Again, record keeping is essential: you must be able to identify the specific legal provision you are complying with, or provide a document that sets out your legal obligation. Many people and organisations focus on consent, but this is arguably the weakest legal basis for processing, because it can be withdrawn at any time. Of course, you cannot always choose a different basis, and you need to be sure which one actually applies. That starts with knowing and understanding the six legal bases for processing personal data, so here is a quick reminder of each of them.

The most flexible of the six, legitimate interests, could in principle apply to any type of processing carried out for an appropriate purpose. You may prefer legitimate interests as your legal basis if you wish to retain control over the processing and take responsibility for demonstrating that it meets the reasonable expectations of individuals and does not have an undue impact on them. If, on the other hand, you prefer to give individuals full control over their data (including the ability to change their mind about whether it may continue to be processed), you should consider relying on their consent. One example given for this kind of processing is that political parties are permitted to keep a copy of the electoral register. The legitimate interests basis consists of three elements.
It is worth thinking of this as a three-part test: the organisation must show that it is pursuing a legitimate interest (the purpose test), that the processing is necessary for that purpose (the necessity test), and that the interests, rights and freedoms of the individual do not override it (the balancing test). Whichever basis you designate, you need adequate justification for the processing.

Working through each of your data sets and the categories of data they contain is not easy. The ICO, the UK's independent supervisory authority for the UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations, provides an interactive guidance tool, but making the right decision requires a thorough understanding of the regulation's requirements as well as of how the data is actually used. We recommend that a suitably qualified data protection officer (DPO), an independent data protection expert whose role includes internal compliance monitoring, advice on data protection obligations and acting as the contact point for data subjects and the supervisory authority, supports you in this decision, most likely as part of an impact assessment of your broader data landscape. If it is necessary to process sensitive (special category) data, for instance to perform a contract, you must also identify a separate condition for processing that data in addition to the Article 6 basis.

These guidelines emphasise that consent is one of the six legal bases for the processing of personal data summarised in Article 6. Before a controller starts an activity involving the processing of personal data, it should examine whether consent is the most appropriate legal basis for that processing or whether another basis would be better. Remember that if you select consent for a particular processing activity, you must also comply with all the rules and rights that attach to consent.
Example: if a person makes an online purchase and wants the goods delivered to their home, the online retailer may process the customer's personal data in order to fulfil the delivery request (the contract basis). In addition, certain types of processing may serve not only the vital interests of the data subject or of another natural person but also the public interest, for example in the event of natural disasters or epidemics, as set out in Recital 46 of the GDPR. This brings us to the next legal basis for lawful processing: the public interest grounds as such.

Where the processing of personal data is necessary to comply with a legal obligation under UK or EU law, that obligation is itself a legal basis. To comply with the lawfulness principle, Article 6 of the GDPR requires that any organisation processing personal data has a valid legal basis for doing so. Think of the bases as scenarios in which it would be lawful to process data; the GDPR provides six of them.

If the processing is in the vital interests of the data subject, this is a legal basis. It is only likely to apply in emergency medical situations where the processing of medical data is necessary to protect the life of the data subject or of another person, and the person is unable to give consent.
Example: one company chose to process on the basis of consent and obtained consent from individuals. One individual subsequently decided to withdraw consent to the processing of their data, as is their right. The company, however, wanted to continue the processing and decided to carry on under legitimate interests instead. Swapping to a different basis after consent has been withdrawn in this way is unfair to the individual and should be avoided; the basis should be settled before processing begins.

The public task basis applies if you need to process personal data "for the performance of a task carried out in the public interest" or "in the exercise of official authority". Processing on this basis does not require consent, but it is subject to the data subject's right to object. The right is formally recognised so that the specifics of the individual's situation can be examined; in effect it gives the data subject the opportunity to challenge the controller's assessment of the public interest. The objection may or may not be upheld, but it must be acknowledged and answered in due course.

"Where processing is based on consent, the controller must be able to demonstrate that the data subject has consented to the processing of his or her personal data." (Article 7(1).) Organisations sometimes assume that they need to obtain consent from data subjects to process their data. This may seem like an insurmountable administrative burden, but obtaining and managing consent is not mandatory for every activity that involves processing personal data. In fact, consent is only one of six legal bases for processing personal data.
Here is an overview of the six legal bases for processing recognised by the GDPR. In order for an organisation to rely on consent, data subjects (that is, you and me) must agree to the processing of their personal data, and they must be free to decide whether or not to do so. In some cases a public authority may still consider consent or legitimate interests, depending on the type of processing and its relationship with the individual: there is no absolute prohibition on public authorities using consent or legitimate interests as a legal basis, although there are some restrictions. For more information, see the guidance specific to each legal basis.

Legitimate interests: processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.

Consent: the data subject has given the organisation permission to process his or her personal data for one or more specific processing activities.
Consent must be freely given, clear and easy to withdraw, so organisations should exercise caution when using it as a legal basis. For example, the era of pre-ticked consent boxes is over under the GDPR: a pre-ticked box does not constitute valid consent. The GDPR requires that any organisation processing personal data has a valid legal basis for that processing activity, and the law provides six: consent, performance of a contract, legitimate interests, vital interests, legal obligation and public task. The first question most organisations ask is whether they need consent to process data. The answer is: not necessarily. As mentioned earlier, consent is only one of six legal bases for processing. If you do rely on consent, remember that it must be given freely and unambiguously, and that withdrawing consent must be as easy as giving it.