One of the key steps in preparing for the General Data Protection Regulation is to know why you are processing each set of personal data, and which of the six legal justifications applies: consent, contract, legal obligation, vital interest, public interest or legitimate interest. The Regulation significantly tightens the rules on when consent can be used, so data controllers may well have to look more closely at the other five. Each justification has different implications for when processing is allowed, the information you provide to data subjects, and the rights they can exercise, so the choice of the most appropriate one for each processing activity is likely to drive much of your subsequent compliance activity.
[Note that, as the Article 29 Working Party noted on page 8 of their Opinion on Consent, a single activity may involve a combination of justifications. For example, on an interactive website such as this, the processing of user accounts required to post comments is “necessary for contract”; the processing of logs to detect misuse and security incidents is “necessary for a legitimate interest”; adding your name or a photo to the comment is by “consent”.]
The Recitals to the Regulation contain quite a lot of information, and examples, of when each of the justifications is likely to be appropriate. This post attempts to gather that into a summary of the kinds of processing likely to be suited to each justification. In each case I’ve suggested a question as an initial check of whether the justification is likely to fit your processing – these are just hints and carry no legal significance, nor are they the only questions you need to consider before making your choice.
Contract: covers processing that is necessary (i.e. there is no less intrusive way to perform the agreement) either for an existing contract to which the data subject is a party, or in preparation to enter into a contract at the data subject’s request. This includes exporting personal data where that is a necessary part of the contract. The EDPB has provided more detailed guidance on this basis. Note that in English law “contracts” are not limited to those on paper, so this justification is also likely to cover less formal agreements between a data subject and a data controller.
Q: “is this required to deliver an agreement with the individual?”
Legal Obligation: covers processing that is necessary to fulfil a legal obligation to which the data controller is subject. The obligation must be set out in EU or national law, must meet an objective of public interest and be proportionate. Examples include obligations in the fields of employment and social security, including those that require processing sensitive (now known as “special category”) personal data.
Q: “am I required to do this by law?”
Vital Interest: covers processing that is necessary to protect a vital interest (something essential to life) of the data subject or a third party. This can include necessary exports of personal data. If the data subject is capable (both in law and in practice) of giving consent to the processing, that justification should be preferred.
Q: “is this processing needed to protect someone’s life?”
Public Interest: covers processing (by both public and private bodies) that is necessary for some public interest. That interest must be set out in EU or national law, and any processing must be proportionate to it. The law may designate a particular data controller to carry out the function (“exercise of official authority”); this justification also covers other organisations that wish to share relevant information with those authorities. Examples include taxation; reporting crimes; humanitarian purposes; preventive or occupational medicine; public health; social care; quality and safety of products, devices and services; election campaigns.
Q: “is this processing needed for some legally-defined public purpose?”
Legitimate Interest: covers processing that is necessary for a legitimate interest of the data controller or a third party, provided that interest is not overridden by the interests and rights of the individual. The Article 29 Working Party provided detailed guidance on how to ensure this balance of interests is met. Processing is more likely to satisfy the balance if it is expected given the nature of the relationship between the individual and the data controller. This justification cannot be used when exercising official authority (use “necessary for public interest” instead). Examples include processing necessary to detect fraud or report criminal activity, to protect network and information security, or for internal administration in a corporate group or not-for-profit organisation.
Q: “would this processing surprise or upset the individual, given our relationship?”
Consent: the only justification that does not include the word “necessary”. It may therefore be used for data and processing that are not necessary, but should not be used for processing that is (use one of the “necessary” justifications instead). According to the Information Commissioner’s guidance, consent is appropriate when the individual, not the organisation, is in control of the processing. Individuals must have a genuine choice about what (if any) personal data to provide and must be able to change their mind at any time. In particular, consent should not be used where there is a clear imbalance in negotiating strength (employers and those exercising official authority are likely to have difficulty obtaining genuine consent), or where “consent” is made a condition of providing some other service (use “necessary for contract” instead).
Q: “is this processing truly optional for both the organisation and the individual?”