Establishing A Lawful Reason For Processing Personal Data

Published on Sep 23, 2021

Over several articles, we've been writing about different tips for implementing GDPR. In the series, we're focussing on how to conduct a GDPR audit. This is an activity all organisations should be familiar with, not just at the outset but in an ongoing capacity in the drive for optimum data compliance. In our last article we looked at data mapping and discovering what personal data your organisation holds, why it's retained, along with where and how it's being stored.

Now we're turning our attention towards establishing the lawful basis for processing personal data you hold. The processes outlined herein will also be of benefit when commencing a new project, as part of a data protection impact assessment (DPIA), and when implementing appropriate organisational measures to ensure data protection by design and default.

The starting point is that unless one of the conditions set out in Article 6 of the GDPR is met, the processing of personal data is illegal. And if you are processing special categories of data, Article 9 lists an additional ten exemptions of which at least one is required along with an Article 6 condition to enable lawful processing. Five of these exemptions involve further requirements to be satisfied under Schedule 1 of the Data Protection Act 2018.

Now, before you throw your hands up in the air and curse the day regulations were ever invented, let us reassure you that once you understand the requirements, developing policies and procedures to ensure compliance is relatively straightforward. And, if you focus on creating a culture of data protection and privacy compliance throughout your business, lawful processing will become second nature.

Article 6 and the legal basis for processing personal data

Under Article 6 at least one of the following must apply for the processing of personal data to be lawful:

  • You have obtained consent from the data subject.
  • Processing personal data is necessary for the performance of a contract.
  • Processing is required by the Controller in order to fulfil a legal obligation.
  • The vital interests of the data subject or another natural person are at stake.
  • Processing is required for the controller to carry out a task in the public interest or to execute official power vested in him.
  • Processing is required for the controller's or a third party's legitimate interests, unless those interests are outweighed by the data subject's interests or basic rights and freedoms that need personal data protection - particularly if the data subject is a minor.

Contrary to popular belief, businesses will often rely on several legal bases for different processing activities being carried out across individual departments. While consent is one of the more commonly used purposes, it is not always required or appropriate. For example, it is essential to process personal data for the performance of a contract or a legal obligation to ensure that normal operations can continue. In the same way, vital interest provides the lawful basis to hold emergency contact information of employees or customers.

For the remainder of the article, we will examine consent and legitimate interests in closer detail as these are the two lawful bases that cause the most confusion. We're also going to look at the soft opt-in rule under privacy and electronic communications regulations (2003).

Obtaining Consent

To clarify the definition of consent, we need to look at Article 4 (11), which states:

  • ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

You also need to be aware of Article 7 which sets out the conditions for obtaining consent, and what that means in practice:

  • Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.

In short, keep a record of where and how consent was given.

  • If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.

Don't obfuscate or bury requests for consent, be transparent and open, or else it may not count.

  • The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.

You must provide clear and unambiguous information about how to withdraw consent when first requesting permission to process the personal data. Ensure you explain how to make such a request and include details within your privacy information. Additionally, you can create an internal procedure to manage the data subject's withdrawal of consent under the GDPR so that staff knows how to handle the request efficiently.

  • When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia [among other things], the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

Requiring consent should not be used as a pre-condition for making a purchase or accessing a service, especially if the data isn't strictly necessary. Moreover, where personal information is required to deliver a solution, product, or service, the more appropriate legal basis for processing personal data would likely be the performance of a contract.

Your policies and procedures around obtaining consent should be drafted with Article 7 in mind. While considering the above for marketing communications, it is also worth looking at the soft opt-in rule under PECR.

The Soft Opt-In Option

Under the Privacy and Electronic Communications Regulations (PECR), you cannot send marketing emails, texts, or, in some circumstances, make calls, for example, where someone has registered with the telephone preference service (TPS) unless you have their consent. That said, PECR does provide what is known as a soft opt-in for electronic mail.

Essentially, this means that if someone has made a purchase or expressed an interest in making a purchase online (the ICO defines this as negotiating for a sale in its direct marketing guidance) and has given you their email, you can assume they will not object to receiving information or communications about similar products. You must, however, offer them a clear opportunity to opt-out when you acquire their information in the first place and in every communication you send after that.

In the specific situation of including marketing content within newsletter emails, the law has recently been clarified. There are no longer any grey areas when it comes to the sorts of information that may be distributed to a newsletter readership. We wrote about the legal ruling to provide certainty to marketers and business owners about what they can or cannot include in their newsletter communications.

Legitimate Interest

Although there are many applications where using legitimate interests may be appropriate, determining to use legitimate interests is a more complex process than for other legal purposes. For many businesses, this can be off-putting, but it doesn't need to be so.

Businesses can rely on legitimate interests as a reason to process personal information where they can demonstrate the decision-making balances the interests of the controller and the rights of data subjects.

If you are planning to use legitimate interests, you will need to conduct a Legitimate Interests Assessment (LIA). This is a light touch risk assessment. Although it is not a mandatory requirement, it is difficult to meet the GDPR accountability requirement without it.

Although there is no standard format for conducting an LIA, the ICO recommends following the below three-part test:

  1. The purpose test (identify the legitimate interest);
  2. The necessity test (establish if the processing is necessary); and
  3. The balancing test (consider the individual’s interests).

For the purpose test, consider why you want to process the data and what you are trying to achieve. You will need to take into account who benefits from the processing, whether this includes the wider public, and if so, how exactly. Conversely, what would be the impact of not processing the information?

Next, the necessity test looks at whether the processing is necessary for the purpose. Examine how your interests are furthered and if the processing is a reasonable means for securing those interests, or could a less intrusive way achieve the same result.

Lastly, the balancing test is intended to help you decide whether the data subject's interests override the legitimate interest. Here you will need to consider your relationship with the data subject, the types of data being processed, and whether it is special category data or children's data. If asked, would you be comfortable explaining why you are using personal data for the purpose in question, and would people think it is reasonable? You should also consider the impact on the individual, whether they are vulnerable in any way and what safeguards can be implemented to mitigate or minimise the impacts.

Several EU GDPR recitals (47, 48, 49, and 50) provide examples of types of processing that could be necessary for the legitimate interest of a controller. These include fraud prevention, network, and information security, indicating possible criminal acts or threats to public security. The Government Data Quality Hub recently published details of a legitimate Interests Assessment it performed using the ICO’s template.

Having the right combination of skills and experience

Establishing the lawful basis for processing personal data is a great example of why the data protection officer or lead should possess a thorough understanding of privacy laws combined with the experience of how the business operates. It is for this reason, we recommend implementing a long-term GDPR training, learning, and development programme to ensure that employees with data protection responsibilities develop their privacy skills alongside knowledge of the business and the industry sector.

The next step

Once you have established the lawful basis/s for processing personal data you hold, the next steps are to review your external notification and transparency documentation and create or review internal policies and procedures. We will cover all these steps in our next article.

To find out more about data protection and privacy law training, please email us at or call 0370 04 27701.

Click your chosen course below to see our next available courses dates

Freevacy has been shortlisted in the Best Educator category.
The PICCASO Privacy Awards recognise the people making an outstanding contribution to this dynamic and fast-growing sector.