Some of the General Data Protection Regulation’s requirements on data controllers apply no matter which legal basis for processing is being used. For example there are common requirements on information given to data subjects; breach notification and rights of access and rectification will normally apply to all personal data. However other requirements are specific to particular justifications. A previous post aimed to help organisations determine the most appropriate justification(s) for particular data processing activity. This one summarises the main differences – in particular to the information organisations must provide and the processes they must support – that arise from the choice of legal basis.
For further information I’ve linked to relevant guidance – either under the previous Directive or proposed for the Regulation – where I can find it.
Contract: Data subjects must be informed that providing the information is necessary for the contract, and of the consequences of refusal. The Data Controller must handle requests for data portability.
Legal Obligation: Data subjects must be informed that providing the information is a legal requirement, and of the consequences of refusal.
Vital Interest: The Data Controller must handle requests for human review of any automated decision making.
Public Interest: Data subjects must be informed of their right to object, based on their particular circumstances, to processing. The Data Controller must handle requests for human review of any automated decision making; they must have a process for reviewing objections to processing; they must also handle requests for restriction of processing while this review is taking place, and for erasure if the review concludes that there are no legitimate grounds to continue processing.
Legitimate Interest: Data subjects must be informed of the legitimate interest(s) that justify processing and of their right to object, based on their particular circumstances. The Data Controller must have processes to balance the interest(s) of the data controller against those of data subjects; they must handle requests for human review of any automated decision making; they must have a process for reviewing objections to processing; they must also handle requests for restriction of processing while this review is taking place, and for erasure if the review concludes that there are no legitimate grounds to continue processing.
Consent: Data subjects must be informed how to withdraw consent, and the right to erasure if they do so. The Data Controller must ensure that processes for giving and withdrawing consent satisfy the Regulation’s requirements (in particular that adult consent is obtained when relying on this basis to process a child’s personal data); they must keep records of when, how and to what consent was given; they must also handle requests for erasure when consent is withdrawn, and for portability.
