LAWFUL BASES

What is a lawful basis for processing data?

The first principle of the General Data Protection Regulation (GDPR) requires us to process all personal data lawfully, fairly and in a transparent manner. Processing is only lawful if we have a lawful basis under Article 6 of the GDPR.

The requirement to have a lawful basis in order to process data is not new. It replaces and mirrors the previous requirement to satisfy one of the ‘conditions for processing’ under the Data Protection Act 1998 (DPA); however, the GDPR places more emphasis on being accountable for, and transparent about, the lawful basis for processing that we rely on.

There are six lawful bases for processing data under the GDPR. They are broadly similar to the old conditions for processing, although there are some differences. The six lawful bases for processing data under the GDPR are:

  • Consent – you have given clear consent for us to process your personal data for a specific purpose;

  • Contractual Obligation – the processing is necessary for a contract we have with you, or because you have asked us to take specific steps before entering into a contract;

  • Legal Obligation – the processing is necessary for the Company to comply with the law;

  • Vital Interests – the processing is necessary to protect someone’s life;

  • Public Task – the processing is necessary to carry out a task in the public interest or for a public authority to carry out its official functions;

  • Legitimate Interests – the processing is necessary for the Company’s legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect your personal data which overrides those legitimate interests.

All of the lawful bases for processing data, other than consent, require that the processing is necessary. “Necessary” does not mean that the processing has to be essential; instead, it must be a targeted and proportionate way of achieving the purpose. None of the six lawful bases will apply if we can reasonably achieve the purpose by some other, less intrusive means.

The GDPR also classifies some data as special category data. The only special category data we process is personal data concerning health. Processing such data is prohibited under Article 9 of the GDPR unless we can satisfy both a lawful basis and a special category condition for processing the data.

Contractual obligation as a lawful basis for processing

We rely on contractual obligation as a lawful basis for processing personal data when you have a contract in place with us.

Article 6(1)(b) outlines using contractual obligations as a lawful basis for processing personal data by stating that the “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”.

What this means is that we may process your personal data if we have a contract in place with you, or you have asked us to take steps before entering into a contract with you, and the processing of your personal data is a targeted and proportionate way of:

  • achieving one of our contractual obligations to you; or

  • achieving something that you have asked us to do before you enter into a contract with us.

An example of this would be if you asked us for a quotation to install a new boiler. We enter into a contract with the customer every time we install a new boiler, so providing a quotation for the installation of a new boiler is a step taken at your request before you enter into a contract with us. If you choose to accept the quotation, then we will continue to process your personal data to fulfil our contractual obligations to you. This may include sharing your personal data with a third party (more information on who we may share your data with, and under what circumstances, is available here).

If we need to process any special category data in order to fulfil our contractual obligations to you, then we will rely on the special category condition outlined here.

Legal obligation as a lawful basis for processing

We rely on legal obligation as a lawful basis for processing personal data when we are required to process the personal data to comply with a common law or statutory obligation.

Article 6(1)(c) outlines using legal obligations as a lawful basis for processing personal data by stating that the “processing is necessary for compliance with a legal obligation to which the controller is subject”.

What this means is that we may process your personal data if we have to comply with a common law or statutory obligation, and the processing of your personal data is a targeted and proportionate way of complying with that obligation.

An example of this would be if we had just undertaken some work for you, after which we issue you an invoice. For tax purposes, we are legally obligated to keep financial documents, which would include a copy of this invoice, for 6 years after the end of the tax year in which it was produced. Therefore, we will store your name and address for this period, as this information is on the invoice.

If we need to process any special category data in order to fulfil our legal obligations, for example, if you are eligible for zero-rated VAT and we must store your eligibility form, which may have information concerning your health, with our tax records, then we will rely on the special category condition outlined here.

Legitimate interests as a lawful basis for processing

We rely on legitimate interests as a lawful basis for processing personal data when we have collected your data and need to process it, in a way that we believe you would expect, in order to carry out our routine activities that cannot be carried out in another reasonable and less intrusive way.

Article 6(1)(f) outlines using legitimate interests as a lawful basis for processing personal data by stating that the “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedom of the data subject which require protection of personal data, in particular where the data subject is a child”.

What this means is that we may process your personal data if we are pursuing a legitimate interest, such as carrying out our routine activities, provided that there is no other reasonable and less intrusive way of pursuing them. The use of legitimate interests as a lawful basis for processing can be overridden if the processing is likely to have an impact on you, or your data is being used in a way that could be considered unexpected. If we have a compelling reason to continue to process your data, then the processing is permitted as long as the impact on you is minimal and justified.

An example of this would be if you asked us to undertake some work for you at your property. In order to undertake the work, we will need to process your name, address and phone number. This is part of our routine activities, and you would expect us to process your data in this way; there is minimal impact on your privacy.

If we need to process any special category data in order to fulfil our legitimate interests, then we will rely on the special category condition outlined here.

© 2018 by Flood&French Ltd.


Unit 1B, Holywells Retail Centre, Holywells Road, Ipswich, Suffolk, IP3 0DL

Reg No. 05364762 - VAT No. 883400134