What are the lawful basis for processing personal data?

Under the Data Protection Act 2018 (which implements the General Data Protection Regulation 2016) (UK GDPR) if a business (i.e., a controller) wants to process personal data about a person (e.g., customer, client, prospective client, supplier or employee etc) it can only do so if it can satisfy at least one of the following six lawful basis under Article 6 (in no particular order):

1. Consent – the data subject whom the personal data is about has consented to the processing (but see below – this isn’t always the best basis to use)
2. Contract – processing is necessary for the performance of a contract which the business has with the data subject, or to take steps to enter into a contract
3. Legal obligation – processing is necessary for compliance with a legal obligation to which the business is subject
4. Vital interests – processing is necessary in order to protect the vital interests of the data subject or another person
5. Public tasks – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the business
6. Legitimate interests – processing is necessary for purposes of legitimate interests pursued by the business or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.

If the personal data that the business wants to process falls within a special category of personal data (i.e., personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation), in addition to having a lawful basis from Article 6 it must also satisfy at least one of the following conditions from Article 9:

1. Explicit consent – the data subject has given explicit consent to the processing
2. Employment, social security or social protection laws – processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the business or of the data subject in the field of employment and social security and social protection law, in so far as it is authorised by domestic law, or a collective agreement pursuant to domestic law providing for appropriate safeguards for the fundamental rights and the interests of the data subject
3. Vital interests – processing is necessary to protect the vital interests of the data subject or another person where the data subject is physically or legally incapable of giving consent
4. NFP – processing is carried out by a not-for-profit with a political, philosophical, religious or trade union aim provided the processing relates only to members or former members (or those who have regular contact with it in connection with those purposes) and provided there is no disclosure to a third party without consent
5. Public – processing relates to personal data manifestly made public by the data subject
6. Legal matters – processing is necessary for the establishment, exercise or defence of legal claims, or whenever courts are acting in their judicial capacity
7. Public tasks – processing is necessary for reasons of substantial public interest and is authorised by domestic law
8. Medical purposes – processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of domestic law or pursuant to a contract with a health professional (provided that the personal data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under domestic law or rules established by a national competent body of the UK)
9. Public health – processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of domestic law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy or
10. Archiving, research or statistical purposes – processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) (as supplemented by section 19 of the UK GDPR) and is authorised by domestic law.

What satisfies consent?

Under the UK GDPR, consent is defined as: 

‘freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her’

Furthermore, businesses must be able to demonstrate that consent was given and this could include the data subject ‘ticking a box when visiting an internet website, choosing technical settings for information society services or by any other statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of their personal data. Silence, pre-ticked boxes or inactivity should therefore not constitute consent’.

The UK GDPR therefore places a much higher threshold on the requirement for consent than under previous data protection laws, meaning that it is likely to be much harder to obtain, and therefore not a ground businesses should use unless there is no other appropriate lawful basis.

ICO guidance states ‘consent is appropriate if you can offer people real choice and control over how you use their data, and want to build their trust and engagement. But if you cannot offer a genuine choice, consent is not appropriate. If you would still process the personal data without consent, asking for consent is misleading and inherently unfair.’ You can read the ICO’s guidance on consent here. The Article 29 Working Party has also provided guidance on consent (read here) (the European Data Protection Board replaced the Article 29 Working Party on 25 May 2018 and it has adopted this guidance).

What does ‘necessary’ mean?

No definition is provided in the UK GDPR but the ICO gives some guidance including:

In relation to a contract: ‘‘Necessary’ does not mean that the processing must be essential for the purposes of performing a contract or taking relevant pre-contractual steps. However, it must be a targeted and proportionate way of achieving that purpose. This lawful basis does not apply if there are other reasonable and less intrusive ways to meet your contractual obligations or take the steps requested. The processing must be necessary to deliver your side of the contract with this particular person. If the processing is only necessary to maintain your business model more generally, this lawful basis will not apply and you should consider another lawful basis, such as legitimate interests’.

In relation to a legal obligation: ‘Although the processing need not be essential for you to comply with the legal obligation, it must be a reasonable and proportionate way of achieving compliance. You cannot rely on this lawful basis if you have discretion over whether to process the personal data, or if there is another reasonable way to comply. It is likely to be clear from the law in question whether the processing is actually necessary for compliance’.

In relation to legitimate interests: ‘‘Necessary’ means that the processing must be a targeted and proportionate way of achieving your purpose. You cannot rely on legitimate interests if there is another reasonable and less intrusive way to achieve the same result’.  

Fines

If a business processes personal data (including special categories of personal data) without a valid lawful basis, the ICO can issue a fine under the UK GDPR which is the greater of £17.5m (€20m) or 4% of your businesses total worldwide annual turnover in the preceding 12 months.

What should businesses do now?

Hopefully all businesses will have done these already, but if you have not (or you have but not for a while), you should:

1. Audit your use of personal data (including special categories of personal data) to assess what lawful processing grounds you currently rely on and whether they remain valid under the UK GDPR.
2. Review and update internal and external policies/procedures to ensure that your lawful basis are justified and properly explained.
3. Train staff so that they are aware of which lawful basis you will be relying on for the purposes of the UK GDPR, in particular when consent should and should not be used.

If you would like any further guidance on these lawful processing grounds, or the UK GDPR generally, please contact us.

Disclaimer: This article is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from taking any action as a result of the contents of this article.