For all data processing, the data controller must be able to demonstrate a lawful basis for processing the data in question. Processing is lawful only if at least one of the following lawful bases applies.

  1. Consent of the data subject

The most commonly used lawful basis for data processing is the consent of the data subject.

If the data subject has given prior consent to the processing of their personal data for one or more specific purposes, the processing is lawful. Consent means a freely given, specific, informed and unambiguous indication of the data subject's wishes: the data subject must signify agreement to the processing of their personal data by a statement or by a clear affirmative act. Silence, pre-ticked boxes or inactivity do not constitute consent.

Consent is freely given if the data subject has a genuine choice whether or not to consent. It follows that consent is not freely given if the controller makes the performance of a contract conditional on consent to the processing of personal data that is not necessary for performing that contract. The data subject must therefore have a real opportunity to refuse or withdraw consent without detriment; such a choice exists only in the absence of pressure and of any form of discrimination.

The second requirement of valid consent is that it is specific: consent is given only for a particular purpose. If the data is processed for several different purposes, the controller must obtain the data subject's consent separately for each purpose. For example, if a company that runs a webshop collects and processes the personal data of its users both to analyse the composition and preferences of its user base and to send newsletters by e-mail, the company must request its users' consent separately for each of the two purposes.

Before the data subject decides whether to give consent, they must receive adequate prior information, including the identity of the controller, the purpose of the processing, the types of data to be processed and the right to withdraw consent at any time. In every case the controller should consider whether further information is needed for the data subject to make a genuine decision on whether or not to consent.

Under the General Data Protection Regulation (GDPR), consent is valid only if all of the above requirements are met. Consent obtained before the GDPR became applicable remains valid only if it complies with the GDPR's conditions; if it does not, new consent must be obtained from the data subject in accordance with the Regulation.

In the event of a dispute, the controller must be able to demonstrate that the above requirements of the GDPR were met and that the data subject's consent is therefore valid.

Although relying on the data subject's consent may appear to be the easiest route for the controller, it is always advisable to examine whether the processing falls under one of the other lawful bases described below. These do not require the active involvement of the data subject, so the burden of obtaining consent for each and every processing purpose, and the risk of its later withdrawal, can be avoided.

  2. – 3. Contractual and legal obligations

Processing is lawful if it is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract.

A typical example is the processing of employee data. The consent of the data subject (the employee) is not required, because the processing is carried out to perform the employment contract (e.g. storing the employee's bank account number in order to pay their salary). Moreover, given the imbalance of power inherent in the employment relationship, consent from an employee can rarely be regarded as freely given.

The performance of a contract may only be invoked as a lawful basis if the data subject is party to the contract, or the processing is necessary to take steps at the data subject's request before the contract is concluded. This lawful basis must not be interpreted broadly. Another lawful basis must therefore be found where the processing involves the personal data of a third person who is not party to the contract. For example, for the processing of the data of contact persons named in a contract between two companies, the lawful basis is not the performance of the contract but the legitimate interest of the companies (see point 4).

As regards compliance with a legal obligation as a lawful basis, we refer back to the example of employee data. Since employees' personal data must be transmitted to the competent authorities and to accountants in order to meet tax and accounting obligations, the applicable lawful basis in this case is clearly 'compliance with a legal obligation'.

  4. Legitimate interest

Sometimes the processing of personal data can be justified neither by a contract nor by a legal obligation. Processing is nevertheless lawful if it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party. However, where the interests or fundamental rights and freedoms of the data subject override those interests, legitimate interest cannot serve as the lawful basis for the processing.

Before any such processing begins, a so-called Balancing Test must therefore be carried out. It examines, for instance, whether the purpose of the processing could be achieved without processing personal data at all, or with less personal data. The test identifies the legitimate interests of the controller alongside all opposing interests and fundamental rights of the data subject, weighs them against each other, and on that basis determines whether the processing is lawful.

If the Balancing Test concludes that the processing is lawful, the data subject must be informed, before the processing actually begins, of the legitimate interests pursued, of the outcome of the Balancing Test and of the circumstances of the processing.

In addition to the example of the contact persons' data in the previous point, examples of legitimate interests include the monitoring of workplace devices to protect the security of the employer's IT network, or a camera system installed to protect the employer's property and business secrets.

  5. – 6. Public and vital interest

Finally, among the lawful bases we mention only the special cases in which either the vital interests of the data subject or the public interest make the processing necessary and thereby lawful.

An example of the former is the processing of the data of a patient brought to hospital in a life-threatening condition: here the patient's identity and medical history may be checked, verified or consulted without their consent. In another example, where the Medical Chamber initiates disciplinary proceedings against one of its members, the public interest may be invoked as the lawful basis for the processing.