7. Description of Lawful Basis for Processing
For each processing operation, you will have to define which lawful basis for processing is the most appropriate. For many research operations, like interviews and survey activities, consent would be the appropriate lawful basis. For other processing, like observations of public spaces, collecting data subjects contact information, data scrapping from public sources or acquiring contact details using snowballing techniques, you may rely on legitimate interest (GDPR art 6(1)(f)) or public interest (GDPR art 6(1)(e)). It is also possible to further use data collected for other purposes, if that further data reuse is for scientific research purposes (GDPR art 5(1)(b)).
In order to secure legitimate consent, the planned process should ensure that data subject’s consent is:
- Freely given. Data subjects must be presented with an actual choice and not coerced with negative consequences. To be truly freely given, data subjects must have real choice, should not feel compelled to give consent and should endure no negative consequences if they do not give (or withdraw) their consent. In general, any element of inappropriate pressure or influence upon data subjects (which may be manifested in different ways) which may prevent them from exercising their free will, shall render their consent invalid.
- Specific: The requirement that consent be ‘specific’ aims to ensure a degree of user control and transparency for the data subject. Consent thus should only be given to specific actions, instead of a broad consent to the use of data.
- Informed: Data subjects must understand the full scope of data collection and its use before making the decision to consent. It should be made clear that consent is being requested, and for what specific purposes. Information about the process must be given before asking data subjects for their consent, and you should try to find the best way to provide information to data subjects that would ensure they become properly informed.
- Unambiguous and an affirmative action: The GDPR is clear that consent requires a statement from the data subjects or a clear affirmative act, which means that it must always be given through an active motion or declaration. It must be obvious that the data subjects has consented to be part of the specific process. While most surveys are nowadays taking place online, where consent can directly be recorded electronically, it can also be orally given if the survey is taking place in person. Data subject’s signatures are very rarely needed – or even appropriate – to record data subjects’ consent. A checkbox (or even a signed statement from the researcher collecting the consent) is in most cases enough to record their consent.
- Can be revoked: Consent should be as easy to withdraw as to give. In most cases, this is achieved by including the contact information of the person responsible for the survey, which will be used by data subjects who would like to inform them of their request of consent withdrawal.
You can read more about assessing legitimate consent here.
In order to ensure legitimate interest is properly used, you need to perform a three-step test. When required in the steps below, you can refer to information already provided elsewhere in this privacy scan, like data minimisation measures, description of processed personal data and the preliminary risk assessment, to avoid duplication of efforts.
Step 1: A legitimate interest is identified (purpose test). The legitimate interests can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits (see the list below). The pursued interest must be lawful, clear and real. This means that: (1) it is not contrary to EU or Member State law, (2) it is clearly and precisely articulated and (3) it is real and present, and not speculative nor hypothetical. Possible examples of legitimate interest may include:
- process personal data for marketing purposes
- the scientific, historical or statistical research interest of the controller or a third party
- have a safe and healthy life or protect property in a threatening situation
- protect the private sphere of individuals
- prevent infringements of a personality or property right;
- litigate and/or institute, exercise or substantiate a legal claim
- investigating and ending transgressive behavior in working relationships
- prevent fraud, scams or other unlawful conduct
- hold someone liable for damage
- inform existing customers about similar, proprietary products or services after a purchase
- properly secure and protect computer systems
- fulfil duties of care for employees and/or customers
- meet all (care) obligations that you have on the basis of, for example, the Dutch Civil Code
- behave in accordance with what is customary in society according to unwritten law
Step 2: The necessity of the processing is identified (necessity test). The processing must be necessary and proportionate to achieve your legitimate interest.
- To assess if the processing is necessary, you should consider if there is another way of achieving your legitimate interest. If (1) there is no other way, or if (2) the alternative would require a disproportionate effort, then the processing can be regarded as necessary.
- To assess if the processing is proportionate, you should consider the interference that the process will bring to their fundamental rights to privacy and data protection. To assess this interference, you need to consider the (1) scope (How many persons would be affected?), the (2) extent (What type of data would be processed? For how long?) the (3) intrusiveness (Is data of a sensitive nature, of children or vulnerable people being processed? Is surveillance involved? Would the process allow precise conclusions to be drawn about private lives of individuals? Would data subjects have a reasonably expectation on the processing, or would they be suprised by it? Is profiling or automated decision-making involved?) of the interference, and if applicable, the (4) control that data subjects have on the processing (is it possible for data subjects to opt-in or opt-out?). The lower the interference on the privacy of data subjects, the more likely the processing is proportionate.
You can refer to steps 1, 3 and 4 of the privacy scan in your explanation addressing the necessity of the process.
Step 3: The interests of the data subjects do not override the Controllers’ Legitimate Interest (balancing test). You must balance your interests against the interests of the individuals. Individual’s interests are likely to override your legitimate interests if they would not reasonably expect the processing to take place (unpleasant surprise), or if it would cause unjustified interference to their rights and freedoms. When making this balancing test, you should consider the nature of the interests, the impact of processing on individuals, and any safeguards which are or could be put in place to reduce this impact:
- Assessing the nature of the interests: Do individuals have a reasonable expectation that the processing will take place? Are you planning on processing special categories of personal data, or personal data of children? Does the processing add value or convenience, for you and/or for the individual? If there may be harm because of the processing, is it unwarranted?
- Assessing the impact of processing: What are the positive or negative impacts on your project, the individual, any third party or to the general society, if the processing takes place? What would be the impacts if the processing does not take place? What would be the likelihood and severity of that impact? Is it justified? Can the status of the individual (employee, student, etc) lead to a potential power imbalance? Does the processing involve profiling or data mining, publication or disclosure of personal data to a large number of people? Is the processing a large scale? You can also refer to the preliminary risk assessment that you will conduct in point 11.
- Assessing the safeguards: What measures are or could be in place to protect the individual, or to reduce any risks or potentially negative impacts of processing? As with the previous point, you can refer to the measures/safeguards that you will identify when conducting the preliminary risk assessment in point 11 below.
Implemented safeguards are key in ensuring the balancing test is in favour of your interests. In particular, when the pursued interest is hard to balance against a processing with a large impact (like personalised marketing and consumer profiling), implementing effective safeguard like ensuring data subjects are properly informed and can easily use their right to object to the process (i.e., by having an easy opt-out mechanism) may bring back the balancing test in favour of your interests.
Keep in mind that when processing personal data relating to children, or processing special categories of Personal Data, special care should be taken with the balancing test, as this may give additional weight to the rights of the individual.
We will limit our discussion below to the use of public interest (Art. 6(1)(e), also known as public task) that is based on the public interest vested in Utrecht University as the controller, as laid down in the Higher Education and Scientific Research Act (The “Education Act”- Wet op het hoger onderwijs en wetenschappelijk onderzoek), where the interest of Utrecht University in conducting scientific research has been officially recognized.
The education Act does not contain specific provisions (per Art. 6(3)) to adapt the application of rules of the GDPR: It does not specify the general conditions of the processing; the types of data which are subject to the processing; the data subjects concerned; the purpose limitation; storage periods; etc.
Therefore, in order to properly use this lawful basis, we need to demonstrate that the processing is respecting the application of rules of the GDPR by assessing the processing necessity and proportionality, and by ensuring that the data subject’s interests do not override the controller’s interest in conducting the specific processing.
Necessity and proportionality of the processing
- To assess if the processing is necessary, you should consider if there is another way of achieving your purpose. If there is no other way, or if the alternative would require a disproportionate effort, then the processing is necessary.
- To assess if the processing is proportionate, you should consider the interference that the process will bring to their fundamental rights to privacy and data protection. To assess this interference, you need to consider the scope (how many persons would be affected?), the extent (what type of data would be processed? for how long?), the intrusiveness (is data of a sensitive nature, of children or vulnerable people being processed? is surveillance involved? Would the process allow precise conclusions to be drawn about private lives of individuals? Would data subjects have a reasonably expectation on the processing, or would they be suprised by it? Is profiling or automated decision making involved?) of the interference, and if applicable, the (4) control that data subjects have on the processing (is it possible for data subjects to opt-in or opt-out?). The lower the interference on the privacy of data subjects, the more likely the processing is proportionate.
You can also refer to previous steps of the privacy scan in your discussion to justify the necessity of the process
The interests of the data subjects do not override the controllers’ interest
The interests of data subjects are likely to override your interests if they would not reasonably expect the processing to take place (unpleasant surprise), or if it would cause unjustified interference to their rights and freedoms. To make this assessment, you should consider the nature of the interests, the impact of processing on individuals, and any safeguards which are or could be put in place to reduce this impact.
- Assessing the nature of the interests: Do individuals have a reasonable expectation that the processing will take place? Are you planning on processing special categories of personal data, or personal data of children? Does the processing add value or convenience, for you and/or for the individual? If there may be harm because of the processing, is it unwarranted?
- Assessing the impact of processing: What are the positive or negative impacts on your project, the individual, any third party or to the general society, if the processing takes place? What would be the impacts if the processing does not take place? What would be the likelihood and severity of that impact? Is it justified? Can the status of the individual (employee, student, etc) lead to a potential power imbalance? Does the processing involve profiling or data mining, publication or disclosure of personal data to a large number of people? Is the processing a large scale? In this discussion, you can also refer to the preliminary risk assessment conducted in step 11.
- Assessing the safeguards: What measures are or could be in place to protect the individual, or to reduce any risks or potentially negative impacts of processing? As with the previous point, you can refer to the measures/safeguards that you will identify when conducting the preliminary risk assessment in step 11 below.
If you are processing personal data relating to children, or special categories of Personal Data, special care should be taken with the balancing test, as this may give additional weight to the rights of the individual.
Previous: Description of How Data Subjects Can Exercise Their Data Subject Rights | Next: Description of Measures to Ensure Compliance By Processors and/or Joint Controllers
- Description of the Project’s Purpose
- Description of Data Subjects
- Description of the Categories and Purposes of Personal Data
- Description of the Processing of Personal Data
- Description of Information Provided to Data Subjects
- Description of How Data Subjects Can Exercise Their Data Subject Rights
- Description of Lawful Basis for Processing
- Description of Measures to Ensure Compliance By Processors and/or Joint Controllers
- Description of Planned Transfers of Personal Data to Other Countries Outside the EU
- Obtaining, Consulting, and Dealing with Data Subjects’ Views of the Processing
- Preliminary Risk Assessment