Article 6
Lawfulness of processing
Overview:
Article 6 specifies the conditions under which the processing of personal data is lawful. Processing is lawful only if at least one of the six legal bases listed in Article 6(1) applies, and the basis relied on should be decided and documented before processing starts. The six legal bases are:
- Consent: The data subject has given freely given, specific, informed and unambiguous consent to the processing of their data for one or more specific purposes. In practice this means the data subject is told, before consenting, what data is collected and for which purpose(s) it will be processed.
- Performance of a contract: The processing is necessary for the performance of a contract to which the data subject is party, or to take steps at the data subject's request before entering into a contract. See the online shopping example in the Examples and Use Cases section.
- Compliance with legal obligations: The processing is necessary for compliance with a legal obligation to which the controller is subject.
- Protection of vital interests: The processing is necessary to protect the vital interests of the data subject or of another natural person, typically in an emergency where the data subject is not in a position to give consent.
- Public interest or official authority: The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Legitimate interest: The processing is necessary for the legitimate interests pursued by the controller or by a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject, in particular where the data subject is a child. This basis is not available to public authorities for processing carried out in the performance of their tasks.
Implementation Guidance
- Identify the legal basis for each processing purpose before processing begins, and document it. The basis relied on should be clear to everyone involved in the processing, not just the privacy function.
- Publish a Privacy Policy / Privacy Notice that communicates the legal basis of each processing purpose to data subjects.
- Implement consent mechanisms that data subjects can actually exercise, including the ability to modify or withdraw consent as easily as it was given. Before consent is requested, state plainly what data is collected, why it is required and how it will be used. Keep records that can demonstrate who consented to what, when, and under which version of the notice.
- Where processing relies on a contract, draft the contract so that it is clear how the data is collected, why it is collected and how it will be processed, and where helpful explain why the processing is necessary to perform the contract. This gives the data subject a clear picture of what they are agreeing to.
- Where processing is required by a legal obligation, identify and document the specific obligation, and communicate this basis to the data subject as well.
- Rely on vital interests only in an emergency involving the life or physical safety of an individual, and only where another basis (such as consent) cannot reasonably be obtained.
- Where data is processed in the public interest, identify the task or authority relied on and confirm that the processing is necessary to meet its objectives.
- Where processing relies on legitimate interest, carry out and record a legitimate interest assessment (a balancing test) confirming that the interest is legitimate, that the processing is necessary for it, and that it does not override the fundamental rights and freedoms of the data subjects.
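As an added illustration (not part of this page or of any regulatory text), the following Python sketch shows one way to implement the consent mechanism and legal-basis documentation described in the guidance above: an append-only consent ledger that records grant and withdrawal events with the notice version the subject saw, and a processing register that maps each purpose to its documented basis and refuses processing when the basis is consent and no valid consent is on record. All names, purposes and subject identifiers are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Optional


def _now() -> datetime:
    return datetime.now(timezone.utc)


class LegalBasis(Enum):
    # The six Article 6(1) bases; each processing purpose is labelled with one.
    CONSENT = "consent"
    CONTRACT = "contract"
    LEGAL_OBLIGATION = "legal_obligation"
    VITAL_INTEREST = "vital_interest"
    PUBLIC_INTEREST = "public_interest"
    LEGITIMATE_INTEREST = "legitimate_interest"


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str        # pseudonymous identifier for the data subject
    purpose: str           # the specific purpose consent relates to
    granted: bool          # True = consent given, False = consent withdrawn
    at: datetime           # when the event happened (UTC)
    notice_version: str    # which privacy notice the subject saw ("" for withdrawals)
    channel: str           # where the action was taken, e.g. "checkout-form"


class ConsentLedger:
    """Append-only log of consent grants and withdrawals, one event per action.

    Events are never edited or deleted, so the ledger can show that consent was
    valid at the time it was relied on even after it has been withdrawn.
    """

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def grant(self, subject_id: str, purpose: str, notice_version: str,
              channel: str, at: Optional[datetime] = None) -> ConsentEvent:
        ev = ConsentEvent(subject_id, purpose, True, at or _now(), notice_version, channel)
        self._events.append(ev)
        return ev

    def withdraw(self, subject_id: str, purpose: str, channel: str,
                 at: Optional[datetime] = None) -> ConsentEvent:
        ev = ConsentEvent(subject_id, purpose, False, at or _now(), "", channel)
        self._events.append(ev)
        return ev

    def is_granted(self, subject_id: str, purpose: str,
                   at: Optional[datetime] = None) -> bool:
        """Consent state for one subject and purpose, now or at a past instant."""
        when = at or _now()
        latest: Optional[ConsentEvent] = None
        for ev in self._events:
            if ev.subject_id == subject_id and ev.purpose == purpose and ev.at <= when:
                if latest is None or ev.at >= latest.at:
                    latest = ev
        return latest is not None and latest.granted

    def history(self, subject_id: str) -> list[ConsentEvent]:
        """Everything recorded for one subject, e.g. for an access request or audit."""
        return [ev for ev in self._events if ev.subject_id == subject_id]


class ProcessingRegister:
    """Documents the legal basis chosen for each purpose and gates processing on it."""

    def __init__(self, ledger: ConsentLedger) -> None:
        self._ledger = ledger
        self._basis: dict[str, LegalBasis] = {}

    def register(self, purpose: str, basis: LegalBasis) -> None:
        self._basis[purpose] = basis

    def may_process(self, subject_id: str, purpose: str,
                    at: Optional[datetime] = None) -> tuple[bool, str]:
        basis = self._basis.get(purpose)
        if basis is None:
            # No documented basis: refuse rather than guess one after the fact.
            return False, "no legal basis documented for this purpose"
        if basis is LegalBasis.CONSENT:
            if self._ledger.is_granted(subject_id, purpose, at):
                return True, "valid consent on record"
            return False, "consent missing or withdrawn"
        # The other bases do not depend on a consent record, but must still be documented.
        return True, f"documented basis: {basis.value}"


def demo() -> dict:
    """Constructed scenario: an online shop fulfils an order under the contract basis
    and sends marketing e-mail only under consent, which the customer later withdraws."""
    ledger = ConsentLedger()
    reg = ProcessingRegister(ledger)
    reg.register("order-fulfilment", LegalBasis.CONTRACT)
    reg.register("marketing-email", LegalBasis.CONSENT)
    t_grant = datetime(2024, 3, 1, 10, 0, tzinfo=timezone.utc)
    t_withdraw = datetime(2024, 3, 5, 9, 30, tzinfo=timezone.utc)
    ledger.grant("cust-42", "marketing-email", "notice-v3", "checkout-form", at=t_grant)
    ledger.withdraw("cust-42", "marketing-email", "account-settings", at=t_withdraw)
    return {
        "fulfil_order": reg.may_process("cust-42", "order-fulfilment")[0],
        "email_at_grant_time": reg.may_process("cust-42", "marketing-email", at=t_grant)[0],
        "email_now": reg.may_process("cust-42", "marketing-email")[0],
        "undocumented_purpose": reg.may_process("cust-42", "profiling")[0],
        "events_logged": len(ledger.history("cust-42")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the historical check (`at=`) is that a withdrawal does not retroactively make earlier processing unlawful; the ledger keeps both events so the organisation can demonstrate the state of consent at the moment it was relied on, which is what the consent records on the checklist are for.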
Compliance Checklist
- Privacy Policy
- Consent Mechanism (policy and procedure)
- Consent records (who consented to what, when, under which version of the notice, and any withdrawals)
- Contract/Data processing Agreement Template with clauses on the legal bases and purpose of processing
- Documentation of the legal basis identified. (This can be as part of the Privacy Notice, Privacy Policy or Contract/Data processing Agreement)
Examples and Use Cases
- An online shopping website collects the personal data needed to process and deliver an order (performance of a contract). It also collects the customer's email address, clearly communicates that it will be used for marketing, and asks for a separate, optional consent to that use (consent).
- A tech gadget website collects email addresses from its customers and asks for their consent before sending them information about newly launched gadgets by email (consent).
- The HR department of an organisation regularly updates its records so that the data it holds is up to date and accurate. This illustrates the accuracy principle that accompanies lawful processing rather than a legal basis in itself.
- An online shopping portal implements Multi Factor Authentication (MFA) to add a layer of security to customer accounts. This is a security-of-processing measure that supports lawful processing rather than a legal basis in itself.
- A dental clinic collects only the information it needs from patients to perform the treatment. This illustrates the data minimisation principle that accompanies lawful processing rather than a legal basis in itself.
Legal text
[Add legal text here]
Additional Resources
[Add links to additional resources here]