What is a Lawful Basis and why do we need one?
Whilst the use of personal data continues to expand, Data Controllers are still required, in accordance with the first Data Protection principle in Article 5 of the General Data Protection Regulation (GDPR), to determine their ‘lawful basis’ for each processing activity, so as to meet the requirement that personal data is processed lawfully, fairly and transparently.
Article 6 of the GDPR provides the Data Controller with a choice of six lawful bases to use, these are:
- Consent;
- Performance of a Contract;
- Legal Obligation;
- Vital Interests;
- Public Task;
- Legitimate Interests.
Whilst there are six you can choose from, no basis is valued as better or more important than another; the right one depends on the purpose of the processing and the relationship with the Data Subject.
The main consideration when determining the most appropriate lawful basis for processing personal data is to ensure that the Data Controller gets it right the first time. This is important because, once chosen, a Data Controller cannot switch to a different basis unless they have a good and valid reason for doing so. If ‘consent’ has been chosen as the lawful basis, switching away from it later is even more difficult, because the Data Subject was told they could withdraw it.
The lawful basis for processing personal data must be presented and communicated to the Data Subject at the time the data is collected, or, where the data was received via a third party, within a reasonable period and at the latest within one month. This information is normally provided to the Data Subject in the form of a privacy notice, which can be delivered in a number of ways.
Special Category Personal Data, which includes:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data (where used to uniquely identify a person)
- Health data
- Data concerning a person’s sex life or sexual orientation
and Criminal Conviction Data each require a further condition for processing, in addition to the Article 6 lawful basis, under Article 9 (Special Category Data) or Article 10 (Criminal Conviction Data) of the GDPR.
We will be venturing into each lawful basis for processing in our future articles. In the meantime, if you need further support with the processing of personal data and the lawful basis for processing personal data, contact us on 0800 999 5550 or email me at email@example.com.
Tom Ward – Senior Data Protection Advisor.
Posted on 21st Apr 2020 07:49:48 by Matt
Tags: Data Protection.
In the modern digital age, the use of personal data is expanding in terms of volume and value. UK privacy law ensures the commercial use of personal data is fair when balanced with the rights of UK data subjects. Monitoring compliance with applicable privacy laws is a key responsibility of a Data Protection Officer (DPO) but does your organisation actually need a designated DPO? Let’s take a look at the facts…
Article 37 of the General Data Protection Regulation (GDPR) states that a controller or processor of personal data must appoint a DPO if it meets any one of the following criteria:
- The processing is carried out by a public authority or a public body (except for courts acting in their judicial capacity). Examples of this include: the governing body of a higher learning institution, an NHS trust or a county council.
- The core activities of the controller or processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale. An example of regular and systematic monitoring could include operating business CCTV or tracking online behaviour.
- The core activities of the controller or processor consist of processing on a large scale of special category personal data (Article 9) or personal data relating to criminal convictions and offences (Article 10). This type of processing could, for example, be undertaken by health organisations, criminal record checking organisations or trade unions.
How do you know if the processing is large scale?
Although neither the GDPR nor the Data Protection Act 2018 defines ‘large scale processing’, the Article 29 Working Party’s guidance on DPOs recommends that, to decide whether processing is on a “large scale”, you consider:
- The number of data subjects concerned.
- The volume of personal data.
- The variety of personal data.
- The duration of the data processing.
- The geographical extent of the processing.
Are you unsure whether you meet any of the above criteria?
Contact us on 0800 999 5550 or email me at firstname.lastname@example.org for a confidential discussion about your commercial processing activities.
Harry Ware - Senior Data Protection Adviser
Posted on 14th Apr 2020 09:53:50 by Matt
An introduction to our brand new and first ever podcast - The Diary of a DPO.
Introducing The Diary of a DPO podcast with Matt Bruce, CEO of Bruce & Butler - Data Protection and Information Security Specialists based in the UK.
Matt will give you an insight into the role of a Data Protection Officer whilst exploring new and emerging technologies and how they process personal data.
Believe me, the role of a Data Protection Officer (DPO) isn’t half as boring as it sounds.
It’s an increasingly important role and one that’s ever changing with the advancing pace of technological change, particularly with the emergence of Cloud, Big Data, Analytics and Artificial Intelligence (AI).
Ensuring the compliant, secure and ethical processing of personal data is now a top corporate risk, with the consequences of getting it wrong potentially terminal for organisations.
Check out our podcast on the following platforms:
- Apple Podcasts: https://podcasts.apple.com/us/podcast/the-diary-of-a-dpo/id1506468068?ign-mpt=uo=4
- Spotify: https://open.spotify.com/show/7h9XIpEJNZV4xHEVEVMnXZ
- AudioBoom: https://audioboom.com/channels/5022082
Posted on 14th Apr 2020 09:39:15 by Matt