If you process data in the European Union or about EU residents, you will normally have to follow the General Data Protection Regulation (GDPR). The most fundamental point of the GDPR is that you can only process personal data under a particular set of conditions known as a legal basis.
In this guide we'll run through the different legal bases, help you decide which applies, and explain how to communicate this to customers.
The Basics of the GDPR
The GDPR is a European Union regulation, meaning it has automatic legal effect in all European Union member countries. (At the time of writing it also has effect in the United Kingdom through its national laws.)
The GDPR covers processing personal data:
- Processing means any use of data, including collecting it or sharing it
- Personal data means any data that relates to an individual that is, or can be, identified
The GDPR applies if you process personal data in one of three scenarios:
- The personal data relates to somebody in a European Union country
- You have a presence in the European Union (such as a base or branch office)
- The processing physically takes place in an EU country. For example, Facebook has a data processing center in the Republic of Ireland
The Lawful Basis System
Some data laws work on the principle that any processing is legal unless expressly forbidden. The GDPR works the other way round: processing personal data is only legal where a specific condition applies.
These conditions are called lawful bases and you must decide which applies before you can process personal data.
It's not enough to simply pick a relevant lawful basis. Instead you must also designate a purpose (reason) for processing that is compatible with the lawful basis. The processing must be necessary to achieve this purpose. It's not enough that the processing simply makes your work easier.
The six lawful bases are as follows:
- Consent
- Contract
- Legal obligation
- Legitimate interests
- Public task
- Vital interests
For most businesses, either consent or legitimate interests will be the most common bases that apply, but we'll break down all six in this guide.
Consent
While the GDPR does allow consent as a lawful basis for processing, the consent must meet several conditions: it must be informed, specific, active, unambiguous and reversible.
The consent must be active. This means you cannot use an opt-out system where you assume consent unless the person says otherwise. They must signal the consent through a positive action such as ticking a box or clicking a button.
The consent must also be unambiguous. Court and regulatory rulings have clarified that this means you can't use pre-ticked checkboxes or toggles set to consent because there's too much risk that somebody clicks through by accident. Similarly, you can't class somebody scrolling down a page as a signal of consent.
Finally, consent must be reversible. The GDPR gives people the right to withdraw consent later on (and to know how to do so). Once they withdraw consent, you must stop processing the data.
Social Media Today makes sure consent is active and unambiguous. Users must tick a box, type in their email address and click a button before they subscribe:
Amnesty International lists the purposes of its process. The consent it gathers based on this statement would not cover processing for any other purpose:
Contract
You can use the contract basis in three main scenarios:
- You have a contract with somebody and you need to process their personal data to comply with the contract. For example, you may need to use somebody's address to ship a product they bought.
- You have a contract with somebody and you need to process their personal data to help them comply with the contract. For example, you may need to use somebody's credit card details to take payment for a purchase.
- You need to process personal data for a purpose that may lead to establishing a contract. The most common example is using somebody's details to prepare a quote or estimate for a potential order.
Remember that this basis only covers processing that is necessary for the contractual reason. It doesn't cover other uses such as keeping track of somebody's interests so you can send them personalized marketing messages.
Legal Obligation
This basis applies if the processing is necessary to meet a legal requirement other than a contract. This could be an explicit law, a more general obligation or a specific court order.
Dealing with the tax authorities is a good example. Tax laws may require you to tell tax officials how much you pay your staff so that they know how much tax to collect. This counts as processing the employee's personal data, but would be covered by the legal obligation basis.
Compared with some lawful bases, the legal obligation basis has a little more flexibility. The processing doesn't necessarily have to be the only way you can meet the legal obligation. Instead, it must be a "reasonable and proportionate" way to meet that obligation.
Usually this means that in practice you don't have any choice about whether to process the personal data because there isn't a reasonable alternative way to meet the legal obligation.
Legitimate Interests
Many of the ways businesses use personal data will come under the legitimate interests basis. However, you must understand what it is and when it applies. You cannot simply assume that this basis applies to any processing.
Legitimate interests can theoretically cover any processing that helps your interests, those of a third party, or those of society as a whole. However, just because processing falls into this description, you can't automatically use the basis.
Instead, you must be able to say what the legitimate interest is, prove that the processing is necessary to achieve the relevant task, and prove the legitimate interest outweighs any negative effect on the person's privacy rights. You'll usually need to carry out an assessment to check this is the case.
This statement by Werfen UK demonstrates the three parts to such an assessment:
The UK's Information Commissioner's Office advises that processing is most likely to meet these requirements where it's something people would reasonably expect you to do and where it isn't intrusive or harmful.
For example, keeping track of website visits to detect potential cyberattacks would usually meet the threshold, as would using cookies for a virtual shopping cart on an online store. A charity selling the email addresses of supporters to a marketing company would likely not meet the threshold.
Public Task
This applies if your processing is necessary to:
- Carry out a task set out in law as being in the public interest, or
- Exercise authority based on a law
It's rare that a private business will be able to use the public task basis. In most cases it applies where a public body (such as a government department or agency) is doing something it is legally required to do. That might be because a specific law says it must do something, or because it's a key part of its statutory functions.
The processing must be necessary to carry out the task. That doesn't have to mean it is the only way to carry out the task. Instead, it means there is no other way to do it that has less effect on people's privacy.
Vital Interests
This basis applies where processing the personal data is necessary to protect somebody's vital interests: in simple terms, to protect their life.
Note that the person the data is about and the person whose vital interests you are protecting may be different people. In some cases, it could involve the vital interests of a large group of people such as in an epidemic or natural disaster.
The most common use of this basis is where somebody needs emergency medical treatment and cannot provide consent to data processing. For example, emergency room staff may need to access medical records to check on details such as blood type or allergies.
You can't normally use the vital interests basis in a situation where somebody is capable of providing consent, even if they refuse to do so. In most cases you should only use vital interests where no other lawful basis is available.
Documentation and Notification of a GDPR Lawful Basis
As noted, you must decide which lawful basis applies before you process data (which includes collecting it in the first place). Once you've picked a lawful basis for a particular processing activity, you cannot usually switch to a different basis later. For example, if you process data based on the consent basis, and the person withdraws consent, you cannot continue processing by relying on the legitimate interests basis.
You should always document the lawful basis you rely on when you start processing data. This documentation will help your case if data regulators in an EU country investigate an allegation that you have breached GDPR.
Remember that the lawful basis you select will cover processing the data for a particular purpose, which you must tell the person about. The processing must be necessary to achieve this purpose.
The Linklaters Privacy Notice covers both the purposes and legal bases under which it processes data. It might need to clarify exactly which applied to a particular case of processing if it wasn't clear from the context:
Sometimes you can use the same data for a new purpose and cover it by the original lawful basis. You can only do this where the new purpose is "compatible" with the original purpose. That means the new purpose is broadly similar to the original purpose, doesn't increase the risk of harm to the person's privacy, and is something the person could reasonably expect to happen.
The big exception to this principle is that you can never process data for a different purpose based on the original consent. You must always get fresh consent before using data for a different purpose.
The IIED details the purposes for processing where it relies on the consent basis. It would need fresh, specific consent to use this data for any other purpose. Without this fresh consent it would have no lawful basis to process the data for the other purpose:
The GDPR sets out two situations where a lawful basis alone is not always sufficient to carry out processing. These are special category data and criminal offence data.
Special Category Data
Special category data is data about (or revealing):
- Biometric data that identifies somebody
- Ethnic or racial origin
- Genetic data
- Philosophical or religious beliefs
- Political opinions
- Sexual orientation
- Trade union membership
The precise rules on special category data vary slightly from country to country. Broadly, you can process the data if your lawful basis is consent (which must explicitly apply to the sensitive data) or vital interests.
If you use any other lawful basis, you can only process the data if one of the following applies:
- You will process the data while carrying out legal authority or responsibility relating to:
  - Social security or protection
  - Health or social care
  - Public health
  - Archiving, research or statistics
  - Anything else involving substantial public interest
- You are a not-for-profit organization
- The person made the data public themselves
- The processing relates to a legal claim or judicial act (such as giving evidence in court)
Criminal Offence Data
This covers any information relating to criminal offenses. As well as convictions, it also covers allegations and investigations.
You can only process criminal offence data where you have a lawful basis and you are doing the processing through official authority or under a specific law.
Summary
Let's recap what you need to know about the lawful basis system in the GDPR.
- The GDPR applies when you process personal data in or about someone in the European Union.
- Under the GDPR, it's illegal to process personal data without a lawful basis. You must designate a lawful basis and a purpose for processing before you collect or use personal data. The processing must be necessary to achieve the purpose.
- The six lawful bases are consent, contract, legal obligation, legitimate interests, public task, and vital interests.
- Consent must be informed, active, unambiguous, specific and reversible. It only covers processing for the stated purpose, not any other use of the data.
- The contract basis covers processing that's necessary for you to fulfil a contract, help the other party fulfil the contract, or prepare to establish a contract.
- Legal obligation covers processing that is a "reasonable and proportionate" way to comply with a law, court order or other legal requirement (except a contract).
- Legitimate interests involves processing that helps achieve somebody's interest (your own, someone else's or society's). However, you can only use this basis where you can prove the legitimate interest outweighs the privacy rights of the person the data is about.
- Public task usually involves processing by a public body that's necessary for a required task.
- Vital interests means processing that will help protect somebody's life. It's usually only appropriate if no other lawful basis (such as consent) is available.
- When choosing a lawful basis you must also decide the purpose for which you will process the data. You can only rely on this lawful basis to process the data for another purpose where it is reasonable to do so and where the two purposes are very similar. You can never do this with consent: you always need fresh consent to use data for a different purpose.
- Some sensitive data is classed as "special category data" under the GDPR. If your lawful basis is contract, legal obligation, legitimate interests, or public task, you can only process such data in specific limited circumstances.
- If you process personal data about criminal offenses, you must not only have a GDPR lawful basis, but must also be acting under official authority or following a law.