Legal grounds for the
processing of personal data :
consent or legitimate intrest

There are six legal grounds for processing of personal data:
(i) Consent, (ii) Performance of a contract, (iii) Compliance
with a legal obligation, (iv) Protection of vital intrests,
(v) Public interest of official authority and
(vi) Legitimate intrests.

There are six legal grounds for processing of personal data: (i) Consent, (ii) Performance of a contract, (iii) Compliance with a legal obligation, (iv) Protection of vital intrests, (v) Public interest of official authority and (vi) Legitimate intrests.

The most commonly used legal ground for the processing of personal data today is still the "consent" of the data subject.

According to a study of the CIPL (Centre for Information Policy Leadership) 90% of the controllers in general would still chose "consent" as the legal ground for the majority of their processing.

1. There are however a few elements that a company (the data controller) needs to pay attention to if he chooses to consider "consent" as a legal ground for its processing. 

Also the General Data Protection Regulation (GDPR) that will come into effect as of 2018 will complicate further use of the legal ground "consent": 

Even if the data subject has given his consent to the processing of his personal data, the company can only process the personal data that relate to the originally indicated purpose of the processing and these purposes must be explicitly explained to the data subject prior to the actual processing, and authorized by the data subject.

If the company relies on consent for processing, it needs to obtain for each new purpose of processing a new consent of the data subject, unless the company's later purpose of processing is compatible with the original purpose of processing.  The company should be able to demonstrate at all times that it has obtained a valid consent from the data subject.

Companies often ignore that. They consider that, once the data subject authorized the processing, that they can further process the data for other purposes without a new consent.  However for each processing activity, that is not compatible with the originally described purposes, consent should be obtained and the company must be able to demonstrate that it has obtained consent.

Consent has to be freely given, specific, informed and unambigiously.

The new GDPR sharpens the conditions that need to be met to have a valid consent: Consent should be freely given, specific, informed and unambigously.

The GDPR indicates that the consent must be "freely given".
This means that the service that the company offers for example is not conditional on consent. There may not be a clear imbalance of power between the data subject and the controller (for example, employee and employer relationship), and the consent must be as easy to withdraw as it was given. 

The consent must be "specific" for all purposes.
The consent must be "informed", which means that the data subject must be informed in clear and plain language of the purposes of the processing as well as of any compatible purposes for which his data may be processed.

The consent must be "unambigiuous", which means absolutely clear (affirmative action, opt-in, no pre-ticked box or silence). 

2.    Legitimate intrest as legal ground

Taken into account the strict requirements of "consent" in the GDPR, but also because companies most of the time have a genuine legitimate intrest in the processing of the data, the legal ground of "legitimate intrest" will become more important.

The law recognizes that a company or any third party to whom the data are discolosed, may have legitimate reasons for processing and its processing could therefore be legitimate when the processing is necessary to meet a controller or a third party's legitimate interests; the interests will be balanced against the individual's intrests (those interests of the company may not be overridden by the interests or fundamental rights of the individuals whose data are being processed). 

3.    Conclusion

However "consent" of the individual is still needed when a company wishes to process the data of an individual for direct marketing purposes, or when a controller wishes to process the data for purposes that go beyond the reasonable expectations of a data subject.

Consent and legitimate intrestes are only two of the six legal grounds of processing of personal data.  The legal grounds (i) Performance of a contract, (ii) Compliance with a legal obligation, (iii) Protection of vital intrests and (iv) the Public interest of official authority must be used when appropriate from the controller's or from the data subject's perspective.

19 December 2016

Griet Verfaillie - griet.verfaillie@peeters-law.be

Learn more about this topic: subscribe to our newsletter!

E-mail *