In this briefing note, we examine what is meant by processing data for a lawful basis under the terms of the GDPR.
Businesses and organisations that gather personal data must have a valid and lawful basis in order to process it, and must be aware that such a basis will not apply if they can reasonably achieve the same purpose by some other, less intrusive means.
Processing for this purpose means:
“any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”.
It is for the Data Controller to take responsibility for being able to demonstrate which lawful basis applies to a particular processing purpose, and be in a position to demonstrate this before they start to process the data.
Article 6 of the regulation makes it clear that there are only six lawful bases to allow the processing of personal data, all of which, save where the consent of the data subject is given, require such processing to be necessary.
The six lawful bases for processing data, in accordance with Article 6 of the regulation, are:
1. Consent – clear consent has been given by a data subject for processing for one or more specific purposes.
2. Contract – the processing of data is necessary for the performance of a contract with a data subject, or to enable steps to be taken prior to the data subject entering into the contract.
3. Legal obligation – processing is necessary to comply with a legal obligation to which the data controller is subject.
4. Vital interests – processing is necessary to protect the life of the data subject or of another natural person.
5. Public task – processing is necessary in order to perform a task in the public interest or in the exercise of official authority.
6. Legitimate interests – processing is necessary for the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
The processing of data can only be lawful if there is a lawful basis for doing so. Where such a basis is not established, or data is processed other than in accordance with that basis, the regulation provides individuals with a right to have their personal data erased.
It is imperative therefore that businesses clearly document the lawful basis for processing data together with the intended purpose of processing, and that data subjects are informed upfront of that basis (usually through a privacy statement).
Once GDPR comes into effect, it will be important to identify clearly which basis is relied upon, as it is not possible to swap between lawful bases at will if the original basis is found to be unlawful. This is not to say that a different basis cannot apply to a different processing purpose within the same organisation.
By way of example, where data is originally processed on the lawful basis of a data subject's consent, it is not then possible, where that individual withdraws their consent, to continue to process that data on the basis of legitimate interests.
If you are unsure of the lawful basis upon which you intend to process personal data then please contact Richard Burraston on 01293 596984 or at Richard.burraston@stevensdrake.com or Paul Dungate on 01293 596981 or by e-mail at paul.dungate@stevensdrake.com for further advice and assistance.