Know your Legal Basis for Processing Data

5 years ago in May, the General Data Protection Regulation (GDPR) was enacted.  This meant that organisations were compelled to look at how they process personal data and personal information within, ensuring the data is processed lawfully, fairly and transparently.

Article 6 of GDPR requires that organisations can only process personal data if they have a legal basis to do so. GDPR provides 6 legal bases for processing:

1. Consent
2. Performance of a Contract
3. Legitimate interest
4. Legal requirement
5. Public interest

Organisations must record, and inform their data subjects, what their legal basis for processing data is. This is typically communicated in a Privacy Policy or Privacy Notice which is then brought to the data subject’s attention. It would also be recorded in a Data Protection Policy.

Understanding and acknowledging your legal basis is fundamental to ensure compliance with data protection legislation. It is therefore recommended that you regularly review your policies and procedures to ensure that you are up to date. Businesses are typically relying on historic policies which are now 5+ years old and likely out of date, especially if your business has grown and evolved over the years.

Whatsapp

Whatsapp for example recently updated their Privacy Policy on 17 July 2023 because of a sanction made against them by the Irish Data Protection commissioner, Ireland’s Data Protection authority, who determined the legal basis being relied upon by Whatsapp was not suitable.

As such, Whatsapp has moved to “Legitimate Interest” as its legal basis whilst it appeals the decision.

This is a good illustration of how other legal bases should be considered when it comes to processing data. Determining which legal basis is not always straightforward and specialist legal advice is often necessary across a range of cases.

Summary

Whilst Whatsapp may be appealing this decision, the above case example demonstrates how Data Protection authorities are starting to exercise the powers granted to them under the data protection legislation. Data protection authorities are not just there to deal with data breaches or complaints but are making an active effort in improving the way businesses process data.

Businesses may well believe they have covered off the applicable legal basis, but organisations should be regularly reviewing their Policies and Procedures to ensure they remain compliant.

Get in touch with a specialist data protection solicitor for expert legal advice and guidance or check out our data protection strategy services to help your business process data in a way which works for you and your customers.