GDPR toolkit


Legitimate grounds

Are you sure that your processing activities are lawful?

What you need to know.

If you store personal data, this must be based on one of the “legitimate” grounds provided in the GDPR, of which the most relevant are consent, the performance of a contract, compliance with a legal obligation and pursuit of a legitimate interest.

Consent is generally seen as the most important ground, but the threshold for consent as a legitimate ground is quite high: it must be freely given, specific, informed and unambiguous. Freely given presumes that no imbalance exists between the parties, such as for example in an employment relationship. In an employment context, you can often rely on the other grounds.

You need your employee’s bank account number and salary information in order to pay his/her salary. You have such obligation as part of the employment contract; which is therefore your legitimate ground. You will also need to send information for social security purposes to the government, which is a legal obligation for every employer and therefore serves as your legitimate ground. If you have a whistle-blower system in your company in order to detect fraud, this may be regarded as a legitimate interest. A legitimate interest is only accepted as a legitimate ground if that interest is not overridden by the privacy interests of the data subjects, which requires a balancing exercise.

What you need to do by 25 May 2018.

First of all, you should ensure that all of your use of personal data is based on a legitimate ground. Along the lines of the example above, you will among other have to verify whether the use of personal data of customers is (strictly) necessary for the performance of the customer’s contract or whether you have to use another legitimate ground, for example, consent or your company’s legitimate interest.

If you use consent for a certain processing activity, you should verify whether that consent was obtained according to the requirements set forth by the GDPR. If not, you should prepare to ask the data subject for consent again. If a processing activity is based on a legitimate interest, you should do a balancing exercise between your interest in using the personal data and the privacy interest of the data subject.

Further, although you are not obliged to include the legitimate grounds in your data register, this is nevertheless recommended for accountability purposes. Questions regarding “processing activities”, the “data register” and “accountability”? Keep an eye out for our next Countdowns!

Please consult our website or contact one of our team members if you have questions or require more information: