The “legal basis” is the basis for processing personal data under the GDPR. This means that if an organisation wishes to process personal data, it must identify a specific legal basis for that processing. The obligation on organisations to have a legal basis for each processing activity remains essentially unchanged. You must determine your legal basis before you start processing personal data, and it is important to get it right the first time. If, at a later stage, you find that the basis you chose was in fact inappropriate, it will be difficult simply to move to another one. Even if a different basis could have applied from the outset, a subsequent change of legal basis is likely to be inherently unfair to the individual and to result in breaches of the accountability and transparency requirements. If your purposes change over time, or if you have a new purpose that you did not originally plan for, you may not need a new legal basis as long as the new purpose is in line with the original one.
One company opted for consent-based processing and sought consent from individuals. A person then decided to withdraw their consent to the processing of their data, as is their right. However, the company wanted to continue processing the data and therefore decided to continue the processing on the basis of legitimate interests. Even if it could originally have relied on legitimate interests, the company cannot do so at a later stage: it cannot change its basis once it realises that the basis originally chosen was inappropriate (in this case, because it did not want to give the individual genuine ongoing control). It should have made clear to individuals from the outset that the processing was based on legitimate interests. Leading individuals to believe they had a choice is inherently unfair when that choice is, in reality, meaningless. The company must therefore cease processing when the person withdraws their consent.
The principle of accountability requires that you can demonstrate that you comply with the UK GDPR and that you have appropriate policies and processes in place. This means you must be able to show that you have correctly verified which legal basis applies to each processing purpose and that you can justify your decision. You must therefore keep a record of the basis on which you rely for each purpose of processing, together with a justification of why you believe it applies. There is no standard form for this, as long as what you record is enough to demonstrate that a legal basis applies. This will help you meet the accountability requirement and will also help you draft your privacy notices. However, the university must carefully consider its basis: it is the controller's responsibility to be able to prove which legal basis applies to each processing purpose.
The legal basis for processing is also important because it has a significant impact on how an organisation responds to requests from data subjects. Certain rights may apply where consent is the legal basis for the processing, or where the performance of a contract is the legal basis. There are other implications of the legal basis as well. For example, the processing of special categories of data, including race, ethnic origin, health data, biometric data and other sensitive information, requires specific processing bases.
Personal data may be processed on the basis that such processing is necessary for the conclusion or performance of a contract with the data subject. The contract basis is quite explicit. “Compliance with a legal obligation” remains a legal basis for the processing of personal data. Member States may introduce additional legal bases for processing carried out in order to comply with legal obligations (see Article 6(1)(c)) or to perform tasks in the public interest (see Article 6(1)(e)). Personal data may be processed on the basis that this is necessary to protect the “vital interests” of the data subject (this applies mainly to “life and death” scenarios); vital interests would be a rare basis, relied on only where data processing is necessary to save someone's life.
Personal data may also be processed on the basis that such processing is necessary for the performance of tasks carried out by a public authority, or by a private organisation, in the public interest. These public interest tasks must have a legal basis (i.e. be defined by law). This is primarily a statutory function, but it may also cover other functions of public interest that have a constitutional, customary or non-statutory legal basis. The basis applies where the processing of personal data is necessary for the performance of a task or function carried out in the public interest or in the exercise of official authority vested in the controller (e.g. a public authority). In practice, public interest covers processing carried out by a government entity or by an organisation acting on behalf of a government entity.
Legitimate interest is the most flexible legal basis for processing, but it will not always be the most appropriate. A typical example is a marketing activity: a processing activity for which a data subject would normally expect an organisation to use their personal data. However, if an organisation relies on legitimate interests as its legal basis for processing, it must carry out a balancing test. Is the processing activity necessary for the functioning of the organisation? Does the interest in the processing outweigh the objections or risks to the rights and freedoms of the data subject? The legitimate interests basis consists of three elements, and it is useful to treat it as a three-part test that the organisation must satisfy.