In the last article, we saw that GDPR has set in place some principles related to data processing. One of those principles was concerning the lawful processing of personal data. Let us in detail go through the provisions of Section 6 which speaks about the lawfulness of processing data
Article 6 of the GDPR states as follows-
- “Processing shall be lawful only if and to the extent that at least one of the following applies:
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.
- Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to processing for compliance with points (c) and (e) of paragraph 1 by determining more precisely specific requirements for the processing and other measures to ensure lawful and fair processing including for other specific processing situations as provided for in Chapter IX.
- The basis for the processing referred to in point (c) and (e) of paragraph 1 shall be laid down by:
- Union law; or
- Member State law to which the controller is subject.
The purpose of the processing shall be determined in that legal basis or, as regards the processing referred to in point (e) of paragraph 1, shall be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. That legal basis may contain specific provisions to adapt the application of rules of this Regulation, inter alia: the general conditions governing the lawfulness of processing by the controller; the types of data which are subject to the processing; the data subjects concerned; the entities to, and the purposes for which, the personal data may be disclosed; the purpose limitation; storage periods; and processing operations and processing procedures, including measures to ensure lawful and fair processing such as those for other specific processing situations as provided for in Chapter IX. 4The Union or the Member State law shall meet an objective of public interest and be proportionate to the legitimate aim pursued.
- Where the processing for a purpose other than that for which the personal data have been collected is not based on the data subject’s consent or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1), the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected, take into account, inter alia:
- any link between the purposes for which the personal data have been collected and the purposes of the intended further processing;
- the context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller;
- the nature of the personal data, in particular whether special categories of personal data are processed, pursuant to Article 9, or whether personal data related to criminal convictions and offences are processed, pursuant to Article 10;
- the possible consequences of the intended further processing for data subjects;
- the existence of appropriate safeguards, which may include encryption or pseudonymisation.”
An explanation to the above would be as follows:
The processing of the data shall be lawful only if at the minimum one of the following conditions are complied with:
- Consent:
The data subjects should have been made aware of the various purposes for which their data is being processed and only once they have given permission can it be said that the data is lawfully processed. However, in point number 4 there is a possibility that data can be processed for a purpose for which the data subject’s consent shall not be taken. In such cases, the following factors must be considered:
- Whether there is a link between the original purpose of the data being processed and the new purpose
- The context in which the data has been collected and the relationship between the data subject and the controller. (Recital 43 talks about free consent which mentions that there must not be an imbalance between the data subject and the controller. If there is an imbalance then there is no consent)
- The kind of personal data that is being processed- sensitive or related to criminal offences
- The consequences of the further data processing
- If any safety measures are being taken by the data controller such as encryption or pseudonymisation
2. Performance of a contract:
The processing shall be lawful in order to perform a contract or to comply with the data subject’s request prior to entering into a contract.
3. Legal obligation:
In order to fulfill a legal obligation, the processing is required. As per recital 45, it is not necessary that a statute must have been passed in the Parliament but it should have a basis in the Union or Member State law. The Member States can provide for the purpose of the data to be processed and set their own regulations.
4. Protection of vital interest of the data subject:
The processing shall be lawful not just for commercial interest but also for the larger public interest. For instance, the data can be processed to monitor the health of individuals in times of an epidemic or during the course of a natural or man made disaster.
5. Public interest or exercise of official authority:
As can be seen throughout the GDPR, processing for public interest or by an official authority is outside its purview since in the interest of national security, processing of personal data shall be done freely.
6. Fulfillment of legitimate interests:
When the interests of a data controller are legitimate, then the processing of data shall be lawful. However, these legitimate interests should not clash with the fundamental rights of the data subject, especially the fundamental rights of children.
The above is a succinct explanation as to what can be termed as lawful processing from the point of view of GDPR.