2. Legal Basis of GDPR
www.seersco.com
The data controllers should do the following before the start of processing of personal data:
• Identify the lawful basis
• Document the lawful basis
If you find that your lawful basis is invalid under GDPR, this will lead to a breach of the accountability and transparency principles.
The choice of lawful basis depends upon:
• Purposes
• The context of processing
3. Lawful Basis
GDPR stipulates six lawful bases.
• Consent
• Contract
• Compliance with a legal obligation
• Vital interest
• Public interest
• Legitimate interest
4. Consent
It means the individual is agreeing to, and permitting, the collection and processing of his/her personal data.
• Consent is a weak basis for processing, and organisations will often not be able to rely on it.
Consequences of choosing consent as the lawful basis:
• Right to withdraw consent at any time
• The data controller must be able to demonstrate that consent for the processing of personal data was given by the data subject
5. Conditions for valid consent:
Consent is valid when it is:
• Separate from other terms and conditions
• Actively given – no pre-ticked boxes or implied consent
• Granular, and applied to separate processing and purposes
• Verifiable – organisations must keep an audit trail to prove that they obtained consent and that it was valid
• Easy to withdraw – just as easy as it was to provide
• No imbalance of power – not available to the public sector or in employer/employee relationships
6. Consent of children
To provide an information society service directly to a child:
• Processing of a child's personal data shall be lawful where the child is at least 16 years old and his or her consent is obtained directly.
• Where the child is below 16 years of age, processing is lawful only where consent is given, and the processing authorised, by the child's parents or guardians.
Explicit consent:
• A written consent statement, either in printed form with a signature or in an electronically readable format.
7. Contract
It applies when the data controller has a contract with the individual and needs to process their personal data to fulfil obligations under that contract.
The contract should be between the:
• Data controller
• Data subject
8. Legal obligation:
Organisations can rely on this lawful basis when they are obliged to process the personal data in order to comply with a common law or statutory obligation.
Organisations should identify:
• The specific legal provision
• An appropriate source of advice or guidance that clearly sets out the obligation
9. Vital Interest
Vital interest:
• Vital interest is the last choice, and it is very limited in scope.
• Organisations are likely to be able to rely on it only if they need to process personal data to protect someone's life.
10. Public Interest
Public interest:
Data controllers can rely on this lawful basis if they are processing personal data 'in the exercise of official authority'.
Official authority includes:
• Public functions
• Powers, or
• Specified tasks in the public interest that are stipulated by the law
11. Legitimate Interest
It means the stake that the organisation may have in collecting and processing personal data.
They can include:
• Commercial interests
• Individual interests, or
• Broader societal benefits
Legitimate interest is the most flexible lawful basis for processing.
If legitimate interest is chosen as the lawful basis, then the organisation takes on an extra responsibility for:
• Considering, and
• Protecting people's rights and interests.