Legal obligation - You can rely on this lawful basis if you need to process the personal data:
- to comply with a common-law
- to comply with a statutory obligation (not including contractual obligations)
- if the processing is necessary
- if you document your decision to rely on this lawful basis and ensure that you can justify your reasoning
In short, "legal obligation" may be used when you are obliged to process the personal data to comply with the law. However, you must have identified and documented a specific legal provision or an appropriate source of advice or guidance that clearly sets out your obligation.
A contractual obligation does not qualify as a legal obligation in this context. In the case of a contractual obligation, you would likely rely on the legal basis of a contract or legitimate interest, so long as their provisions are met.
"It is a legal requirement Mark's financial records are kept for up to 6 years. Some of these records contain personal data. What legal basis can he store (process) their data under?"
Mark has a legal obligation to hold this data. Therefore, the legal basis for processing in this instance is Legal Obligation. Legal obligation waives certain individual rights, such as the "right to erasure".
What the regulator says
Article 6(1)(c) provides a lawful basis for processing where:
- “processing is necessary for compliance with a legal obligation to which the controller is subject.”
In short, "legal obligation" may be used when you are obliged to process the personal data to comply with the law.
Article 6(3) requires that the legal obligation must be laid down by UK or EU law. Recital 41 confirms that this does not have to be an explicit statutory obligation, as long as the application of the law is foreseeable to those individuals subject to it. So it includes clear common law obligations.
This does not mean that there must be a legal obligation specifically requiring the specific processing activity. The point is that your overall purpose must be to comply with a legal obligation which has a sufficiently clear basis in either common law or statute.
You should be able to identify the obligation in question, either by reference to the specific legal provision or else by pointing to an appropriate source of advice or guidance that sets it out clearly. For example, you can refer to a government website or to industry guidance that explains generally applicable legal obligations.
Regulatory requirements also qualify as a legal obligation for these purposes where there is a statutory basis underpinning the regulatory regime and which requires regulated organisations to comply.
A contractual obligation does not comprise a legal obligation in this context. You cannot contract out of the requirement for a lawful basis. However, you can look for a different lawful basis. If the contract is with the individual you can consider the lawful basis for contracts. For contracts with other parties, you may want to consider legitimate interests.