The GDPR lawful bases for processing

Compliance with GDPR and the UK Data Protection Act 2018 requires that every instance of processing of personal data has a lawful basis, selected from a list of six alternatives (Article 6 of the GDPR). Only one lawful basis can be assigned to any given processing, and in most cases it is the context and purpose of the processing rather than its actual process detail that constrains the appropriate basis.

As defined in Article 6, the alternative lawful bases are:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

(c) processing is necessary for compliance with a legal obligation to which the controller is subject;

(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Because selection of the lawful basis for processing constitutes a statutory undertaking, it’s very important to get it right. Changing a lawful basis after it has been publicly declared is difficult, costly, and open to challenge. However, for most businesses, there is a practical hierarchy of choices which is not represented by the order in which the lawful bases are listed in Article 6 of the GDPR. For a start, basis (e) is essentially reserved for government, law enforcement and national service provider agencies, so businesses have in general only five alternatives to consider unless they interface with such agencies.

At the top of the hierarchy comes basis (c): compliance with a legal obligation.
This basis overrides all other alternatives provided the data controller can identify the specific legislation that mandates their intended processing of personal data, and that the intended processing is absolutely restricted to the minimum required for compliance with that legislation. Compliance with taxation law when paying staff and fulfilment of checks under anti-money laundering, bribery and safeguarding legislation are typical candidates for this basis. However, any discretionary processing beyond the minimum strictly required by the relevant laws would not be covered. For example, processing to administer locally defined staff ‘perks’ not prescribed by employment law (such as bonuses or non-statutory extra leave) would not be covered by this basis.

The justification for processing on this basis is the demonstrable existence of the relevant statutory obligation, and the legitimate duration of processing will be defined by the requirements of the specific relevant legislation. Provided sufficient evidence can be supplied on demand, this basis is essentially immune to challenge.

Next in the hierarchy is basis (b): performance of a contract to which the data subject is a party.
This basis can be used wherever a contract is established or is to be negotiated between the data controller and the data subject at the data subject’s behest. The justification for the processing would be the demonstrable existence of the contract or evidence of the negotiations leading to it, and the legitimate duration of processing is the duration of the negotiation and any ensuing contract. The contract does not necessarily have to come to fruition, but processing should cease once it is established that the negotiation is not going to result in a contract. This basis can not be used where the data subject is not a ‘party to the contract’. For example a representative of a client company will be a data subject if their personal details are used in communicating with the company, but they are not a party to any contract between the data controller and the company as the company is a separate legal entity.

As the data subject will by definition be aware of any negotiation or contract with themselves, this basis is robust against challenge provided the data controller can show that all the processing is strictly necessary for the negotiation to proceed and for any contract to be effective. Processing that is not strictly essential to the data subject’s interest in the contract must not be subsumed under this basis.

Third in the hierarchy comes basis (f): legitimate interests pursued by the controller or by a third party.
This basis can cover a wide variety of purposes, but as it is potentially a catch-all that can be easily abused, it requires very well defined and clearly expressed justification for each specific purpose where it is applied. That means a clear statement of the purpose and its necessity, details of the processing including exactly what personal data is processed and why, and a clear statement of the retention criteria. Although convenient, legitimate interest is thus quite arduous to assign as a lawful basis for processing, and it is potentially much more open to challenge than the other bases discussed so far. This is particularly the case where the legitimate interest of a third party is relied on, as the data subject may be able to object to the interest, purposes or activities of the third party.

Then we come to the most widely discussed and misunderstood basis - (a): consent.
Many businesses have assumed that consent is a panacea that can be applied to all their processing, and in so doing have created for themselves a potentially huge, hazardous, continuing and completely unnecessary administrative burden.

Reliance on consent is mandatory in a limited number of cases - notably for any processing of the ‘special categories of personal data’ (Article 9 of GDPR and UK DPA 2018 Schedule 1), and for electronic direct marketing courtesy of the Privacy and Electronic Communications (EC Directive) Regulations 2003. In most other cases consent is only one of the options, and it is the most arduous basis to choose as it must be explicit, its application must be very specific and, as it can be withdrawn at any time, it requires continuous administration that can be prone to error.

Where consent is relied on, internal documentation must be able to demonstrate on demand that every instance of it is continuously compliant on all the statutory grounds (Article 7 of the GDPR). It is also significantly open to challenge because it must be ‘informed’. Consequently the completeness and clarity of privacy notices can be a basis for assertions of non-compliance.

The final alternative basis is (d): protecting the vital interests of the data subject or of another natural person.
This basis is applicable where consent would otherwise be required and the life or wellbeing of the data subject or other person is at risk, but the data subject is mentally or physically incapable of providing consent. It most obviously applies to, for example, hospital A&E departments, but it is often assumed to be irrelevant to business data protection management. In actuality, workplace accidents do happen, both to staff and visitors, so provision should be made for defining business purposes and personal data processing on this basis in order to lawfully provide any necessary personal information to emergency responders.

Mike Barwise
Director, BiR