Summary: A processing activity needs to rely on in one of the 6 GDPR-defined legal basis. The goal here is to describe which legal basis applies to each of the processing activities described in step 1, including the reasons why and how the specific legal basis has been properly and legitimately applied. The appropriate legal basis to apply to each activity depends on the purpose.

Each processing activity described in step 1 (surveys, interviews, etc.) requires having a legal basis. The GDPR has codified the reasons behind the use of personal data with the concept of legal (or lawful) basis. In other words, for a processing to be considered as necessary, it needs to rely on (at least) one of these ‘reasons’ – the legal basis.

There are only six of those legal bases in the GDPR: Contract, when the processing is necessary to fulfil a contract or provide a service. Legal obligation, when the processing is mandated by law (like salary reports to the tax office). Vital interest, when the processing is necessary to protect someone’s life. Public task/interest, when the processing has a ‘public interest’ or is based on the exercise of an official authority. Legitimate interest, where the processing is based on the interest of the controller (or another third party), which is balanced against the interest of (and potential impact on) data subjects. Lastly, Consent, when the data subject has freely given their permission. Follow this link for more information on which legal bases to apply for different processing activities.

The guidance below explains how to describe in Step 7 of the Privacy Scan the application of the legal basis of Consent, Public and Legitimate Interest, and Contract. For the proper use of Legal obligation and Vital interest, please contact the Geo Privacy Officer.

Consent

Consent as a legal basis reaffirms the right of data subjects to exercise their informational self-determination. Consent is appropriate when the processing activity is truly free and optional: when data subjects are truly free to accept or refuse participation, with no real or perceived consequences if they refuse. The requirements for the use of consent are discussed here in more detail. In particular, consent requires no (real or perceived) imbalance of power between controllers and data subjects – Consent is likely not suitable for processing where both data subjects and controllers are both members of the same organization, for example, if both are UU employees and/or students.

In step 7, when consent is used for a processing activity, use the template below in Step 7 to document that it is properly applied.

The lawful basis for processing [list here the relevant processing activity] is Consent. To ensure consent is legitimately obtained, we have ensured that it is:

• Freely given: As stated in step 2, there is no potential imbalance of power, nor inappropriate pressure or influence upon data subjects.

[Depending on the specifics of the processing activity, especially if there is some ambiguity or doubt, additional arguments may need to be provided here to properly demonstrate that consent is truly free. For example, by listing the organizational or technical measures that ensures consent is truly free. If these measures have been already described elsewhere in the privacy scan, then reference them by adding “as described in step x of this privacy scan” in this text]

• Specific: As shown in step 5, specific consent is requested for [purpose 1], for [purpose 2], and for [purpose 3].

[When a project may involve more than one processing operations with different purposes, data subject must be allowed to independently agree or refuse each one of them. For example, “Specific consent is requested for participating in the interview, and to allow the interview to be audio recorded”]

• Informed: As described in step 5, data subjects have been properly informed.

[As the description on how data subjects are informed has already been discussed in step 5, it is not necessary to repeat that here]

• Unambiguous and an affirmative action: As described in step 5, consent is collected and documented by [describe how consent is obtained]

[Signing a consent form is just one way to collect and demonstrate consent. Data subjects can give – and signal – their consent in other ways, like given their consent orally in person, or by checking a box in a survey. If this has not been fully discussed in step 5, then describe here how consent is specifically asked/collected, and how it is recorded. For example, “consent is orally collected by the researcher at the start of the interview, and recorded in the researcher’s research log book, using the consent template (link)”]

• Can be revoked: As described in step 5 and 6, data subjects can readily contact the project controllers to withdraw their consent.

[Adapt this sentence in case consent is revoked differently, as described in step 6.]

Public interest / public task

Public interest can be an appropriate legal basis for scientific research processing activities where it is not practical or feasible to directly and individually collect consent from data subjects – for example, when performing observations. It is also appropriate for other research and education-related activities like interviews and surveys, where a potential imbalance of power precludes the use of consent as a legal basis. The requirements for the proper application of Public interest as a legal basis are discussed here in more detail.

When public interest is used for a processing activity in step 7, use the template below to document that it is properly applied.

The lawful basis for processing [list here the relevant processing activity] is Public Interest. To ensure it is legitimately applied, we have ensured that:

• A legitimate public interest is identified: As stated in step 1, the processing activity has a clear scientific research interest.

[Depending on the specifics of the processing activity, there may be more than one interest – for example, an educational and scientific research. As it is expected that the interests are already explained in Step 1, it is not necessary to repeat those explanations here – unless there is something else that needs to be stated, that has not been discussed in step 1]

• The processing is necessary and proportional:

Necessary: As described in steps 1 to 4, the processing is considered necessary, as there are no other practical ways of achieving the stated purpose(s). [add additional explanation here as needed]

[To assess if the processing is necessary, it is necessary to consider if there is another way of achieving your purpose. Therefore, explain here why there is no other way, or there is no alternative that does not require a disproportionate effort. The thoroughness of these explanations depends on the scale and nature of the processing – more controversial or unexpected processing require more thorough explanations]

Proportional: As described in step 2 and 3, the scope, extent and intrusiveness of the interference on data subjects is kept to a minimum. [add additional explanation here as needed]

[To assess if the processing is proportionate, it is necessary to consider the interference that the processing of their data inflicts on data subjects – The lower the interference/disruption on the data or on the privacy of data subjects, the more likely the processing is proportionate. Scope relates to the size of the affected group – the number of affected people should be proportional to the purpose of the activity. Likewise, extent relates to the amount, nature and retention periods of the data involved. Intrusiveness relates to the level of disruption into data subject’s personal, familiar or professional spheres – How sensitive the processing is for data subjects, would they be surprised from it, or would the processing be considered unexpected or out of the ordinary? In particular, describe any control measures that ensures data subjects have or retain some level of control on the processing – for example, if participation is voluntary, if they can opt-in or opt-out, or if they are able to influence or change the way their data is processed]

• The balancing is positive: Considering the nature of the interests involved: [list, describe and compare both the controller’s and data subject’s interests in the processing – positive and negative]. And considering the risks (impact and safeguards) on data subjects derived from the processing: [describe the risks involved, referring to step 11 and 4 as necessary] and implemented safeguards [describe and/or refer to safeguards described in other steps like 4 or 11]. It is reasonably to expect that the interests of the data subjects do not override the controllers’ interest.

[This balancing step is another proportionality assessment. Whereas the first assessment looked into the intrusiveness of the processing, this assessment is focused on the interests and risks involved]

Legitimate interest

Legitimate interest can be an appropriate legal basis for processing activities where the “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party”. While the public interest is mostly limited to research and education related interests, a wide range of interests are capable of being regarded as legitimate – event promotion, security and fraud prevention, marketing, product improvement, etc. The requirements for the proper application of Legitimate interest as a legal basis are discussed here in more detail.

The template to use when Legitimate interest is used for a processing activity in step 7, is the same one used for Public interest, as the assessment to determine necessity and proportionality is the same in both cases – except that instead of describing the scientific or educational interest, the pursued ‘legitimate’ interest (security, marketing, etc.) is described instead, and the term ‘public’ is removed from the template:

The lawful basis for processing [list here the relevant processing activity] is Legitimate Interest. To ensure it is properly applied, we have ensured that:

• A legitimate interest is identified: As stated in step 1, the processing activity has a [state and describe the interest here].

[As with Public interest, depending on the specifics of the processing activity, there may be more than one legitimate interest pursued. As it is expected that the interests are already explained in Step 1, it is not necessary to repeat those explanations here – unless there is something else that needs to be stated, that has not been discussed in step 1]

• The processing is necessary and proportional:

Necessary: As described in steps 1 to 4, the processing is considered necessary, as there are no other practical ways of achieving the stated purpose(s). [add additional explanation here as needed]

[This assessment is similar to the one for Public interest, so refer to those comments for guidance]

Proportional: As described in step 2 and 3, the scope, extent and intrusiveness of the interference on data subjects is kept to a minimum. [add additional explanation here as needed]

[Like above, this assessment is similar to the one for Public interest, so refer to those comments for guidance]

• The balancing is positive: Considering the nature of the interests involved: [list, describe and compare both the controller’s and data subject’s interests in the processing – positive and negative]. And considering the risks (impact and safeguards) on data subjects derived from the processing: [describe the risks involved, referring to step 11 and 4 as necessary] and implemented safeguards [describe and/or refer to safeguards described in other steps like 4 or 11]. It is reasonably to expect that the interests of the data subjects do not override the controllers’ interest.

[Likewise, this assessment is similar to the one for Public interest, so refer to those comments for guidance]

Contract

Contract is appropriate only when the processing activity is objectively and strictly necessary to provide a service, or for the performance of a contract. For example, collecting name and email is necessary to register people for an event – the event is the service provided, and processing the contact information of the person wanting to attend the event is strictly necessary to ensure they are properly registered. The requirements for the proper application of Contract as a legal basis are discussed here in more detail.

In step 7, when contract is used for a processing activity, it is necessary to document that it is properly applied. For example, by stating in step 7 the following:

The lawful basis for processing [list here the relevant processing activity] is Contract. To ensure it is legitimately applied, we have ensured that:

• A purpose is clearly identified in the context of a contractual relationship: As stated in step 1, the purpose is [state and describe the interest here].

[The contract or service may involve more than one purpose. As it is expected that the purposes are already explained in Step 1, it is not necessary to fully repeat those explanations here – unless there is something else that needs to be stated, that has not been discussed in step 1.]

• The processing is objectively necessary for the performance of the contract: As stated in step [xx], processing [state personal data to be processed here] is objectively and strictly necessary to [list and describe the way personal data supports the achievement of the purpose of the contract or service provided], as there are no other realistic, less intrusive alternatives to achieve the purpose. [add additional explanations if necessary]

[To assess if the processing is necessary, it is necessary to consider if there is another way of achieving your purpose. Therefore, explain here why there is no other way, or there is no alternative that does not require a disproportionate effort. The thoroughness of these explanations depends on the scale and nature of the processing – more controversial or unexpected processing require more thorough explanations. Likewise, the necessity of the data may have been already explained in step 3 and 4, so refer to those explanations instead, as it is not necessary to fully repeat those explanations here]

Previous: Description of How Data Subjects Can Exercise Their Data Subject Rights | Next: Description of Measures to Ensure Compliance By Processors and/or Joint Controllers