Possible legal bases for data processing under the GDPR
The GDPR contains all the possible bases for data processing activities. Article 6 of the GDPR contains six possible legal bases for processing personal data other than those belonging to the special categories of personal data (e.g. health, biometric or genetic data).
The Article 29 Data Protection Working Party (WP29) issued guidelines on consent on 28 November 2017 (WP259). A Q&A on the legal bases follows below.
1. What are the possible legal bases which may serve as grounds for processing personal data?
Under the GDPR, the possible legal bases which may apply are different in case of personal data and, respectively, special categories of personal data.
The possible legal grounds for processing personal data are as follows (Article 6):
a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
c) processing is necessary for compliance with a legal obligation to which the controller is subject;
d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Article 9 of the GDPR, contains the possible legal grounds for the processing of special categories of data (e.g. personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation).
2. May consent be used as legal basis for processing personal data within an employment context?
Under the settled practice of the Hungarian data protection authority and the WP29, consent may only serve as legal basis for processing in exceptional circumstances due to the dependency in an employment relationship. This is because consent may, by definition, not be voluntary (freely given) in an employment context. Consent can only rarely serve as legal basis in an employment relationship, and only when it is evident that the employee would purely “benefit” from the data processing in question and not be subject to sanctions for refusing to consent. In the authority's example, if the employer organizes a running contest for the employees and asks for the T-shirt size of the employees (which is personal data), then consent may serve as a valid legal basis for data processing.
In an employment context, instead of consent, typically, the performance of the employment agreement (e.g. payment of wage), the compliance with a legal obligation of the employer (e.g. taxation and accounting obligations), or the legitimate interest of the employer (e.g. use of CCTV) will serve as legal basis for the processing of the personal data of the employees.
3. What if the legitimate interest of the data controller may serve as legal basis for the processing of personal data?
In such cases, a so-called balancing test has to be undertaken before processing. Under the test, the data controller has to address certain issues, e.g. is there a way to satisfy the purpose of processing without processing personal data or by way of processing less personal data; what is the exact purpose and legitimate interest of the controller; how could the data subjects argue that the processing violates their rights and freedoms; and why does the controller’s legitimate interest override the interests of the data subjects.
If the balancing test results in the conclusion that the controller’s interests indeed have priority over those of the data subjects, the controller may begin processing (following giving complete information on processing to the data subjects and informing them also of the balancing test).
By way of example, if the employer wishes to use surveillance cameras at the workplace for the purposes of protecting its assets, business secrets, and/or human life or health, the employer’s legitimate interest may serve as legal basis for the processing of personal data via the cameras. Of course, there is a number of conditions which must also be fulfilled when using such cameras.
4. Is consent generally available as a valid legal basis for processing?
No. Data controllers must be very careful when deciding which legal basis may apply to the relevant processing activity. The controller always has to be able to present a valid legal basis for processing and consent should not be regarded as a default “jolly joker” basis for processing.
5. Is it always mandatory to give information to the data subject of the processing activities or is this only required when consent serves as a legal basis for processing?
The obligation to give information is independent of the legal basis for processing, i.e. the obligation to provide the data subjects with prior information about the data processing basically always applies and is a general obligation.
6. What are the characteristics of consent?
Under the GDPR, consent of the data subject means any “freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
As per the WP29, “freely given” means that the data subject must be in a position to freely give or refuse to give his/her consent. In other words, consent is freely given if there was no pressure of any kind on the data subject when he/she decides on giving consent. “Specific” means that a controller that seeks consent for various different purposes should provide a separate opt-in for each purpose, to allow users to give specific consent for specific purposes. “Informed” means that prior information must duly be given when asking for consent.
It is worth noting that when it comes to a legal dispute about the lawfulness of consent, it is the data controller that must be able to demonstrate that it has duly obtained the consent.
7. Is there a difference between consent and explicit consent?
The GDPR uses the expression “explicit consent” when it comes to, for example, the processing of special categories of data (Article 9) or data transfer in the absence of adequate safeguards (Article 49).
Since a clear affirmative act is a pre-requisite for “ordinary” consent, the “ordinary” consent requirement is already raised to a higher standard. According to the WP29, “the term explicit refers to the way consent is expressed by the data subject. It means that the data subject must give an express statement of consent.” This could take the form of, for example, a written statement or a two-stage verification process in an online environment.
8. Can a consent obtained prior to 25 May 2018 be relied upon after 25 May 2018?
The preamble (171) of the GDPR provides that
“…[w]here processing is based on consent pursuant to Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of this Regulation, so as to allow the controller to continue such processing after the date of application of this Regulation…”
According to the WP29, “controllers that currently process data on the basis of consent in compliance with national data protection law are not automatically required to completely refresh all existing consent relations…”
Controllers are required to review all consents (consent mechanisms) and assess if they are required to obtain them again. One may say that if the consents were obtained in line with Hungarian data protection laws and the requirements of the Hungarian DPA, one may come to the conclusion that controllers may not have to obtain the consents again. However, it is only future decisional practice that will show how preamble (171) will work in real life.
dr. Zoltán Balázs Kovács, J.D. (LL.M.), Partner, Szecskay Attoneys at Law, Budapest, Hungary (firstname.lastname@example.org)
The contents of this post are intended to provide only a general overview of the subject matter and do not qualify as legal advice.