Oct 04

The Legal Bases

DPOrganizer’s GDPR Requirements Series

#9 – The Legal Bases

Head first into the pool of lawfulness: the different legal bases. As we covered last Tuesday, there are six of them, and some are more commonly applied than others.

The important thing now is to apply a correct legal basis to each processing activity, differentiate the legal basis between processing activities, and connect the appropriate legal basis to the specific purpose of processing.

Therefore, as a controller, you have to evaluate the context and circumstances of each processing activity. Looking at your purpose, you should identify and justify the legal basis you will use for every processing activity. When you have decided on a legal basis, that decision should be documented. All of this can be done in DPOrganizer’s tool, where you can easily apply, differentiate and connect a lawful basis for each processing activity and data subject category.

If you recall, the bases are:

  • Consent
  • Necessary for the purposes of a legitimate interest
  • Necessary for compliance with a legal obligation
  • Necessary for the performance of a contract with the individual
  • Necessary in order to protect the vital interest of the data subject or another natural person
  • Necessary in order to carry out a task in the public interest or exercising official authority

Consent is defined by four criteria: it must be (1) freely given, (2) specific, (3) informed, and (4) an unambiguous indication of the data subject’s wishes. In some instances, the GDPR requires what is called explicit consent. The term explicit requires the data subject to give an express statement of consent. The EDPB has elaborated further on consent in a dedicated guideline.

The data subject must have a genuine and free choice, and must be able to refuse or withdraw consent at any time without detriment. Consent is not freely given if, for example, a service is denied when the data subject does not consent to the collection of personal data that is not necessary for providing that service. Consent needs to be specific, so that if the processing has multiple purposes, consent is given for each one of them. A request for consent should at least include the controller’s identity, the purposes of the processing, the types of personal data that will be collected and used, and the existence of the right to withdraw consent. When the data subject gives their consent, there should be no doubt about what their intentions are.

Legitimate interest means that processing is necessary for the purposes of a legitimate interest pursued by the controller, or by a third party to whom the data are disclosed. To use this legal basis, you need to carry out a specific Legitimate Interest Assessment (LIA), which will be covered in another post. Any legitimate interest must be lawful (i.e., permitted under applicable EU and Member State law), sufficiently specified to allow an LIA, and represent a real and present interest (i.e., not speculative). Before the GDPR, the old Article 29 Working Party published an opinion on the notion of legitimate interest under the old directive; it can still be useful now as a deep-dive.

Fulfilment of a legal obligation applies when the processing is necessary for you as a controller to comply with a legal obligation, such as social security, tax and bookkeeping laws, or sector-specific laws in areas like finance, anti-money-laundering, or telecommunications.

Performance of a contract applies when the processing of personal data is necessary for the performance of a contract. It also covers the time before the formation of a contract. There should be a clear connection between the necessity of the processing on the one hand and the contract’s substance and objective on the other. If the situation is pre-contractual, it is a prerequisite that the action requiring the processing activity is initiated by the data subject, e.g., by requesting goods or services that you provide.

Protecting the vital interests of the data subject or another natural person means that the processing is essential for their lives. This legal basis should only be used if the processing cannot manifestly be based on another legal basis.

A task in the public interest is a legal ground that only the public sector can apply to its processing activities. In practice that can also include private entities, but only if they are indeed carrying out an activity in the public interest.

§

Looking at the last five, they all demand that the processing be necessary. The EDPB has stated that the notion of necessity in the GDPR must reflect the objectives of data protection law, the fundamental rights to privacy and to the protection of personal data, and the GDPR’s principles. They go on to explain necessity in the context of contracts, and set out a necessity test as follows:

  1. What is the nature of the service being provided to the data subject? What are its distinguishing characteristics?
  2. What is the exact rationale of the contract (i.e. its substance and fundamental object)?
  3. What are the essential elements of the contract?
  4. What are the mutual perspectives and expectations of the parties to the contract? How is the service promoted or advertised to the data subject? Would an ordinary user of the service reasonably expect that, considering the nature of the service, the envisaged processing will take place in order to perform the contract to which they are a party?
  5. The final question that you should ask yourself is: does the intended processing go beyond what is objectively necessary for the performance of the contract in question?

Whether an adapted version of this test is applicable to the other legal bases is an open question, but I propose that it is possible to reason similarly about the prerequisite of necessity.

If you have any questions, for example if you run into trouble with applying, differentiating and connecting legal bases, you can always email me at albin.thelin@nulldporganizer.com. In next week’s post, I am thinking about writing a bit more about consent and legitimate interest assessments. So stick around!
