On the way to the practical side of the GDPR we need to recognize reasons for processing the personal data, officially known as lawful basis. It has been long time since the data processing had been uncontrolled. You have needed lawful basis since the directive had come into effect, but under the GDPR there is more of them, even more specifically described. We must admit the lawful basis is constructed in favour of data subjects and it brings new obligations for data processors. This statement is actually applicable throughout the whole GDPR.
Consent is one of the lawful basis. As it is the most difficult to handle, we prepared two individual blogs with detailed description of its requirements. Once again, we must emphasize that it is recommended to avoid processing the personal data based on consent, if possible. A lot of complications may arise in the future and in the end, you may be left without the right to further processing, even though you have not failed any of your obligations.
Contractual necessity will definitely be the most common lawful basis. Entering into or performing a contract would be literally impossible without it. Essentially, you cannot conclude the valid contract without disclosing personal data.
Example: Starting new job is inevitably connected with many administrative steps to take throughout many bureaus, registering for insurance or taxes. Concluded employment agreement is sufficient basis for processing personal data and explicit consent is not needed, even for processing sensitive personal data. The information of data processing needs to be included in employment agreement or in alternative way to give effect to the rights of data subjects.
Sometimes you have to process the data solely because the law requires it. It could be either EU law or the laws of a particular EU country. If it is necessary for compliance with legal obligation, such processing is permitted. However, we expect that organizations subjecting to non-EU court may be put in a difficult position.
Example: Employment law obliges employers to archive details on employees’ salaries for certain time periods. The employers are bound by it, even though a former employee would ask for data deletion.
Vital interests of the data subject are another lawful basis for processing. In case when life or health of individual is endangered, you do not have to bother with the GDPR and its requirements (finally!). Processing is also permitted on behalf of another natural person.
Example: If vital interests of a child need protection and it is needed to check parent’s health records, this situation sets lawful basis for data processing. Naturally, even sensitive personal data could be subject to such lawful basis.
Living in society implies there has to be higher interest than the data subject’s one. Usually public interests have the higher priority. Performance of tasks carried out by a public authority or private organization acting in the public interest is considered as lawful.
Example: During a football match, security service performs monitoring of attendees to safeguard their security. It is supposed that every fan should be aware of such processing of personal data by means of video monitoring. Even processing carried out on this basis may be subject to objectives from data subjects.
What is more, the GDPR leaves some space for EU countries to use additional lawful bases according to their own needs. There will always be differences in particular jurisdictions among them. A key aim of the GDPR is to harmonise EU data protection law across all the countries. However, it also leaves some space for the individual differences between the countries. This is the consequence of EU’s power limits, but first signs of countries activities suggest even more strict approach to the data protection.
Next time we will add more lawful basis, mention the different approach to processing Sensitive Personal Data and recommend several practical steps to handle lawful basis in your organisation.