Process personal data lawfully | European Data Protection Board (2024)

Process personal data lawfully | European Data Protection Board (1)

Your organisation may decide to rely on consent for the processing of personal data.

If a data controller uses consent as a legal basis for the processing of personal data, they must ensure that this consent is freely given, informed, specific and unambiguous. This means that individuals must have a genuinely free choice regarding whether or not they agree with the processing of their personal data; they need sufficient information so that they can understand which data is processed, for what purpose, and how this is done; and they need to be able to freely withdraw their consent (without any negative consequences) if they change their mind later on.

If the organisation has to process the data and cannot truly enable individuals to withdraw their consent, this is an indication that consent is not the appropriate legal basis of the processing, and there is a need to assess if another legal basis could be applicable.

Conditions for consent

Free

Consent is freely given when individuals are able to refuse and withdraw their consent with no risk of external pressure or negative consequences. Individuals must also have the right to withdraw their consent at any time; this process must be made easy for individuals to do (as easily as it was to provide it). Withdrawing consent must not affect the processing of the individual’s personal data that was done prior to this withdrawal, when consent was still valid.

For example, in principle, employees will not be in a position to freely provide consent to processing carried out by their employer, as employees may feel that they are unable to refuse their employer’s request.

Specific

For consent to be valid, it must also be specific to the processing purpose. This condition is closely related to the condition of informed consent: individuals must be informed of the specific purposes in a plain and easy to understand language, so that they have a clear idea for which purposes their data is being processed. This also means that if the purposes of the processing operation change or if additional processing operations are added, individuals should be asked for their consent again. Likewise, if a processing operation has multiple purposes, consent should be given for each of them.

For example, a streaming service collects their clients’ personal data to offer them tailored viewing suggestions. After some time, the streaming service decides to share their clients’ personal data with third parties so that they can send targeted advertising to the clients based on their viewing habits. As this is a new purpose, the streaming service will have to ask for their client’s consent.

Informed

When requesting consent from an individual, your organisation must ensure that this request is communicated to the individual in an intelligible and easily accessible form, using clear and plain language. Information should be given about the purposes, the identity of the controller, the categories of data, the recipients and the right to withdraw consent.

Unambiguous

For consent to be unambiguous, there should be a clear affirmative action (without pre-ticked boxes and made separately from applicable general conditions).

It is recommended to refresh the consent at appropriate intervals. In addition, you must be able to demonstrate that the individual whose data is processed has given their consent, for example through a written or signed declaration, or by a deliberate action like ticking a box.

Conditions applicable to children’s consent

As a data controller, you should take reasonable efforts to check the age of the individual.

Children aged 16 and above are considered as being able to give their own consent.

For children below the age of 16, your organisation must request consent from that child’s legal guardian or parent. In this case, you would have to take reasonable efforts to check that the person consenting on behalf of the child has the parental responsibility. Please note, however, that the GDPR gives EU Countries the possibility to, through national law, set the age of consent between 13 and 16, when services are provided via internet. Therefore, it is advised to check your national provisions on this matter.

When consent can be provided by children, the language used to communicate the information relating to the service should be adapted to their age.

Process personal data lawfully | European Data Protection Board (2)

In addition, you should try to collect the least amount of personal data necessary to perform the contractual service or for taking relevant pre-contractual steps. In particular, you cannot use the contract to artificially expand the categories of personal data or types of processing operations. Rather, you should ensure that there is a genuine mutual understanding of the contractual purpose, based on the expectations of an average individual when entering into the contract.

This legal basis may also apply to certain actions related to contractual warranty, and to certain actions that can be reasonably foreseen and necessary within a normal contractual relationship, such as sending formal reminders about outstanding payments or correcting errors or delays in the performance of the contract.

This legal basis does not apply, however, if you wish to process an individual’s personal data for marketing purposes, fraud prevention, targeted advertising or any other purposes related to your organisation’s business model. In such cases, other legal bases may be available, such as consent or legitimate interest, provided that the relevant criteria are met.

Legislations may also impose the processing of personal data, even after the termination of the contract (for instance, to keep records for accounting purposes).

Naturally, the contract must also be valid under the applicable law.

The GDPR provides for another legal basis, namely: it is necessary for compliance with a legal obligation to which the data controller is subject.

This legal basis can be relied on where a processing operation is imposed on an organisation by EU or national legislation. More specifically, four conditions must be met:

  • the legal obligation must be defined by EU or national law to which the controller is subject;
  • these legal provisions must establish a clear and specific obligation to process that personal data;
  • these provisions must at least define the purposes of the processing;
  • this obligation should be imposed on the controller and not on the data subjects.

If these conditions are not met, the processing operation cannot be based on the legal obligation and another legal basis must be sought.

The GDPR provides for many different circumstances in which data controllers are legally obliged to process their customers’ or clients’ personal data. For example, employers usually need to process their employees’ personal data for social security purposes, or a business often needs to process their clients’ or customers’ personal data for tax purposes.

Processing data to protect the vital interests of an individual can be relied on only in rare and specific cases. This may be the case, for instance, if you need to process personal data to protect someone’s life. However, based on the GDPR, this legal basis is very limited in scope and can only be relied on in the case of emergencies.

In some specific cases, your organisation may be able to process individuals’ personal data for a task carried out in the public interest. In this case, the processing must have a basis in EU or national law. Its purpose must be determined in that legal basis or be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller. Therefore, this legal basis may be relevant, in particular, for processing operations by public authorities for the purpose of carrying out their tasks.

Your organisation may be able to process individuals’ data for matters of legitimate interests, provided that these interests (commercial, protecting your property, etc.) do not create an imbalance to the detriment of the rights and interests of individuals.

While the GDPR and relevant case law of the Court of Justice of the European Union (CJEU) provide for examples of legitimate interests, there is no exhaustive list.

However, you must ensure that this interest respects a certain number of requirements:

  • it must be lawful, clear, real and present;
  • the processing must be a necessary for pursuing this interest;
  • the legitimate interest must take into account the individual’s rights to data protection, which cannot be overridden. In the context of this requirement, the controller must weigh its legitimate interest and the interests or fundamental rights and freedoms of individuals and must also consider what they may reasonably expect. This balancing exercise must be made in light of the concrete conditions under which these operations are carried out.

Process personal data lawfully | European Data Protection Board (3)

Additional requirements apply if you intend to process data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation. These special categories of data are commonly referred to as “sensitive data”.

The processing of sensitive data is generally prohibited, except in the following specific cases.

Process personal data lawfully | European Data Protection Board (2024)
Top Articles
Latest Posts
Recommended Articles
Article information

Author: Melvina Ondricka

Last Updated:

Views: 6303

Rating: 4.8 / 5 (48 voted)

Reviews: 87% of readers found this page helpful

Author information

Name: Melvina Ondricka

Birthday: 2000-12-23

Address: Suite 382 139 Shaniqua Locks, Paulaborough, UT 90498

Phone: +636383657021

Job: Dynamic Government Specialist

Hobby: Kite flying, Watching movies, Knitting, Model building, Reading, Wood carving, Paintball

Introduction: My name is Melvina Ondricka, I am a helpful, fancy, friendly, innocent, outstanding, courageous, thoughtful person who loves writing and wants to share my knowledge and understanding with you.