Lawfulness Criteria in GDPR
GDPR defines six grounds for a processing activity to be lawful.
- Consent: a user gives you specific consent to process data for specific purposes like taking consent for sending the newsletter
- Contract Requirements: processing is necessary for the contract to be executed or to get into the contract like processing home address for delivering goods ordered
- Legal Obligations: processing is necessary for a legal obligation like KYC for opening bank account
- Vital interest: processing is necessary for protecting vital interest of an individual like processing parent’s data to protect vital interests of a child
- Public task: processing is necessary for a public interest task laid down by the law or exercising official authority laid down by the law
- Legitimate interests: processing is necessary for the purposes of legitimate interests of the organization like preventing fraud on your website
Out of the above six, Consent, Contract and Legitimate interests are more relevant to your organization.
Consent
For consent to be used as a legal basis, you should meet all the following criteria:
- You should be able to demonstrate that the user has given consent. A good practice is to save records of consent along with the privacy notice
- If consent is part of a larger declaration, it should clearly be distinguishable from other information
- Withdrawal of consent should be as easy as giving consent. For example, if you collect consent via a checkbox, but consent withdrawal requires users to email or fill a form then it will not be lawful. A good practice is to build a Preference center where users can withdraw consent easily
- Finally, consent is valid only if it’s freely given. This means consent is valid only if the user has a choice and can freely decide to say yes or no.
GDPR sets very high standards of consent and for it to be valid it has to be:
- Freely given: For consent to be freely given, users should have a real choice of saying no. If you make consent a condition for getting service then it’s not a freely given consent. Also, in cases where there is a power imbalance between you and the user, consent wouldn’t be considered as freely given. An example of a power imbalance is employer/employee relationship.
- Specific: If your processing activity has multiple purposes, user should be given an option to consent to each purpose separately. This is also known as granular consent.
- Informed: User should be provided information in a clear and plain language about the identity of your company, purposes of processing and right to withdraw consent at any point. Technical jargons, legal terms or confusing language should not be used while giving information
- Given by positive action: Should be a clear affirmative action, passive consent via pre-checked boxes, inactivity will not be valid consent.
Contract requirements
For processing activities necessary to deliver a contractual service or for a user to enter a contract.
While it may seem tempting to add a lot of processing activities as a part of terms of use/ online contract, it is important to note that you have to pass the “necessity test” for each processing activity. Merely adding a processing activity as a part of a contract doesn’t make it lawful, it has to be necessary for delivering the contractual service which the data subject asked for. Some examples of processing activities where you cannot use contract as the legal basis:
- Service improvement: This processing activity is not necessary for provisioning the service hence contract wouldn’t be a legal basis. Legitimate Interest or Consent can be an alternative legal basis.
- Fraud prevention: Legitimate Interest or Legal obligation can be used for a legal basis
- Personalization: In some cases where the expectation of data subject is it to be part of the service you can use the contract as a legal basis. In most of the cases, personalization is used for increasing engagement and is not necessary for performing a contract, and contract is not the legal basis that can be used. For example, an e-commerce site uses last viewed products by a user to suggest new products on the website. This is not necessary for giving the e-commerce service and hence contract cant be used as a legal basis.
Legitimate interests
Legitimate interest is the most flexible legal basis that you can use. However, you need to consider the interests and rights of the data subject, especially where the data subject is a child. Before you choose to use legitimate interest conduct an assessment to check if the individual’s right overrides your interests. This is also referred to as the balancing test. ICO has great guidelines on legitimate interest.
Vaibhav is the founder of privado.ai and a CIPM certified privacy professional.