Legal Bases for Processing Data Under the GDPR


Co-author: Prajwala D Dinesh

In a significant move that has sparked widespread attention, WhatsApp, the popular messaging platform, has recently made a notable shift in its legal basis for processing personal data within the European region. The same got me thinking about the different use cases around Legal Basis for Lawful Data Processing.

To begin with, Article 6(1) GDPR generally prohibits data processing ("processing shall be lawful only if") unless at least one of the six legal bases listed under (a) to (f) is the ground for the processing operation.

Depending on the kind of data being processed and the specific circumstances surrounding the processing, it is imperative that each organisation bases its data processing on one of the following legal bases:

(a) Consent

Individuals can choose to waive their right of data privacy by providing consent for the processing of their personal data. However, the GDPR outlines specific conditions that controllers must adhere to in order to obtain "valid" consent. Consent must be given freely, with full awareness, for a specific purpose, and without ambiguity.

It's crucial to understand that silence, pre-selected options, or inactivity should not be considered valid consent. For example, in Case C-673/17 (Planet49), the Court of Justice of the European Union (CJEU) ruled that consent must be given through a clear and affirmative action. Not unchecking pre-ticked boxes was deemed insufficient to establish that consent was a "freely given and informed decision."

Additionally, Recital 43 and Article 7(4) of the GDPR address the concept of 'bundled consent,' which refers to situations where consent is made a prerequisite for fulfilling a contract. While such bundled consent is not automatically void, the law emphasizes that the importance of the contract should be taken into utmost consideration when linking it to consent.

(b) Contract

This legal basis applies when data processing is strictly and objectively necessary for the performance of a contract or to provide a service as stated in that contract.

However, it is essential that the contract involved is valid. Void contracts, which lack legal validity, cannot be relied upon as a basis under Article 6(1)(b) of the GDPR. For instance, if a Spanish controller and a French consumer have a contract that is valid in Spain but considered void under French law, it cannot serve as a legal basis under Article 6(1)(b) of the GDPR due to its lack of validity. It can also be argued that due to it being void in the concerned jurisdiction, it is not a “contract” in the first place, but merely a non-enforceable “agreement”.

(c) Legal obligation

The controllers may have legal obligations imposed by European and Member State laws to collect, store, and process personal information. Under Article 6(1)(c), these processing operations are considered lawful when they are necessary to fulfill such legal obligations. The obligation must originate directly from the law itself.

To understand this better, let's say there is a company called ABC Electronics, and it operates in a country with specific tax regulations. As part of these regulations, ABC Electronics is required to report certain financial data to the tax authorities on a regular basis. This reporting obligation is a legal requirement imposed on the company.

In this scenario, ABC Electronics can rely on Article 6(1)(c) of the GDPR to process personal data, such as employee salary information and financial records, necessary for fulfilling its legal obligation to report taxes accurately and on time. The data processing is considered lawful under GDPR because it is necessary for the company to comply with the legal obligation imposed by the tax authorities.

(d) Vital Interest

Data processing can also be considered lawful if it is essential to safeguard the vital interests of the data subject or another individual. The fundamental idea here is that the right to life holds higher importance than data protection, and in situations concerning the vital interests of the data subject, it is assumed that the data subject consents to the processing.

For instance, an organization, such as a school or a sports club, may collect and process emergency contact information of its members or students. In case of an accident or sudden medical issue, this data is used to inform the designated emergency contact and ensure the well-being and safety of the individual. The processing is necessary to protect the vital interests of the data subjects and complies with Article 6(1)(d) of the GDPR.

(e) Public Interest

This legal basis permits an organization to process personal information when it is necessary "for the performance of a task carried out in the public interest" or "in the exercise of an official authority."

While this basis is primarily associated with official authorities or government entities, it can also extend to private organizations like professional associations if they exercise official authority or undertake tasks that serve the public interest.

(f) Legitimate Interests

This legal basis is applicable when data processing is necessary for the legitimate interests pursued by the data controller or a third party.

The ruling of the CJEU in Case C-13/16 (Rīgas) laid down a three-prong test for ascertaining whether a legitimate interest of the data controller does indeed exist for the data processing, which entails:

· Determining the legitimate interest pursued by the data processing.

· Ensuring that the data processing is necessary for the legitimate interest so identified.

· Giving precedence to the rights of the individual when balancing them against that interest.

Conclusion

In conclusion, understanding the legal bases for data processing under the GDPR is fundamental for organizations handling personal data. Adhering to these lawful grounds ensures compliance with the regulation and fosters trust among data subjects. The six legal bases offer clear guidelines for data controllers to process data responsibly and transparently. Organizations must carefully assess their data processing activities, align them with the appropriate legal basis, and conduct a factual analysis when necessary. By prioritizing data protection and respecting individuals' rights, businesses can navigate the complexities of the GDPR while safeguarding personal information and maintaining ethical data practices.

Remember to prioritize data protection, adhere to GDPR guidelines, and conduct factual analyses when needed. Empower your organization to navigate GDPR complexities responsibly, protect personal information, and foster ethical data practices. Together, let's embrace the future of data privacy!

#GDPR #DataPrivacy #Compliance #DataProtection
