Lawful basis for processing personal data: Gibraltar

On August 30, 2018, the Gibraltar Regulatory Authority published a guidance document entitled “(6) Identifying the ‘Lawful Basis’”.

The document clarifies that organizations cannot rely on a legal basis that requires data processing to be “necessary” if they can reasonably achieve the same purpose without that processing. Most lawful bases require that processing is ‘necessary’. However, if you can reasonably achieve the same purpose without the processing, you will not have a lawful basis.

Before you begin processing, you must determine your lawful basis and document it. Your lawful basis for processing, as well as the purposes of the processing, should be included in your Privacy Notice. It is possible that more than one legal basis could apply, particularly in cases where processing takes place for more than one purpose.

Processing Special Category data

If you are processing special category data, you will need to identify:

  1. a lawful basis for general processing, plus
  2. an additional condition for processing this type of data.

If you are processing criminal conviction data or data about offences, you need to identify both:

  1. a lawful basis for general processing, and
  2. an additional condition for processing this type of data.

Your Lawful Basis Checklist

(as provided by the Information Commissioner’s Office)

☐ Review the purposes of your processing activities, and select the most appropriate lawful basis (or bases) for each activity.

☐ Check that the processing is necessary for the relevant purpose, and that you are satisfied that there is no other reasonable way to achieve that purpose.

☐ Document your decision on which lawful basis applies to help you demonstrate compliance.

☐ Include information about both the purposes of the processing and the lawful basis for the processing in your privacy notice.

☐ Where you process special category data, identify a condition for processing special category data, and document this.

☐ Where you process criminal offence data, identify a condition for processing this data, and document this.

Why is lawful basis for processing so important?

Under the GDPR you are required to process all personal data in a lawful, fair and transparent manner. Processing can only be lawful when you have a lawful basis under Article 6. Also, in order to comply with the accountability principle in Article 5(2), you must be able to demonstrate that a lawful basis applies.

If no lawful basis applies to your processing, your processing will be unlawful and in breach of the first principle. Always remember: individuals also have the right to have personal data erased where it has been processed unlawfully.

Under Articles 13 and 14, the data subject has the right to be informed. This means you must provide people with information concerning your lawful basis for processing, so you must include these details in your privacy notice.

Source: Information Commissioner’s Office; GRA guidance document

Are you 100% certain that you have a lawful basis for processing personal data?

Contact Peter Borner at The GDPR Guys for more guidance on this important aspect of GDPR compliance.
