The General Data Protection Regulation of the European Union has brought a new approach to the way companies deal with personal data, requiring much more transparency and accountability from them. Even though the GDPR came into force in 2018, many organizations are still not fully compliant with it. To help them on this journey, our XCure team has created this special series on data protection law.
Following our first article 6 things you need to know about GDPR, in which we explain when it is applicable, who needs to comply with it, and more, we will now dive deep into the legal bases companies have for processing data. Don’t miss it!
According to the principle of lawfulness brought by the GDPR, organizations can only process personal data if they have a legal ground to do so.
The documentation stating the basis chosen is used to prove to the supervisory authorities that the processing is indeed necessary. This is extremely important, because if a company can achieve the desired purpose without having to collect and use personal data, it will not be allowed to process it.
It is important to note that the legal ground cannot be changed without a strong justification, so organizations should be careful to select the right option from the start. While most companies focus on obtaining consent from data subjects in order to be able to process personal data, that is not the only legal basis defined in the Regulation. In fact, there are six of them: consent, contract, legal obligation, vital interests, public task and legitimate interests.
The legal basis for processing affects the rights held by data subjects, meaning that an organization's choice in this regard has very concrete consequences.
If the basis for processing is consent, for example, in certain circumstances data subjects will have the right to request that the company erase their data (right to erasure) or transfer it to another organization (right to portability). Neither of these rights exists, on the other hand, when the processing is based on a legal obligation. We have summarized these impacts in the table below.
| Legal basis | Right to erasure | Right to portability | Right to object to the processing |
|---|---|---|---|
| Consent | Yes | Yes | No, but data subjects can withdraw their consent |
| Contract | Yes | Yes | No |
| Legal obligation | No | No | No |
| Vital interests | Yes | No | No |
| Public task | No | No | Yes |
| Legitimate interests | Yes | No | Yes |
A company processing personal data without a legal basis is committing a very serious offense under the GDPR and can be subjected to a hefty fine. For such a violation, the fine is up to €20 million or 4% of the firm’s worldwide annual revenue from the previous year, whichever amount is higher.
Before your company processes the personal data of subjects in Europe, it needs not only to have determined a legal basis, but also to document this decision properly. This process can be challenging, but with XCure’s Privacy Management Tool you can easily map, document and maintain the requirements of the data protection regulation in your organization. Try it now for free and become compliant with the GDPR!
Contact the XCure team if you want more information or a presentation of the Privacy Management Tool.