| Posted by Miks Ulmanis
Every hero requires a formidable villain. Similarly, each data processing activity requires an appropriate legal basis under Article 6 GDPR.
In simple words, a legal basis is a lawful reason to use personal data. The GDPR recognises six such reasons. If you process personal data without a valid one, the processing is unlawful and you can face hefty fines.
Take Grindr, a dating app for the LGBTQ community, for example. It paid a €6.5 million fine in Norway because it disclosed location data to advertisers without a legal basis.
In this article, we will explain the legal bases described in Article 6 GDPR and show you how to select the most appropriate legal basis.
You can carry out a myriad of processing activities where personal data is involved. For example, you can collect credit card details to receive payments or you can ask for email addresses to send marketing emails.
When you do these, you must identify an appropriate legal basis under Article 6 GDPR.
For instance, imagine that you decide to use a YouTube plugin on your website to display video content. When your visitors watch these videos, YouTube places cookies on their devices and collects personal data such as device information and viewing behaviour. This is a data processing activity, and therefore you need a legal basis under Article 6 GDPR before you embed the plugin on your website.
Article 6 GDPR sets out six separate legal bases that you can rely on. Among these six bases, three of them are highly relevant for businesses: ‘Consent’, ‘Legitimate Interests’ and ‘Contractual Necessity’.
Let’s go through each and show you when you can use them with real-life examples.
“the data subject has given consent to the processing of his or her personal data for one or more specific purposes;”
(Article 6(1)(a) GDPR)
While consent is a widely used legal basis, the GDPR sets a high bar for valid consent: Article 4(11) defines it and Article 7 lays down the conditions for obtaining and demonstrating it.
To meet this bar, you must ensure that consent fulfils the following four criteria:
Freely given: Individuals must have a genuine choice to accept or reject the processing of their data. Otherwise, their consent will not be valid and you will end up processing personal data unlawfully.
For example, if your cookie banner bundles strictly necessary cookies together with tracking cookies under a single accept button, user consent will not be valid. This is because visitors have no free choice to accept or reject the different categories of cookies separately.
Indeed, the French Data Protection Authority (CNIL) has published guidance on this matter stating that such consent is unlawful.
Specific: Individuals must give their consent separately for each specific purpose of processing.
Informed: You need to provide individuals with all information related to the use of their data. This includes your business’s identity, the types of data you collect and your use of data for specific purposes.
Unambiguous: You need a clear and affirmative act by individuals for valid consent. For example, pre-ticked boxes are not clear acts so such consent would not be valid.
Remember that each individual can withdraw his or her consent at any time. This means you lose your legal basis to process their data from that moment on. Therefore, you must carefully consider whether consent is a suitable legal basis or whether a more appropriate one exists.
“processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party…”
(Article 6(1)(f) GDPR)
Alongside consent, legitimate interests is one of the most common legal bases.
A legitimate interest is a need to process personal data in order to carry out tasks related to your business activities. For example, you may want to install CCTV in your office. In this case, your legitimate interest could be the security of your property.
To rely on this basis in a GDPR-compliant way, you need to satisfy the following conditions:
The balancing test is the most critical step. When one of the following exists, individuals’ interests may override your interests. In such cases, you won’t be able to rely on legitimate interests:
The GDPR's recitals (Recitals 47 to 49) give examples of processing that may be based on legitimate interests:
“processing is necessary for the performance of a contract…”
(Article 6(1)(b) GDPR)
You can only rely on this basis if the processing of data is unavoidable for the performance of a contract between you and the individual.
For example, you may need your customers’ postal addresses or credit card information. Collection and use of this data are strictly necessary for you to fulfil your contractual obligation – to complete the deliveries and to receive payments. Therefore, you can rely on contractual necessity.
On the other hand, the contractual necessity ends once the delivery and payment are complete. If you store address or credit card details after the transaction has been completed, e.g. for upselling or future purchases, you must find another legal basis, such as consent.
“processing is necessary for compliance with a legal obligation to which the controller is subject;”
(Article 6(1)(c) GDPR)
You can rely on this basis when the applicable law obliges you to process the data. For example, when you receive a job application, you may be legally required to verify the applicant's right to work in your country. In this case, you can rely on this basis to justify the collection and use of ID documents.
“processing is necessary in order to protect the vital interests of the data subject or of another natural person;”
(Article 6(1)(d) GDPR)
Vital interests mean things that are essential for someone’s life – life and death situations.
This only applies in emergency situations such as when an individual is unconscious and needs medical help.
“processing is necessary for the performance of a task carried out in the public interest…”
(Article 6(1)(e) GDPR)
This basis applies only in limited circumstances. The task in the public interest must be laid down in EU or Member State law, so it is the legislator, not the controller, who decides which tasks qualify.
There is no better or superior legal basis and all six bases are equal. So, if there is no hierarchy between the legal bases, how do you choose the correct one?
You need to follow these two steps to determine the right basis:
Step 1: Is the processing necessary to achieve the purpose? Are there more reasonable and less intrusive ways?
“If you can reasonably achieve the same purpose without the processing, you won’t have a lawful basis.”
For instance, let's say you plan to use AI-powered cameras in your store to count the number of visitors per day. In this case, you must be able to show that these cameras are necessary to achieve your goal. Otherwise, you will have to find another method.
This is because these cameras may capture people's faces.
If you can find a method of counting store visitors without recording people's faces, then the collection of facial data is unnecessary. Therefore, you should not even start this activity.
Step 2: If you decide the processing of personal data is necessary, you should choose a legal basis based on the following factors:
What is the context of the processing? What personal data do you collect and would individuals reasonably expect that their data would be processed in that way?
What is your purpose for processing personal data?
Would obtaining consent satisfy GDPR standards such as ‘freely given’, ‘unambiguous’ and ‘affirmative’?
You should select the most appropriate basis on a case-by-case basis.
In most circumstances, you will have to choose between ‘Consent’ and ‘Legitimate Interests’. This is because it will be fairly obvious if the other four bases apply.
When you are choosing between consent and legitimate interests, you should consider the following factors (the list is not exhaustive):
For instance, if you share precise user location data with advertisers, this may present a high risk to individuals. In this case, consent will be more appropriate.
Article 6 GDPR applies to the processing of all personal data. However, there are special categories of personal data (sensitive data) that require a higher degree of protection.
Therefore, Article 9 GDPR sets out additional requirements for the collection and use of sensitive data.
The use of sensitive data may have a more profound impact on an individual. When you collect, use and process sensitive data, you must satisfy these two requirements together:
Put simply, if you intend to process sensitive data you need a higher barrier to pass: Firstly, you need to have a legal basis under Article 6 GDPR. Secondly, you must meet one of the special conditions in Article 9 GDPR.
Some of the conditions set out in Article 9 GDPR include, but are not limited to:
A clinic provides one-to-one therapy sessions for people with psychological disorders.
Patients must disclose their medical history to the therapists before sessions. This includes previous diagnoses and reports.
This health data is a special category of data under Article 9 GDPR.
The clinic can rely on the following legal grounds under Article 6 & 9 GDPR:
If your users or customers don't know the legal basis, they can't exercise their rights under the GDPR.
This is because their rights differ depending on the legal basis you choose. To illustrate, individuals do not have the 'Right to Data Portability' when you rely on Legitimate Interests to process personal data, but they can ask one service provider to transfer their data to another when the legal basis is 'Consent' or 'Contractual Necessity'. Conversely, the 'Right to Object' under Article 21 GDPR applies to processing based on Legitimate Interests but not to processing based on Consent, where the individual instead withdraws consent.