The GDPR – What is Lawful Processing of Personal Data?

The General Data Protection Regulation (GDPR) will take effect as of 25 May 2018, replacing the current statutory data protection regime of the Data Protection Act 1998 (DPA).

Controllers and processors of personal data within EU Member States will be subject to the GDPR and should be aware of the various changes to data protection law that will come about when the GDPR comes into force. One area of change will be the rules for determining when a subject’s personal data may be processed lawfully. Article 6 of the GDPR makes the processing of personal data lawful only where one (or more) of the following six grounds has been met:

1. Consent

The first ground is that the data subject has given consent to the processing for one or more specific purposes.

The GDPR sets a high bar for obtaining lawful consent. The definition of consent is set out in GDPR Article 4 and requires consent to be freely given, specific, informed and unambiguous. Consent can be given by way of a statement or by a clear affirmative action.

Prior to the GDPR the most common method of providing consent was by way of tick-boxes. Whilst this is still permitted, certain practices such as inferring consent from the absence of a specific objection or the use of a pre-ticked box will no longer constitute valid ways of obtaining consent. Obtaining consent for a variety of processing purposes will also be invalid unless the extent of the consent is made clear for each purpose. Further, any obtaining of consent in a consumer context must now also comply with the Unfair Terms in Consumer Contracts Regulations 1999, which require, inter alia, contractual terms to be fair on consumers in order to be binding.

Further, in order for consent to be validly obtained there must be a balance in the negotiating power between the party providing consent and the data controller or processor. This may not be the case where consent is being given to an authority such as an employer or public body.

For there to have been lawful and valid consent, the data subject must be able to identify the data controller and understand how the data is going to be processed. Lawful consent cannot be provided if the data subject has no practical choice or cannot refuse consent or withdraw it at any time. The GDPR provides that withdrawing consent should be as easy as giving consent.

Children under 16 cannot provide valid consent on their own: the data subject must be aged 16 or over, and parental consent is required for anyone younger. Reasonable efforts must be taken to verify that, where consent is provided by the parent, it is genuine.

The burden of proof in a dispute lies with the data controller, who must show that consent was validly obtained. Accordingly, once consent has been obtained, data processors are advised to confirm, review and update it regularly.

2. Performance of a Contract

The second ground for lawful processing is where the processing is necessary for the performance of a contract, or where it is necessary in order to “take steps” at the request of the data subject before entering into a contract. It should however be noted that processing data in the performance of a contract will only be lawful if the processing is genuinely “necessary” for that contract.

3. Compliance with a Legal Obligation

The third ground is where personal data is processed in order to comply with a legal obligation. The legal obligation does not have to be enshrined in legislation or statute, but must be a clear legal obligation having regard to the laws of that Member State or the EU.

4. Vital Interests of the Data Subject

The fourth ground is where personal data is processed in order to protect the vital interests of the data subject or another individual. “Vital interests” will include interests essential for the life of the data subject, as well as processing for humanitarian purposes and, in particular, cases where a disaster has struck.

5. Public Interest

The fifth ground is where the processing is necessary for the purpose of performing a task that is in the public interest or in the exercise of official authority vested in the data controller. An example is a local authority using personal data to collect council tax. In order to rely on this ground there must be a basis for it in the law of that Member State or the EU.

6. The Legitimate Interests of the Data Controller

Finally, processing personal data will be lawful where the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, provided that those interests are not overridden by the fundamental rights and freedoms of the data subject. A key question here will always be what constitutes a “legitimate interest”. The European Parliament explains that the reasonable expectations of data subjects, based on their relationship with the data controller, will be a key consideration. The GDPR itself gives examples of processing activities that may be lawful under this ground, such as processing for network and information security or for the prevention of fraud.

This ground is not available to public authorities, who are expressly prohibited from relying upon it, nor to any party dealing with children (as a child’s interests will always override the interests of a data controller).

Under the GDPR, data controllers and processors will be committing an offence if they do not avail themselves of one or more of the above grounds when processing personal data. In preparation for the GDPR, firms should therefore audit their processes to ensure that each and every instance of data processing correlates with a lawful purpose.

To discuss anything you have read above with one of South Bank Legal’s data protection solicitors, please get in touch for a confidential discussion.