GDPR for employees

Brightdock

Lawful basis

What are the lawful bases for processing personal data?

As presented in the previous section, an organisation must have a valid lawful basis when processing personal data. The basis that organisations use will depend on the purpose of the processing and their relationship with the individual.

The six lawful bases

The six lawful bases for processing personal data are:

  • Consent

  • Contract

  • Legal obligation

  • Vital interests

  • Public tasks

  • Legitimate interests

Consent

When personal data processing is based on consent, the data controller must gain the permission of the data subject. For the consent to be considered valid, it must have the following characteristics:

Freely given - Consent is considered freely given when it offers individuals a genuine, ongoing choice and control over how their data will be used.

Explicit - Consent must be clearly stated in words and easy to understand, and it requires a positive action from individuals to opt in.

Specific - Consent must clearly spell out the purpose, the type of personal data to be processed, and the name of the organisation and/or third-party controllers responsible for processing the data.

Organisations should consider the following actions when managing consent:

  • Ensure that individuals give a clear affirmation that they actively opt in, such as ticking an unchecked box or clicking an 'I accept' button. Using pre-ticked boxes or any other default settings is a clear violation.

  • Keep records as evidence of the consent, including who consented, when, how, and what they were told.

  • Make it easy for people to withdraw consent should they choose to do so.

  • Review consents from time to time and refresh them if there are changes.

Contract

Personal data processing may take place on the basis that such processing is necessary in order to enter into or perform a contract with the data subject. Refer to the examples below:

PRE-CONTRACT

During the sales process, a customer may request a free trial before signing up. Such instances require the individual's contact or credit card details, and organisations may ask for this type of information.

NEW CONTRACT

Once the customer has agreed to sign up, personal data processing is necessary to perform the contract.

Legal obligation

Organisations can rely on this lawful basis when personal data processing is necessary for compliance with a legal obligation. Refer to the examples below:

Employment Records

A government body requests an employee's salary details.

Criminal Investigation

A court orders the processing of personal data to aid in a criminal investigation.

Fraudulent Bank Transactions

A bank has to process an individual's personal data to comply with its legal obligation to prevent fraud.

Vital interests

Personal data processing is permitted where it is necessary to save or protect an individual's life.

Example: An individual who has had an accident needs emergency medical care, and personal data processing is required for medical purposes.

Public tasks

Personal data may be processed on the basis that it is necessary in the exercise of official authority or for any organisation acting in the public interest to perform a task that has a clear basis in law.

This basis is most relevant to public authorities, but it can also apply to any organisation carrying out a specific task in the public interest.

For example, a private water company that provides utility services to the public.

Legitimate interests

Personal data may be processed on the basis that the organisation or a third party has a legitimate interest in processing that data, provided that this legitimate interest is not overridden by the rights or interests of the affected data subjects.

Opting to rely on legitimate interests means taking on extra responsibility for considering and protecting people's rights and interests. Hence, there is a need to conduct a three-part test, which involves:

  1. Identifying a legitimate interest
  2. Showing that processing is necessary to achieve it
  3. Balancing it against the individual’s interests, rights and freedoms

Refer to the following examples of when legitimate interests can be used as the basis for personal data processing:

  • Performing marketing activities with minimal privacy impact, where individuals would not be surprised or likely to object

  • Processing children's data while ensuring that their interests are protected, such as generating a list of children who have already received a certain type of vaccine

  • Transmitting personal data within the organisation for internal operations, such as payroll