HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Legal Bases for Processing Personal Data Under GDPR

We are mere weeks away from the introduction of the General Data Protection Regulation (GDPR), and a number of organizations are still confused about the acceptable legal bases for processing personal data under GDPR. From May 25, 2018, onward, all personal data relating to individuals living in the European Union (EU) will be protected by the new law. Entities involved in processing the personal data of these individuals will be governed by the GDPR. Even organizations located outside the EU must comply with the regulation if they process the data of people based inside the EU.

Under the GDPR, personal data cannot be processed for any purpose an organization happens to find interesting; processing must be justified. As noted above, the acceptable justifications are causing some confusion. Article 6 of the Regulation, Lawfulness of processing, states that “[data] processing shall be lawful only if” the processing is being conducted for one of six legitimate reasons. These reasons are:

1. The person has given active consent for their data to be processed for one or more specific purposes. There is no blanket consent: the person must agree to each specific purpose.

2. The personal data of an individual needs to be processed in order for them to enter into or fulfill the requirements of a contract.

3. The data controller is legally required or legally obliged to process the data.

4. The processing must be carried out so that an individual’s vital interests can be protected.

5. The data is being processed for a task carried out in the public interest or in the exercise of the data controller's official authority.

6. The processing is necessary for the legitimate interests of the data controller or a third party. These interests must be weighed against the rights, freedoms, and interests of the data subject – the person to whom the data refers. This balancing test is particularly important when the data subjects are children.

For data processing to be compliant with the GDPR, at least one of these conditions must be met. It is also important to note that the Working Party guidance on Article 29, Processing under the authority of the controller or processor, states that each processing activity should be conducted on a single one of these bases, and that the data subject must be informed of that basis, as required by Article 13, Information to be provided where personal data are collected from the data subject.

Recording the Legal Bases for Processing Personal Data Under GDPR

Having identified a legal basis for processing, organizations must then document which basis they have identified and relied on for each processing purpose. If sufficient documentation is lacking, regulatory authorities may find the organization to be in violation of the GDPR. The penalties are severe: the maximum fine for non-compliance is either €20 million or 4% of annual global turnover, whichever is higher. The organization may also suffer reputational damage among consumers following the violation.

The legal bases exist to protect individuals from having their data processed unnecessarily, maliciously, or indefinitely. Having to identify a legitimate reason for each processing activity also helps organizations justify the cost and effort of processing, because it continually forces them to question whether the processing is necessary and lets them refine their data strategies. The result can benefit both individuals, whose data is protected, and organizations, which can become more efficient.