We still get many questions regarding when it is legal to process personal data and if companies always have to collect consent to be able to process the data. We will therefore describe in this article the six legal grounds you can base your personal data processing on to make sure that your processing is legal.
There are six legal grounds within GDPR that states when an operator can process personal data. The legal grounds are stated in article 6 GDPR. It is enough that you base your processing of personal data on one of these. Of course, it takes more than a legal ground for the processing to be legal. For example, you shall also follow certain principles, see our Swedish blogpost about this. However, it is always important to have a clear knowledge about the legal grounds.
The first legal ground mentioned in article 6 GDPR is consent. We have a previous article about how consent should be applied on our Swedish webpage where we state that consent is not always the best legal ground for processing of personal data. This is due to the fact that the data subject has to be able to withdraw the consent and that the consent always have to be voluntarily given. The voluntary aspect makes consent complicated in a relationship where one party has a lot of power, e.g. a public authority or an employer, and the other party does not have the same amount of power. For public service, consent is therefore basically never usable.
Many people think that you always need consent to be allowed to process personal data. This is not true! If you can base your processing on one of the other legal grounds mentioned below, it is most of the times better to do so. You only need one legal ground, and it is not necessary to have consent in most situations.
A consent shall always be freely given by the data subject, you shall inform about the data processing and it should be clear that it is based on consent. It shall also be possible for the data subject to withdraw his or her consent. If you were to collect consent from a child it is important to think about that the child has to be older than 13 years old to be able to independently give you his or her consent in regards to, for example, social media. It is more difficult to set out an age limit in other contexts. The Swedish Data Protection Authority (Datainspektionen) have stated that children under the age of 15 generally cannot give a consent on their own. You always have to make an assessment on a case to case basis and the age of the child and maturity should be taken into account.
If you decide that consent is the legal ground most suitable for you, you should always document the following:
a) Who has given his or her consent,
b) When the consent was given,
c) How the consent was given, and
d) What information was given to the data subject prior to the consenting.
The documentation can easily be done within our tool for recording of processing activities, GDPR hero. You can read more about it here.
Contract is the second legal ground mentioned within the GDPR. In many cases, processing of personal data is necessary for the performance of a contract. It can for example concern contact information and delivery address to the costumer. What is of importance here is to know who you are entering into a contract with and that all data being processed is necessary for the fulfillment of the contract or entering into the contract.
Bear in mind! If a natural person is a party of the contract, the legal ground for processing of his or her data is ”contract”. If it is a company that is party of the contract you cannot use this legal base, see more about this under legitimate interest assessment.
3. Legal obligation
In certain situations, organizations do not only have the possibility to process personal data, but also an obligation to do so. If it is stated in a legislation that certain data shall be saved, the organization in question is obliged to follow this legislation. It is often specified in the law how long a certain type of data shall be saved. GDPR prevails over Swedish national legislation but does at the same time open up for special provisions within Swedish legislation. In Sweden, collective agreements are seen as equal to provisions of law in this matter.
Examples of laws that poses legal obligations are:
- The Swedish bookkeeping law (Bokföringslagen), within this law it is stated that accounting information shall be saved for seven years after the calendar year when the financial year was ended.
- The Swedish archive law (Arkivlagen), which demands that public documents shall be archived for the functioning of the principle of public access to official records.
4. Vital interests
This legal ground is possible to use when the data subject cannot give his or her consent, for example in the situation when that person is unconscious. This legal ground shall be used only in exceptional cases. The Swedish Data Protection Authority recommends that you only process personal data based on this legal ground if you have no other way of solving the situation.
5. Public interest or in the exercise of official authority
Public sector will probably use the legal ground public interest or in the exercise of official authority as a base for its processing of personal data. Private operators will generally not be able to use this legal ground, unless they perform a task of public interest e.g. as a private school or private healthcare provider.
Exercise of official authority means that an authority wield power over an individual, that is to say that the authority adopts a decision which either favor or burden the individual. One example could be that a teacher grades a student or that an authority grants financial assistance. Official authority in this context can be both on state and municipal level, as well as private operators such as private schools and private healthcare providers.
Information of public interest shall be established within a legislation, other provision, collective agreement or a decision that has been made based on one of these. Example of information of public interest is school, healthcare and public transportation. Other examples of public interests are sports facilities that the municipal freely have decided to operate.
6. Legitimate interest
Legitimate interest is the last legal ground of article 6 GDPR. To be able to apply this legal ground the data controllers’ interests have to override the data subjects’ interests. The processing of personal data also has to be necessary for the purpose of the processing. You have to make this decision on a case by case basis. If a data subject is surprised that you process his or her data, this is an indication that your interest of processing the personal data do not override the interests of the data subject.
A typical situation when legitimate interest can be used is in customer relations which are B2B. If a company, X, enters into a contract with another company, Y, the contractual relationship is between those two companies. The processing of personal data that occurs regarding the employees of X and Y for the fulfillment of the contract could therefore not be based on the legal ground contract. Instead, this processing can be based on legitimate interest.
Other examples of when legitimate interest can be used is when personal data has to be processed to hinder fraud or for direct marketing.
It is, in this case as well, important to document your assessment. That proves that you have made a legitimate interest assessment before processing the data and demonstrates how you came to that result. This is an important part of your liability and you have to prove that you comply with the GDPR.
Public authorities should be very careful in using this legal ground. They cannot use it when they process personal data to perform their tasks.
We hope you liked this blog post! If you have any further questions regarding GDPR you are more than welcome to contact us at GDPR Hero via email email@example.com or phone 046 – 273 17 17.
Are you interested in our tool for recording of processing activities? Book a free demo here.