Determining the lawful basis for processing personal data is a critical step in compliance with privacy regulations and laws.
Most notably, the General Data Protection Regulation (GDPR) outlines a limited number of lawful bases for such processing, although the specific number may vary depending on the applicable law.
Importance of Identifying Proper Lawful Bases
Choosing the right lawful basis is the first step before any processing of personal data begins, so it has to be done properly from the outset.
Failing to do so can lead to unlawful processing, noncompliance with data subject rights, or insufficient organizational and technical data processing controls, even when other aspects of data handling are executed correctly.
What are the lawful bases for personal data processing?
There are six lawful bases prescribed by the GDPR (Article 6), and you will have to find out which one is the most suitable for the processing activity you are preparing to conduct:
- Consent – the individual has given consent to the processing of their personal data for a specific purpose (mostly marketing activities)
- Performance of a contract – the processing is necessary for the performance of a contract with the individual, or in order to take steps at the request of the individual prior to entering into a contract
- Legitimate Interest – the processing is necessary for the purposes of the legitimate interests pursued by the controller (your company) or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the individual which require protection of personal data.
- Vital Interest – the processing is necessary in order to protect the vital interests of the individual or another natural person (to protect someone’s life).
- Legal Obligation – processing is necessary for compliance with a legal obligation. For example, tax laws or employment laws.
- Public Task – processing is necessary to perform a task in the public interest or for the exercise of the functions of official authority, and the task or function has a clear basis in law.
As a company or organization, you will most likely rely on four out of those six lawful bases: public task is mostly relevant to public authorities and to bodies carrying out functions laid down in law, and vital interests applies only in rare, life-or-death situations where the processing cannot reasonably rest on another basis.
Before you start…
The important thing to remember is that you must choose an appropriate legal basis before processing starts, and each processing purpose should rest on a single lawful basis.
If one processing activity serves more than one purpose, a different basis may apply to each purpose, but you need to identify and document this clearly from the start rather than switching between bases later.
Examine which option is the most appropriate considering all circumstances that could affect the individual because it is difficult and sometimes impossible to change it afterward.
- Selecting the Most Appropriate Legal Basis: Organizations should carefully evaluate the specific purpose of processing, the type of data involved, and the relationship with the data subjects to identify the most suitable lawful basis.
- Demonstrability of the Chosen Legal Basis: It is imperative that organizations can demonstrate, both internally and to regulatory authorities, which legal basis they have selected for each processing activity and purpose.
- Impact on Data Subject Rights: The chosen lawful basis significantly influences how an organization responds to data subject requests, such as the right to object, data portability, or erasure. Correctly distinguishing between legal bases for different data processing activities is essential.
- Special categories of data: Certain data, like information concerning racial or ethnic origin, religion, trade union membership, biometrics, and health, require a separate condition under Article 9 in addition to the Article 6 lawful basis, and usually additional technical and organizational measures as well.
Selecting the Right Lawful Basis
Choosing the proper lawful basis will depend on the specific purpose of the processing and its context. There are three things you should focus on during this process:
- Purpose of processing: Identify the specific reason or objective behind processing personal data.
- Type of personal data: Consider the sensitivity and nature of the data, which may require varying levels of protection.
- Relationship with the data subject: Evaluate the power dynamics in the relationship, especially where one party holds significant influence over the other, as in an employer/employee relationship. Where power is distributed unevenly, it is best to avoid consent as a legal basis, because consent given under such conditions is unlikely to be freely given.
Determining Proper Lawful Basis: Asking the Right Questions
Sometimes, it can be beneficial to eliminate options that do not align with your purpose:
- Legal obligation – Are you processing this personal data to comply with the law?
- Performance of a contract – Do you have (or intend to have) a contract with the individual?
- Protecting someone’s vital interests – Are you processing this personal data to save or protect someone’s life in a situation where no other basis is available (for example, the person is unable to consent)?
- Performing public tasks – Are you processing the data to carry out your official tasks or functions or other tasks in the public interest?
These four lawful bases are usually fairly obvious to identify. Consent and legitimate interest are harder, since they apply to a much wider range of situations.
Consent and Legitimate Interest
Consent and legitimate interest require you to ask specific questions:
- Beneficiary of Processing: Who benefits from the processing?
- Expectations of Data Subjects: Are individuals likely to expect this processing?
- Power Dynamics: What is the power dynamic in the relationship with the data subject?
- Impact on Individuals: How does the processing affect individuals?
- Belonging to Vulnerable Groups: Does the data subject belong to a vulnerable social group?
- Ability to Stop Processing: Can individuals request the cessation of processing at any time?
Choosing legitimate interest means you keep control over the processing, but you also take on the responsibility of demonstrating that it is in line with data subjects’ reasonable expectations and would not have an unwarranted impact on them. Consent, on the other hand, hands control to the individual: you must make it as easy to withdraw consent as it was to give it, stop the processing when it is withdrawn, and keep records proving what each person consented to.
Considering Legitimate Interest
Legitimate interests stand out as the most versatile among the six lawful bases. However, it should not be used as a default basis for processing all data.
It is particularly valuable when the processing has minimal impact on the individual or when a compelling justification exists for the data processing.
When relying on legitimate interest, your processing will usually have to be ‘necessary’ for a specific purpose. This means you can’t achieve your purpose without the processing.
Unlike other bases that focus on specific purposes, you can consider legitimate interest for various scenarios if:
- Clear Benefits: The processing is not mandated by law but offers clear benefits to the company or others.
- Expected Data Processing: The individual can anticipate their data being processed in that manner.
- Unlikely Objection: Giving individuals full upfront control is impractical or undesirable, and asking for consent is unnecessary because the individual is unlikely to object.
- Limited Privacy Impact: The impact on an individual’s privacy is limited.
Whenever you rely on legitimate interests, record a Legitimate Interest Assessment (LIA) covering the purpose test (is there a legitimate interest?), the necessity test (is the processing necessary for it?) and the balancing test (do the individual’s interests override yours?). If the processing is likely to result in a high risk to individuals’ rights and freedoms, a Data Protection Impact Assessment (DPIA) is required in addition, to assess and mitigate those risks.
Considering Consent
Consent is a complicated subject. Make sure to check the requirements for compliant consent in one of our previous blogs.
Consent is not superior or more significant than the alternatives, especially if obtaining consent presents challenges or limitations. Ask yourself if you need to give individuals the ongoing power to decide whether or not you process their data.
- If you would process the data anyway, or you make access to a service conditional on consent that is not needed to provide it, consent is unlikely to be freely given and therefore not the appropriate lawful basis.
- For public authorities, employers, and other organizations with authority over individuals, relying on consent should be done cautiously.
Consent becomes suitable when you can genuinely provide individuals with the freedom to choose and control how their data is used, and you aim to establish a relationship of trust with them.
- Real Choice: Individuals have a genuine choice to opt in or opt out (for example, of receiving promotional emails), giving them control over how their data is used.
- Transparency: Individuals receive clear information about the purpose of the processing, and consent is sought separately for each specific purpose.
- Freely Given: Consent should be freely given without coercion or adverse consequences.
- Building Trust: Seeking consent builds trust and fosters a positive relationship with individuals.
Keeping Records of the Chosen Lawful Basis
GDPR Article 5(1)(a) requires that data processing be lawful, and Article 5(2) (the accountability principle) requires that the controller be able to demonstrate compliance with that requirement.
Having well-documented records serves as concrete evidence to the regulatory authority that the company has considered the legal requirements and has a legitimate reason for data processing, which can save you a lot of time and help avoid fines.
1. Accountability and Transparency: Maintaining records of a lawful basis demonstrates that your organization is accountable for its processing activities. Data Privacy Manager (DPM) plays a pivotal role in enhancing this accountability: by cataloging and tracking processing activities, it ensures that the chosen lawful basis for each activity is clearly recorded, offering concrete evidence that your organization has considered the legal requirements.
2. Legal Requirement: Organizations are obligated to prove that they have selected a proper lawful basis for each processing activity. Regulatory authorities may request these records during audits or investigations to ensure that you are processing data lawfully. DPM simplifies this process by centralizing all information about processing activities and ensures that you can readily provide these records in response to regulatory authority requests.
3. Data Subject Inquiries: Individuals have the right to inquire about how their personal data is processed. By keeping records in DPM, you can promptly provide any information to the data subjects who request it.
4. Data Subject Rights: The choice of lawful basis can impact data subject rights, such as the right to object or request data erasure. DPM helps ensure that you respond appropriately to data subject requests in accordance with the selected basis.
5. Data Protection Impact Assessments (DPIAs): DPIAs are mandatory for processing activities that are likely to result in a high risk to data subjects. DPM provides templates for Data Protection Impact Assessment (DPIA) and Legitimate Interest Assessment (LIA) that you can link to each processing activity.
6. Consent Management: If you rely on consent, you must be able to prove that individuals provided their consent, including additional information about consent collection.
Leveraging Data Privacy Software for Demonstrating Compliance
Managing and maintaining records of processing activities and their associated lawful bases can be a complex and resource-intensive task, especially for organizations with extensive data operations. This is where specialized data privacy software like Data Privacy Manager proves invaluable.
- Consent and Preference Management: Keep track of your records of consent, manage consents in real-time, and demonstrate your compliance at any time.
- Data Processing Inventory (ROPA): Manage your data processing activities easily. Automating manual record-keeping tasks saves you time and resources while ensuring your data protection efforts comply with regulations.
- Assessment Automation (DPIA & LIA): DPM provides templates for Data Protection Impact Assessment (DPIA) and Legitimate Interest Assessment (LIA) that you can link to each processing activity, keeping all documentation about the conducted assessments in one place.
- Risk Management: Create your risk matrix and have a high-level overview of risks associated with each processing activity.