Legal Situation under the GDPR


Point (c) of Article 6(1) GDPR, read with Article 6(3) and recital 45, allows processing where it is necessary for compliance with a legal obligation to which the controller is subject under Union or Member State law. If the controller is under a legal obligation that cannot be met without processing certain personal data, that processing is permitted. This basis is not new: it already existed under the Data Protection Directive. A common example arises when a court or law enforcement agency orders a company to hand over personal data as part of a judicial investigation or legal proceeding. In the UK, the Data Protection Act 2018 defines "public authority" for these purposes as an authority under the Freedom of Information Act 2000 or the Freedom of Information (Scotland) Act 2002, excluding parish and community councils.

A separate basis, point (d) of Article 6(1), covers processing necessary to protect the vital interests of the data subject or of another natural person; the person at risk therefore does not have to be the data subject. It is not for the controller to decide what counts as a vital interest. The provision is aimed at life-threatening situations in which no other legal basis is available, but in which failing to process personal data (for example, to learn certain facts about the person at risk) would leave someone to die.

The position is different under Swiss law. Unlike the GDPR, the Swiss draft Data Protection Act (D-DPA), like the Act currently in force, does not require a controller or processor to identify and rely on a legal basis in order to process personal data: processing is permitted in principle. This also applies to sensitive personal data, as long as the data are not disclosed to third parties. Processing must not, however, unlawfully infringe the personality rights of the data subjects, and the Act lists the cases that in particular count as such an infringement.

The second legal basis in Article 6 GDPR, point (b) of Article 6(1), is processing that is necessary for the performance of a contract with the data subject, or in order to take steps at the data subject's request before entering into a contract. The European data protection authorities' guidelines on consent stress that consent is only one of the six legal bases listed in Article 6: before a controller starts a processing activity, it should consider whether consent is really the most appropriate basis or whether another basis fits better. Remember that if you choose consent for a given processing activity, you must also comply with all of the rules and data subject rights that attach to consent.

In some circumstances you may have to refuse a data subject's request because you are processing their personal data on the basis of a legal obligation. For example, the UK Proceeds of Crime Act 2002 (available here) requires financial institutions to report suspicious activity that may indicate money laundering.

Legitimate interests already existed as a legal basis under the Directive; what the GDPR adds are explicit limits on when this basis does NOT apply. Point (f) of Article 6(1) permits processing that is necessary for the purposes of the legitimate interests pursued by the controller or by a third party. The first limit, carried over from the Directive, is that those interests must not be overridden by the interests or fundamental rights and freedoms of the data subject (including, of course, the rights the GDPR itself grants). Unlike the Directive, the GDPR adds that this applies in particular where the data subject is a child. Second, the GDPR states expressly that public authorities cannot rely on legitimate interests for processing carried out in the performance of their tasks.

Besides legal obligation, the legal bases include "consent" (you ask the person whether you may process their personal data) and "contract" (you need to process personal data in order to perform a contract with the person or to enter into one). The conditions for valid consent are set out in Article 7 and explained further in recital 32 of the GDPR; the definition itself is in Article 4(11). Consent must be freely given, specific, informed and unambiguous. "Freely given" means the data subject has a real choice: any element of inappropriate pressure or influence that could affect the decision invalidates the consent. The Regulation here takes account of a possible imbalance of power between the controller and the data subject. In an employer-employee relationship, for example, the employee may fear that refusing consent will have serious negative consequences for the employment relationship, so consent can serve as a legal basis for processing only in a few exceptional situations. In addition, a prohibition on bundling (the "coupling ban" of Article 7(4)) applies.

Under that prohibition, the performance of a contract cannot be made conditional on consent to the processing of personal data that are not necessary for the performance of that contract. If you have customers or users in the European Union, you must have a "lawful basis for processing" under the General Data Protection Regulation (GDPR). Personal data may in general be further processed for a new purpose that is compatible with the purpose for which they were collected (Article 6(4)); this compatibility route is not open, however, for processing based on consent. Consent must always be specific and informed, and re-using the data for a new purpose would unfairly undermine the original consent. You will normally need fresh consent that specifically covers the new purpose; if you obtain it, you do not have to show that the new purpose is compatible. Consent means that the data subject has given the organisation permission to process his or her personal data for one or more processing activities. It must be freely given, clear and as easy to withdraw as it was to give, so organisations should be cautious about relying on consent as a legal basis. Pre-ticked consent boxes, for instance, are no longer acceptable under the GDPR. Now suppose instead that a judicial authority orders you to disclose personal data for the investigation of a crime or the administration of justice.

In that case you can rely on "legal obligation" to disclose the personal data, provided the order is valid and is not overridden by professional secrecy. Article 6(1) GDPR makes clear that processing of personal data is lawful only if, and to the extent that, at least one of the listed legal bases applies. Any justification for processing offered by the controller outside that list has no legal basis, and the processing is unlawful. Recital 45 of the GDPR adds: "It should also be for Union or Member State law to determine whether the controller performing a task carried out in the public interest or in the exercise of official authority should be a public authority or another natural or legal person governed by public law, or, where it is in the public interest to do so, including for health purposes such as public health and social protection and the management of health care services, by private law, such as a professional association."

Legitimate interest covers processing that a data subject would reasonably expect from an organisation to which he or she has given personal data, such as direct marketing or fraud prevention. An organisation that relies on legitimate interest must carry out a balancing test: Is there a genuine legitimate interest behind the processing? Is the processing necessary to achieve it, or could the same result be reached in a less intrusive way? Do the organisation's interests outweigh the risks to the data subject's rights and freedoms? If the answer to any of these questions is no, legitimate interest cannot be used as the legal basis. Examples of processing that rests on a legal obligation are plentiful: employment records, accident reports kept for health and safety purposes, and so on. The GDPR also grants data subjects (individuals) a number of rights over their personal data.

These rights are not absolute, and this is particularly noticeable for personal data processed on the legal basis of "legal obligation": a request to erase such data or to object to the processing will often have to be refused. Given all of this, organisations acting as controllers should carry out a detailed review of all their processing activities, establish a legal basis for each of them, and keep the documentation the GDPR requires (such as the record of processing activities under Article 30) for accountability purposes. Further information on the legal bases for processing personal data can be found here. Above all, the legal basis must be in place before processing begins. Organisations cannot start processing personal data and then try retroactively to fit it to a contract, obtain consent, or assert a legitimate interest.
