GDPR stipulates that “processing shall be lawful only if and to the extent that at least one of the following (conditions) applies”. It then lists six conditions, in short:
- Consent of the data subject
- Performance of a contract with the data subject, or steps taken at the data subject’s request prior to entering into a contract
- Compliance with a legal obligation on the controller
- Protecting the vital interests of the subject or another natural person
- Carrying out a task in the public interest
- Legitimate interests of the controller
With the exception of consent, the conditions all provide that the processing must be “necessary” to meet the purpose. This means that if there is an alternative means of achieving the objective of the processing which does not involve processing personal data, the processing is not “necessary” and the relevant condition cannot be taken as applying.
Consent is the most difficult of the conditions and should usually be considered as a last resort, if no other condition applies. There are weaknesses in consent as grounds for lawful processing, not least that it is revocable by the subject, leaving the controller without a condition for lawful processing. GDPR states that consent should be a freely given, unambiguous, revocable, positive indication of agreement. This means that situations where consent is obtained under any kind of pressure, for example in an employer/employee situation where the bargaining powers are unequal, will seriously undermine its validity. The ICO also maintains that consents should be reviewed periodically; they are not expected to continue in force indefinitely. We published an earlier article on consent here.
So what other lawful bases are applicable?
Contract and pre-contract
Processing that is necessary either to fulfil a contract with the data subject or to take steps at the request of the data subject prior to entering into a contract is another condition for lawful processing. So HR administration, payroll and benefit provision would involve processing necessary to fulfil the contract of employment with an employee.
However, in other situations the contract basis can still fall short. Consider a situation where processing is necessary to fulfil a contract with a client company. It will involve administration and communication with the client company’s employees, but the contract is not one to which those employees are a party, so the controller is not able to rely on the contractual condition to establish lawful processing for administration of the contract and routine communication with its client.
Also how far does the contractual condition apply in complex relationships like that between an employer and employee?
Steps preparatory to entering into a contract of employment apply as a lawful basis once a prospective employee has been selected from interview. This will cover sending out the employment contract and job offer, but does it cover advising any recruitment agency involved? Can that be said to be steps taken at the request of the data subject prior to entering into a contract?
In addition, during employment some processing is necessary to fulfil the contract with the employee data subject, for example paying salaries and arranging employment benefits. Does this also extend to providing training? Personal and professional development? Are the records generated by those activities processed lawfully as part of the contract of employment? Probably, so long as the beneficiary is the data subject. It could also cover vetting of the employee by regulatory authorities as, without their approval, the employee will not be able to fulfil the contract of employment.
Compliance with a legal obligation
Processing necessary to comply with a legal obligation of the controller is reasonably straightforward, except that this excludes contractual obligations, presumably on the basis that contract could otherwise be used to circumvent the lawful processing requirements. The condition covers statutory, other legal and regulatory obligations, but the ICO advises that controllers should be able to point to the legal authority requiring the processing. For example, employee personal data may be processed to meet legal requirements around monitoring and promoting equal opportunities and diversity in the workplace. Sharing payroll data with HMRC is another statutory duty, as is disclosure to the Courts, to the Home Office in connection with right to work, and to the Child Support Agency.
There are limits to the application of this condition for lawful processing when organisations are seeking to comply with best practice rather than a strict legal requirement; for example, monitoring protected characteristics is not completely necessary for compliance with anti-discrimination legislation.
Protecting vital interests
Protecting the vital interests of the data subject or another natural person will only apply in restricted circumstances. The Recitals to GDPR explain that it is intended to apply where someone’s life or health is at significant risk. How far this might be taken in the context of housing, for example, is not yet clear, but it could be argued that as the need for shelter is second in the hierarchy of needs, threats to shelter represent a threat to health in the longer term. So it might be possible to frame an argument allowing data processing in the context of activities to sustain a tenancy based on the vital interests of the tenant and members of his or her household. This would apply, for example, where a landlord shares data with a third party, a charity perhaps, which is not necessary to fulfil the tenancy contract but would be necessary to sustain the tenancy in the vital interests of those concerned.
Tasks carried out in the public interest
Carrying out tasks in the public interest is a lawful processing condition that applies only to public bodies.
Legitimate business interests
Processing necessary in the legitimate interests pursued by the controller or by a third party is designed to capture processing activity which does not meet any of the other conditions. It is qualified and does not apply where the legitimate interests are “overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
Nevertheless it is useful in several contexts, for example when considering records of persons associated with the data subject where the processing of the data subject’s own data is to fulfil a contract with the data subject. In the employment context an employer may hold details on persons associated with the employee, such as members of their household, GP, solicitor etc. These records are required in the controller’s legitimate business interests.
The legitimate interests condition carries a further proviso, that the interests themselves have to be stated. In the example involving persons associated with an employee, it might be to carry out the instructions of the employee, for example to comply with a request to confirm salary in writing to a solicitor or landlord. It might be to provide pastoral support to the employee by understanding his or her home environment, or to encourage the employee’s family to buy into the ethos of the employer by providing access to events or offers. It is the rights of those third parties that need to be factored in when relying on legitimate interests.
Legitimate interests would also be used in situations where the contract condition falls short as described above. Fulfilment of a contract with a client company will involve processing personal data relating to its employees but the contract is not one to which the employees are a party, so the controller is not able to rely on the contractual condition to establish lawful processing for administration of the contract and routine communication with its client. This is where legitimate interests of the business would be specified as allowing it to service clients to fulfil its contractual obligations to them.
Marketing activity often relies on legitimate interests of the controller in promoting and expanding its business although consent to marketing is required where personal data of prospects is used to target marketing activity.
Legitimate interests might also be used as lawful grounds for data sharing that is incidental to the main data processing purposes, for example research projects.
In the UK the ICO has provided that where organisations choose to rely on the legitimate interests grounds for lawful processing, they must assess and document the legitimate interests involved and the safeguards in place for data subject rights. Guidance on the ICO website says:
“There are three elements to the legitimate interests basis. It helps to think of this as a three-part test. You need to:
- identify a legitimate interest;
- show that the processing is necessary to achieve it; and
- balance it against the individual’s interests, rights and freedoms.”
Special category data
In addition to the lawful grounds for processing personal data, there is another layer of conditions to meet if special category data is being processed. That is not the subject of this article, but readers should be aware that special category data adds another layer of complexity.
It is clear that identifying the appropriate lawful grounds for processing is a complex area and decisions made should be reviewed regularly to ensure that all the nuances and angles have been correctly identified. This is information that feeds directly into published Privacy Notices. It is no longer a hidden part of compliance but right out there in the open for anyone to pick up on.
We can help with reviews of all aspects of Privacy Notices and provide guidance on lawful grounds for processing. Give us a call to discuss what you need and we will provide a no-obligation quote.