Is my enterprise allowed to process personal data?

For every processing activity involving personal data, you must identify a valid ground under the GDPR, known as a ‘lawful basis’, that justifies the collection, use and other forms of processing of that data.

In practice, a company carries out several processing operations for different purposes, so an SME may rely on different lawful bases for its different processing activities. You cannot, however, rely on more than one lawful basis for the same processing activity: pick the basis that is most appropriate for the purpose before you start processing, and record that choice.

Article 6 of the GDPR provides an exhaustive list of the possible lawful bases:

  • Contract

  • Legal obligation

  • Legitimate interest

  • Consent

  • (Vital interest)

  • (Task carried out in the public interest or in the exercise of official authority)

 

Since the first four grounds are the most common in the context of SMEs’ businesses, only these four are discussed further below.

Contract

When you need to process personal data in order to perform a contract with the person concerned, you can rely on the lawful basis “contract”.

Some contractual obligations cannot be performed without collecting and processing certain personal data. This is often the case for SMEs, which process the personal data of their customers, employees or suppliers in order to carry out a contract with them.

Contract can also be used as a lawful basis for steps taken at the request of a potential client before a contract is concluded (e.g. when a potential client asks a home repair company for a quote to paint their house). Only requests that originate from the potential client, and not from the initiative of the controller or any third party, are covered.

“Contractual necessity” must be interpreted strictly. You must be able to demonstrate that the processing is objectively necessary for a purpose that is integral to the performance of the contract or to handling the pre-contractual request (e.g. the name of the contracting partner, the contact details of a customer or client, a delivery address). Processing that is merely useful, but not objectively necessary, for performing the contractual service or for taking the pre-contractual steps is not covered, even if it is necessary for other purposes of your business; such processing needs a different lawful basis.

Legal obligation

When you need to process personal data to comply with a legal obligation to which you, as controller, are subject, you can rely on “legal obligation” as the lawful basis for that processing.

To be able to rely on this lawful basis, the obligation must be imposed by EU law or by the applicable national law of an EU Member State (including secondary legislation or a binding decision of a public authority), and it must be mandatory. A contractual commitment or a voluntary industry standard is not a legal obligation in this sense.

Example:

A real estate agency processes personal data of its clients (name, date and place of birth, address) in order to carry out the client due diligence required by anti-money-laundering law. Under the GDPR, the agency can justify this processing on the basis of the legal obligation imposed on it by that law.

Legitimate interest

Sometimes processing personal data is necessary to pursue the legitimate interests of your enterprise or of a third party. Those legitimate interests can serve as a lawful basis for the processing, provided that the interests or fundamental rights and freedoms of the individual concerned do not override them.

A legitimate interest is a clearly articulated benefit to your enterprise, to third parties or to society that results from processing personal data in a lawful way. It must be a real and present interest (or one expected in the very near future), which rules out interests that are too vague or speculative. An interest can be considered legitimate if it is in accordance with applicable EU and national law.

When you rely on legitimate interests, carry out the three-step legitimate interest assessment (“LIA”) before you start processing: (1) the purpose test: identify the legitimate interest you are pursuing; (2) the necessity test: show that the processing is necessary to achieve it and that there is no less intrusive way to do so; (3) the balancing test: weigh that interest against the interests, rights and freedoms of the individuals concerned, taking into account what they would reasonably expect.

Under the accountability and transparency principles you must document the LIA and keep it on record. This lets you prove that an assessment was carried out and justify your decision to rely on “legitimate interests” for the processing in question.

See the ICO’s LIA template.

A common misconception is that “consent” is the main basis for processing personal data. Although it plays an important role, another lawful basis is often more appropriate depending on the context. Because of the strict, cumulative requirements for valid consent under the GDPR, be cautious about using “consent” and fall back on it only when no other lawful basis is better suited. Bear in mind that if you rely on consent and the individual refuses or withdraws it, you cannot simply switch to another lawful basis in order to keep processing.

Consent

You may process personal data when the persons concerned have given you their consent to do so.

“Consent” in the sense of the GDPR gives individuals real choice and control. It should put individuals in charge, build trust and engagement, and benefit your enterprise’s reputation.

For consent to be valid it must be freely given, specific, informed and unambiguous, and it must be expressed by a statement or a clear affirmative action. Silence, pre-ticked boxes or inactivity do not constitute consent.

Time for action!

Draft an informed consent form.

An informed consent form is a document setting out specific information about the processing of personal data you undertake and for which you want to obtain the individual’s consent.

All the information set out above must be included, and all the requirements for obtaining valid consent must be taken into account when drafting this document. Keep a record of who consented, when, how and to what, so that you can demonstrate that consent was given.

Besides the four requirements for valid consent, it is of the utmost importance that your company honours the individual’s right to withdraw consent at any time: withdrawing consent must be as easy as giving it, and the individual must be informed of this right before consenting.

Special categories of personal data

Special category data is personal data that is deemed more sensitive and therefore in need of more protection, because processing it can create significant risks to a person’s fundamental rights and freedoms (e.g. unlawful discrimination). Processing such data is prohibited by default: in addition to a lawful basis under Article 6, you need one of the specific conditions listed in Article 9(2) GDPR (for example the explicit consent of the individual).

The GDPR (Article 9) lists 10 special categories of personal data:

  • Race

  • Ethnic origin

  • Political opinions

  • Religious or philosophical beliefs

  • Trade union membership

  • Genetic data

  • Biometric data (where used for identification purposes)

  • Health data

  • Sex life

  • Sexual orientation

Time for action!

  • It is very important to also check the national law of the country in which you process special categories of data, as the GDPR leaves room for Member States to introduce additional conditions and safeguards.

  • Due to the sensitive nature of these data, place special emphasis on data security. Put appropriate technical and organisational measures in place, such as restricting access to the staff who genuinely need it, encrypting the data at rest and in transit, and logging who accesses it so that misuse or a breach can be detected.