
LATVIAN SUPERVISORY AUTHORITY: Lawful data processing – application of the legal basis

As we know, every processing of personal data must rest on at least one of the legal bases defined in the General Data Protection Regulation (GDPR); in everyday usage they are also called grounds for processing. Without an appropriate legal basis, data processing is unlawful.

There are six legal bases: consent, performance of a contract, compliance with a legal obligation, performance of a task in the public interest or exercise of official authority, protection of vital interests, and legitimate interests. The controller must assess which of these bases is the most appropriate for each personal data processing activity; processing without an appropriate legal basis is unlawful.

Although the Data State Inspectorate explains the legal bases for data processing to organizations both privately and in public, we still regularly encounter situations where their application is unclear. Without knowing the range of legal bases and the preconditions for applying them, organizations choose bases that do not match the nature of the processing, and the rights of the people concerned as data subjects are not ensured.

Therefore, this time, with the help of the Datiņš family and practical examples, we would like to go through all the legal bases together to give an insight into the conditions and limitations of their application.

In this explanation we list all the grounds for processing and give examples of when each of them applies.*

CONSENT 

#1 Consent is the appropriate legal basis when the processing is the individual's own free choice, made without coercive circumstances, and where refusing has no negative consequences. This basis can seem the simplest and most familiar, which is why organizations tend to apply it to most of their processing activities. However, consent should be considered only where none of the other bases can be met.

For example, Jānis Datiņš, who runs the administration of a sports club, can rely on consent to get to know his customers better and build a closer relationship with them, processing data beyond what is needed to fulfil specific contracts (which is a separate basis for processing). To offer club customers a special discount on their birthday, a separate consent to receive the birthday offer is requested when the customer signs up for a subscription, and the customer's e-mail address and date of birth are processed for that purpose. Every subsequent e-mail containing an offer includes an "unsubscribe" link; once the customer activates it, their data is deleted from the list of recipients of such offers.

This basis cannot be used where there is an imbalance of power between the organization and the person, for example between an employer and an employee.

Take note! Consent is not the appropriate basis where the data processing is necessary to perform a contract between the parties. In such cases the performance of the contract itself is the legal basis, while consent may serve as the basis for additional processing activities.

Consent must be demonstrable, specific (the person giving it must understand exactly what they are agreeing to) and withdrawable at any time; a person may withdraw consent even the next day. Withdrawal does not make the processing carried out on the basis of consent before the withdrawal unlawful, but it must not bring any detriment to the person. Withdrawing consent must be as easy as giving it.

PERFORMANCE OF A CONTRACT

#2 Contract performance

A contract cannot be concluded without data about the persons it applies to. Therefore, when specific personal data (for example name, surname, personal identity number and contact details) are an integral part of the contract, processing that data is justified by the need to conclude and perform the contract. This legal basis applies to contracts concluded within employment relationships, contracts with clients, property management contracts under which a management company will process the data of apartment owners, and so on.

The son of the Datiņš family, Kārlis Datiņš, has decided to attend athletics training at the local sports school, so his parents need to sign a contract for these services. When the contract is drawn up, the data of both Kārlis as the learner and his parents as the contracting parties are collected and included in the document.

LEGAL OBLIGATION 

#3 Legal obligation is the legal basis applied when the organization processes data not by its own choice or need, but because an external legal act expressly requires it to do so.

For the sports club's accountant to issue an invoice for a gym visit, the customer's personal data is required. Entering the customer's name and surname in the invoice is required under Article 11, Part Five, Clauses 5 and 6 of the Accounting Law.

PROTECTION OF VITAL INTERESTS 

#4 Protection of vital interests

Vital interests refer to processing directly connected with a person's life and health. This legal basis can be invoked only for processing needed to protect the vital interests of a natural person, so its use is very limited: the threat to life must be real and present, not merely possible. Such processing may be justified by the interests of a wider group of persons, i.e. society, as well as by the overriding interests of a specific person, for example when monitoring epidemics or when emergency assistance is provided.

The grandfather of the Datiņš family, Valdis Datiņš, has gone on a long-awaited trip abroad. Unfortunately, a coup breaks out in the country Valdis is visiting, and Latvian citizens must be evacuated urgently. Knowing that Valdis is in that country and considering the potential threats to his safety, the Consular Department uses Valdis' data (location, phone number) to contact him and arrange his evacuation.

PUBLIC INTERESTS 

#5 Public interest or official authority

This legal basis applies when data processing is necessary to perform a task carried out in the public interest or to exercise official authority vested in the controller by EU or national law. Unlike cases where the processing is directly prescribed by law and is therefore a legal obligation, here the processing may be based on more general legal norms that define the public interest and the tasks and powers of institutions.

This legal basis covers two situations and is applicable in both the public and private sectors.

  • First, it applies when the controller itself has official authority or performs a task in the public interest (without necessarily being under a legal obligation to process the data), and the processing is carried out in order to exercise that authority or perform that task.
  • Secondly, it covers situations where the controller has no official authority itself but is asked to disclose data by a third party who has such authority. Likewise, the controller may on its own initiative disclose data to a third party with such official authority.

Next to Jānis Datiņš' sports club there is a bicycle shed, where Jānis has installed a video surveillance camera to protect the bicycles that customers leave there. Despite this security measure, one of the bicycles is stolen by a daring thief. After the theft is reported, the club receives a request from the police to hand over the CCTV recording of the theft. Since the police have the authority to request such data, the recording collected by the club is handed over to them.

Take note! To rely on this legal basis, a proportionality test must be carried out: before processing begins, it must be assessed whether a proper balance has been struck between the public interest and the protection of personal data.

LEGITIMATE INTERESTS

#6 Legitimate interests

Not only the data subject has legitimate interests; the organization does too, such as promoting and improving its commercial activities, or bringing legal claims and defending against them. If the organization's interests do not override the person's privacy, the organization may process data on this legal basis. To ensure proportionality, a balancing test must be carried out before processing starts, assessing whether the benefit of the processing outweighs the restriction of the person's rights that the planned processing entails. In other words, through the test the organization must satisfy itself that the benefit of processing the data outweighs the risk to the person's rights and freedoms. This legal basis cannot be relied on by public authorities for processing carried out in the performance of their tasks, as they do not have private interests of their own.

To ensure high-quality customer service and to have evidence in case of disputes or misunderstandings, telephone conversations between Jānis Datiņš' fitness club and its customers are recorded. Jānis starts such processing only after carrying out a balancing test between the club's interests and those of its customers.

* A more detailed explanation of each legal ground is available via the link included in each heading of the original publication.

https://www.dvi.gov.lv/lv/jaunums/dviskaidro-likumiga-datu-apstrade-tiesiska-pamata-piemerosana
