Lawful processing

For processing to be lawful under the GDPR, you need to identify a lawful basis before you can process personal data. These are often referred to as the “conditions for processing” under the DPA.

It is important that you determine your lawful basis for processing personal data and document this.

This becomes more of an issue under the GDPR because your lawful basis for processing has an effect on individuals’ rights. For example, if you rely on someone’s consent to process their data, they will generally have stronger rights, for example to have their data deleted.

The GDPR allows member states to introduce more specific provisions in relation to Articles 6(1)(c) and (e):

“(c) processing is necessary for compliance with a legal obligation”;

“(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.”

These provisions are particularly relevant to public authorities and highly regulated sectors.

The tables below set out the lawful bases available for processing personal data and special categories of data.

Lawfulness of processing conditions
6(1)(a) – Consent of the data subject
6(1)(b) –  Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
6(1)(c) – Processing is necessary for compliance with a legal obligation
6(1)(d) – Processing is  necessary to protect the vital interests of a data subject or another person
6(1)(e) –  Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

6(1)(f ) – Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.

Note that this condition is not available to processing carried out by public authorities in the performance of their tasks.

 

Conditions for special categories of data
9(2)(a) – Explicit consent of the data subject, unless reliance on consent is prohibited by EU or Member State law
9(2)(b) – Processing is necessary for carrying out obligations under employment, social security or social protection law, or a collective agreement
9(2)(c) –  Processing is  necessary to protect the vital interests of a data subject or another individual where the data subject is physically or legally incapable of giving consent
9(2)(d) – Processing carried out by a not-for-profit body with a political, philosophical, religious or trade union aim provided the processing relates only to members or former members (or those who have regular contact with it in connection with those purposes) and provided there is no disclosure to a third party without consent
9(2)(e) – Processing relates to personal data manifestly made public by the data subject
9(2)(f) – Processing is necessary for the establishment, exercise or defence of legal claims or where courts are acting in their judicial capacity
9(2)(g) – Processing is necessary for reasons of substantial public interest on the basis of Union or Member State law which is proportionate to the aim pursued and which contains appropriate safeguards
9(2)(h) – Processing is necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional
9(2)(i) – Processing is  necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of healthcare and of medicinal products or medical devices
9(2)(j) – Processing is necessary for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes in accordance with Article 89(1)

Consent

Consent under the GDPR must be a freely given, specific, informed and unambiguous indication of the individual’s wishes. There must be some form of clear affirmative action – or in other words, a positive opt-in – consent cannot be inferred from silence, pre-ticked boxes or inactivity. Consent must also be separate from other terms and conditions, and you will need to provide simple ways for people to withdraw consent. Public authorities and employers will need to take particular care to ensure that consent is freely given.

Consent has to be verifiable, and individuals generally have more rights where you rely on consent to process their data.

Remember that you can rely on other lawful bases apart from consent – for example, where processing is necessary for the purposes of your organisation’s or a third party’s legitimate interests.

You are not required to automatically ‘repaper’ or refresh all existing DPA consents in preparation for the GDPR. But if you rely on individuals’ consent to process their data, make sure it will meet the GDPR standard on being specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn. If not, alter your consent mechanisms and seek fresh GDPR-compliant consent, or find an alternative to consent.

Next steps for the Article 29 Working Party

According to its workplan, the Article 29 Working Party will publish guidelines on consent in 2017.

Next steps for the ICO

We have published our draft consent guidance for public consultation. The deadline for responses has now passed. We will analyse the feedback received and feed this into the final version which is due for publication in the summer.

Children’s personal data

The GDPR contains new provisions intended to enhance the protection of children’s personal data.

Privacy notices for children

Where services are offered directly to a child, you must ensure that your privacy notice is written in a clear, plain way that a child will understand.

Online services offered to children

If you offer an ‘information society service’ (ie online service) to children, you may need to obtain consent from a parent or guardian to process the child’s data.

The GDPR states that, if consent is your basis for processing the child’s personal data, a child under the age of 16 can’t give that consent themselves and instead consent is required from a person holding ‘parental responsibility’ – but note that it does permit member states to provide for a lower age in law, as long as it is not below 13.

‘Information society services’ includes most internet services provided at the user’s request, normally for remuneration. The GDPR emphasises that protection is particularly significant where children’s personal information is used for the purposes of marketing and creating online profiles.

Parental/guardian consent is not required where the processing is related to preventative or counselling services offered directly to a child.

Next steps for the ICO

The ICO is working on the issue of children’s personal data and we aim to publish output from this in 2017.