Why you must establish a valid legal basis for processing personal data

Overview

GDPR requires that you process all personal data lawfully, fairly and in a transparent manner. If no lawful basis applies to your processing, your processing will be unlawful and in breach of the first principle.

Individuals also have the right to erase personal data which has been processed unlawfully.

To process personal data in accordance with the law, you must first establish which of the 6 legal bases for processing is most applicable to your purposes.

It is very common to have at least two legal bases for processing.

Your obligations, as well as individuals' rights regarding their personal data, can vary significantly depending on the assigned legal basis. Because of this, it is important to map out your legal basis accurately and at a granular level, so that it is clear which legal obligations attach to each category of personal data.

The 6 legal bases are:

  • Contract - mainly for the purpose of delivering contracted services
  • Legitimate interest - assigned to low-risk and expected processing, such as replying to an enquiry
  • Consent - for any processing outside the direct scope of your services, such as marketing
  • Legal obligation - when you process personal information to comply with a common law or statutory obligation
  • Vital interest - when you need to process personal information to protect someone's life
  • Public interest - when you need to process personal data 'in the exercise of official authority'

Example

You may need to store customers' contact information in order to fulfil an order or contract. This could be deemed processing under the legal basis of contract.

The customer refers a friend to you who enquires about your services and requests a quote. Here you could process their information under the legal basis of legitimate interest.

You want to offer a special discount to promote your services to your existing customers. However, 'promoting your services' is not what your customers shared their information with you for when acquiring your services. This means you will need to process their information under the legal basis of consent (granted permission), which will require them to grant you express permission to do so.

To run your company you manage a staff of 5. You are required by law to hold on to some of their personal information for HMRC purposes for up to 5 years. You hold this information under the legal basis of legal obligation.

By assigning a legal basis at a granular level like this, the varying retention periods and obligations of each category of data can be tracked accurately.

Here is an example of how you might assign legal bases across your organisation (entries ending in "..." are truncated in the original):

| Legal basis | Purposes of processing | Categories of purposes | Categories of individuals | Categories of personal data |
|---|---|---|---|---|
| Legal obligation | Payroll | Staff administration | Employees | Contact details |
| Legal obligation | Regulatory purposes | Staff administration | Employees | Financial details... |
| Contract | To co-ordinate the workforce | Staff administration | Employees | Emergency contacts..., Contact details... |
| Contract | To send emails and other communications | Customer orders | Customers | Contact details |
| Contract | For billing, account management and other administrative matters | Customer orders | Customers | Financial details |
| Legal obligation | Regulatory purposes | Customer orders | Customers | IP address... |
| Contract | To provide, update, maintain and protect our Services, Websites and business | | Suppliers... | Contact details |
| Legitimate interest | To send emails and other communications | | Suppliers... | Financial details |
| Contract | For billing, account management and other administrative matters | | Suppliers... | Location... |
| Consent | Information about our latest offers | Marketing | Customers | Contact details |
| Consent | Exclusive discounts | Marketing | Customers | Lifestyle information |
| Consent | Industry insights | Marketing | Clients... | Contact details... |

What the regulator says

The individual's right to be informed under Articles 13 and 14 requires you to provide people with information about your lawful basis for processing. This means you need to include these details in your privacy notice.

The lawful basis for your processing can also affect which rights are available to individuals. For example, some rights will not apply:

However, an individual always has the right to object to processing for the purposes of direct marketing, whatever lawful basis applies.
 
The remaining rights are not always absolute, and there are other rights which may be affected in other ways. For example, your lawful basis may affect how provisions relating to automated decisions and profiling apply, and if you are relying on legitimate interests you need more detail in your privacy notice.
 
Summary
  • You must have a valid lawful basis in order to process personal data.
  • There are six available lawful bases for processing. No single basis is 'better' or more important than the others; which basis is most appropriate to use will depend on your purpose and relationship with the individual.
  • Most lawful bases require that processing is 'necessary' for a specific purpose. If you can reasonably achieve the same purpose without the processing, you won't have a lawful basis.
  • You must determine your lawful basis before you begin processing, and you should document it. The ICO has an interactive tool to help you.
  • Take care to get it right first time - you should not swap to a different lawful basis at a later date without good reason. In particular, you cannot usually swap from consent to a different basis.
  • Your privacy notice should include your lawful basis for processing as well as the purposes of the processing.
  • If your purposes change, you may be able to continue processing under the original lawful basis if your new purpose is compatible with your initial purpose (unless your original lawful basis was consent).
  • If you are processing special category data you need to identify both a lawful basis for general processing and an additional condition for processing this type of data.
  • If you are processing criminal conviction data or data about offences you need to identify both a lawful basis for general processing and an additional condition for processing this type of data.