GDPR toolkit

01
Throwback Thursday
02
Personal data
03

Legitimate grounds

Are you sure that your processing activities are lawful?

What you need to know.

If you store personal data, this must be based on one of the “legitimate” grounds provided in the GDPR, of which the most relevant are consent, the performance of a contract, compliance with a legal obligation and pursuit of a legitimate interest.

Consent is generally seen as the most important ground, but the threshold for consent as a legitimate ground is quite high: it must be freely given, specific, informed and unambiguous. Freely given presumes that no imbalance exists between the parties, such as for example in an employment relationship. In an employment context, you can often rely on the other grounds.

You need your employee’s bank account number and salary information in order to pay his/her salary. You have such obligation as part of the employment contract; which is therefore your legitimate ground. You will also need to send information for social security purposes to the government, which is a legal obligation for every employer and therefore serves as your legitimate ground. If you have a whistle-blower system in your company in order to detect fraud, this may be regarded as a legitimate interest. A legitimate interest is only accepted as a legitimate ground if that interest is not overridden by the privacy interests of the data subjects, which requires a balancing exercise.

What you need to do by 25 May 2018.

First of all, you should ensure that all of your use of personal data is based on a legitimate ground. Along the lines of the example above, you will among other have to verify whether the use of personal data of customers is (strictly) necessary for the performance of the customer’s contract or whether you have to use another legitimate ground, for example, consent or your company’s legitimate interest.

If you use consent for a certain processing activity, you should verify whether that consent was obtained according to the requirements set forth by the GDPR. If not, you should prepare to ask the data subject for consent again. If a processing activity is based on a legitimate interest, you should do a balancing exercise between your interest in using the personal data and the privacy interest of the data subject.

Further, although you are not obliged to include the legitimate grounds in your data register, this is nevertheless recommended for accountability purposes. Questions regarding “processing activities”, the “data register” and “accountability”? Keep an eye out for our next Countdowns!

Please consult our website or contact one of our team members if you have questions or require more information:

Laura Sente

senior associate
laura.sente@contrast.law

Have a look at our 'Privacy talk'

Privacy Talk
In the Picture - September 2023

Time´s up: obligatory amendment of articles of association for Belgian companies
Books

Burgerlijk wetboek / Code civil
Articles

Een overzicht van het nieuwe groepsvrijstellingsregime voor verticale overeenkomsten.
More News & insights

Log into your account

Forgot password? Not a member yet?

Forgot password?

Request a new password by providing your email address.

Log into your account

Password reset

Enter your new password.

Password registration

Enter a password to protect you personal pages.

Activate your account

Activate your account by providing your email address.

Thanks

You will receive an email with a link to enter a new password.

Close

Thanks

Your new password is successfully saved.

Close
Close

Cookies

This website uses cookies to improve your browsing experience and to better tailor the website to your preferences. For more information about cookies and the list of cookies used on this website, see our Cookie Statement.

Below you can indicate your cookie preferences:

ON

Essential cookies are cookies that are necessary for the correct functioning of the website (e.g., to avoid overload on the website, keeping it functional and accessible). These cookies can be placed without your consent.

ON

Functional cookies are cookies that are necessary to improve your browsing experience or to provide a functionality explicitly requested by you (e.g. remembering your settings). These cookies can also be placed without your consent.

Analytical cookies are cookies that collect information about how you use the website to improve search engine hits and the functioning of the website (e.g. we see how visitors move around the website when they are using it to ensure that visitors find what they are looking for easily). These cookies are only placed if you have given your consent.

Advertising cookies are cookies that collect information about your surf and search behaviour in order to offer you personalised advertising in ad spaces on websites based on your personal interests. These cookies are only placed if you have given your consent.

Social media cookies are cookies that make it possible to share certain features from the website on social media networks (e.g. Facebook). Furthermore, these cookies collect information about your surf and search behaviour on the website in order to offer you personalised promotions and advertising about our products on these social media networks. These cookies are only placed if you have given your consent. It is possible that these social media networks also use the information they collect through these cookies for their own purposes. You can find more information about this in the privacy statements of the respective social media networks.

   

You can always change these preferences via your Cookie preferences.