To manage our relationship with you which will include: (a) Notifying you about changes to our terms; (b) Asking you to leave a review or take a survey; (c) To respond to refund requests and complaints;
Type of data
(a) Identity; (b) Contact; (c) Profile; (d) Preference;
Legal basis for processing including basis of legitimate interest
(a) Performance of a contract with you; (b) Necessary to comply with a legal obligation; (c) Necessary for our legitimate interests (to keep our records updated, to study how customers use our products/services and to respond to you);
a fallback option to permit continued processing in the face of challenge by data subjects. In fact, as clearly stated by the Article 29 Working Party ruling, no lawful basis can be used as a fallback for any other. Despite this, numerous legal opinions have been published suggesting that you can apply multiple concurrent lawful bases provided you inform the data subject up front. In my (practical) opinion, this simply exacerbates the problem for both the data subject (by creating confusion) and the data controller (by opening the door to challenge).

Ultimately, the purpose of the GDPR is to allow personal data processing while protecting the rights and freedoms of data subjects. So far, since May 2018, we have observed that privacy notices are almost universally achieving the opposite, by making it hard for data subjects to establish exactly what processing is taking place and what the justification for it is. A common manifestation of this is assigning multiple lawful bases to excessively loosely defined and inadequately justified purposes. Regardless of whether this is down to intent, lack of attention or lack of understanding on the part of data controllers, it’s fundamentally in breach of the transparency obligation imposed by the GDPR, thus rendering the data controller non-compliant with the legislation.

Consequently, our advice is: first, to define your purposes to a level of detail that allows a single lawful basis to be assigned unequivocally to each purpose; second, to provide a robust and sufficiently detailed justification for each application of legitimate interest (not just three or four words of generality as in the example given here); and third, and most importantly, never to consider weasel ways to circumvent the requirements of the legislation in your own apparent interest, as these will always eventually backfire to your cost.