6. Lawful basis for processing personal data
Under the GDPR, the processing of personal data is required to be on the basis of consent or one of the other bases laid down by law.
- The lawful basis for processing categories of personal data is required to be mentioned in the firm’s privacy notice and possibly when responding to a data subject request;
- Decision-making regarding the identification of lawful basis is required to be documented under the accountability principle; and
- Data subject rights can differ depending on the lawful basis of processing (e.g. if relying on consent as the lawful basis for processing, the data subject can request deletion of the data).
What are the lawful bases for processing of personal data?
The lawful bases are:
- consent;
- performance of a contract (or steps taken prior to entering into a contract);
- compliance with a legal obligation;
- to protect the vital interests of a person;
- performance of a task in the public interest; and
- the legitimate interests of the controller except where overridden by the data subject’s rights and freedoms.
Key elements on ‘legitimate interests’
- Public authorities cannot rely on legitimate interests as a lawful basis for processing of personal data.
- Where a firm relies on legitimate interests as its lawful basis for processing, it is required to mention this interest in the firm’s privacy notice. In addition, it must document the balancing test between the firm’s legitimate interest and the rights and freedoms of the data subject under the accountability requirements.
How to carry out the balancing test with respect to ‘legitimate interests’
The following is a non-exhaustive list of items for consideration in a ‘legitimate interests’ balancing test.
- Is the processing necessary for the data controller’s intended purpose?
- Would the data subject reasonably expect the processing to occur?
- Is the processing to prevent fraud, for security purposes or for direct marketing (each of these is mentioned in recitals 48-50 of the GDPR as processing that may be carried out for a legitimate interest)?
- Does the processing envisaged cause any disadvantage to the data subject?
- Does the personal data relate to a child?
The balancing test analysis should be documented by the firm and reviewed periodically.
Special categories of personal data
Special categories of personal data (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation) may not be processed, and therefore there is no legitimate basis for processing such data, unless one of the exceptions in Article 9(2) of the GDPR applies.
The lawful bases most likely to apply to law firms for the processing of special categories of personal data (there are others which may apply) are:
- explicit consent;
- for compliance with employment, social security or social protection law requirements;
- to protect the vital interests of a person where the data subject cannot give consent; and
- for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.
S.47 of the Data Protection Act 2018 expands upon the GDPR ‘legal claims’ exception, which under the GDPR relates to contentious business only. Under Irish law, processing of special categories of personal data is also possible where necessary for the purposes of obtaining legal advice, or in connection with prospective legal claims and prospective legal proceedings or otherwise necessary for establishing, exercising or defending legal rights.
Remember: The lawful basis for processing personal data must be referenced in your firm’s privacy notice. Once the lawful basis has been identified and documented, update your privacy notice to include this information.
Lawful basis checklist
- Review your processing activities to identify the lawful bases for the firm’s processing of personal data.
- If you are relying on consent for any processing activities, please read Guidance 7 for further information.
- Ensure your privacy notice includes the lawful bases for processing.
- In the case where balancing tests or consideration of various aspects are required, make sure that these are documented.