There are six lawful bases for processing personal data under the EU General Data Protection Regulation ("GDPR"):
For consent, legitimate interests and contract, some of the complexities are discussed below.
If relying on consent from an individual to process their personal data, the request must be offered as a genuinely free, specific and fully informed choice, and the individual must be able to withdraw it as easily as it was given; otherwise the consent will not be valid. It is worth noting:
If in doubt, organisations should actively explore alternative processing grounds to avoid consent's stringent requirements.
Legitimate interests is available where your organisation has an identifiable business interest in processing personal data, such as improving customer services, provided that the interests, rights and freedoms of the individual do not override that interest. The regulator recommends undertaking and recording a legitimate interests assessment (or "LIA") covering purpose, necessity and the balancing of interests to demonstrate compliance; accountability is a legal obligation under the GDPR.
If an individual objects to processing based on legitimate interests, the processing must stop unless your organisation can demonstrate compelling legitimate grounds that override the individual's interests, rights and freedoms (Article 21 GDPR); for direct marketing there is no such exception and the objection must always be honoured.
Public sector bodies, organisations processing children's data, and organisations carrying out electronic marketing should in particular be aware that this ground is restricted for them and that additional conditions apply under related laws and guidance (for electronic marketing, the ePrivacy rules).
Is it absolutely necessary for your organisation to process certain personal data in order to fulfil a service (or provide a product) under a contract with the data subject? The key factor here is 'necessity'. In May 2019 the European Data Protection Board (EDPB) issued draft Guidelines on this ground which make clear that necessity under the 'contract necessity' ground should be judged objectively: it requires that "the service could not be provided and the contract could not be performed" without the personal data at issue, and "if there are realistic, less intrusive alternatives, the processing is not 'necessary'". In addition, a legally valid contract must exist with the individual (or the necessary steps must have been taken towards entering into one). The contract must therefore comply with national laws, such as the fairness of terms requirements in consumer contracts. The ability to rely on this ground is consequently quite limited. Activities unlikely to meet the threshold in the EDPB's view were:
Merely stating in a contract that the service is conditional on personal data being processed will not be sufficient to establish necessity; what matters is whether the processing is objectively needed to perform the contract.
If personal data reveals racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, or consists of genetic or biometric data, health data, or data concerning sex life or sexual orientation, it is special category data. An Article 6 lawful basis alone is not enough: your organisation must also meet a separate condition under Article 9 GDPR and the Data Protection Act 2018 (for example, explicit consent), and not all of the above processing grounds have an Article 9 equivalent.
How we can help
We offer a full suite of data protection compliance services (including expert advice, access to resources, data breach support, training and audits).
Contact our data protection specialists to discuss how we can help your organisation achieve good data governance while maximising opportunities.