Does an organisation always need my consent?

No. Organisations don’t always need your consent to use your personal data. They can use it without consent if they have a valid reason. These reasons are known in the law as a ‘lawful basis’, and there are six lawful bases organisations can use.

What counts as a valid reason or 'lawful basis'?

The six lawful bases for using data are:

  • consent;
  • contract;
  • legal obligation;
  • vital interests;
  • public task; and
  • legitimate interests.

These are explained in detail below.

When can an organisation rely on my consent? 

If an organisation wants to use consent as the reason it is using your data, it needs to ask you for permission. It must ask you in a way that can be clearly understood, explain exactly what it will do, and keep the request separate from its other terms and conditions. It needs to tell you all the organisations that will be relying on your consent and ask you to take an action to give your permission. This action has to be positive, eg ticking a box. It cannot use pre-ticked boxes.

The organisation should give you a genuine free choice about whether to consent, and it needs to make you aware that you can withdraw your consent at any time.

Example

Company Z asks you if you would like to receive a newsletter by email from their partner company, Company Y. This is entirely optional but you decide you do want to receive Company Y’s newsletter so you tick the box provided on their online form. The lawful basis being used in this instance is consent.

If an organisation asks me to agree to something does this mean I’m consenting?

Not necessarily. There will be lots of times when you have given an organisation your data and they ask you to agree to something, or give your permission for something, that is unrelated to data protection consent. For example, you may agree to sign a contract with an organisation, or agree to terms and conditions, but this doesn’t mean they will be using consent to process your data. Consent must be separate from other things.

Sometimes organisations have other legal or ethical reasons for which they have to get ‘consent’ to do something, but this doesn’t mean they need consent to use your personal data.

Example

Your GP tells you they want to refer you to the care of a specialist doctor. So that they don’t breach confidentiality, they need your consent to share your medical records. This is related to rules within the health sector.

However, this doesn’t mean your GP is using consent as the lawful basis to use your data. In this situation, public task, vital interests or legitimate interests are more likely.

Can organisations send marketing to me without my consent?

Yes, in some circumstances organisations might not need your consent to send marketing to you.

If organisations want to send marketing to you electronically (for example by email, text message or some phone calls), e-privacy laws may require them to have your consent.

However, if e-privacy laws don’t require them to get your consent, or the marketing is by post, organisations may be able to use one of the other lawful bases instead.

Example

Last month you made a one-off donation to a charity and, as part of this, you gave them your address. The charity decides that it has a legitimate interest in processing your address details to send you a fundraising letter by post. It believes that you would reasonably expect to hear from them and that the privacy impact on you is minimal, but it includes details of how you can opt out within the mailing. The charity relies on the legitimate interests basis to send the fundraising mailing to you.

What is the contract basis?

An organisation might use this reason if you have a contract with them, or because you have asked them to take certain steps before you start a contract with them.

Example

You buy a sofa from an online furniture store. As part of your contract with them, they agree to deliver the sofa. The store needs to use your address so it can deliver the sofa to you. Because using your address for this reason is necessary to fulfil the contract, the store uses the contract lawful basis.

What is the legal obligation basis?

An organisation might use this to comply with the law.

Example

Your employer needs to process your personal data to comply with its legal obligation to disclose employee salary details to HMRC. It relies on legal obligation to do this.

What is the vital interest basis?

An organisation might use this to protect your life or the life of someone else.

Example

You are admitted to the A & E department of a hospital with life-threatening injuries following a serious accident. Sharing your medical records with the hospital is necessary in order to protect your life, so the hospital relies on vital interests.

What is the public task basis?

An organisation might use this if it performs a task in the public interest or for its official functions.

Public authorities (eg local councils, government departments, NHS bodies etc) are likely to rely on this basis for a lot of the personal data they process.

Example

When HMRC receives your details from your employer, it needs to use these to calculate your tax. HMRC has an obligation to use your data for tax purposes, so it can use the public task lawful basis to do this.

What is the legitimate interests basis?

An organisation might be able to use your data for its legitimate business interests.

Legitimate interests is likely to be used in situations where the organisation is using your personal data in ways you would reasonably expect and which are low-risk and won’t have a big impact on you, or where the organisation has a compelling reason that justifies the impact.

You can object to the use of your data when the organisation is using this basis. The organisation then has to think about whether it should be using your data and, if it decides to continue using it, give a very strong reason to justify why.

Example

Your sister is asked by her employer for the contact details of a relative in case she has an accident or becomes seriously ill at work. She gives her employer your contact details because she wants you to be her emergency contact.

Her employer considers that being able to contact you in an emergency is a legitimate interest as a responsible employer and that it’s also in the interests of both your sister and you that you’re told about the emergency.

As your contact details will only be accessed in an actual emergency and the impact of holding those details is very low, the employer decides that it can rely on legitimate interests to process your details.

How do I find out why an organisation is using my data?

Organisations must tell you why they use your data and what their valid reason or lawful basis is for this. You can find this information in their privacy notice. Their privacy notice must tell you:

  • why they are using your personal data; and
  • which of the six lawful bases is the reason they are using your data.

Often organisations process your personal data for a variety of purposes, so they may be relying on more than one lawful basis. However, all the bases they are relying on must be included in their privacy notice.

Can an organisation swap lawful basis?

Organisations must determine their lawful basis before they start processing your personal data. They should not swap to a different lawful basis at a later date without good reason. In particular, they can’t usually swap from consent to a different basis.