with the National Crime Agency. The organisation is correct to use ‘legal obligation’ as its lawful basis for processing.

Vital interests

This is a less common lawful basis for processing, which can only be used where processing personal data is necessary to preserve someone’s life.

Example: A patient is rushed to hospital for life-saving treatment. The patient is unconscious, so cannot consent to their medical history being shared. The hospital can use the lawful basis of ‘vital interests’ to access the patient’s data.

Public interest

Any data controller that exercises official authority (e.g. public authorities) or carries out a specific task in the public interest (e.g. private energy companies) may use this lawful basis, as long as the legal basis for that task or authority is sufficiently clear.

Example: Bad weather has caused power cuts in a village. The energy provider wants to contact individuals to update them about maintenance works. It is in the public interest for the energy provider to process this data.

Legitimate interests

This is the most versatile lawful basis, but can be tricky to navigate. It is likely to be most appropriate when a data controller uses individuals’ personal data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.

Those who wish to rely on this lawful basis must identify a legitimate interest, show that the processing is necessary to achieve it, and balance it against the individual’s interests, rights and freedoms. This should be documented using a ‘Legitimate Interests Assessment’. If the processing would cause unjustified harm or is overly intrusive, the individual’s interests are likely to override the data controller’s legitimate interests.

Example: An e-commerce company analyses user data in real time to detect and prevent fraud. It is in the company’s legitimate interests to minimise the amount of fraud that takes place on its platform. The company undertakes a Legitimate Interests Assessment and is satisfied that it can justify its processing activities.

For further information, contact our Privacy and Data Protection team who can advise on your business’ data protection compliance.