GDPR lawfulness of processing

The GDPR provides several legal bases for the lawful processing of personal data, in accordance with its Articles 5(1)(a) and 6.
The CNIL, the French supervisory authority, defines the legal basis as follows:

The legal basis of a processing operation is what legally authorizes its implementation, which gives an organization the right to process personal data. It can also be referred to as the « legal basis » or « legal foundation » for processing.

Without an adequate legal basis for each processing operation, the processing of personal data is not lawful, and the controller is likely to be sanctioned by the supervisory authority in the event of an audit.

Article 5 – Principles relating to the processing of personal data

Personal data must be:
(a) processed lawfully, fairly and transparently with regard to the data subject (lawfulness, fairness, transparency);

There are 6 legal bases proposed by the GDPR:
– Consent;
– The contract;
– Legal obligation;
– Safeguarding vital interests;
– Public interest;
– Legitimate interests.

These 6 legal bases are the only ones the GDPR provides; there is no other way to make the processing of personal data lawful.

Article 6 specifies the conditions of what the GDPR calls lawfulness of processing, and lists in detail the different possibilities. The 6 legal bases are set out in its paragraph 1, points (a) to (f).

Article 6 – Lawfulness of processing

1. Processing shall be lawful only if and insofar as at least one of the following conditions is met:
(a) the data subject has consented to the processing of his or her personal data for one or more specific purposes;
(b) the processing is necessary for the performance of a contract to which the data subject is party or for the performance of pre-contractual measures taken at the request of the data subject;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, unless the interests or fundamental rights and freedoms of the data subject which require the protection of personal data prevail, in particular where the data subject is a child.
Point (f) of the first paragraph shall not apply to processing carried out by public authorities in the performance of their tasks.

2. Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation in relation to processing for the purpose of complying with paragraph 1(c) and (e), by determining more precisely the specific requirements applicable to the processing as well as other measures to ensure lawful and fair processing, including in other specific processing situations as provided for in Chapter IX.

3. The basis for the processing referred to in paragraph 1(c) and (e) shall be defined by:
(a) Union law; or
(b) the law of the Member State to which the controller is subject.
The purposes of the processing shall be defined in that legal basis or, in the case of the processing referred to in paragraph 1(e), shall be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. This legal basis may contain specific provisions to adapt the application of the rules of this Regulation, inter alia general conditions governing the lawfulness of processing by the controller; the types of data that are subject to processing; the data subjects; the entities to which personal data may be disclosed and the purposes for which they may be disclosed; purpose limitation; retention periods; and processing operations and procedures, including measures to ensure lawful and fair processing, such as those provided for in other specific processing situations as set forth in Chapter IX. Union or Member State law shall serve a public interest objective and be proportionate to the legitimate objective pursued.

4. Where processing for a purpose other than that for which the data were collected is not based on the consent of the data subject or on Union law or the law of a Member State which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1), the controller, in order to determine whether processing for another purpose is compatible with the purpose for which the personal data were originally collected, shall take into account, inter alia:
(a) whether there is a link between the purposes for which the personal data were collected and the purposes of the intended further processing;
(b) the context in which the personal data were collected, in particular as regards the relationship between the data subjects and the controller;
(c) the nature of the personal data, in particular if special categories of personal data are processed pursuant to Article 9 or if personal data relating to criminal convictions and offences are processed pursuant to Article 10;
(d) the possible consequences of the proposed further processing for the data subjects;
(e) the existence of appropriate safeguards, which may include encryption or pseudonymisation.

To illustrate the application of Article 6 and the different legal bases it offers, I will give two simple examples.

The first example is a processing operation necessary for the execution of a contract. Consent is in this case neither the most judicious nor the most logical legal basis; the obvious choice is simply « the performance of a contract ».

The second example is a processing operation serving a newsletter subscription. Here the most logical choice is consent, because no other legal basis would be appropriate; the performance of a contract, as in the first example, would obviously not be the right choice.

It is very important to check that the legal basis is appropriate to the situation, because not only is it the only way to make the processing lawful, it is also a piece of information that must be recorded in various documents of your accountability file.

The lawfulness of processing goes much further, and is much more complex, than the choice of the legal basis alone.
But that choice is an important point to take into account, and one to make carefully. Some processing is purely and simply prohibited, even if the GDPR provides exceptions. I will surely talk about it in a future article.

I invite you to contact a GDPR consultant or a DPO for more information and help with implementing your compliance.

Christian
