The European Union's General Data Protection Regulation (GDPR) sets out several rights for the individual data subject. The first of these is the right to be informed: the right of people whose data is being collected to know why they are being asked for it, how long it will be stored, what it will be used for, and on which legal basis it will be processed. In this edition of our GDPR Overview series, we will talk a little about what "legal basis" means in respect to the individual's right to be informed.
What is a legal basis?
Your legal basis for processing is one of the things you must tell people at the point where you collect their data (Article 13 requires it alongside the purposes of processing). State the reason(s) you are asking for the data and the purposes you intend to use it for. Providing the legal basis outright keeps the collection and processing activities transparent and shows your clients that you can be held accountable should there ever be a data breach or any other issue that puts the data at risk.
There are six possible legal bases that can be used when processing personal data:
1. If the individual provided their consent
If the individual from whom you are collecting personal data has given you valid consent to process it, then you have a legal basis for processing. Under the GDPR, consent must be freely given, specific, informed and unambiguous, which means the individual understands what purpose their data is being collected for and how you will use it before they consent. For special category data (see basis 4 below) the bar is higher still: consent must be explicit.
The individual must be aware they are giving their consent, meaning if they are submitting a form with their contact information or other personal data, checkboxes indicating consent cannot be automatically pre-checked. This enables you to be sure their consent is freely and knowingly given.
Speaking of providing consent, whenever you complete a form from the SimplyCast Team, underneath the email field you will see a message saying "By entering your email address, you agree to receive email updates and promotions." That statement is there so that the consent given by providing your email address is informed and unambiguous. Where an email address is also collected for some other purpose (a quote request, a download), the safer design is a separate, unticked checkbox for the marketing consent, so the two purposes are not bundled together.
As well, if SimplyCast did not already have your contact information and opt-in consent, you would have been asked to confirm your email address in an email sent to the address you provided. This is known as "double opt-in." Double opt-in prevents someone from signing up with a random email address or on behalf of someone else. Having to confirm your consent and email address through a message sent to that address reduces the chance that anyone will be opted in or subscribed against their will, and it gives you a timestamped record of the consent, which is what you will need to demonstrate it later.
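To make the double opt-in mechanism concrete, here is an added example of the flow described above. It is illustrative code written for this post, not SimplyCast's own implementation. The secret key, the in-memory subscriber store and the "outbox" standing in for a mail transport are assumptions so that it runs offline; the confirmation token is an HMAC-signed, time-limited record of the address and purpose, and the consent record it produces carries the purpose, the request and confirmation timestamps and the method, which is the evidence you keep for the right to be informed.

```python
"""Double opt-in with a signed, time-limited confirmation token.

Added example for this post; not SimplyCast's code. SECRET_KEY, the
in-memory stores and the outbox are stand-ins for a secrets manager,
a database and a mail transport.
"""
import base64
import hashlib
import hmac
import json
import time

# Assumption: in production this comes from a secrets manager, never from source.
SECRET_KEY = b"example-only-replace-with-a-real-32-byte-secret"
TOKEN_TTL_SECONDS = 24 * 60 * 60

subscribers = {}    # email -> consent record (stand-in for a database table)
used_tokens = set()  # digests of tokens already redeemed, to stop replay
outbox = []          # confirmation e-mails that would have been sent


class ConfirmationError(Exception):
    """Raised when a confirmation link is forged, expired, malformed or reused."""


def _mac(payload: bytes) -> str:
    """HMAC-SHA256 over the token payload, hex encoded."""
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()


def request_subscription(email: str, purpose: str, now=None) -> str:
    """Step 1: the form is submitted. Nothing is added to the list yet; a
    signed token is e-mailed to the address the visitor typed in."""
    email = email.strip().lower()
    issued_at = int(now if now is not None else time.time())
    payload = json.dumps(
        {"email": email, "purpose": purpose, "iat": issued_at},
        separators=(",", ":"), sort_keys=True,
    ).encode()
    token = base64.urlsafe_b64encode(payload).decode().rstrip("=") + "." + _mac(payload)
    outbox.append({"to": email, "confirm_token": token})
    return token


def confirm_subscription(token: str, now=None) -> dict:
    """Step 2: the visitor clicks the link. Only a valid, unexpired, unused
    token for the address it was sent to produces a consent record."""
    now = now if now is not None else time.time()
    try:
        encoded, mac = token.split(".", 1)
        payload = base64.urlsafe_b64decode(encoded + "=" * (-len(encoded) % 4))
    except ValueError as exc:  # covers binascii.Error as well
        raise ConfirmationError("malformed token") from exc
    # Verify the signature before trusting anything inside the payload.
    if not hmac.compare_digest(_mac(payload), mac):
        raise ConfirmationError("bad signature")
    claims = json.loads(payload)
    if now - claims["iat"] > TOKEN_TTL_SECONDS:
        raise ConfirmationError("token expired")
    token_digest = hashlib.sha256(token.encode()).hexdigest()
    if token_digest in used_tokens:
        raise ConfirmationError("token already used")
    used_tokens.add(token_digest)
    record = {
        "email": claims["email"],
        "purpose": claims["purpose"],       # what the person agreed to
        "requested_at": claims["iat"],      # when the form was submitted
        "confirmed_at": int(now),           # when the link was clicked
        "method": "double opt-in",          # how consent was obtained
    }
    subscribers[claims["email"]] = record
    return record


def is_subscribed(email: str) -> bool:
    """True only after the address has been confirmed."""
    return email.strip().lower() in subscribers


if __name__ == "__main__":
    t = request_subscription("Alice@Example.com", "email updates and promotions")
    print("subscribed before confirm:", is_subscribed("alice@example.com"))
    print(confirm_subscription(t))
```

Two design points matter here. The address is never added to the list until the token is redeemed, so a forged or mistyped sign-up simply expires. And the token is checked in order: signature first, then expiry, then single use, so an attacker cannot learn anything about the payload or the store from a forged link.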
2. It is necessary to fulfill a contract with the individual
If you have a contract between you and an individual and fulfilling the terms of said contract requires you to process the individual's personal information, then you have a legal basis for processing should there be no other reasonable way to meet the terms. In this case, a "contract" does not necessarily need to be a formal signed document in order for this legal basis to be legitimate. A contract is any agreement that can hold up under the requirements of contract law, whether written down or not.
This legal basis can also be claimed before entering into a contract with an individual, if they ask you to do something before the contract can be finalized, such as providing a quote. However, it does not apply if the individual did not specifically request that preliminary step, or if the request comes from a third party.
3. It is necessary to comply with the law
If you must collect and process an individual's personal data in order to comply with a common law or statutory obligation, then you may have a legal basis for processing. This legal basis does not cover contractual obligations between you and an individual. The processing must also be necessary in order to comply with the legal requirement. Should you use this legal basis, you must be able to specify the legal provision that requires you to collect the individual's information, or at least provide a reference to where the legal obligation can be found.
An example where this legal basis can be claimed is a court order that requires you to collect and process certain personal information for a particular purpose. Failing to comply with the order would put you and your business in breach of the law, so "compliance with a legal obligation" is the basis on which you process the information collected.
4. It is necessary to protect vital interests
If the collection and processing of data is necessary in order to protect someone's life, then you have a legal basis for processing the data. This legal basis is generally only used in cases of life or death when the individual cannot reasonably consent to the disclosure of the personal information needed to save their life. For health data and other special category data (sensitive data such as genetic or some biometric data), vital interests can only be relied on if the individual is physically or legally incapable of giving consent. For example, if an individual refuses to consent to having their data processed for a planned medical procedure, you cannot then claim vital interests as a legal basis instead.
This legal basis can also be used if the processing of an individual's personal data will protect the vital interest of another individual. Although rare, this circumstance could occur if the processing of a parent's information will help save the life of their child, for example.
5. It is necessary to perform a (lawful) task in the public interest
If you are a public authority, or an organization that carries out tasks in the interest of the public, then you may be able to claim legal basis for processing. This legal basis covers processing on the exercise of official authority, which can include public functions that are judiciary, parliamentary, or governmental, for example.
In order to be able to rely on this legal basis, the task or function of the data processing must be clearly based in law and you should be able to refer to the applicable law or statute for justification purposes.
6. It is necessary if your organization has a legitimate interest for processing the data
If you can demonstrate that your collection of personal data serves a genuine interest, that the processing is necessary for that interest, and that it will have minimal impact on the individual's privacy and be used in ways they would reasonably expect, you may be able to claim this legal basis for processing. Legitimate interests can be commercial (e.g. marketing), individual (benefiting an individual), or societal (benefiting a larger group), and can be either your own interest or that of a third party.
When using this legal basis, it is extremely important that you weigh your interests against those of the individual whose data you are processing and keep a record of that balancing test. The interests of the individual will likely override your "legitimate interest" if they would not reasonably expect the processing or if it would have any adverse effect on them.
While this legal basis is the broadest in terms of applicability, it must be noted that it is not always the most appropriate one. For example, public authorities such as governments cannot use "legitimate interests" when they are carrying out tasks as a part of their job. They should instead claim the "task in the public interest" basis. Only if they must process personal data for a reason unrelated to their public function can they claim "legitimate interests."
Justification leads to protection
In summary, an individual's right to be informed means that, when collecting data from them, you need to be up front and provide a justification for why their personal data is needed, how long you intend to store it for that purpose, and that you will not use it for any purpose other than the one initially stated. The legal basis for processing should be provided to clients in a clear and concise manner, using plain language to ensure comprehension and enable them to make an informed decision about whether or not they wish to give you this data.
Next week in the GDPR Overview series…
In the next edition of the GDPR Overview blog series, we will be talking about the individual's rights of access and rectification: the right to obtain a copy of their personal information and to have it corrected upon request.