Can You Have More than One Legal Basis for Processing Data

You must therefore keep a record of the basis on which you rely for each purpose of processing, together with a justification of why you believe that basis applies. There is no standard form for this, as long as what you record is enough to demonstrate that a legal basis exists. This will help you meet your accountability obligations and will also help you draft your privacy notices. The protection of the vital interests of a natural person is a fourth ground for lawful processing. FlyBe also provides another example of granular and informed consent: on its payment page, it offers an entire box dedicated to opting in to data processing for email marketing. The GDPR requires that any organisation that processes personal data has a valid legal basis for that processing activity. The law provides six legal bases for processing: consent, performance of a contract, legitimate interests, vital interests, legal obligation and public interest. The first question most organisations ask is whether they need consent to process the data. The answer is: not necessarily.

As mentioned earlier, consent is only one of the six legal bases for data processing. If you rely on consent, you should be aware that consent must be given freely and unambiguously, and that it must be as easy to withdraw consent as it is to give it. For any processing of personal data, it is important to determine the most appropriate legal basis, as also recommended by the guidelines on consent of the Article 29 Working Party (now the European Data Protection Board) from the end of November 2017. Identifying the most appropriate legal basis for the lawfulness of any processing activity begins before the actual processing starts. And, of course, as part of GDPR compliance, this presupposes that you already maintain the mandatory record of your personal data processing activities. Secondly, you must be able to prove that the data subjects have given their consent. This is where the "clear affirmative action" or written declaration referred to in Article 4 comes into play. However you collect proof of consent, you must do so in a manner that is "in an intelligible and easily accessible form, using clear and plain language." The vital interests basis applies when it is necessary to process personal data in order to protect someone's life. (This applies to any person's life, not just the life of the data subject.) Rather than defaulting to consent, the law requires you to identify and describe the appropriate legal basis for the processing of each category of data, including the special categories of data referred to in Article 9. It is your responsibility to ensure that you can demonstrate which legal basis applies to the purpose of each processing activity. Meanwhile, one of the most well-known features of the GDPR is that it applies to data controllers and processors located both inside and outside the EU.

If your purposes change over time, or if you have a new purpose that you did not originally plan for, you may not need a new legal basis as long as the new purpose is compatible with the original one. When reading Article 6(1), it is worth focusing on the words "the extent to which at least one of the following applies" (emphasis added). Different aspects of the processing of personal data within a project might each require a different legal basis, with some parts relying on consent and other parts on public interest; but "the extent to which" each applies requires that any further compatible processing remains consistent with the legal basis of the primary processing. Rather than giving more flexibility to the secondary processing of personal data already collected, Article 6(1) requires that whichever legal basis is chosen for each part of the processing is effectively communicated to the data subjects, and that the distinct legal requirements attached to each basis are complied with. Virgin Atlantic describes the exact mechanisms that data subjects can use to opt out of its marketing or communications. Fourth, consent must be freely given. You cannot refuse to provide your service because someone has not consented to the processing of their data. As above, this also means that you cannot pressure them into agreeing. They need to know what they are agreeing to, including whether you are collecting data on behalf of a third party and who that third party is. Whichever legal basis you choose, make sure it fully applies to your processing activities. Also remember to keep the appropriate documentation, including adding the relevant provisions to your privacy policy.

The basic approach is the same in every case. You should think about your purposes and choose the basis that fits them best. You can always use our legal basis tool to help you. If the controller is subject to a legal obligation for which certain personal data must be processed, the processing is permitted. Compliance with a legal obligation to which the controller is subject, and for which the processing is necessary, is not a new basis either. Vital interests covers a rare kind of processing activity that might be needed to save a person's life; this is most often seen in emergency medical situations. You should not take a one-size-fits-all approach. No basis should always be considered better, safer or more important than the others, and there is no hierarchy in the order of the list in the UK GDPR. The GDPR requires that all processors have a "legal basis" for any processing.

Simply collecting email addresses, as the sender above does, does not meet the mark on compliance. Although consent tends to be regarded as the strongest basis because it is the most transparent and least intrusive, there is no real hierarchy. Each legal basis is as solid as any other, as long as you meet its requirements both in your reasoning and in your data processing. However, special rules also apply here. What has changed from the predecessor of the General Data Protection Regulation is that recital 45 states: "Where the processing is carried out in accordance with a legal obligation to which the controller is subject, or where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, the processing should be governed by Union law or the law of the Member States." This restriction to Union law or the law of EU Member States has consequences. Which basis is appropriate depends on your specific purposes and the context of the processing. You need to think about why you want to process the data and determine which legal basis is best suited to the circumstances.

You can use our handy interactive tool to help you. The legal bases for processing are set out in Article 6 of the UK GDPR. At least one of them must apply whenever you process personal data (for example, basis 5: tasks carried out in the public interest or in the exercise of official authority vested in the controller). The legal basis for the processing is also important because it has a significant impact on how an organisation responds to requests from data subjects. Certain data subject rights depend on whether consent or the performance of a contract is the legal basis for the processing. There are other implications of the choice of legal basis too. For example, the processing of special categories of data, including race, ethnic origin, health data, biometric data and other sensitive information, requires specific processing conditions. In addition, certain types of processing of personal data may serve not only the vital interests of the data subject or another natural person, but also the public interest, for example in the event of disasters, epidemics and the like, as set out in recital 46 of the GDPR. And that brings us to the next basis for lawful processing: public interest grounds as such. In other cases, you will probably have a choice between relying on legitimate interests or on consent.

You need to think about the broader context. The public task basis refers to the need to process data in the public interest, for example in the course of a task carried out by a public authority. If you decide that you are a controller in relation to a particular category of personal data, you must determine whether you have a legal basis for processing that personal data and, if so, which one. Data collection involves obtaining raw data from available sources (including data warehouses) before going through a "clean-up phase" for processing. During the clean-up phase, the data is checked for errors and organised so that you only process high-quality (useful) data. Legitimate interests covers processing that a data subject would normally expect from an organisation to which he or she provides personal data, such as marketing activities and fraud prevention. If legitimate interests are used as the legal basis for the processing, the organisation must carry out a balancing test: is this processing activity necessary for the functioning of the organisation? Does the organisation's interest in the processing outweigh the risks to the rights and freedoms of the data subject? If the answer to either of these questions is "no", the organisation cannot rely on legitimate interests as the legal basis for the processing.