Under the GDPR there are six defined Lawful Bases that a business can rely upon for the processing of personal data.
The one you choose for each data processing activity will depend on the reasons for that processing. Although there is no hierarchy to which lawful basis you might use, there are some common rules you can follow that will help you select the most appropriate basis. You should however choose carefully, as once you start processing data with one lawful basis in mind, it is very difficult to change that to a different lawful basis.
You also need to:
- ensure that whichever lawful basis you choose, it is not overridden by the individual's legal rights; and
- remember that a lawful basis does not necessarily entitle you to process that individual's data forever. Consent expires, legitimate interests change and what is reasonable must be considered.
1. Performance of a Contract
If the processing is necessary to enter into or "perform" a contract with a person (or their employer), then Performance of a Contract is likely to be the appropriate lawful basis.
- A prospective customer on your website, browsing your products or services and making an enquiry by telephone, email or a contact form, can be processed for the purposes of entering into a contract.
- Arranging interviews with and/or selecting a prospective employee is also looking to enter into a contract of employment, so you are lawfully entitled to process most data for that purpose. However, see our guidance on Special Category Data if any information you process could be used to negatively affect that individual, for example, precluding them as a candidate.
- An employee is usually employed and has a contract of employment, so processing employee data can largely be covered by this lawful basis.
- Completing a purchase made by a customer, including fulfilling the order, verifying delivery and administering warranties, returns or maintenance contracts.
These are not absolute rules and there may be other "contracts" you enter into which would be covered by this lawful basis. It is important however to remember that this lawful basis only applies where the individual (or their employer) is entering into a contract with your business, so you entering into a contract with a supplier where you hold the contact information of an individual person will not be performance of a contract.
2. Legitimate Interest
This is probably the second most common lawful basis that a business will use and it can be applied with a degree of "flexibility", although you must always consider the individual's overriding rights.
A legitimate interest can be:
- in the interest of the data subject (the individual)
- in the interest of your business
- in the interest of another party
Some examples:
- You may use online forms to collect personal data of prospective customers, providing you tell those individuals what information you collect and provide an opportunity to object to (opt out of) that processing, such as the collection of email addresses for email marketing. There are more complexities to this, but in principle Legitimate Interest can be used.
- Processing cookies for security or functional purposes, where it is in the interest of the individual to have their information maintained securely and, without the functional element, the site or service would not function for them as intended.
- Processing personal data on an individual employee of a supplier in order to make a purchase, pay an invoice or otherwise benefit that supplier is both in the interest of your business to make that purchase, and in the interest of another party to receive that order. Such an activity would be reasonably expected by everyone involved.
- Processing the personal data of a past customer in order to exercise a product recall would be in the legitimate interest of the individual, and potentially in your legitimate interest to prevent a future claim for faulty goods.
There are indeed many more scenarios where a Legitimate Interest exists and can be relied upon. Whenever you do so, however, you must conduct a Legitimate Interest Assessment before the processing takes place, which describes the processing, the legitimate interests involved, what other lawful bases you considered, why those other lawful bases were not appropriate and how the individual's rights will be complied with.
3. Consent
Consent is the lawful basis that most people have heard of and the one with the most contentious coverage.
You may have heard many so-called "experts" saying that everything under GDPR has to have consent. This is simply untrue; however, consent itself has to be given and cannot be assumed.
There is a clear definition in law of what constitutes consent, and unless all of the following are met, that consent would be considered invalid and unlawful:
- It must be absolutely clear what an individual is consenting to so that they can make an informed decision as to whether to consent.
- It must be as easy to "withdraw" consent as it is to grant consent.
- Consent must be "given" by means of an explicit action, such as the clicking of a button, selecting of an option, ticking of a box or otherwise.
- An individual must not feel compelled to grant consent. If the individual would be unfairly disadvantaged by not granting consent, the consent is not freely given.
- There must not be an "imbalance of power" where an individual feels that they must give consent or suffer some consequence for not giving that consent.
4. Vital Interest
For most businesses, this will only really come into play in an employment or health and safety context; however, that is not to say there will not be a Vital Interest in other scenarios.
A "Vital Interest" is where there is a significant risk to someone's life. For example, if you know that a person is considering self-harm or suicide, or has fallen from a ladder or otherwise seriously injured themselves and their life is in danger, you can process their personal data in order to provide them reasonable assistance, such as calling emergency services, a doctor, or family and friends.
5. Public Task
Not to be confused with the "Public Interest" basis of processing Special Category data, a Public Task is an activity carried out by or on behalf of a public body.
To rely upon this basis you must be able to demonstrate that the processing is:
- necessary in the exercise of an official authority, such as functions which are set out in law (policing, health and social care etc.); or
- necessary to perform a specific task that is in a public interest set out in law.
6. Legal Obligation
Almost every business will process an amount of personal data as part of a Legal Obligation.
Businesses are legally required to maintain accounting records, which will include details of customers and suppliers, so processing the personal data in an accounting context is a legal obligation. Likewise, if you have employees, you'll likely process their personal data under your legal obligation to record and report on Benefits, Income Tax, National Insurance and Pension Contributions.
With the COVID-19 pandemic in mind (and just to be clear, this is NOT what is currently legislated), in the event the UK government legislated that every retail or hospitality venue must by law collect the personal details of every guest or visitor, those establishments could lawfully collect and process that personal data for that specific purpose using the Legal Obligation lawful basis.
Finally, when considering a lawful basis, you must also consider your data retention obligations. For more information on retention, see our retention guide here.