Assumptions
In order to comply with one of the principles of data protection, the lawfulness of processing, a legal basis must be established before personal data are processed. Thus, you will only be able to process such data if one of the following conditions applies:
- Consent: you have the consent of the data subject. It must be valid: unequivocal, specific, informed and freely given.
- Contract: the processing is necessary to perform a contract to which the data subject is a party or to take pre-contractual measures at their request.
- Legal obligation of the data controller: the processing is necessary to fulfil a legal obligation of the data controller.
- Vital interests: the processing is necessary to protect the vital interests of the data subject or of another person.
- Public interest mission: the processing is necessary to fulfil a mission carried out in the public interest or in the exercise of public powers granted to the data controller.
- Legitimate interests of the data controller: the processing is necessary to satisfy the legitimate interests pursued by the data controller or a third party. This legal basis may be used as long as those interests are not overridden by the interests or fundamental rights and freedoms of the data subject that require the protection of personal data, in particular when the data subject is a minor. It should be noted that this legal basis cannot be applied to processing carried out by public authorities in the exercise of their functions.
What if they are special data categories?
If the processing affects special data categories, that is, specially protected data relating to health or sexual life, ideology, political opinions, etc., then in addition to a legal basis from those regulated in the GDPR, one of the following conditions must be met:
- Consent: the processing is carried out with the explicit consent of the data subject, except where EU or member state law does not permit this.
- Labour obligations or rights: processing is necessary to fulfil obligations or exercise rights in the workplace, if authorised by EU or member state law, or a collective agreement.
- Vital interests: the processing is necessary to protect the vital interests of the data subject or a third party, if the data subject does not have the capacity to provide their consent.
- Non-profit entities: the processing is carried out in the scope of the legitimate activities of a non-profit entity with a political, philosophical, religious or trade union purpose and refers to current or former members of the entity, or people who maintain regular contact with the entity in relation to its purposes.
- Data already published: the processing refers to data that the data subject has made manifestly public.
- Claims: the processing is necessary to formulate, exercise or defend claims or when the courts act in the exercise of their judicial function.
- Public interest: the processing is necessary for reasons of essential public interest, based on EU or member state law.
- Healthcare: the processing is necessary for the purposes of preventive and occupational medicine, medical diagnosis and the provision and management of health care, provided that the processing is carried out by health professionals subject to professional secrecy or another person subject to the duty of confidentiality.
- Public health: the processing is necessary for reasons of public interest in the field of public health, based on EU or member state law.
- Archival, scientific or historical research, or statistical purposes: the processing is necessary for archival purposes in the public interest, scientific or historical research or statistical purposes, based on EU or member state law.
It should be added that personal data relating to criminal convictions and offences, although not considered special data categories, can only be processed under the supervision of public authorities or when authorised by EU or member state law, which must establish adequate guarantees for the rights and freedoms of the data subject.
Remember that the GDPR has introduced new special data categories. Apart from the specially protected data already foreseen by the LOPD, which are now called “special data categories”, the Regulation includes two new ones:
- Genetic data: personal data relating to the inherited or acquired genetic characteristics of a natural person, which provide unique information about the physiology or health of that person, obtained in particular from the analysis of a biological sample.
- Biometric data: personal data obtained from a specific technical processing, relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of this person (facial images, dactyloscopic data, etc.).
Consent-based processing
When the legal basis of the processing is consent, the GDPR requires the data subject to give it by means of an unequivocal statement or a clear affirmative action. For the purposes of the Regulation, pre-ticked boxes, tacit consent or inaction do not constitute valid consent.
- What happens to processing that is carried out on the basis of consent by omission?
These forms of consent are not compatible with the GDPR, as they are based on the inaction of the data subject. The GDPR also indicates that processing based on consent obtained before the application of the Regulation will continue to be legitimate, as long as that consent was given in the manner provided for by the GDPR itself, that is to say through a statement or a clear affirmative action.
- In what situations does consent need to be explicit?
The GDPR foresees certain situations in which consent must be explicit. This additional guarantee affects the following cases:
- Processing of special data categories
- Adoption of automated decisions
- International transfers
Although unequivocal consent, as defined by the GDPR, and explicit consent may seem hard to tell apart, there are situations in which consent is unequivocal even though it is given implicitly, whereas explicit consent must always be expressly stated.
- Consent of minors
In accordance with the Organic Law on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), minors may consent to the processing of their personal data from the age of 14, unless a provision of law requires the assistance of the holders of parental authority or guardianship. In the case of children under the age of 14, the consent of the holders of parental authority or guardianship will be necessary.
In addition, the language used to inform minors must be particularly easy to understand.