Gone are the days when massive swathes of information could be collected, shared, and used for any number of reasons.

The GDPR goes into great detail about when and how personal information can be collected and processed. It also defines what a lawful basis is for collecting and processing personal data.

If you have customers or users in the European Union, you must have a "lawful basis for processing" under the General Data Protection Regulation (GDPR).

Having a valid lawful basis is a core requirement under the GDPR. You must carefully consider your lawful basis every time you collect, use, erase, or share EU consumers' personal information.

A quick list of other stipulations is as follows:

  • The data collected or processed must be proportional to the task at hand
  • The reason why data is being collected or processed must be disclosed
  • Only data needed to complete a task should be collected or processed
  • The collected data must only be held for as long as needed

Most organizations will need to rely on the lawful basis of "legal obligation" for certain uses of personal information. In this article, we'll help you understand when "legal obligation" applies, when it doesn't apply, and how to explain your use of this lawful basis in your Privacy Policy.

The GDPR's Lawful Basis for Processing

Let's start with a quick explanation of the GDPR's concept of a "lawful basis for processing."

The terms "legal basis" and "lawfulness" are used throughout the GDPR to refer to when it is permissible to collect or process personal data.

The GDPR protects "personal information" ("personal data"), meaning any information relating to an identifiable person. This could mean anything from a person's name, their credit card number, to their internet browsing history.

"Processing" personal information means doing something to or with personal information. For example, collecting it, sharing it, storing it or deleting it.

In the eyes of the GDPR, a legal basis is a justifiable reason why a data controller is collecting or processing the data of an individual.

Examples include completing tasks that individuals have signed up for, marketing to which individuals have given their consent, or legitimate interests that benefit both the data controller and the data subject.

People in the EU have a fundamental right to privacy. Under EU law, it's illegal to process personal information unless you have a good reason for doing so. This "good reason" for processing personal information is known as a "lawful basis for processing."

There are some general principles for choosing a lawful basis. For example:

  • If you need to process personal information to comply with the law, choose "legal obligation"
  • If you can offer someone a genuine, free choice as to whether to process their personal information, "consent" may be appropriate
  • If it is in your interests to process someone's personal information, and the person's right to privacy doesn't outweigh your interests, "legitimate interests" may be appropriate

What are the lawful bases?

Article 6 is perhaps the most important section of the GDPR covering lawful bases for the collection and processing of personal data. It cites six lawful bases for processing:

Illustration of the GDPR legal bases for data processing from GDPR Article 6

In it, we're given the requirements for lawful data processing, informed that Member States may introduce stricter requirements, informed of the authorities in such cases, and given guidelines for when data may be processed for additional purposes than those originally consented to.

Along with legal obligation, the lawful bases include "consent" (you ask a person if you can process their personal information) and "contract" (you need to process personal information to fulfill contractual obligations or enter into a contract).

Let's dive deeper into each of these sections.

Article 6 - Part 1: Requirements for lawful processing

Part 1 of Article 6 lays out the possible circumstances for when it is lawful to process personal data.

These circumstances are:

  1. When consent has been given by the data subject for a specific purpose
  2. When processing is necessary to perform or prepare for a contract with the data subject
  3. When there is a legal obligation
  4. When protecting the vital interests of the data subject or someone else
  5. For the public interest or when exercising official authority
  6. To carry out legitimate interests of the data controller or a third party where these interests do not infringe on the rights, freedoms, or interests of the data subject

If none of these conditions are met, data is not to be processed under the GDPR.

Point (a) is pretty straightforward.

GDPR Article 6 Section 1(a): Lawfulness of processing - Consent

For example, if a data subject consented to giving an email address to join a newsletter, the data controller has the right to use that email address to send the newsletter. The data controller obtained consent, then followed through with the task.

Point (b) refers to situations similar to point (a), but in these cases data processing is often implied and consent may not be specifically needed.

GDPR Article 6 Section 1(b): Lawfulness of processing - Contracts

For example, if an individual gives a phone number to the website of an attorney to be contacted about a potential case, the attorney has a right to use that phone number and contact the individual. This is because it is implied that this was the reason why the individual gave out their phone number.

Point (c) refers to situations where the data controller is legally obligated to provide certain information.

GDPR Article 6 Section 1(c): Lawfulness of processing - Legal obligation

For example, if a company is subpoenaed to provide documentation about an event, this could include information regarding an individual involved in the event. The data controller may be legally obligated by the court to process such data as it is relevant and necessary for the case.

There are, of course, requirements for when a legal obligation could require data processing and situations where the data subject's rights and freedoms would not permit such processing, but that topic would require an article in and of itself.

Point (d) may refer to situations such as data breaches or suspected fraud.

GDPR Article 6 Section 1(d): Lawfulness of processing - Protect vital interests

For example, if a company discovers suspicious behavior on a customer's account, it may be in the vital interest of that individual to take action to protect their account, personal information, or finances.

Data processing may be required to suspend the account, temporarily change a compromised password, and/or contact the customer about the situation. This would be permissible in the vital interest of that data subject.

Point (e) may refer to situations such as investigating a crime where it is in the public interest or by official authority that data be processed to track down a suspected culprit.

GDPR Article 6 Section 1(e): Lawfulness of processing - Public interest

For example, if an email containing a phishing scam is distributed to steal private information from its recipients, it would be in the public interest to track down the sender and determine their identity, in order to stop the email from being distributed further and to prevent any information already obtained from being used unlawfully.

Point (f), the "legitimate interests" of the data controller, is the GDPR's catch-all provision.

GDPR Article 6 Section 1(f): Lawfulness of processing - Legitimate interests

Essentially, this point is intended to cover unforeseen and unregulated instances where the data controller has a compelling reason to process data that is not covered by the previous points.

This is counterbalanced by the inclusion that the data controller's legitimate interests must be weighed against the rights, freedoms, and interests of the data subject.

For example, a company claiming "legitimate interests" as a lawful basis for sending marketing material to a former customer without first obtaining consent would not be a strong case as the former customer has rights to privacy and may or may not be interested in receiving those marketing offers.

However, an app developer contacting users to inform them of an update to the app that solves a newly discovered security issue would be a strong case, as a potential security flaw would be of interest to both the app developer as well as its users. This would be a good case for a company claiming legitimate interest as the lawful basis for processing data where prior consent was not obtained.

Article 8: Children and minors

Article 8 covers when it is lawful to process the personal data of children and minors.

GDPR Info: Article 8: Conditions applicable to child's consent in relation to information society services

Simply put, children under the age of 16 require a parent or guardian to give consent on their behalf. Individuals aged 16 or over are permitted to give consent on their own behalf under the GDPR.

Member States are given the authority to lower the age from 16 down to as low as 13, but not lower.

What if you don't have a lawful basis for processing?

Before you process personal information, you must establish a lawful basis unless the processing is covered by one of the GDPR's very narrow exemptions.

If you can't establish a lawful basis, you shouldn't process personal information.

Processing personal information without a valid lawful basis can lead to the highest fines available under the GDPR: up to 4% of annual worldwide turnover, or €20 million (whichever is higher).

Article 6 (1) (c) of the GDPR states that you may process personal information if it is: "necessary for compliance with a legal obligation to which the controller is subject."

EUR-Lex: GDPR Article 6 - Lawfulness of processing - Legal obligation highlighted

This means that you can process someone's personal information if you need to do so in order to comply with the law.

What are the relevant laws?

There doesn't necessarily have to be a specific law dictating that you process personal information in a given way. But there has to be a particular law dictating that you do (or don't do) something, and processing personal information must be the only way of doing it.

What about contract law?

You can only rely on law originating from a statute or legal decision (sometimes known as the "common law"). For obligations under contract law, you may be able to rely on the lawful basis of "contract" instead.

What about non-EU law?

The relevant law must be a law of the GDPR-covered country in which you are operating or the EU itself. If a country is not covered by the GDPR (for example, the U.S., Canada, or Australia), then its laws will not provide a lawful basis for processing.

The GDPR states that it must be "necessary" to process personal information for legal compliance purposes. The term "necessary" shouldn't be interpreted too narrowly.

If processing personal information is a "reasonable and proportionate" way for you to ensure legal compliance, then you might be able to rely on "legal obligation." Make sure that you have made an assessment and documented your decision.

The GDPR provides data subjects (individuals) with certain rights over their personal information. These rights are not absolute. This is particularly apparent when it comes to personal information collected under the lawful basis of "legal obligation."

Under some circumstances, you may need to refuse a data subject's request on the grounds that you are processing their personal information due to a legal obligation.

Here's how "legal obligation" affects the GDPR's data subject rights:

  • Right of access: The right of access functions normally regarding personal information processed under "legal obligation." You should still be able to provide a data subject with any personal information you have retained about them, regardless of the reason for which you have retained it.
  • Right to rectification: Rectification requests are also unlikely to be affected where personal information is processed under "legal obligation."
  • Right to erasure: You must not comply with an erasure request if you have a legal obligation to retain personal information.
  • Right to restrict processing: If you are legally obligated to process personal information in a given way, you will not be able to comply with a request to restrict your processing of that personal information.
  • Right to data portability: Data subjects do not have a right to data portability in respect of personal information processed under "legal obligation."
  • Right to object: Data subjects cannot object to your processing of their personal information if you are legally obliged to do so.

If you need to refuse a data subject request, you must explain your reasons for this.

The GDPR contains exemptions to its usual rules when personal data is required for "exercising or defending legal claims."

This means that if you need to use personal information in court, whether to pursue a claim against someone or defend against someone's claim, you might not need a lawful basis for doing so.

This activity is an exception to the GDPR's "lawful basis" requirements and is a separate concept from the lawful basis of "legal obligation."

Here are some examples of scenarios in which using the "legal obligation" lawful basis might be appropriate.

Payroll departments

A person's salary is personal information. People have a right to keep information about their income private. However, this right to privacy is not absolute.

Employers and human resources departments are legally obliged to provide payroll data to the tax authorities. They don't need to ask their employees for permission to do this. Indeed, it would not be appropriate to do so, as there is no meaningful way to object.

In this scenario:

  • The legal obligation is provided by tax authorities in their official guidance
  • The relevant type of personal information is "payroll data"
  • The method of processing is "sharing" (with the tax authorities)

An employer doesn't need to know which specific law provides the legal obligation to share payroll data with the tax authorities. It would be sufficient to show that it is following official government guidance.

Court subpoena

A common example of the "legal obligation" lawful basis arises where a court or law enforcement agency orders a company to provide personal information as part of a legal investigation or court case.

Suppose a legal authority orders you to share personal information to investigate a crime or administer justice. In that case, you can rely on "legal obligation" to share the personal information (so long as the order is valid and not overridden by professional confidentiality).

In this scenario:

  • The legal obligation is provided in a court order
  • The relevant type of personal information is whatever information is required by the court
  • The method of processing is "sharing" (with the court)

You must let people know that you may have to disclose their personal information in this way. We'll look at how you can do this in your Privacy Policy below.

Financial institutions

Financial institutions, such as banks, payment processors, and financial advisers, have extensive legal obligations to share personal information with law enforcement agencies where appropriate.

For example, under the UK's Proceeds of Crime Act 2002, financial institutions are required to report suspicious activity that might indicate money laundering.

In this scenario:

  • The legal obligation is stated in Section 7 of the Proceeds of Crime Act 2002 (and other relevant laws)
  • The relevant type of personal information is a person's name and other direct identifiers
  • The method of processing is "sharing" (with the National Crime Agency)

Updating Your Privacy Policy

The GDPR requires you to identify your lawful basis for processing personal information in your Privacy Policy. Note that you are likely to use several different lawful bases for processing different types of personal information.

Here's an example from the Financial Times:

Financial Times Privacy Policy: Data retention chart - Justification for Retention excerpt

The Financial Times' Privacy Policy identifies each category of personal information, examples of the type of personal information collected from this category, the retention period for this type of data, and the reason it is required to retain personal information for this period.

This approach might work if you are legally obligated to retain personal information for a given period.

Here's another approach from Complete Business Solutions:

Complete Business Solutions Privacy Policy chart with legal obligation highlighted

Complete Business Solutions provides the source of its personal information, the type of "process" that applies, and the purpose for processing personal information in each instance.

Many companies also include a general disclaimer in their Privacy Policy to make it clear that they might be required to share personal information with a court.

Here's an example from The Drum:

The Drum Privacy Policy: Disclosure of your information clause - For compliance with laws, regulations and legal requirements section - Legal basis highlighted

Penalties for failure to comply

Along with guidelines for the lawful collection and processing of personal data, the GDPR gives some guidelines about the potential fines and penalties for failing to comply.

The maximum penalty for breach of privacy laws has been increased under the GDPR to the higher of €20 million or 4% of annual global turnover. A fine of this magnitude would be reserved for only the most egregious breaches of privacy, but goes to show that it is vitally important to understand when it is and is not lawful to process the personal data of residents of the EU.

Article 82: Right to compensation and liability

Article 82 states that individuals who have suffered damages from a breach of the GDPR are entitled to compensation from the data controller and/or processor.

GDPR Info: Article 82: Right to compensation and liability

It does not go into detail about how much compensation could be required or give any examples of such a case; it simply states that this would be handled in court.

Summary

The GDPR requires that you have a lawful basis whenever you process personal information. "Legal obligation" is the correct lawful basis where you need to process personal information for legal compliance purposes.

Before you proceed:

  • Can you point to the legal obligation with which you are complying?
    • This could be a statute or guidance from an official government source
  • Can you explain why processing personal information is the only way for you to meet this legal obligation?
    • The processing must be necessary, or at least a "reasonable and proportionate" way to comply with the law
  • Have you updated your Privacy Policy?
    • You must notify data subjects of your lawful basis for processing personal information
