Understanding Different Lawful Bases

Hosted by Phil Brining, Jasmine Harrison and Joe Kirk

Beyond Consent

Data Protection Made Easy Podcast – Episode 123: Beyond Consent: Understanding Different Lawful Bases

Welcome to the Data Protection Made Easy Podcast, the UK’s number 1 privacy podcast, where we dive deep into the world of data protection and privacy. In this week’s episode, titled “Beyond Consent: Understanding Different Lawful Bases,” we explore the various lawful bases for processing data. While we touch on consent, we mainly focus on the performance of a contract as a lawful basis for processing personal data.

Episode Highlights

This Week’s News

  1. 1.1 Facebook Launches Subscription Similar to Twitter:
    In recent news, Facebook has launched a subscription service similar to Twitter. Users can now pay £10 a month for verification, which provides extra features like two-factor authentication. However, this move raises questions about penalizing users’ security provisions who cannot or choose not to pay for two-factor authentication. Read more
  2. 1.2 Ministers Calling for Facial Recognition Technology in Police Body Cams:
    The government is considering deploying body-worn facial recognition cameras for the police force. This raises concerns about the extent to which surveillance society will go and the implications it has for privacy officers. We also discuss the recent announcement by South Wales Police about using live facial recognition technology in Cardiff during the Beyonce concert. Read more
  3. 1.3 EDPB Issues Guidance on Data Protection for Small Businesses:
    The European Data Protection Board (EDPB) has released a comprehensive data protection guide specifically tailored for small businesses. The guide provides valuable information and includes brilliant videos. Check it out! Read more
  4. 1.4 Tennessee and Montana Enact Privacy Laws in the US:
    Tennessee and Montana have become the latest states to enact privacy laws in the United States. However, the growing number of state privacy laws may lead to fragmentation, similar to what we experienced in the EU with the Data Protection Directive. The need for federal standardization in privacy laws may become necessary in the future. Read more
  5. 1.5 Saudi Arabia Changing Privacy Laws:
    The Kingdom of Saudi Arabia is making changes to its current Personal Data Protection Law (PDPL) to align with EU and international data protection standards. The amended PDPL will come into force in September 2023, with a one-year grace period for controllers to achieve compliance. Key changes include provisions for transfers, reliance on legitimate interests, and addressing the role of the Data Protection Officer (DPO) and data breaches. Read more
  6. 1.6 OECD Publishes Paper on Privacy Enhancing Technologies (PETs):
    The OECD has published a paper on Privacy Enhancing Technologies (PETs). PETs are digital technologies and approaches that allow the collection, processing, analysis, and sharing of information while protecting the confidentiality of personal data. Read more

Understanding Different Lawful Bases

In this episode, we dive deeper into the lawful bases for processing personal data beyond consent. While consent is widely known and used, it is not always the most appropriate or reliable basis for data processing. We explore other lawful bases outlined in the General Data Protection Regulation (GDPR) and discuss their significance in different scenarios.

  1. 2.1 Performance of a Contract:
    The performance of a contract is a lawful basis for processing personal data when it is necessary for fulfilling contractual obligations or pre-contractual measures. We examine the criteria for relying on this lawful basis and discuss its implications for data controllers and processors.
  2. 2.2 Legitimate Interests:
    Legitimate interests can serve as a lawful basis for processing personal data when the interests or rights of the data subject are not overridden by the controller’s legitimate interests. We explore the three-step test for determining legitimate interests and provide examples of how this basis can be applied.
  3. 2.3 Legal Obligations:
    Processing personal data may be necessary for compliance with legal obligations imposed on the data controller. We discuss the types of legal obligations that can serve as a lawful basis and emphasize the importance of understanding and fulfilling these obligations.
  4. 2.4 Vital Interests and Public Task:
    We touch briefly on the lawful bases of processing personal data to protect vital interests and for the performance of a task carried out in the public interest or in the exercise of official authority.
  5. 2.5 Consent as a Last Resort:
    While consent is an essential lawful basis, we highlight its limitations and discuss why it should be used as a last resort when other lawful bases are not applicable.

Listener Questions

In this segment, we address some listener questions related to the lawful bases for data processing. We provide clarification on specific scenarios and offer practical guidance on determining the most appropriate lawful basis for processing personal data.

Tip of the Week

We conclude the episode with a valuable tip for privacy officers and data protection professionals. This week’s tip focuses on conducting privacy impact assessments (PIAs) and the importance of considering the lawful bases for processing personal data during the assessment process.

That wraps up the highlights from this episode of the Data Protection Made Easy Podcast. We hope you found the discussion on different lawful bases insightful and gained a better understanding of when to go beyond consent in data processing. Join us next week for another exciting episode!

Register for next week’s episode of the Data Protection Made Easy Podcast.