What are the Grounds for Processing Personal Data under GDPR?
As we have seen, GDPR is the new law governing the processing of personal data, which is coming into force on 25 May 2018. One of its core requirements (in Article 5) is that all personal data must be processed lawfully, fairly and transparently.
In Article 6, it is specified that processing (including collection) is only lawful if one of the following lawful grounds applies:
- The data subject has given their consent to the processing.
- The processing is necessary for the performance of a contract you have with the data subject, or to take steps requested by them in the lead up to entering a contract (such as preparing a quote).
- The processing is necessary to comply with a legal obligation.
- The processing is necessary to protect the data subject’s (or another person’s) vital interests.
- The processing is necessary to perform a task in the public interest or in exercise of official authority.
- The processing is necessary to protect the organization’s (or a third party’s) legitimate interests.
For the grounds other than consent, the processing must be necessary for that purpose. This means that if you could reasonably achieve the task (performance of a contract, etc.) without processing personal data, the lawful ground will not apply.
You should determine what the lawful basis for processing will be ahead of time and notify the data subject of it. When processing data under a different ground from the one for which it was originally collected, you will need to check that the new purpose is compatible with the original purpose (unless the new ground is consent or legal obligation). To do so, you will need to take into account:
- Any link between the old and new purposes.
- The context in which the data was collected, such as the relationship between the parties.
- The nature of the data.
- The possible consequences of the further processing for the data subjects.
- The existence of safeguards to protect the data subjects.
Finally, note that for both special categories of data (along with criminal convictions and offenses) and automated decision-making, the requirements are stricter; we will consider these towards the end of this article. First, we will look at the basic grounds in a bit more detail.
The six grounds
Consent
This ground is more complicated than it may sound, as there are various requirements about the quality of the consent. It is certainly not acceptable to assume that, by providing their personal data, a data subject has consented to you using it in whatever way you see fit. We will look in detail at the requirements for establishing valid consent in the next article.
Performance of a contract or preliminary steps
In order for the second ground to hold, one of the following must apply:
- You have entered into a contract with the data subject. In this case processing is valid if it is necessary in order to perform this contract.
- The data subject has requested that you take steps (such as providing a quote) prior to entering into such a contract. In this case processing is valid if it is necessary in order to take those steps.
Take care when relying on this ground, as it will only cover types of information and processing which are genuinely necessary for these purposes. For example, say that you require people to provide contact details when they purchase goods or services from you. This is likely to be legitimate to the extent that you may need an address to deliver goods, and you may need to contact them about their order. However, this does not mean that it will be legitimate to use these details for research into your customers’ purchasing habits (which will not be necessary to the contract in question).
Legal obligation
It may be that you are required by EU or national law to collect certain data, or to process it in a certain way. If this is the case, then it is lawful to do so under GDPR.
Key Point: A contractual obligation is not enough to satisfy this requirement. Also note that as written, this does not cover the laws of countries outside of the EU.
Vital interests
This is an extremely narrow ground which will only cover processing necessary to protect an interest “essential to the life of” the data subject or another person. Examples could include certain crime prevention or humanitarian operations. Note that special categories of data cannot be processed under this ground if the data subject is capable of giving consent (even if they refuse).
Public interest or official authority
This will cover public authorities (such as the government or emergency services) and organizations to which official tasks are delegated. The processing has to be authorized by EU or national law, so organizations cannot generally argue that they are covered simply because their activities are “in the public interest”. Note that data subjects have the right to object to processing carried out under this ground, under Article 21.
Legitimate interests
This is a potentially quite flexible category, catching a number of processing activities which are not necessary to the performance of a specific contract, but which are nonetheless vitally important to running most types of business.
The nature of these legitimate interests is not spelled out in the text of GDPR. However, the explanatory notes provide some guidance. A crucial consideration is the reasonable expectations of data subjects when their data is collected. This will be assessed in light of their relationship to the data controller.
The guidance notes also give the following potential legitimate interests which may justify processing:
- Direct marketing.
- The prevention of fraud.
- Ensuring network and data security.
- The administrative transfer of data between organizations within a group.
What is clear from the text is that these legitimate interests only give a lawful ground if they are not overridden by the interests, rights and freedoms of the data subjects. As such, a balancing act must take place.
Also note that data subjects have the right to object to processing under this ground, under Article 21. If they do so, such processing must stop unless the data controller can demonstrate compelling legitimate grounds for the processing which override the data subject’s rights. If data subjects object to processing for direct marketing (including profiling for this purpose), then you cannot refuse to stop the processing.
The grounds in practice
For most commercial organizations, the “vital interests” and “official authority” grounds are unlikely to have much impact on day-to-day operations.
Of the other grounds, consent is the broadest, allowing you to catch anything not otherwise covered. You can refer to the next article for details on how to make sure that the consent collected is sufficient to make processing lawful.
However, consent can be refused, or it can be withdrawn at any time. The other grounds can therefore allow you to ensure that you are able to collect and process the data you need in order to perform a contract, comply with any legal obligations, and otherwise pursue your legitimate interests (although remember that data subjects can object to this last type of processing).
To see how this might work in practice, the following is likely to be the best approach when entering into a contract with a client (for example through an online submission form):
- Only require them to supply information that satisfies a non-consent ground (for example, data that will genuinely be necessary for the performance of the contract or for your legitimate interests, or which you are required to collect by law).
- Clearly ask for consent to take any other data and to use the collected data for any other purpose.
- If a customer or other data subject refuses to give this consent, and provides only the information required, you will have to exclude this data from any other types of processing. To do this, you will probably need to flag the different sets of data according to the processing permitted for each.
Special categories of data
In Article 9, there are stricter rules for processing the following special categories of personal data:
- Racial or ethnic origin.
- Sexual orientation.
- Political opinions.
- Religious or philosophical beliefs.
- Trade union membership.
- Genetic data.
- Biometric data.
- Health data.
- Information about a person’s sex life.
For these categories, you will still need to have one of the six grounds considered above. However, you will also need one of the following grounds for processing (although there is considerable overlap):
- The data subject has given their explicit consent to the processing.
- The processing is necessary to protect the data subject’s (or another person’s) vital interests, and the data subject is incapable of giving consent.
- The processing is carried out by a not-for-profit organization, in the course of its legitimate activities and with appropriate safeguards. The processing must only relate to its members or former members, or people regularly in contact with it, and it must not disclose the data externally without consent.
- The processing is of personal data manifestly made public by the data subject.
- The processing is necessary to establish or exercise legal claims or defences, or is by courts in their judicial capacity.
Alternatively, there are other potential grounds which will first have to be established by specific EU or national laws before they can be relied on:
- The processing is in the field of employment, social security or social protection.
- The processing is necessary for reasons of substantial public interest.
- The processing is necessary for medical purposes.
- The processing is necessary for public health purposes.
- The processing is necessary for archiving purposes.
Of this second category, the most important one for most organizations is likely to be the one covering employment, as governments attempt to strike a balance between employee rights over their data and the needs of employers to keep full HR records.
If collection and processing of this information is necessary to your organization, it will be important for you to check that one or more of the above grounds applies, as well as one of the original six.
Comparing these to the standard list of six grounds, consent will still justify the processing of special category data (as long as it is explicit), as will a person’s vital interests (if the data subject is unable to consent) and most cases of legal obligations and official authority. However, neither the performance of a contract nor an organization’s legitimate interests will be enough by itself.
Note that while information about criminal convictions and offences is not a special category, Article 10 states that it should only be processed under the control of official authority or where specifically authorized by law.
Automated decision-making
In Article 22, there are also stricter rules where decisions are made based solely on automated processing (including profiling). This is only justified under one of the following grounds:
- The processing is necessary to enter into or perform a contract with the data subject.
- The processing is authorized by EU or national law.
- The data subject has given their explicit consent to the processing.
You will need to implement measures to safeguard the data subject’s rights, freedoms and legitimate interests. In practice, the biggest difference between these grounds and the standard six grounds is that legitimate interests are not enough to justify this processing.
Note that these decisions may only be based on the special categories of data (above) if the data subject has given explicit consent, or if it is authorized by law and necessary for reasons of substantial public interest.
Getting familiar with the various lawful grounds is a vital part of preparation for, and compliance with, GDPR. You will need to document the grounds under which processing is done (along with the additional grounds for special categories of data) and communicate this to data subjects.
A number of your processing operations are likely to be covered by performance of a contract (or preliminary steps), legal obligations or your legitimate interests. However, outside of these categories you will need to get the consent of data subjects to processing. That is the next area we will cover.