Beyond GDPR Consent: Other Categories for Lawful Processing of Data
Article 6 of the European Union’s General Data Protection Regulation (GDPR) permits the processing of personal data where the data subject has given consent for one or more specific purposes. Consent, however, is not the only lawful basis. Article 6(1) lists five other bases that organizations may rely on, and a controller should identify the one that fits before the processing starts, since the basis must be stated in the privacy information given to data subjects and is difficult to change later.
The other conditions for lawful processing under the GDPR (beyond consent) are that the processing is:
– necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract;
– necessary for compliance with a legal obligation to which the controller is subject;
– necessary in order to protect the vital interests of the data subject or of another natural person;
– necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
– necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
The contractual basis closely tracks the wording of the list above. If an individual has entered into a contract with the controller, or has asked the controller to take steps before entering into one, the controller can undertake the processing that is “necessary” for that contract or those steps.
What counts as “necessary” is likely to be a source of contention. The ICO has said that the processing “must be necessary to deliver your side of the contract with this particular person” and not merely “necessary to maintain your business model more generally.” The processing does not need to be absolutely essential to the purpose of the contract, but it must be “a targeted and proportionate way of achieving that purpose.”
This basis does not apply if there are other reasonable and less intrusive ways to meet the contractual obligations or to proceed toward contract formation.
The ICO has also made clear that this basis does not cover certain third-party situations: for example, where you need to process one person’s details but the contract is with someone else, or where you take pre-contractual steps at the request of a third party rather than of the data subject.
Recital 46 provides guidance on the vital interests basis in Article 6. According to the Recital, processing of personal data is lawful “where it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person.” The paradigm case for processing based on the vital interests of the data subject is the hospital emergency room, where tests are crucial to the patient’s survival and consent cannot practically be obtained, for example because the patient is unconscious.
Processing based on the vital interests of another natural person is limited by the Recital to situations where the processing cannot manifestly be based on another legal basis. In practice, then, this basis should be reserved for cases where consent could not be obtained and no other basis fits; it is not a fallback for routine processing. Recital 46 also notes that some processing may serve both the public interest and the vital interests of the data subject, giving as examples humanitarian purposes such as monitoring epidemics and their spread, or responding to humanitarian emergencies arising from natural and man-made disasters.
The legal obligation basis allows personal data to be processed lawfully where this is necessary to comply with a legal obligation imposed on the controller. Under Article 6(3) the obligation must arise from EU or Member State law; a purely contractual obligation does not qualify. The basis does not apply where reasonable compliance with the law is possible without processing the personal data. The decision to rely on this basis needs to be documented and the reasoning confirmed as sound. In most cases this will mean that the controller can point to a specific legal provision, or to an appropriate source of legal advice or guidance, that sets out the obligation in question.
Turning to legitimate interests, the ICO has said this basis is “most appropriate where you use people’s data in ways they would reasonably expect and which would have a minimal privacy impact, or where there is a compelling justification for the processing.” It is the most flexible of the six bases, but it also places the most responsibility on the organization, which must weigh the individual’s rights and interests against its own.
The ICO has suggested a three-part test when considering processing on the basis of a legitimate interest:
– identify a legitimate interest;
– show that the processing is necessary to achieve it;
– balance the interest against the individual’s interests, rights and freedoms.
Records must be kept documenting the Legitimate Interests Assessment (LIA) to demonstrate compliance. The record should set out the legitimate interest being pursued, why the processing is necessary to achieve it, why the same result could not reasonably be achieved in a less intrusive way, and how the balancing test was resolved. Two further limits apply: public authorities cannot rely on legitimate interests for processing carried out in the performance of their tasks, and data subjects have a right to object to processing based on this basis, after which the controller must stop unless it can show compelling legitimate grounds that override the individual’s interests.
What else is there to know about the other lawful bases beyond consent?
The Article 29 Working Party (since succeeded by the European Data Protection Board, which endorsed its guidance on consent) has warned organizations not to start out using consent as the basis for processing and then to search for an alternative lawful basis after the data subject withdraws consent. It is clear from the guidance that regulators will look skeptically at a controller that switches its basis for processing in order to avoid honoring an individual’s withdrawal of consent.
If you decide that none of the other lawful bases for processing will apply, consider using the Clarip enterprise consent management software and cookie consent manager. Call 1-888-252-5653 today to schedule a demo of the platform.
Contact Clarip for CCPA and GDPR Software
The Clarip privacy management software is ready to help improve your organization’s privacy practices. Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo with a member of the Clarip team.
If your immediate need is California Consumer Privacy Act compliance, take a look at our CCPA software. From consent management to powerful DSAR Software, Clarip offers enterprise privacy management at an affordable price.