Lawful basis for data capture / processing
Article 5 of the GDPR sets out the legal requirements for the capture and processing of personal data. In all cases personal data must be:
(a) processed lawfully, fairly and in a transparent manner in relation to individuals;
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
What is lawful processing?
Processing conditions for personal data
For processing to be lawful under the GDPR, it needs to be covered by one of the “conditions for processing”. Businesses need to identify the condition on which they are relying for the processing of personal data and clearly document it. There are six processing conditions that could apply:
- Data subject has given their consent
- Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
- Processing is necessary for compliance with a legal obligation
- Processing is necessary to protect the vital interests of a data subject or another person
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller
- Processing is necessary for the purposes of legitimate interests pursued by the data controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject. This processing condition cannot be used in relation to processing carried out by public authorities in the performance of their duties.
Processing conditions for special categories of data
Where the personal data falls within one of the ‘special categories’, more stringent processing conditions apply:
- Explicit consent of the data subject, unless reliance on consent is prohibited by EU or Member State law
- Processing is necessary for carrying out obligations under employment, social security or social protection law, or a collective agreement (the Data Protection Act 2018 also requires the controller to have an appropriate policy document in place in these circumstances)
- Processing is necessary to protect the vital interests of a data subject or another individual where the data subject is physically or legally incapable of giving consent
- Processing carried out by a not-for-profit body with a political, philosophical, religious or trade union aim provided the processing relates only to members or former members (or those who have regular contact with it in connection with those purposes) and provided there is no disclosure to a third party without consent
- Processing relates to personal data manifestly made public by the data subject
- Processing is necessary for the establishment, exercise or defence of legal claims or where courts are acting in their judicial capacity
- Processing is necessary for reasons of substantial public interest on the basis of EU or Member State law which is proportionate to the aim pursued and which contains appropriate safeguards (the Data Protection Act 2018 also requires the controller to have an appropriate policy document in place in these circumstances)
- Processing is necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of EU or Member State law or a contract with a health professional
- Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of healthcare and of medicinal products or medical devices
- Processing is necessary for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes
The GDPR contains a transparency principle which sets out details of the type of information which should be provided to data subjects regarding the collection and processing of their data. This information includes:
- the details of the data controller
- the purpose for which the personal data is being processed
- the processing condition which is being relied upon for that processing
- where the data controller is relying on the legitimate interests processing condition, details of the legitimate interests being pursued by the data controller or a third party.
This information needs to be given to the data subject when the personal data is collected. The transparency obligation applies regardless of the processing condition which is being relied upon. For more information on how this information should be provided see the Privacy policies / information notices page.
Complying with this transparency obligation could prove challenging for businesses, particularly where they want to rely on a legitimate interests basis in order to further process personal data that was originally collected on the basis of consent. Businesses should consider what purposes they will be using the information for, and seek to reflect all of those purposes in their privacy notice. If a further use is subsequently identified, an additional privacy notice may be required in order to comply with the transparency obligation.