GDPR basics: How can you legally process the personal data of EU residents?

The EU’s General Data Protection Regulation, a law outlining the rules for privacy and data protection that came into force in 2018, has upended the way many organizations do business — online and otherwise. Because it applies to anyone living in the European Union (and many other European countries) [[LINK TO WHO, WHAT, WHERE DOC]], and the EU represents an important marketplace, most organizations of any size in the U.S. have been forced to figure out how it will impact their business and operations.

For some, the GDPR is so intimidating they’ve decided to just cease actively doing business in the EU at all. After all, if you don’t actively market to EU residents, the GDPR doesn’t apply to you, and you don’t have to worry about it.

This seems a bit like cutting your nose off to spite your face, however. While the GDPR is a large block of text and can seem intimidating when you hear about the potential penalties for violation (4% of total annual revenues!?!), it’s based on fairly straightforward principles, and its authors tried to keep the law from being overly prescriptive in the way organizations need to comply with it.

How you comply isn’t that important. As long as you can demonstrate why you believe you are in compliance, you should be in the clear. Just point to the portion of the GDPR that allows you to do what you’re doing with personal data.

Ultimately, the GDPR provides six basic legal reasons for processing (a catch-all term that includes simple collection and storage) personal data. We’ll walk you through them and discuss how these methods of “lawful processing” work in practice. If you’d like to follow along, the basic language is contained in Article 6 of the GDPR.

Consent

This one seems so simple. You can legally process personal data if “the data subject has given consent to the processing of his or her personal data for one or more specific purposes.” However, there’s a lot to unpack in just that short sentence.

First is the idea of “given consent.” The GDPR’s Article 7 has a lot to say about the conditions under which consent can actually be given and therefore valid. Further is the idea of “specific purposes — there is no such thing as blanket consent under the GDPR.

So, let’s look at how you must acquire consent in order for it to be considered legally valid (the GDPR’s Recital 32 is important here):

• A clear affirmative act: The person whose data you’re processing must actively do something to express their consent. This means a pre-checked box or text statement saying they give consent by continuing onward is not acceptable. Rather, it must be true that the person’s action “clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. … Silence, pre-ticked boxes or inactivity should not therefore constitute consent.”
  
  Note: For the GDPR’s “special categories of data” [[LINK TO ANCHORED TEXT BELOW - “SPECIAL CATEGORIES OF DATA”]] there is a further burden for consent that it be “explicit,” meaning that it must be completely unambiguous, such as a verbal confirmation or a manually provided signature of some kind — something beyond a checked box or clicked button.
  
• Freely given: If the person would suffer consequences for not consenting, then the consent is not valid. In fact, you can’t even make consent conditional for providing a service.
  
  One of the most common examples provided here is an employment situation. Because the European Union recognizes the power dynamic inherent in employment, the EU considers it impossible for an employee to freely give consent to an employer. Therefore, you can’t use consent as your legal basis for processing employee data.
  
• Informed and specific: In order for a person to freely give consent, they have to first be informed of exactly what they are consenting to: “When the processing has multiple purposes, consent should be given for all of them.” Further, the language presented to them at the time of consent must be in clear and plain language and must be in the language they naturally speak in the place where they are being marketed to.
  
  Note that “informed” also means informed of the identity of the “controller” (the organization that makes the decisions about how the data is processed; a “processor” is a service-provider who collects data on the controller’s behalf), with contact information. They also need to be informed of their rights under the GDPR [[LINK TO RIGHTS DOC]].
  
• Documented: As is clear in Recital 42, the burden of proof is on the organization processing the data, not the data subject. You must be able to demonstrate that you have, in fact, received consent for the processing you are conducting.
  
• Fair: This is a little nebulous, but Recital 42 and the GDPR’s “fairness” principle state that even if all the other conditions are met, if the deal being offered is not “fair,” then it is not legal. So, even if you’ve done all of the informing and documenting and gathering of consent with plain and clear language, if it’s a bad deal for the data subject, it’s not legal, regardless.
  
  An example of an unfair deal might be the requirement that a data subject fill out the data field even though that particular personal data isn’t necessary for providing the service in question. Don’t make someone give you a phone number unless you actually need that phone number to perform the service, for example.
  
• As easy to withdraw as to provide: It’s important to understand that consent is not a lifetime thing. The GDPR is very clear in Article 7 that consent must be as easy to withdraw as it was to provide. So, you must provide a mechanism for that withdrawal that is easy to find and easy to enact. At that point, you must stop the processing and delete the personal data you were processing (or save it for later, if that is the will of the data subject).
  

Performance of a contract (or contractual necessity)

Now that we’ve gone through the complicated rules around consent, most of the other legal bases for processing are a bit more straightforward.

Recital 44 is among the shortest and clearest of the GDPR’s statements: “Processing should be lawful where it is necessary in the context of a contract or the intention to enter into a contract.”

And you can read “contract” broadly; it can be the agreement to buy something from you online, an employee’s hiring agreement, etc. You don’t need to get further consent to process personal data if you need that personal data to do the thing a person has asked you to do.

So, you can process personal data to ship a product to someone, to pay someone, to provide cleaning services in their house, etc.

However, make note of the consent language: The personal data must actually be necessary for the performance of the contract. Don’t just ask for email and phone number of every customer if there’s no reason you would ever email or call them, for example.

Legal obligation

This one is fairly obvious: If a country in the EU has a law that says you have to process personal data in a certain way, then you’re okay to do it. There are a bunch of requirements for the countries in question as they formulate their laws, but that’s not your concern.

A grayer area concerns extra-jurisdictional law-enforcement requests. What if a U.S. law-enforcement body comes calling asking you to hand over the data of someone residing in the U.S.? You should probably call a lawyer. Don’t rely on something you found on the internet.

Vital interests

This is sort of a catch-all to ensure that data protection law doesn’t come before the health and safety of a person or people. If it’s possible someone will die or be seriously harmed unless you process their personal data or someone else’s personal data, and you can document that, then you’re legally allowed to process that data.

This might come up in a crisis situation — a missing person’s case, say, or during a natural disaster — or simply in a medical situation where the person in question is unconscious or otherwise unable to provide consent or sign a contract.

However, we caution against playing fast and loose with this one. The EU considers privacy a human right. Don’t be cheeky with your definition of vital interests.

The public interest and exercise of public authority

This is similar to the “vital interest” legal basis above: The GDPR links them together in Recital 46 and notes that processing personal data might be important for monitoring a pandemic or rescuing people after a natural disaster.

Maybe you’re a telecommunications provider, and you have the ability to identify phones that might belong to people in a pile of rubble. Of course it’s legal to pass that information on to authorities so that it can be used to save lives.

Further, if you are the actual police department or emergency services provider, you can process personal data in the interest of protecting people’s lives. And that legal basis might extend to certain vendors or contracted companies, with the public authority carve-out extended to those organizations.

Legitimate interests

This is the most amorphous and legally complex of the legal bases for processing, and we caution you to tread carefully here. The GDPR is not yet a “mature” law in the eyes of the European courts, and the definition of “legitimate interest” is likely to be refined for some time into the future.

However, the basic idea is this: If the processing of personal data is core to what your organization does, and the data subjects would not be surprised by that processing, then it’s probably legal.

Recital 47 gives this example: “Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller.”

But just having a professional relationship doesn’t provide blanket legal basis. If it’s possible the data subject would be surprised by your further processing, that’s not allowed.

Legitimate interests also include the processing of personal data for things like fraud protection, network security, physical security, and other commonly understood things organizations have to do to protect themselves. For example, a security camera that only looks at property your organization owns and makes sure no one steals something from you is perfectly fine. However, companies have been fined for having security cameras that bleed out into a public space. That’s not okay.

Finally, Recital 47 also famously provides a carve out for “direct marketing” as something that “may be regarded as carried out for a legitimate interest.” However, guidance from authorities has made it clear that this direct marketing should be to people who would expect and would be within the relationship you already have with them.

If they have bought a couch from you, it’s legitimate to send them an email saying you’ve got a sale on ottomans. If they have never bought anything from you, harvesting their email from their Facebook account and sending them an email offer for ottomans is not going to fly.

Important caveat: Special categories of data

All of the above legal bases for processing personal data under the GDPR apply to “regular” personal data. However, Article 9 of the GDPR specifically calls out “special categories of data” (sometimes referred to as “sensitive data”) that you are not allowed to process at all unless certain conditions apply.

These special categories are outlined in Article 9 and a little bit in Article 10 (but you’re probably not doing criminal investigations):

• Data about racial or ethnic origin.
• Data about political opinions or party membership.
• Data about religious or philosophical beliefs.
• Data about trade union membership.
• Health data, including especially genetic data or biometric data.
• Data regarding a person’s sex life or sexual orientation.

You cannot process these categories of data in any way unless you have explicit consent (maybe requiring a signature or verbal confirmation; definitely more than a checked box) or meet these other specific criteria:

• In order to employ people and protect their rights and freedoms. You may, for example, need to process medical data for employees for a variety of reasons.
• You need to protect someone’s vital interests and they are completely incapable of providing consent (unconscious or missing, etc.).
• You are a non-profit or other organization that actually engages in political activity, or is a labor union, etc. Obviously, if you are a labor union, you can process the personal data of your members, for example.
• The data subject makes the information public in obvious fashion themselves. For example, if you’re a social media company and someone posts, “Hey everyone, I’m gay,” you can process that data on your servers. However, if you are not that social media company, don’t think that’s a blanket opportunity for you to harvest and process that data. “Public” is a relative term.
• You’re defending yourself from a legal claim or making a legal claim. For example, if a former employee sues you for something, you can process sensitive data about them if it proves you didn’t do what they said you did.
• The processing is required for the public interest and there’s absolutely no other way you can protect that public interest. If someone has monkey pox and is actively infectious and leaves your facility with the intention of spreading the virus, you can tell people about it.

In general, be very careful with these special categories of data and — for sure — think long and hard, and get legal advice, if you’re going to process them using the legitimate interests basis. If you’re a hospital, you can process health data based on legitimate interests. But it should be that obvious.

Finally, remember that the EU considers the GDPR a work in progress. It’s likely that court cases and enforcement actions, alongside white papers from the European Data Protection Board, will help to define exactly when and how you can process personal data. If you watch the news, follow the guidance of regulators, and never process the personal data of people in the EU unless you can demonstrate why you’re legally allowed to do it, you should be confident in your GDPR compliance.