What is a Lawful Basis and why do we need one?
Whilst the use of personal data expands, Data Controllers are still required to, in accordance with the first Data Protection principle of Article 5 of the General Data Protection Regulation (GDPR) to determine their ‘lawful basis’ in order to comply with the requirement that data must be processed fairly and lawfully.
Article 6 of the GDPR provides the Data Controller with a choice of six lawful bases to use, these are:
- Performance of a Contract;
- Legal Obligation;
- Vital Interests;
- Public Task;
- Legitimate Interests.
Whilst there are 6 you can use, there is no basis that is valued as better or more critical than another.
The main consideration to make when determining the most appropriate lawful basis to apply to the processing of personal data is to ensure that the Data Controller gets it right at the first time of determining. This is important because, once chosen, a Data Controller cannot switch to a different basis unless they have a good and valid reason. If ‘consent’ has been chosen as the lawful basis for processing the personal data, the change of lawful basis is even more difficult to swap from.
The lawful basis for processing personal data must be presented and communicated to the Data Subject at the time of data collection, or within 30 days if the data was received via a 3rd party. This information can be provided to the Data Subject in a number of ways, in the form of a privacy notice.
Special Category Personal Data, including:
- * Racial or ethnic origin
- * Political opinions
- * Religious or philosophical beliefs
- * Trade union membership
- * Genetic data
- * Biometric data
- * Health data
* Data concerning a person’s sex life or sexual orientation
and Criminal Conviction Data requires a further condition for processing from Article 9 or 10 of the GDPR.
We will be venturing into each lawful basis for processing in our future articles. In the meantime, if you need further support with the processing of personal data and the lawful basis for processing personal data, contact us on 0800 999 5550 or email me at email@example.com.
Tom Ward – Senior Data Protection Advisor.