OC 11 sets out six ‘lawful bases’ for processing.
At least one of these must apply in order for data to be processed lawfully. Without a lawful basis, the controlling service does not comply with OC 11's principles of lawfulness and accountability, and the processing of the data concerned is unlawful.
So, it is very important!
Data can be processed if the data is necessary to enter into a contract or to perform a contract with the individual (example: contract of employment or association; registration for a event). This includes also processing of data necessary to decide if the contract can be concluded (e.g. eligbility verification).
2. Legal Obligation
If processing personal data is required to comply with an internal legislation or with CERN's legal obligations, then this is considered a lawful basis providing that:
- The legal obligation is identifiable in a specific provision or official guidance document
- Processing is necessary
3. Legitimate Interests
Legitimate Interest is arguably the most flexible lawful basis, but controlling services using it must be able to demonstrate a balance between their interest to process an individual’s data and the individual’s reasonable expectations for you to do so.
Whenever legitimate interest is used as a basis, then a three-part balancing test should be applied to justify doing so. In conducting the balancing test the following should be considered:
Establishing a legitimate interest:
- What are the benefits for the controlling service, the individual and/or CERN?
- How important are the benefits?
- Is the interest ethical and lawful?
- Is the processing reasonable and proportionate?
- Does the processing benefit the legitimate interest?
Individuals’ interests vs. legitimate interest:
- Do the individual’s interests outweigh the legitimate interest?
Only where it can be demonstrated that there is a balance of the interests between the data subject and the organisation, legitimate interest can be considered a lawful basis for processing.
4. Vital Interests
If the data processing is in the Vital Interests of the data subject then this is a lawful basis. This basis is likely only to apply in emergency medical situations where processing medical data is required to protect a person’s life, or the life of another person, but the individual is unable to give consent.
If it is possible to protect the person’s vital interests in an alternative and less intrusive way, then this basis does not apply.
You cannot rely on this basis for health or other special category data, if the individual is capable of providing their consent, even if they refuse to provide their consent.
If processing personal data is required
- for the purposes of maintaining the Organization’s archives,
- for scientific or historical research, or
- for the preparation of statistics
always subject to the relevant internal legislation and policies, then this is legal.
For a controlling service to use consent as a lawful basis, data subjects must agree to their personal data being processed. They must have a free choice over whether or not they have to provide their consent.
Consent requests must be clear, unambiguous and separate from other terms.
Individuals must actively opt in by ticking a box, signing a document, providing an affirmative response to a verbal statement etc.
If a new purpose for processing arises, new consent must be requested from individuals.
Consent must be as easy to withdraw was to give.
Evidence of consent must be recorded (when, where and how it was given)