One of the more misunderstood aspects of GDPR has to be how companies can process personal data. This is covered in Article 6 of the regulation and even though there are 6 different scenarios allowing for the legal processing of personal data, the only one we are asked about on a regular basis is “Consent”. There is some justification for this, given it is probably the most likely means of legal processing for most companies and the most transparent. That does not mean we should ignore or forget the rest. To give a bit of clarity and shed light on all 6 ways to legally process data we provide the following: each of the 6 justifications, a further description and an example of when that justification might be used.
1. “the data subject has given consent to the processing of his or her personal data for one or more specific purposes;”
Put this language together with Articles 7 and 8 and you find that it requires something that is now being called “Specific Informed Consent”.
The consent part may be fairly straightforward except that it can no longer be passive consent or “opt out”. The data subject must actively respond in some way to show consent and the controller must be able to prove that consent to the regulator.
“Specific” means that there is no longer the ability to get blanket consent through one tick box at the end of a form or on a website. If relying on consent to process data, the controller must obtain consent for each use of the data.
“Informed” essentially means that the specific consent obtained must be explained in clear enough terms for the data subject to be able to reasonably understand what they are consenting to. One important aspect of this is the age at which a data subject can give consent. GDPR gives a general rule of 16 years of age for most general forms of consent with the ability of each Member State to choose an alternate age threshold not to be below the age of 13 years. The UK has chosen the age of 14 to conform with the previous data protection regime as well as other areas of law surrounding age of consent.
SCENARIO – A local political activist group wants to gain support for its latest project to preserve a building with historic significance. In order to show the success of their community outreach and show how many people support their cause they create a “Save the Site” petition to gather names and contact information from people in the community. The petition signature gatherers are given a script that explains what they are doing and that signing the petition and giving their information is completely voluntary. On the forms, just under where the individual fills out their information, is a sentence that says “I agree to my data being shared with third parties for the purpose of confirming my support for this project.” There is a tick box next to the sentence. If it is left unticked that person’s data will be put on a list of data to be pseudonymised before it is passed on. There are additional sentences the individual signing the petition will read that ask permission for different uses of the data, such as statistical analysis and marketing, with an individual tick box next to each.
2. “processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;”
If a controller enters into a contract with a data subject or reasonably anticipates entering into a contract with a data subject they may process personal data for the express purpose of performing the contract or obtaining pertinent information required prior to entering into the contract.
SCENARIO ONE – A law firm enters into a contract with a client in order to draw up their Estate Planning documents. In order to fulfil their contract with the client, the law firm must obtain and process data about the data subject.
SCENARIO TWO – A furniture retailer is offering a credit contract for the purchase of furniture. Before entering into a long-term credit contract with a customer they must be able to verify that the customer has the ability to repay the debt incurred. This requires the furniture store to process data of the data subject to determine their credit-worthiness before finalising a long-term credit contract.
3. “processing is necessary for the compliance with a legal obligation to which the controller is subject;”
What constitutes a legal obligation may not be entirely clear in all circumstances but there are some clear examples of when this reason will apply. Those include: in the course of a police investigation, on request from HMRC, or pursuant to a court order.
SCENARIO – A local retailer has had their store broken into and robbed. Their CCTV cameras were intentionally disabled by the robber or robbers. However, the store next door has CCTV cameras that are likely to show the robbers approach and leave the scene. The police request the footage from the neighbouring stores in the course of the investigation. The stores are authorised to provide this footage even though it contains images of individuals as it is in compliance with a legal obligation.
4. “processing is necessary in order to protect the vital interests of the data subject or of another natural person;”
As with “legal obligation” above, it may not always be obvious what a vital interest is but there are certain situations that will clearly fall under this category. They would include: gathering medical data in order to provide medical care or gathering data during investigation of a criminal act.
SCENARIO – An individual attends a walk-in medical centre to seek medical attention for a persistent illness they believe to be a chest infection. In order to provide the appropriate medical care and advice, the attending GP must gather personal data such as name and emergency contact as well as relevant medical history such as allergies to certain medications.
5. “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;”
There are some similarities to the 4th reason above in terms of public interest but this one is not focused on the single data subject’s interest but the interest of the public at large. The authority to process data then must be shown to be for the public good. In addition, the authority to process the data can come from an official authority that has been vested in the controller, such as would be given to local authorities who must gather data to determine budget and spending priorities.
SCENARIO – A County Court Judge must determine the legitimacy of a claim brought before the court. In order to make an informed ruling the Court is vested with the official authority to gather data in order to perform its duties.
6. “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child”
This is often referred to as a “legitimate business interest” but it does not have to be a business in order to be a controller with a legitimate interest. The most important part to remember about this reasoning for collecting data is that the controller’s legitimate interest in processing the data cannot override the interests of the data subject. This is particularly important where the data subject is a child. A good measure of whether the legitimate interest does not override the interests of the data subject is if a reasonable person would expect that the data controller would be processing the data in the way they are processing it.
SCENARIO – An accounting firm is asked to process the payroll for a client company. The firm has a legitimate interest in collecting and processing the data and their doing so would be considered reasonable by the client as well as the employees whose data is being provided to the accountant in order to process their paycheques.