The General Data Protection Regulation (GDPR) is arguably one of the most comprehensive and heavily enforced privacy laws in the world. GDPR went into effect on May 25, 2018 and aims to protect the personal data of European Union residents by providing them with certain privacy rights, requiring websites to have a Privacy Policy, and placing restrictions on how businesses can collect, use and disclose personal data. The most surprising restriction is the fact that GDPR actually explicitly prohibits the processing of personal data. This means that if GDPR applies to you, then you cannot collect, process or share personal data unless an exception, or a legal basis for processing, applies. In this article, we will discuss the legal bases for processing personal data under GDPR.
Table of Contents
Consent as a legal basis for processing
First, GDPR allows for the processing of personal data when the data subject has given consent to such processing for one or more specific purposes. Consent must be given by a clear and affirmative action and must be freely given, specific, and unambiguous. If you are relying on the legal basis of consent, you must be able to show that you have obtained such consent. While checkboxes to indicate consent are acceptable according to Recital 32, pre-ticked checkboxes or silence do not work as they cannot be used to show an affirmative action that demonstrates consent. Consent should cover all processing activities for the same purpose or purposes. If the processing has multiple purposes, consent should be given for all of them.
The issue of gaining consent under GDPR has ties to your Privacy Policy as well, as any declaration of consent should be provided in an intelligible and easily accessible form, using plain and clear language that does not contain any unfair terms. Your Privacy Policy plays a large part in the “informed” portion of consent as for consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the data is intended. If you do not provide these disclosures, then a user of your website cannot properly provide consent, making your processing of their data unlawful.
Consent should be provided freely and data subjects have the right to withdraw consent at any time. In fact, it should be as easy to withdraw consent as it is to receive it. It is also important to note that a data subject revoking his or her consent does not affect the lawful processing of the data before that time. However, entities must ensure that no further processing of that data is performed after consent is withdrawn.
Contracts
Second, you can process data when such processing is necessary for the performance of a contract to which the data subject is a party to or in order to take steps at the request of the data subject prior to entering into a contract under the contracts legal basis. Recital 44 clarifies that under the contracts legal basis, processing should be lawful where it is necessary in the context of a contract or the intention to enter into a contract. For example, if a consumer purchases shoes online, it would be lawful to process their shipping address to mail the shoes as part of this contract. However, using that address for marketing emails is not necessary to perform the contract and thus would not qualify for this legal basis. For more information on this legal basis, read our article on how contracts can be used to process data under GDPR.
Legal obligations
Third, GDPR allows for the processing of personal data when such processing is necessary for compliance with a legal obligation to which the controller is subject. While GDPR does not require a specific law to be cited for each individual processing, the processing as a whole must have a basis in European Union or Member State law to qualify for this legal basis. An example of this might be having to process personal data in order to pay taxes.
The legal basis of vital interests
Fourth, GDPR allows the processing of personal data when such processing is necessary in order to protect the vital interests of the data subject or of another natural person. In this case, “vital interests” are defined as interests which are essential for life. Examples of processing under this legal basis would include monitoring epidemics and their spread, natural disasters and humanitarian emergencies.
Public interests and official authority
Fifth, GDPR allows for data processing when such processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. Once again this could be the Tax Administration Agency needing to process personal data to determine how much tax someone owes for the year.
Legitimate interests
Lastly, GDPR allows for the processing of personal data when processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights or freedoms of the data subject which would require protection of personal data, in particular where the data subject is a child.
As GDPR prohibits all processing of personal data unless one of the above exceptions apply, it is imperative that you understand which legal basis for processing applies to you. Your Privacy Policy must also disclose the legal bases that apply to you or you could be in violation of GDPR and thus face fines. Make sure to avoid the fines by creating your GDPR ready Privacy Policy with Termageddon’s Privacy Policy generator.
