Last week I wrote about the consumer-friendly approach to personal data collection and storage taken by the EU’s new General Data Protection Regulation (GDPR).
This regulation, which went into effect earlier this year, requires that companies only collect, store, or process personal data when there is consent or when it is necessary. Companies are often surprised at the broad definition of “necessary” under the regulation. Often, they do not need an individual’s consent to collect, store or process their personal data.
The GDPR provides five lawful bases outlining when it is “necessary” to process someone’s data. If your use falls into one of these five categories, then you do not have to worry about obtaining, or losing, consent.
Article 6(1)(b): Contracts
If the processing is “necessary for the performance of a contract” to which the individual is a party, or if the individual requested the company to do something prior to entering into a contract, the processing is necessary and therefore lawful under GDPR.
Here are some transactions that would fall under this category:
- Paul purchases a t-shirt from an online store, which creates a contract between Paul and the store. The store needs to collect data from Paul, including his shipping address and payment information, in order to complete the contract and hold up its end of the deal.
- Karen is having brochures printed for her office, and contacts a printing company for a quote. The printing company needs to collect Karen’s email address to send her the official quote. If Karen decides to work with the printing company, the company will need additional information in order to complete the transaction.
Contractual obligation will cover many transactions. However, an important part of the GDPR is that the data is collected for a specific and limited purpose, and that collection is limited to what is necessary for the original purpose. If you want to continue to use the customer’s information for marketing purposes after the transaction has completed, you may need to find a different lawful basis.
Article 6(1)(c): Legal Obligation
If a legal obligation requires you to process an individual’s information, you must do so.
Examples of legal obligation include:
- A court order requiring a business to turn over information on an individual.
- A financial institution that notices suspicious account activity that could indicate money laundering and reports that activity under the relevant criminal statutes.
- Businesses collecting and reporting required information about their employees to the relevant government agencies.
As these examples demonstrate, a company’s legal obligations to collect, distribute, or otherwise process personal data are typically spelled out in statutes, regulations, or court orders.
Article 6(1)(d): Vital Interests
The GDPR requires disclosure of personal data in situations when it is necessary to save someone’s life. This typically refers to sharing medical records between doctors, hospitals, and emergency rooms. Sharing information about the patient is permitted, and it is also permitted to share information about a child’s parents in order to save the child’s life.
Rule 46 of the GDPR also considers “protecting an interest which is essential” to the life of individuals to fall under this category, such as if processing data is necessary for emergencies, like fighting disease outbreaks, recovering from natural or man-made disasters, or other humanitarian emergencies.
However, it is also clear from the rules that if another lawful basis is available, someone controlling personal data should operate under that basis. Operating under a vital interest basis should be used only as a last resort.
Article 6(1)(e): Public Task
You are allowed to process data if doing so is “necessary for the performance of a task carried out in the public interest or in the exercise of official authority.”
If you work for a government agency, it is often necessary to process personal data. For example, immigration officials working at airports must process data of people at border crossings. This differs from the “legal obligation” basis, in that the data processing activity does not need to be specifically listed in a statute or regulation. However, there must be a clear source of law you can point to when processing data under the public task basis.
Additionally, organizations that are not government agencies but serve a public function may also operate under the public task legal basis. If a private company is charged with parking meter enforcement by a city, then that company may collect data on illegally parked vehicles. If a private company has been hired by a city to test water after a potential contamination, it is permitted to act under the public task legal basis.
Article 6(1)(f): Legitimate Interests
The GDPR also allows a company to process personal data when it is in a company’s legitimate interests to do so, as long as the interest is not outweighed by the interests or fundamental rights in an individual’s data.
This is the broadest of the categories with the most room for interpretation. Although this basis may seem flexible, it is not meant to be a free-for-all. As a company, you should ask:
- Are you pursuing a legitimate interest?
- Is the data processing necessary for this purpose?
- Do the individual’s interests override the legitimate interest?
Legitimate interests include using employee and client data for marketing, IT security, or fraud prevention. For example, a credit card company might monitor its customers’ data to prevent identity theft. An email server may analyze incoming mail to weed out spam or potential viruses. Direct marketing can also fall within the realm of “legitimate interests,” meaning that sending mail or emails to former and current customers can be lawful.
Even though it might be easy to say that every data processing activity falls under the “legitimate interest” lawful basis, your company should not rely on this category as a catch-all. Instead, carefully review your data processing activities to ensure you are operating under the necessary basis that best matches your intentions.
This article does not contain legal advice, and is for informational purposes only. Our internet privacy attorneys have significant experience helping our clients stay compliant with data privacy and protection laws. If you have questions regarding compliance with GDPR, contact Revision Legal’s attorneys with the contact form on this page, or call us at 855-473-8474.