Your guide to choosing a GDPR Legal Basis

A practical guide to choosing the right GDPR legal basis for processing personal data, including consent, contracts, and sensitive data rules.

People often ask us if you need consent to comply with GDPR. In fact, consent is just one legal basis for processing personal data. Here, we share notes from our GDPR experts on choosing the right legal basis for data processing.

Background: What is a legal basis and why it matters.

GDPR is intended to protect the personal data of all EU citizens. It starts from the concept that everyone has a right to privacy (this is also enshrined in the European Convention on Human Rights). Under GDPR, a company, organization, or official entity can only “process” your personal data if they have a legal basis to do so.

Processing data is a very broad term covering accessing data; storing data (on paper or electronically); deleting or altering data; or transmitting data. In short, any operation that involves that data. Personal data is anything that can identify a living individual. This can include names, physical addresses, email addresses, location data, DNA or biometric data, and much more.

Legal bases

Article 6 of the GDPR defines 6 legal bases for processing personal data. At least one of these must apply before you are allowed to process the data. Note, however, that more sensitive data needs a different legal basis (see below).

  1. If you have the consent of the user. Here, the user must consent to the specific purpose and scope of the processing.
  2. To meet a contractual necessity. For instance, a company can pass your contact details to a logistics company if it’s necessary to facilitate delivery of an item you purchased.
  3. In order to comply with a legal obligation. For instance, employers are often obliged to check the immigration status of a member of staff.
  4. To protect the vital interests of the data subject. This might apply in the case of someone who is unconscious after an accident.
  5. If the processing is in the public interest or is related to an official task performed by a public authority. For example, tax authorities are allowed to request access to many of your private rec
  6. If you have a legitimate interest in processing the data. This basis can only be used if it doesn’t breach the fundamental rights and freedoms of the data subject (especially if the subject is a child).

Special categories of data

Before we get into the details of which legal basis you can use as a company, let’s unpick one other concept: sensitive personal data, which GDPR Article 9 defines as “special categories of data”. This is data on:

“racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.”

This matters because processing of this data is banned by default.

Fortunately, there are a number of legal bases you can rely on to process this data:

  1. With the explicit consent of the data subject. This means the subject is informed exactly which data is being processed, what the data processing is for, and has to explicitly acknowledge and consent to this.
  2. If this processing is necessary for an employer to meet the obligations of employment, social security, and social protection laws (and subject to appropriate safeguards).
  3. To protect the vital interests of a data subject who is physically or legally unable to give their consent.
  4. Foundations, trade unions and not-for-profit organisations are allowed to process certain special categories of data related to their own current or former members.
  5. If the data has clearly been made public by the data subject (for instance, if they posted about their health on social media).
  6. For the establishment, exercise, or defence of legal claims, or by a court acting in a judicial capacity.
  7. If there’s a substantial public interest subject to various protections under EU and national law.
  8. In order to allow an employer to assess the medical and physical capabilities of an employee or applicant.
  9. For the purposes of public health, for instance, to prevent serious threats to health from infected people crossing borders. (Note, including this was very prescient of the authors of the GDPR in light of the subsequent Covid-19 pandemic.)
  10. For archiving data for public interest, scientific, or historical research.

Choosing a basis for data processing

Choosing a suitable legal basis as a company requires several steps. The simplified flow chart below may help.

The first step when choosing a basis for data processing is to decide whether the data falls under Article 9 as a “special category” of data. For digital health companies, this means working out which data is and isn’t sensitive. This can be quite challenging and it definitely pays to talk with an expert.

For the sensitive data, you need to check whether one of the additional legal bases from Article 9 applies. If not, then you will need the explicit consent of the user.

You then repeat this for any data that isn’t covered under Article 9 and choose a suitable Article 6 legal basis.

Finally, you need to do the required documentation (especially a proper privacy policy) and put in place any required mechanisms. For instance, if you are relying on consent, you need to create suitable consent language, ensure it is displayed correctly in your app, and put in place consent logging to prove that users did indeed provide consent.
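As an added example (not code from the original guide or from Chino.io), one way to implement the consent logging that the last step calls for: each record binds consent to one stated purpose and data scope, refuses non-explicit consent for Article 9 categories, records withdrawals, and is hash-chained so that later edits or deletions of entries are detectable. The category labels, field names and sample inputs are assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed (not exhaustive) set of Article 9 "special category" labels.
SPECIAL_CATEGORIES = {"health", "genetic", "biometric", "sex_life", "religion",
                      "political_opinion", "ethnic_origin", "trade_union"}
GENESIS = "0" * 64


def _digest(prev_hash: str, payload: dict) -> str:
    # Each entry commits to the previous hash, so edits or deletions break the chain.
    data = prev_hash + json.dumps(payload, sort_keys=True)
    return hashlib.sha256(data.encode()).hexdigest()


class ConsentLog:
    """Append-only, hash-chained log of consent events (constructed example)."""

    def __init__(self):
        self.entries = []

    def record(self, subject_id, purpose, categories, consent_text, explicit, given=True, ts=None):
        categories = sorted(categories)
        if given and not explicit and any(c in SPECIAL_CATEGORIES for c in categories):
            raise ValueError("Article 9 data requires explicit consent")
        payload = {
            "subject_id": subject_id,
            "purpose": purpose,            # consent is bound to one specific purpose
            "categories": categories,      # and to the scope of data it covers
            "consent_text_sha256": hashlib.sha256(consent_text.encode()).hexdigest(),
            "explicit": explicit,
            "given": given,                # False records a withdrawal of consent
            "timestamp": ts or datetime.now(timezone.utc).isoformat(),
        }
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({"payload": payload, "hash": _digest(prev, payload)})
        return self.entries[-1]["hash"]

    def verify(self) -> bool:
        # Recompute the chain from the genesis value; any tampered entry fails.
        prev = GENESIS
        for entry in self.entries:
            if _digest(prev, entry["payload"]) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

    def has_consent(self, subject_id, purpose, category) -> bool:
        # The latest matching event wins, so a withdrawal overrides earlier consent.
        state = False
        for entry in self.entries:
            p = entry["payload"]
            if p["subject_id"] == subject_id and p["purpose"] == purpose and category in p["categories"]:
                state = p["given"]
        return state
```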
