
            Processing personal data? How to choose the right ground?

            Your organisation must have and record a lawful processing ground for processing personal data.

            Date: 25/06/2019

            There are six options under the EU General Data Protection Regulation ("GDPR"):

            1. Consent
            2. Legitimate interests
            3. Contract
            4. Public task – performance of a task carried out in the public interest, or to exercise official authority (typically used by public sector bodies)
            5. Processing necessary to comply with a Legal obligation, such as a legal requirement to conduct identity checks
            6. Protecting the Vital interests of an individual (generally limited to medical intervention in 'life or death' situations)

            For consent, legitimate interests and contract, some of the complexities are discussed below.


            Consent

            If relying on consent from an individual to process their personal data, the request must be offered as a genuinely free and fully informed choice, otherwise it won't be valid.  It is worth noting:

            • an imbalance of power between the requesting organisation and the data subject (e.g.  between an employer and employee) will indicate that consent has not been 'freely given';
• consent is neither 'fully informed' nor valid unless sufficient information about the consequences of consenting is provided (for more on privacy notices, click here);
• individuals must be able to withdraw their consent at any time without penalty. A withdrawal request requires the organisation to stop processing the data without delay. If this prevents the organisation from being able to provide agreed services to that individual, 'Contract necessity' (discussed below) may be a more appropriate ground; and
• organisations should ensure their IT systems and organisational processes are sophisticated enough to comply with consent requirements. For instance, consider how consent is evidenced and how quickly and easily a withdrawal request can be complied with.

            If in doubt, organisations should actively explore alternative processing grounds to avoid consent's stringent requirements.


            Legitimate interests

            Legitimate interests is available when your organisation has an identifiable business interest in processing personal data, such as improving customer services, provided that the individual's interests do not override your organisation's interests. The regulator recommends undertaking and recording a legitimate interests balancing assessment (or "LIA") to demonstrate compliance; accountability is a legal obligation under the GDPR.

            If an individual objects to their data being processed, there is likely to be an overriding interest to take account of.

Public sector bodies, and in particular organisations processing children's data or carrying out electronic marketing, should be aware that there are restrictions on using this ground and that additional conditions apply under related laws and guidance.


            Contract necessity

Is it absolutely necessary that your organisation process certain personal data to fulfil a service (or provide a product) under a contract with the data subject? The key factor here is 'necessity'. In May 2019 the European Data Protection Board (EDPB) issued draft Guidelines (linked here) which make clear that necessity under the 'Contract necessity' ground should be judged objectively – it requires that "the service could not be provided and the contract could not be performed" without the personal data at issue. "If there are realistic, less intrusive alternatives, the processing is not ‘necessary’". In addition, a legally valid contract must exist (or necessary steps must have been undertaken towards one) with the individual. The contract must therefore comply with national laws, such as the fairness of terms requirements in consumer contracts. The ability to apply this ground is consequently quite limited. Activities unlikely to meet the threshold in the EDPB's view were:

            • behavioural advertising – even where these ads indirectly finance the service;
            • service improvements or developing new functions;
            • fraud prevention; and
            • content personalisation – unless fundamentally the service is to provide personalised content.

            Stating in a contract that the service is conditional on personal data being processed will not be sufficient to prove necessity.


            Don't forget...

            If personal data concerns race/ethnicity, political, religious/philosophical views, trade union membership, genetic/biometric data, health or sex life/orientation, your organisation must meet additional processing conditions under Article 9 GDPR and the Data Protection Act 2018, and not all of the above processing grounds are available.


            How we can help

            We offer a full suite of data protection compliance services (including expert advice, access to resources, data breach support, training and audits). 

            Contact our data protection specialists to discuss how we can help your organisation achieve good data governance while maximising opportunities.
