Sep 27

The principle of lawfulness & lawful basis

DPOrganizer’s GDPR Requirements Series

#8 – The principle of lawfulness & lawful basis

Hi guys, welcome back, and a big thanks to Anna for the latest posts. In the coming posts, this one included, the GDPR Requirements Series will look more closely at the legality of processing: the principle of lawfulness, lawful basis, and some niche aspects of it such as legitimate interests and consent management.

The principle of lawfulness states that “personal data shall be processed lawfully /…/ in relation to the data subject.” That means that you, as the controller, must:

  1. Identify a valid legal basis for each processing of personal data
  2. Implement measures and safeguards that support the principle of lawfulness, so that the whole processing lifecycle stays in line with the legal basis relied on for that processing

Lawfulness means that processing must be based on consent or on another legitimate basis. A legitimate basis may be laid down by the GDPR itself, by EU law, or by the national law of an EU/EEA Member State. It may include data protection laws or other applicable rules and codes dealing with areas such as employment, competition, health, tax, or other objectives of public interest, depending on the particular case. The UK’s ICO has also stated that lawfulness means you must not do anything generally unlawful with personal data, e.g., infringing copyright or breaching a contractual agreement.

Here is a list from the European Data Protection Board with aspects that one can consider when implementing the principle of lawfulness:

  • Applying a correct legal basis to each processing activity
  • Differentiating the legal bases for each of the processing activities
  • Connecting the appropriate legal basis to the specific purpose of processing, together with the principle of purpose limitation
  • The processing must be necessary for the purpose, and that necessity must be unconditional, for the processing to be lawful
  • Granting data subjects the highest degree of autonomy possible over their data, within the limits of the legal basis
  • Establishing a legal basis before the processing takes place
  • Ceasing the processing if the legal basis no longer applies
  • Adjusting the processing if there is a valid change of legal basis, so the processing is suitable for the new legal basis
  • Whenever a joint controllership is envisaged, the parties must allocate their respective responsibilities toward the data subject clearly and transparently, and design the measures of the processing following this allocation

Determining a specific legal basis for every processing activity is the most prominent expression of the principle of lawfulness. In effect, any processing of personal data is prohibited unless one of the six legal bases applies to it. These legal bases are:

  • Consent
  • Legitimate interest
  • Fulfilment of a legal obligation
  • Performance of a contract with the individual
  • Protecting the vital interest of the data subject or another natural person
  • Carrying out a task in the public interest or exercising official authority

This was just dipping a toe into the principle of lawfulness. In the next post, we will deep-dive into the application of these legal bases and some interesting aspects of each of them. If you have any questions about lawfulness, don’t hesitate to reach out to me or the Professional Services Team. In any case, please join me next week for a continued look at the regulation’s cornerstone, the lawfulness principle.
