Lawful basis Part II. - Evolveum | Open Source Identity Management & Governance

As the entry into force of the GDPR approaches, we continue in our search for the most appropriate lawful basis and assess each requirement. The most discussed kind of legal basis is “legitimate interests”. It is the most flexible one and is designated for various situations, where the others obviously don’t fit. Nevertheless, you cannot assume it will always be appropriate or applicable. If you choose to rely on legitimate interests, you must take into account the responsibility for assessing and protecting people’s rights and interests.

There are particular steps a controller needs to take to be able to rely upon its Legitimate Interests subject to:

Determining the legitimacy of an interest: interest must be lawful, therefore in compliance with relevant laws, clearly articulated allowing the balancing test to be carried out and represent not speculative, but real and present interest.

Determining the necessity for achievement of pursued interest: other, less invasive methods are unavailable to achieve the legitimate interest.

Carry out a Balancing Test

Several factors must be considered when weighting the legitimate interests. These include the nature of the interests, the impact of processing and any safeguards which are or could be put in place. The nature of the interests includes the reasonable expectations of the individual about the processing taking place and the type of data. The impact of processing includes positives and negatives and also the likelihood and severity of impact on the individual.

Few recitals of the GDPR provide us with the examples of legitimate interests. Processing of personal data for direct marketing may be regarded as carried out for legitimate interest. Since consent is not viable or preferred everywhere, although you will still need to show there is a balance of interests. Of course, any individual can object to direct marketing and it is one of the examples of legitimate interests for which objection is already fairly well understood and easy to action (e.g. unsubscribe link).

Relevant and appropriate relationship, such as where the individual is a client, will be very commonly used legitimate interests. If the client has expressed his interest in the previous campaign, the controller may certainly approach him with the e-mail about the upcoming campaign. Whereas I would definitely recommend double opt-in style, proving information about the legitimate interests as well as about the rights of data subjects.

Some reasons for legitimate interest are meant for the controller to be able to ensure his safety and the personal data safety. Processing for preventing fraud and transmitting personal data within the group of undertakings for administrative purposes applies here. Furthermore, the processing for the purposes of ensuring network and information security.

Where legitimate interests are relied on in relation to specific operations, this will now need to be set out in relevant information notices. Individuals are able to object to processing based on legitimate interests. The burden now lies on data controllers to prove they have compelling grounds to continue processing the data.

For all we have stated to lawful basis issue in the GDPR there is an exemption, namely Sensitive personal data. In order to process special category data lawfully, you must identify both a standard lawful basis (art.6) and a separate condition for processing special category data. Those bases do not have to be linked. You must determine your condition for processing sensitive data prior to processing and document it. The choice of lawful basis is independent. For example, if you use consent as your lawful basis, you are not restricted to use the explicit consent for special category processing.

Recommendation:

Lawful basis management is necessary for the GDPR solution in every bigger organization processing personal data, as it would not be efficient to engage several employees with this. If you want to build strong process to control lawful basis, you should:

Review all activities regarding data processing,
Reveal and record lawful basis for each processing activity,
If consent is the basis for processing, set its GDPR’s standards,
If legitimate interest is the basis for processing, assess the legitimate interest in consideration with the rights of data subjects and maintain records for the accountability
Document and manage lawful basis to achieve accountability.

Here is an example how we deal with lawful basis management using our identity management software – midPoint.

midPoint’s lawful basis management screenshot

Name	Provider	Purpose	Expiry	More information
PHPSESSID	Evolveum s.r.o.	Cookie generated by applications based on the PHP language. This is a general purpose identifier used to maintain user session variables. It is normally a random generated number, how it is used can be specific to the site, but a good example is maintaining a logged-in status for a user between pages.	When you close your browser
moove_gdpr_popup	Evolveum s.r.o.	When this Cookie is enabled, these Cookies are used to save your Cookie Setting Preferences. You can enable or disable your Cookie Settings on our website at anytime via Cookie Settings.	1 year	Read more
wordpress_test_cookie	Evolveum s.r.o.	Tests that the browser accepts cookies.	Session	Read more
wp-settings-[user_id]	Evolveum s.r.o.	Used to preserve user’s wp-admin settings	1 year	Read more
wordpress_[hash]	Evolveum s.r.o.	On login, WordPress uses the wordpress_[hash] cookie to store your authentication details. Its use is limited to the Administration Screen area, /wp-admin/	Session	Read more
wordpress_logged_in_[hash]	Evolveum s.r.o.	Remember User session	Session	Read more
wordpress_sec_[hash]	Evolveum s.r.o.	This cookie is used to store your authentication details. Its use is limited to the admin console area, /wp-admin/	Session	Read more
wp-postpass_[hash]	Evolveum s.r.o.	This cookie is used to grant access to password protected areas of the site.	10 days
wp-settings-time-[user_id]	Evolveum s.r.o.	The number on the end is your individual user ID from the user’s database table. This is used to customize your view of admin interface, and possibly also the main site interface.	1 year	Read more

Name

Provider

Purpose

Expiry

More information

PHPSESSID

Evolveum s.r.o.

Cookie generated by applications based on the PHP language. This is a general purpose identifier used to maintain user session variables. It is normally a random generated number, how it is used can be specific to the site, but a good example is maintaining a logged-in status for a user between pages.

When you close your browser

moove_gdpr_popup

Evolveum s.r.o.

When this Cookie is enabled, these Cookies are used to save your Cookie Setting Preferences. You can enable or disable your Cookie Settings on our website at anytime via Cookie Settings.

1 year

wordpress_test_cookie

Evolveum s.r.o.

Tests that the browser accepts cookies.

Session

wp-settings-[user_id]

Evolveum s.r.o.

Used to preserve user’s wp-admin settings

1 year

wordpress_[hash]

Evolveum s.r.o.

On login, WordPress uses the wordpress_[hash] cookie to store your authentication details. Its use is limited to the Administration Screen area, /wp-admin/

Session

wordpress_logged_in_[hash]

Evolveum s.r.o.

Remember User session

Session

wordpress_sec_[hash]

Evolveum s.r.o.

This cookie is used to store your authentication details. Its use is limited to the admin console area, /wp-admin/

Session

wp-postpass_[hash]

Evolveum s.r.o.

This cookie is used to grant access to password protected areas of the site.

10 days

wp-settings-time-[user_id]

Evolveum s.r.o.

The number on the end is your individual user ID from the user’s database table. This is used to customize your view of admin interface, and possibly also the main site interface.

1 year

Leave a Reply Cancel reply

Cookie settings

Strictly necessary

Third party

Technical