The General Data Protection Regulation (GDPR) is the common legal framework for all organisations in the European Union that implement personal data processing. Since it came into force in 2018, the subject of compliance of personal data management with the principles of the GDPR has become an unavoidable part of the activity of every organisation’s departments.
In view of the fines imposed by the supervisory authorities and the impact on the image of organisations, compliance with the GDPR is a real issue of trust between organisations and their customers or constituents.
Among the various principles governing the processing of personal data, the GDPR lays down a fundamental principle which states that “personal data must be processed lawfully, fairly and in a manner which is transparent to the data subject”. This condition of lawfulness of personal data processing means that for such processing to be compliant, it must be associated with a lawful basis; that is, the lawful basis authorising the organisation to carry out the processing of personal data as defined by the Data Protection Authority.
Any processing carried out without a lawful basis is de facto unlawful. Furthermore, the choice of a lawful basis has very specific consequences, since each lawful basis meets specific conditions of validity and conditions the exercise of individuals’ GDPR rights over their personal data. Data controllers will then be responsible for documenting their choice of lawful basis and referencing it in their register of data processing operations and in the various information media made available to data subjects (information notices, privacy policy, etc.).
The GDPR provides for 6 different lawful bases on which personal data processing may be based, namely:
- Consent;
- Contract;
- Legitimate interests;
- Legal obligation;
- Task in the public interest;
- Protection of vital interests.
The GDPR also provides for 10 exceptions authorising the processing of so-called “sensitive” data. The exceptions authorising the processing of sensitive data are illustrated by the Data Protection Authority.
Discover our advice on how to better identify the lawful basis for your personal data processing.
How do you identify the lawful basis for processing personal data?
In practice, certain lawful bases are encountered more frequently than others. The “classic” activities of an organisation that require personal data to be handled are often associated with consent, contract, legitimate interest or compliance with a legal obligation, whereas processing based on a public interest mission, the safeguarding of vital interests or special grounds authorising the processing of sensitive data are rarer.
The most common bases
Consent
Consent is the most obvious lawful basis for personal data protection. By making the lawfulness of processing subject to the prior collection of consent from individuals, the organisation offers individuals the choice of formally authorising it to process their personal data. However, in order to be valid, consent must be obtained in accordance with the conditions set out in the GDPR:
- It must be freely given; consent must not be coerced or influenced;
- It must be specific to a single processing operation and for a given purpose;
- It must be informed, which means that the individual must be given a certain amount of information;
- It must be given by a declaration or any other act expressing this agreement.
Certain activities are clearly identified as requiring prior consent, such as sending commercial prospecting emails to consumers or depositing cookies to personalise the advertising presented on the site visited.
Admeet solutions enable you to obtain valid consent from your users via cookie banners and to store proof of cookie consent in the event of an audit or complaint.
Contract
The GDPR provides that certain processing operations may be based on the lawful basis of “contract”, which means that the use of personal data is necessary to perform a contract between the organisation and the data subject. This lawful basis arises when the processing of personal data is essential to provide a product or service: for example, processing a person’s bank card details when they make an online purchase, or the data needed to organise delivery of the product.
The GDPR requires organisations to mobilise this lawful basis by checking that the processing carried out is strictly necessary for the performance of the contract. In other words, the organisation could not deliver a service or supply a product without this particular processing of personal data.
Legitimate interest
Where an organisation wishes to carry out processing of personal data which cannot be subject to a contract or the consent of the data subject, it may base such processing on the lawful basis of its “legitimate interest”. This interest is considered legitimate provided that it is:
- lawful;
- sufficiently clearly determined; and
- specific.
It is the responsibility of the organisation to document the analysis of the balance between the rights and freedoms of individuals and the legitimacy of its interest and the necessity of the processing, as soon as it wishes to base this processing on the lawful basis of legitimate interest. This lawful basis is frequently used for the processing of personal data relating to information system security or for the deployment of online anti-fraud measures.
Legal obligation
Finally, the organisation may simply be obliged to process personal data in order to comply with a legal obligation to which it is subject. This lawful basis can only be invoked if:
- a legal text under European or national law defines the purposes of the processing;
- the processing is necessary for the organisation to fulfil this obligation, and the obligation is set out in a sufficiently clear and precise manner.
For example, this lawful basis is often found for the processing of personal data relating to human resources management.
Specific lawful bases
Task in the public interest
The public interest mission is the lawful basis that mainly concerns the processing of personal data carried out by public authorities and concerning their users (or certain private bodies contributing to public service missions). In order to invoke the lawful basis of the public interest mission, a regulatory text must set out the conditions for the processing (law, decree, act of a local authority, etc.). By way of example, the CNIL bases the processing of personal data relating to its mission to monitor organisations on the lawful basis of the public interest mission.
Protection of vital interests
Safeguarding vital interests is the last lawful basis provided for in Article 6 of the GDPR. In order for processing to be based on this lawful basis, the controller must ensure that:
- the processing is necessary to save the life of the data subject;
- the data subject is not in a position to consent to the processing.
By its very nature, the lawful basis of safeguarding vital interests is frequently encountered in processing carried out by healthcare establishments when treating unconscious persons.
Exceptions authorising the processing of sensitive data
In addition to the 6 lawful bases provided, it should also be borne in mind that the processing of sensitive data is subject to a different lawfulness regime. Article 9 of the GDPR states that, for example, the processing of health data or data relating to a person’s political orientation is prohibited in principle. However, by way of exception, the processing of sensitive data is permitted under certain conditions listed in the GDPR.
For example, sensitive data may be processed provided that:
- the individual has given his or her consent;
- the processing is carried out in the course of the legitimate activity of an association or non-profit organisation;
- the individual has voluntarily made the information public; etc.
The existence of these exceptions to the prohibition on processing sensitive data should not be confused with the principle of lawfulness: these exceptions are not legally considered as lawful bases.
What are the consequences of choosing a lawful basis?
The definition of the lawful basis for the processing of personal data is an important moment in the life of the processing operation, as this lawful basis defines the regime for exercising the rights of individuals with regard to their personal data.
Managing requests for GDPR rights
The GDPR confers rights on data subjects with regard to their personal data and sets out the procedures for exercising these rights. Data subjects may therefore ask the data controller for access to their data, rectification, erasure, restriction of processing or data portability.
However, the data controller is not obliged to grant every such request. Certain lawful bases make the exercise of certain rights conditional.
For example, when processing is carried out on the lawful basis of a legal obligation, the data subjects cannot exercise their right to object to the processing or request the portability of the data.
Conversely, a data controller may respond favourably to a request for data portability only if the processing is carried out on the lawful basis of contract or consent.
Another example: when processing is carried out on the lawful basis of a contract, as the data subjects are parties to the contract, they cannot exercise their right to object to the processing, as this would amount to suspending performance of the contract.
Consequently, data controllers must pay particular attention when defining the lawful basis for a processing operation, since this choice has consequences for the rights of the data subjects concerned by the processing operation. At the same time, the absence of a lawful basis has consequences for the controller itself.
The risk of unlawful processing
The processing of personal data without any lawful basis is considered to be unlawful and exposes the controller to the severe penalties provided for by the GDPR. A breach of the principle of lawfulness of processing exposes the controller to the risk of a fine imposed by the supervisory authority of up to €20 million or up to 4% of the total annual worldwide turnover for the previous financial year (whichever is greater).
It is important to note that while the absence of a lawful basis is a breach of the principle of lawfulness, failure to comply with the conditions of validity of a lawful basis is also a breach of the principle of lawfulness. In this respect, the CNIL penalised an organisation that had organised a commercial canvassing campaign by email, without being able to demonstrate that it had validly obtained the consent of the individuals concerned by this campaign. It should be noted that particularly unlawful processing is considered to be a criminal offence likely to give rise to criminal liability on the part of those responsible for the processing in question.
Admeet’s application enables you to easily identify the lawful bases for personal data processing, thanks to the numerous cases of application and examples, and to draw up exemplary legal documentation for your personal data processing.