As is the case under the Data Protection Act (DPA), the processing of personal data must fall within one of six specified conditions. The differences in the commonly used consent and legitimate purpose conditions under the GDPR are shown below.
| Condition | DPA | GDPR |
|---|---|---|
| Consent | The data subject has given his consent to […] | The individual has given consent to the […] |
| Legitimate Purpose | The processing is necessary for the purposes of legitimate interests pursued […] disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject | Processing is necessary for the purposes of the legitimate interests pursued by the controller […] fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks |
Meaning of consent

The concept of consent in the GDPR is stricter than in the DPA, setting out more onerous requirements in relation to both the content of consent and the way in which it should be obtained.

Where processing is based on consent, companies must be able to demonstrate that consent was given by the individual to the processing of the personal data. The GDPR defines consent as:

The Article 29 Working Party's (A29WP) previous guidance on consent under the Data Protection Directive (Directive) supports this interpretation. In that guidance, the A29WP considers whether a social network service could require users to consent to certain processing as a condition to providing the service. The A29WP concluded that users should be put in a position to give free and specific consent to any processing which goes beyond what is necessary to deliver the service.
Processing of personal data: consent and legitimate interests under the GDPR 2
There should, therefore, be a specific choice as to which purpose the individual consents to, rather than there being an all-inclusive consent to data processing for multiple purposes.

[…] consent requirements, but communicating this to individuals in a way they can understand may not be a straightforward task.
Consent must be unambiguous
The following table illustrates whether the consent in various scenarios would meet the requirements of unambiguous and/or explicit consent.

| Scenario | Does the consent meet the unambiguous / explicit consent requirements? |
|---|---|
| At an event sign-in, participants are informed that the organisers would like to use their registration details for specified types of profiling and are asked (verbally) whether they consent to such processing | Yes, consent may be given verbally. However, the organisers may wish to consider how the consent can be documented with greater certainty, particularly in light of the GDPR's accountability requirements |
| Employees are informed that photographs will be taken in a section of the building during a particular time and that such photos will be included on the company's intranet. Employees, having been so informed, decide to go to the area in which photographs are being taken | Unambiguous: Yes, consent may be inferred from employees' actions in going to the areas of the building in which photographs are being taken during the relevant times. Explicit: No, whilst consent may be inferred from the employees' actions, it cannot be said to be explicit |
| A social media website requires users to provide certain personal data in order to participate on the site. The site contains a notice, accessible in the privacy section, indicating that, by using the site, users are consenting to their data being processed by third parties to deliver them marketing information | No, the GDPR is clear that inactivity cannot constitute consent. This is consistent with the "no doubt" analysis: ongoing use of the site may indicate consent to the processing, but may also mean users have not read the notice. As there is doubt as to users' intentions, ongoing use of the site cannot constitute unambiguous or explicit consent |
| An online retailer offers the opportunity to opt-out of certain processing by unticking a pre-ticked box during the order process | No, as is the case under ICO guidance, the GDPR is clear that consent cannot be obtained through pre-ticked boxes |
Right to withdraw consent

The GDPR formalises the accepted position under the DPA that individuals have the right to withdraw their consent to processing. The GDPR makes it clear that withdrawal may occur at any time and individuals should be made aware of this right before giving consent. Companies will also need to ensure that it is as easy to withdraw as to give consent. In practice, companies will likely need to allow individuals to withdraw their consent through the same medium as it was obtained and make the withdrawal process clear from the outset. It is worth highlighting that the right of withdrawal is considered a necessary aspect of consent: if the withdrawal right does not meet the GDPR's requirements, then consent will not have been validly obtained.

Children and consent

The DPA does not expressly address the privacy of children, although non-binding guidance from various organisations sets out standards for the collection of data from children in some circumstances. For example, the Home Office Task Force for Child Protection has suggested that social networking services should put in place procedures to ensure children under the age of 13 are not able to access services, and the Information Commissioner suggests that parental consent would normally be required before collecting personal data from children under 12.

Under the GDPR, the processing of personal data of a child below the age of 16 in relation to the offering of digital services will only be lawful where consent has been given by the person holding parental responsibility. Companies are to make reasonable efforts to verify such parental consent, making use of available technology. The GDPR does allow Member States to lower the age limit (provided it is 13 or more) at which parental consent is required. However, to the extent that this leads to a less harmonised approach, this may present challenges for companies as website/app operators may need to implement additional jurisdiction-specific procedures to account for variable age limits.

Outside the context of digital services, the GDPR requires that particular attention must be paid to the clarity and accessibility of information provided to children in relation to the processing of their data. It also anticipates that sector-specific codes of conduct will continue to be relevant in protecting the interests of children.

The Legitimate Interests Condition

To the relief of many companies, the changes to the legitimate interests condition are less significant than those introduced for the consent condition. As is the case under the current regime, the legitimate interests of the company or a third party may be outweighed by the individual's fundamental rights and freedoms. The GDPR adds that this is particularly the case in respect of a child and companies should, therefore, ensure that this balance has been considered and documented when relying on the condition for processing data relating to children.

However, as highlighted in the comparison above, the wording of the GDPR does not exactly track the form of the condition set out in the DPA. In general, a company's assessment of the balance between their legitimate interests and the interests of the individual will not change under the GDPR, but companies will need to carefully consider how that assessment is documented and ensure it reflects the reformulation. In particular, under the DPA a company could rely on their legitimate interests taking precedence except where the processing would be unwarranted by reasons of prejudice to the individual's rights, freedoms or legitimate interests. In contrast, under the GDPR (as is currently the position under the Directive), a company must consider all interests of the individual (and not just legitimate interests) without reference to an unwarranted prejudice threshold.

In its guidance on the legitimate interest condition, the A29WP makes it clear that the reference to individuals' interests, rather than legitimate interests, implies a wider scope to the protection of individuals' interests and rights. Even individuals engaged in illegal activities should not be subject to disproportionate interference with their rights. However, this does not mean that an individual's questionable, illicit interests should prevail over those of the company. Instead, the purpose of the balancing is to prevent disproportionate impact on the individual: where a company has important and compelling interests they may justify even a significant intrusion or other impact on the individual. As the GDPR mirrors the formulation in the Directive, this guidance will also be relevant in interpreting the GDPR.

Unlike the DPA, the GDPR also requires companies to consider the reasonable expectations of the individual, based on their relationship with the company when making their assessment of interests. In general, the more specific and restrictive the context of collection, the more limited an individual's reasonable expectations will likely be. Companies should, therefore, ensure this consideration is documented as part of the balancing assessment, discussed further below.

When will a company be able to rely on the legitimate interests condition?

As a preliminary matter, it should be remembered that, like all of the conditions with the exception of consent, the legitimate interests condition is necessity-based. That is, the condition may be relied upon only to the extent that the processing is necessary for the purpose of the company's legitimate interests. Therefore, before relying on the condition, companies should consider whether a less invasive form of processing would be available to achieve the same ends.

The GDPR and the previous A29WP guidance are clear that the assessment of whether the legitimate interests condition can be relied upon must be carried out on a case-by-case basis. However, by way of illustration, the table below sets out a number of examples of how the assessment might be made in practice.
| Proposed processing | Legitimate interest? | Balance assessment |
|---|---|---|
| Intra-group transfer of employee/client data for administrative purposes (within the EEA) | Yes. The GDPR acknowledges that companies may have a legitimate interest in processing data in this way | Interests of the company likely to prevail as: (i) reasonable to assume employees/clients would expect their data to be processed by the group, rather than a particular entity; and (ii) company's interests appear compelling with there being little impact on the individual |
| Market research: transferring customer data to a third party data-mining specialist processor | Likely. The GDPR acknowledges that companies may have a legitimate interest in market research activities. However, the company's interest will not be legitimate if: (i) it is not clear enough to apply the balance assessment; or (ii) it is only speculative | If the company's interests cannot be described as legitimate, this condition may not be relied upon, even if the individual has no competing interests. The company will need to consider whether in its particular circumstances customers would expect that transfer and processing and whether that processing is likely to have a disproportionate impact |
| Direct marketing: promoting special offers to an existing customer via post | Yes. The GDPR acknowledges that companies may have a legitimate interest in direct marketing activities | Interests of the company likely to prevail as: (i) reasonable to assume customers would expect a business to attempt to promote its products using basic details (subject to the customer not having indicated they do not wish to receive marketing materials); and (ii) whilst the company's interests are not particularly compelling, there is relatively little intrusion into customers' privacy or other disproportionate impact. A company could strengthen this assessment by ensuring customers are given clear means to opt-out of any such marketing |
Safeguards and the right to object

In its discussion of the balancing assessment, the previous A29WP guidance noted that in some circumstances it may be possible to tip the balance in favour of the company through the use of enhanced safeguards in relation to the proposed processing. These could include increased transparency, a general and unconditional right to opt-out of the processing and the use of technical and organisational measures to strictly limit the scope of processing. It is likely that these factors will continue to be relevant under the GDPR, though, as noted above, behaviour which was previously best practice is often now formally required. For example, under the GDPR, individuals have the right to object to any processing undertaken pursuant to the legitimate interests condition at any time. Once an objection has been made, the company must be able to demonstrate compelling legitimate grounds for the processing that override the interests, rights and freedoms of the individual.
Legitimate Interests: ICO guidance example

The ICO previously illustrated the balancing of interests by giving the example of a customer who has stopped making payments under a hire-purchase agreement. The customer has moved house without notifying the finance company and the ICO considers whether the company's legitimate interests in recovering the debt enable it to disclose the customer's personal data to a debt collection agency, notwithstanding that the customer has not consented to the processing and that the customer may prefer to avoid paying the debt.

The ICO's conclusion is that whilst the customer's interests may differ from those of the finance company, passing the customer's details to the debt collection agency could not be called unwarranted. Under the GDPR, it seems likely that the conclusion in this example would be the same. However, the controller's analysis will now need to make clear that:

- in its view, the customer reasonably expected that their details might be used for the purpose of debt collection; and
- the customer's interests are not dismissed for being illegitimate, but are not compelling enough when balanced against the controller's important interests in recovering its debts to tip the balance in their favour.

Transparency

The general transparency principle requires that any information and communication relating to the processing of data (particularly the information relating to the identity of the company which is the data controller and the purposes of the processing) should be easily accessible and easy to understand. The GDPR then sets out more extensive, specific obligations around the type of information to be provided to individuals and the time at which it is provided. In the context of processing grounds, the GDPR provides that:

[At the time when personal data are obtained, controllers shall inform the data subject of:]

- the purposes of the processing for which the personal data are intended, as well as the legal basis for processing;
- where the processing is based on [the legitimate interests condition], the legitimate interests pursued by the controller or by a third party;

The requirement to inform individuals of the legal basis for the processing (and the legitimate interests pursued, if applicable) is new to the GDPR and may prove challenging for companies to comply with.

Whilst most companies will have a sound legal basis for their processing activities, the extent to which this is documented may be more limited. Moreover, as acknowledged in A29WP guidance, the choice of the most appropriate processing ground is not always obvious and in some transactions a number of legal grounds could apply. As a result, companies may have been tempted, in the past, to seek blanket consent to ensure the processing is covered. Going forward, this should not even be considered an option and companies will need to spend some time assessing which grounds they are relying on.

Clearly, providing this information at the time of data collection will also prevent companies from later relying on a ground if it was not described at the time. This may be particularly relevant when companies may seek at a later date to rely on the legitimate interest condition for further processing: under the GDPR, a legitimate interest will not justify processing unless it has been described to the individual, either at the time or in a notice provided before processing in reliance on the interest commences.
Demonstrating compliance

In addition to the six processing principles, companies will, as a general matter, also be required to demonstrate how they have complied with those principles (the accountability principle). The GDPR provides limited direction on how a company should demonstrate compliance and we expect further guidance to be issued by the European Data Protection Board. However, as a starting point, the GDPR does indicate that compliance may be demonstrated by the adoption of internal policies and measures which promote data protection by design and data protection by default, together with adherence to any approved codes of conduct and maintaining records of processing activities.

Conclusion

Some of the changes introduced by the GDPR to the consent and legitimate interests conditions merely reflect current best practice under ICO and A29WP guidance, whilst others are more significant changes. Whether or not best practice is currently followed, companies should consider reviewing the basis on which they process data to ensure that their position is future proofed. This could involve, for example, ensuring that the form of consent obtained from individuals today will continue to be valid under the GDPR to allow processing to continue after the implementation date.

Perhaps more significantly, the GDPR's requirement that individuals be informed of the legal basis for processing will mean that companies will need to have a clear analysis of what basis is being used in different circumstances. Privacy and information notices will likely need to be amended accordingly to ensure this information is appropriately conveyed, and it may make sense to combine this process with a review to ensure notices are sufficiently clear and easy to understand, being another focus of the GDPR. Engaging with the process early should help companies with compliance with a number of the broader aims of the GDPR, such as demonstrative accountability and achieving data protection by design.
September 2016
OSM0008747_v05