What is legal basis under GDPR?
In a conversation the other day, I was trying to explain why some data couldn’t be collected and processed under “legitimate interests”. I wrote the following to outline the different types of legal basis under which data can be collected or processed.
I thought these examples might be useful to help you decide how you are collecting and processing data. This is not legal advice, and you should seek professional advice if you have concerns. You should also read the formal guidance for the UK
Also massive props to Sunitha for being my guinea pig for all the examples. She’s a lovely human and doesn’t really deserve all these things to happen to her!
Sunitha goes to a website and enters her name and email address to get access to a report on “data protection for you”. That was clearly active consent, and is covered under consent.
Sunitha’s data is passed by her employer to an HR firm so that they can process the HR data in order to pay her. Her employer has signed a contract with the HR firm, and that is a contractual exchange of data. Note that Sunitha doesn’t have to knowingly consent to the HR firm having the data, although she should be bound under a contract with her employer to let them do that.
Sunitha’s employer is required to take a photocopy of her passport (personal data) to prove to the Home Office that they have checked she has a legitimate right to work in the country. They are required by law to do this, and therefore they don’t need her consent or a contract to do so.
Sunitha is found unconscious at the side of the road. The security guard who finds her looks in her wallet and discovers her name and where she lives, to give to the ambulance crew when they arrive. The guard believes that her life or wellbeing might be in danger, and as such he is acting in her “vital interests”, and can access that data without consent, a contract, or a legal obligation.
The Local Authority is inspecting Sunitha’s kitchen because she sells sandwiches on the side. They record that she is the owner of the kitchen and that it was clean. Her name and place of work are personal data, but the local authority can process that data as a public task, because they are the official authority for maintaining food standards (as appointed by the Food Standards Authority). They don’t need consent, a contract, vital interest or a legal obligation to do so.
Finally, Sunitha is an MP whose expenses have been sent to a major newspaper. The newspaper has scanned all of the expenses and put them online to allow citizens to look for illegitimate expenses and flag them. The newspaper considers that, as an investigatory journalistic organisation interested in the misuse of public funds, there is value in processing the data and making it available online, and declares that it has a “legitimate interest” in Sunitha’s expense receipts without consent, a contract, vital interest, legal obligation or public task to do so.