Not just like that. You may only process personal data if there is a legal basis for doing so. In privacy jargon, this is called “grounds for lawful processing”. Fortunately, there are quite a few grounds for processing. We list them here, and give some explanation on the most common ones.
At least one of the following grounds for processing must be present when you want to process personal data:
- Consent of the person concerned;
- Necessity for the agreement to which the data subject is a party;
- Necessity for compliance with a legal obligation of the controller;
- Necessity to protect the vital interests of the data subject or of another person;
- Necessity for performing a task of public interest or for exercising public authority vested in the controller;
- Legitimate interest.
It seems only logical: the processing of personal data can be based on the consent of the person concerned. But is it that simple?
First of all, the person giving consent must understand what exactly he is consenting to. In other words, the consent must be informed. This means that the controller must provide the person concerned with full, clear information beforehand, worded in an understandable language.
Secondly, the consent must be specific, meaning that the data subject gives his or her consent to the processing of their data for a specific purpose. The person responsible for processing will therefore have to explain for what purposes the data will be collected. Data processing for multiple purposes will only be valid if the data subject has given their consent for each of those purposes.
Thirdly, the consent must be free. The person concerned must have a genuine choice to refuse or accept.
Finally, the consent must be unambiguous. This implies that the person concerned must perform a clear positive act that removes any doubt about their will to consent. Such a positive act can be a written or verbal statement, but also a specific action such as ticking a box on a website.
In the case of a pre-checked box, for example, there is no active act, so that consent will not be validly given.
Necessary for the agreement
You can process the personal data of a co-contractor insofar as this is necessary for the performance of the agreement. It is therefore important that the person concerned is a party to the agreement! If this is not the case, you will have to rely on another ground for processing (e.g. consent or legitimate interest). This ground for processing must be applied strictly, because it only allows the processing of the personal data that are really necessary for the normal execution of the agreement. This will depend from contract to contract.
When, by way of example, a customer buys goods online, the seller will only be allowed to process those data that are necessary to deliver the goods and to guarantee payment. In this case, these will be the customer’s name, address and bank card details.
Even if no contract has been concluded as such, this ground for processing can be invoked for certain processing already during the pre-contractual phase. This is subject to the condition that the data subject requests, i.e. on his/her own initiative, that certain measures be taken already.
An example is when a potential customer requests a quotation for the provision of a service. Then the personal data that are necessary for this purpose may be processed. The party responsible for processing will therefore not be allowed to process the potential customer’s data for direct marketing purposes on its own initiative during the pre-contractual phase.
It is very popular to invoke the legitimate interest. However, it is not so obvious to invoke this ground for processing: three conditions have to be fulfilled!
First of all, you as the person responsible for processing, or a third person, must have a legitimate interest. In other words: a good reason. That interest cannot be merely hypothetical; it must be a clear, existing and present interest. Your interest must also be justified: this means that you must pursue it in a way that is consistent with both the data protection rules and other relevant regulations.
Examples of legitimate interests: data processing to prevent fraud, to ensure the network and information security of a company’s IT systems, or under certain conditions for direct marketing purposes.
Secondly, the processing of personal data must be truly necessary for the realisation of this legitimate interest. And this is often where the shoe pinches. If there are less far-reaching ways to achieve your legitimate interest, then there is no necessity and you won’t be able to fall back on this legal basis of legitimate interest.
Thirdly, there must always be a weighing of interests: you must therefore weigh your interest (or that of third parties) against the interest of the person concerned. An important rule of thumb here is to check whether the person concerned can expect your processing of personal data.
In this weighing-up, you will also have to take into account the “weight” of your legitimate interest as data controller on the one hand and the impact of the processing on the rights and freedoms of the data subject on the other.
So you can only invoke this legal ground if the interests of the person concerned do not outweigh your own.
When, for example, you are going to make data public (make them accessible to a large number of people) or when you are processing a large quantity of personal data, then the impact on the rights of the person involved could be say heavy. However, by taking additional measures, you can reduce the impact.
It’s not at all the case that we can process personal data because we think it’s useful and we don’t have a bad intention. On the contrary: each processing of personal data deserves and requires a thorough reflection: is there a legal basis present? And what would that be?
The answer is not always easy. If you need advice on this, you can always contact us at email@example.com.
Written by Larissa De Keyser, Trainee theJurists, Duygu Öztürk CIPP/E, Privacy Chair theJurists and Kris Seyen, Partner theJurists