Data processing legal bases

The European Regulation (Article 6) provides that the processing of personal data must be based on a legal basis.

The data controller is obliged to assess which legal basis is the most suitable for the processing it intends to carry out. This means that it is not free to pick whichever legal basis it prefers, but must comply with the conditions laid down by the GDPR for each of the bases listed in Article 6, and must always be able to demonstrate that the choice made is correct.

In detail, there are six legal bases:

1) Consent

The consent of the data subject authorizes the processing of data. Consent must be specific, i.e. linked to a specific purpose. If the processing is based on consent, the data controller must provide the information notice and guarantee data portability.

However, consent is not considered a robust legal basis, in the sense that it is difficult to obtain it in a way that is genuinely "specific, informed and unambiguous".

This is why there are many cases in which the legal basis of the processing is different from consent.

When the processing is based on the consent of the data subject, the data controller must always be able to demonstrate that the data subject has given consent (Article 7.1 of the Regulation).

Consent is valid if:

  • the data subject has been informed about the processing of personal data (Articles 13 or 14 of the Regulation);

  • it was expressed by the data subject freely and unequivocally and, if the processing pursues several purposes, specifically with regard to each of them.

The consent must ALWAYS be revocable.

It is necessary to verify that the request for consent is clearly distinguishable from other requests or declarations addressed to the data subject (Article 7.2), for example within forms.

Tacit or presumed consent is not allowed (for example, by presenting boxes already ticked on a form).

When the processing concerns "particular categories of personal data" (Article 9 of the Regulation), the consent must be "explicit"; the same applies to consent to decisions based on automated processing (including profiling, Article 22).

Consent does not necessarily have to be documented in writing, nor is written form required, although written form is a suitable way of establishing that the consent is unambiguous and, for the particular categories of data referred to in Article 9 of the Regulation, "explicit".

In summary, the consent must be:

1. Unequivocal:

it can also be implicit (but not tacit), provided that there is no doubt that the data subject, through his or her behavior or actions, intended to give consent. Consent must always be explicit when processing particular categories of data or in the case of automated decision-making processes (see profiling).

2. Freely given:

in giving consent, the data subject must be able to make a deliberate and conscious choice, without being subject to deception, threats or blackmail, and without fear of suffering negative consequences for refusing. In this regard, Article 7 states that, in assessing whether consent has been freely given, utmost account shall be taken of whether, among other things, the performance of a contract, including the provision of a service, is made conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

3. Specific:

the purposes for which consent is requested must be specified and, if there are several purposes, consent must be expressed for each of them. If the processing changes after consent has been given, the data subject's consent must be requested again.

4. Informed:

the data subject must be given all the information necessary about the processing of his or her data (the information notice, together with the related rights), and must also be informed of the consequences of not giving consent.

5. Verifiable:

the data controller must always be able to demonstrate that the data subject has given consent for that specific processing.

6. Revocable:

the data subject must be able to withdraw consent at any time. Withdrawing consent must be as simple as giving it. The data subject is not required to explain why consent is being withdrawn, and in that case the processing stops.

For minors under 16, consent must be given by those who hold parental responsibility.

2) Fulfillment of contractual obligations

Processing is lawful if it is necessary for the performance of a contract to which the data subject is a party, or for taking pre-contractual steps at the data subject's request. The information notice must of course be provided, and data portability must be guaranteed.

3) Data controller's legal obligations

Where processing is necessary to fulfil an obligation arising from a law, regulation or other legislation, consent is not required and data portability does not have to be provided, but the information notice must be provided and must indicate the legal basis of the processing. In this case the purpose must be specified by law.

4) Vital interests of the data subject or third parties

Processing is permitted if it is necessary to protect the vital interests of the data subject or of another natural person, for example in the case of a road accident or if the data subject is physically unable to give consent. Consent is not required and data portability does not have to be provided, but the information notice must be provided and must indicate the legal basis of the processing.

5) Legitimate overriding interest of the data controller or of third parties to whom the data are communicated

Processing is lawful when it is necessary for the pursuit of the legitimate interests of the data controller or of third parties, provided that these are not overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a minor. Consent is not required and data portability does not have to be provided, but the information notice must be provided and must indicate the legal basis of the processing.

6) Public interest or exercise of public authority

Processing necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the data controller, does not require consent, nor does it require data portability to be ensured, but the information notice must be provided and must indicate the legal basis of the processing.

The purpose must be specified by law.