What is a “legal basis to process personal data”?

Under the GDPR, a business that determines how personal data are processed may begin activities that involve the processing of personal data only if at least one of the following legal grounds applies:

  • The individual has given consent to the processing of his or her personal data for one or more specific purposes (an example is when an individual agrees to receive marketing emails from you);
  • Processing is necessary for the performance of a contract to which the individual is party, or in order to take steps at the request of the individual prior to entering into a contract (an example is when individuals buy items online: the business needs the individuals’ addresses in order to deliver the items);
  • Processing is necessary for compliance with a legal obligation to which the business is subject (an example is when you need to use an individual’s personal data to pay employment taxes);
  • Processing is necessary in order to protect the vital interests of the individual or of someone else (an example is when the emergency room of a hospital accesses the medical records of an unconscious individual);
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the business (an example is when the business processes payments from individuals on behalf of a governmental agency and therefore has access to the individuals’ personal data);
  • Processing is necessary for the purposes of the legitimate interests pursued by the business or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the individual which require protection of personal data, in particular where the individual is a child (an example is when a business decides to provide workers’ compensation insurance to its employees; it is in the interests of both the individuals and the business for this benefit to be provided, and the risk of using personal data to do so is very low).

There is no significance to the order of these legal grounds; one ground is not preferable to another. However, consent, contract and legitimate interests are the most commonly used legal grounds, and they will be explained in the next several blogs.

All the legal grounds except consent are subject to the requirement that the processing be “necessary” for a particular purpose or in order to do a particular thing. “Necessary” means the processing of personal data must be essential for the purpose pursued by the business. Is there another way of achieving the objective? If there is no other way, or if there is another way but it would require disproportionate effort, then the processing is necessary. If there are multiple ways of achieving the objective, then only the least intrusive means of processing the personal data is necessary.

This blog is the 17th in a series of blogs that describe and explain the GDPR. If you don’t want to wait until the next blog to learn more about the GDPR, take a look at GDPRsimple, http://www.keepgdprsimple.com, an automated web and mobile tool that can help SMEs implement the GDPR and demonstrate their implementation.

Next blog: How to get consent from individuals to process their data?
