Introduction
Generally, for personal data to be processed lawfully, one may presume that “lawfulness” means that controllers and processors cannot do anything with personal data that is unlawful in a very general sense. Hence, adhering to statutory and common law obligations, whether criminal or civil, would make processing lawful. And invariably, if processing involves committing a criminal offense, it will obviously be unlawful. Consequently, processing would be unlawful if it results in: a breach of applicable privacy laws; an infringement of copyright law; a breach of an enforceable contractual agreement; a breach of industry-specific legislation or regulations; etc.
While the above is true, there is more to what the lawful processing principle under data protection law entails.
Art. 5(1)(a) of the GDPR and S. 2.1(1)(a) of the NDPR provide the lawfulness requirement as one of the principles of processing personal data. However, for the processing of personal data to adhere to this principle, specific grounds on which data may be processed lawfully must be stipulated. They are referred to as “lawful bases for processing”. There are six lawful bases for processing personal data, which will be discussed briefly.
Consent
The consent of the data subject. Based on its definition, there are 4 conditions necessary for valid consent; they are:
- The consent must be specifically given in furtherance of a particular purpose. In the famous ‘Planet 49’ case, the controllers set up their lottery website, and participation in the lottery was possible only if at least the first checkbox was ticked. The court found that, for the purposes of the e-Privacy Directive, consent is “not validly constituted if the storage of information, or access to information already stored in a website user’s terminal equipment, is permitted by way of a checkbox pre-ticked by the service provider which the user must deselect to refuse his or her consent.” The indication of the data subject’s wishes must be ‘specific’ in the sense that “it must relate specifically to the processing of the data in question and cannot be inferred from an indication of the data subject’s wishes for other purposes.” In other words, presuming the data subject’s consent and ticking the checkbox beforehand, while allowing data subjects to withdraw consent by unticking the box, fails this requirement.
- The consent must be freely given by the data subject, and he must be free to withdraw the consent as well. There must be no adverse effect for not granting consent or for seeking to withdraw it. For instance, where an employer requires the personal information of employees for the purpose of giving clients more information about its company through its website, employees granting ‘consent’ for their personal data to be uploaded on the company’s website cannot be seen as giving valid consent if the employees consented in order to keep their jobs.
- The data subject must have been appropriately informed about the scope of the consent he is giving and the means of withdrawing it, and
- The consent must be unambiguous. The consent sought must be expressed clearly, and it must be clear to the data subject what he is consenting to.
Contractual Obligation
Processing of the personal data must be necessary for the fulfillment of a contractual obligation to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract. If you read our posts last week, you know that we talked about how necessity is important when using any of these legal bases. It needs to be emphasized that the processing must be necessary. In other words, if the processing of personal data is required by a contract or agreement to which the data subject is a party, then the processing of that information will be lawful, and consent will not be needed. An example is when you order a product online, and the vendor needs to process your address to deliver it to you.
Legal Obligation
The processing is necessary for compliance with a legal obligation to which the controller is subject. For a data controller to process data under this condition, the processing must be necessary for the fulfillment of a legal obligation, and that obligation must be identifiable. Hence, where a law imposes an obligation to do an act that would ordinarily require the processing of personal data about individuals, the processing will be lawful.
Vital Interest
The processing is necessary in order to protect the vital interests of the data subject or of another natural person. This condition is usually relied on where no other condition will suffice, that is, in life-and-death situations: the data subject is in no position to give consent, and there is neither a contractual obligation, a legal duty nor a public interest task to rely on. A fine example is a situation where a person is unconscious, having been involved in an accident, and may likely die if he is not operated on. The medical practitioner can process his medical history for the purpose of saving his life. However, this condition will not apply if there is a less intrusive way to save the life of the data subject without processing his personal data.
Public Interest
The processing is necessary for the performance of a task carried out in the public interest or in the exercise of an official public mandate vested in the controller. There are two categories: first, private organizations carrying out a duty in the interest of the public; second, public officers exercising the powers vested in them by law in the interest of the public. Under the first category, we have NGOs and other organizations that advance the public interest. Under the second category, we have public officers performing their public duties, e.g., police officers.
Legitimate Interest
It is important to note that this lawful basis does not exist under the NDPR. According to the GDPR in Art. 6(1)(f), a controller can rely on this basis where the processing is necessary for the purpose of the legitimate interest pursued by the controller, or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require protection. Legitimate interest is more flexible and, unlike the other conditions for processing, it could apply to a broad range of circumstances. Therefore, there is an onus on the data controller to balance its legitimate interests against the interests of the data subject, taking into account each circumstance. Examples of legitimate interest commonly relied on include debt collection, employee monitoring for management and safety purposes, enforcement of legal claims, prevention of fraud, etc.
For legitimate interest to avail a controller, there is a three-part test that must be considered; the parts are:
- Purpose test – Is there a legitimate interest behind the processing?
- Necessity test – Is the processing necessary for that purpose?
- Balancing test – Is the legitimate interest overridden by the data subject’s interests, rights, or freedoms?
Conclusion
The lawful bases discussed above are the possible grounds on which personal data can be processed. For processing to be lawful, any one of these bases will suffice. Hence, where a controller can conveniently process personal data using the contractual obligation lawful basis, seeking consent will be unnecessary. In fact, seeking consent may be unwise. On this note, it is important to have a data protection officer who will ascertain the proper lawful basis for processing for your business/organization and tailor your privacy notice to succinctly capture it, rather than simply listing every lawful basis available under the law in your notices. At DPO Placement, we have a pool of professionals that can carry out your data protection needs expertly.