As we’ve seen in the previous installment of this guide, lawfulness, fairness, and transparency are core GDPR principles.
But what makes data processing “lawful” according to the GDPR?
The Regulation distinguishes between two categories of personal data: non-sensitive personal data, on the one hand, and sensitive personal data, on the other.
In this installment, we’ll focus on non-sensitive personal data to help you understand when and how you can process it in a lawful, GDPR-compliant way.
Not All Processing is Allowed
Before we start, it’s important to clarify one notion: under the GDPR, data processing is forbidden unless explicitly allowed.
As a result, you need to have a valid, GDPR-sanctioned legal basis if you want to process (and we’ve seen how extensive this notion is) someone else’s personal data.
These legal bases are found in Articles 6 and 9 of the GDPR. The first provision deals with non-sensitive personal data, and today we’re going to look at it in depth.
(If you’re interested in knowing more about Article 9 and sensitive personal data, check out our blog post.)
Legal Bases for Processing Non-Sensitive Personal Data
According to Article 6, data controllers can process non-sensitive personal data when at least one of six legal bases applies (in practice, more than one often applies to the same processing).
The six legal bases are:
- Consent of the data subject;
- Necessity for the performance of a contract;
- Legal duties of the controller;
- Vital interests of the data subject or of another natural person;
- Public interest and exercise of official authority;
- Legitimate interests pursued by the controller (or by a third party).
Consent of the data subject
According to Article 6(1)(a), processing non-sensitive personal data is lawful if «the data subject has given consent to the processing […] for one or more specific purposes.»
The notion of consent is further clarified by Article 4(11), according to which consent is «any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.»
The basic idea is pretty simple: if someone has validly consented to your processing of their personal data, that processing is lawful.
There are, however, some caveats.
First, to be valid, consent must satisfy the conditions set out in Article 4(11): it has to be freely given, specific, informed, and unambiguous, and it must be expressed by a statement or a clear affirmative action (silence, pre-ticked boxes, or inactivity do not count).
Secondly, Article 7 adds further conditions: the controller must be able to demonstrate that the data subject consented; a request for consent must be presented clearly and separately from other matters (for example, not buried in the terms of a contract); and the data subject must be able to withdraw consent at any time, as easily as it was given.
Finally, Article 8 adds rules for consent given in relation to online services offered to a child: where the child is below the age of 16, consent must be given or authorised by the holder of parental responsibility (Member States may lower this threshold, but not below 13).
Necessity for the performance of a contract
If you’ve ever made an online purchase, you’ll know that you are asked to enter a few pieces of personal data: your name, surname, address, and credit card number.
All of these are personal data. So can the eCommerce owner lawfully process them? Yes, because they are necessary for the performance of the contract.
The rule doesn’t just apply to online shopping.
According to Article 6(1)(b) of the GDPR, processing non-sensitive personal data is lawful when such processing is «necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.»
Keep in mind, however, that this legal basis only covers data that is genuinely required to perform the contract (or to take the pre-contractual steps the data subject asked for). Collecting extra data “while you’re at it” is not covered: if the data isn’t necessary for the contract and no other legal basis applies, the processing is unlawful.
Legal Duties of the Controller
It’s a basic tenet of both law and common sense that if you are required by law to do something, you cannot face adverse consequences for actually doing it.
As a result, the GDPR regards processing activities as lawful when they are, to quote Article 6(1)(c), “necessary for compliance with a legal obligation to which the controller is subject.”
The provision applies to data controllers working in both the private and public sectors.
Article 6(3) clarifies that the legal obligation must be laid down in EU law or in the law of the Member State to which the controller is subject.
Article 6(3) also states that such a law may contain specific provisions adapting the GDPR’s rules, including “the general conditions governing the lawfulness of processing by the controller; the types of data which are subject to the processing; the data subjects concerned; the entities to, and the purposes for which, the personal data may be disclosed; the purpose limitation; storage periods; and processing operations and processing procedures.”
There are several cases where the legal basis for processing personal data is a controller’s legal obligation.
Business owners, for instance, process their clients’ personal data every time they invoice them: they are required to do so for tax purposes.
Similarly, they must process their employees’ personal data for social security, taxation, and (occasionally) security purposes.
Vital interests of the data subject or those of another natural person
Article 6(1)(d) makes processing lawful when it is “necessary in order to protect the vital interests of the data subject or of another natural person.”
For example, an emergency service can lawfully process an unconscious person’s identity and contact details in order to reach their next of kin. (Health data such as a blood type is sensitive personal data, for which Article 9(2)(c) provides a parallel vital-interest basis.)
It’s unlikely that a data controller acting in the private, non-medical sector will be able to rely on this legal basis, and Recital 47 makes clear it should be used only where the processing cannot manifestly be based on another legal basis. If you do rely on it, remember that you may process only the personal data needed to protect the vital interests at stake.
Public interest and exercise of official authority
Article 6(1)(e) of the GDPR provides that processing is lawful when it’s “necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.”
Article 6(3) also applies when the legal basis is public interest or official authority. Consequently, the basis for the processing must be laid down in either EU or Member State law.
Legitimate interests pursued by the controller (or by a third party)
Finally, under Article 6(1)(f), data controllers can lawfully process personal data when it’s “necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
To rely on this basis, however, data controllers must satisfy a three-step test.
First, they have to ensure that their interest is, indeed, legitimate.
Recital 47 offers examples of legitimate interests (such as preventing fraud and direct marketing), but the list shouldn’t be considered exhaustive. In principle, any lawful interest can qualify.
Secondly, controllers must make sure that the data they intend to process is necessary to pursue that interest. If there’s another, less intrusive way to achieve the same result, they should opt for it.
Finally, controllers must ensure that their legitimate interest is not overridden by the data subject’s interests, fundamental rights, and freedoms, taking into account what the data subject would reasonably expect. This balancing exercise is to be conducted on a case-by-case basis, and it should be documented so the controller can show how it reached its conclusion.
Processing Non-Sensitive Personal Data: a Few Words in Conclusion
Article 6 lists six legal bases allowing data controllers to lawfully process non-sensitive personal data. Controllers can rely on one or more of these legal bases, but they should identify which one(s) they are relying on before the processing starts.
Keep in mind that having a legal basis to invoke is not enough on its own.
Processing activities should always respect all GDPR principles. The lawfulness of processing is only one aspect of GDPR compliance.