Article 6 sets the conditions for lawful personal data processing and describes six lawful bases on which a controller can rely. One of these six bases must be established before processing begins, and in relation to a specific purpose. As a general rule, a processing activity for one specific purpose cannot be based on multiple lawful bases. It is nonetheless possible to rely on more than one lawful basis where the data is used for several purposes, since each purpose must be connected to a lawful basis; however, the controller must have identified these purposes and their appropriate lawful bases in advance. The lawful basis cannot be changed in the course of processing, so the controller cannot swap between lawful bases.
Several sources of legal opinion have suggested that, despite this unambiguous guidance, the wording of the GDPR admits multiple concurrently assigned lawful bases for a single purpose. Although I am not a lawyer, I can clearly see how this might both restrict the exercise of data subject rights and cause problems for data controllers. What is not so clear is what real advantage it might offer a responsible data controller that would outweigh those problems. So let's look at an extract from a typical 'Privacy Policy' to see what the issues are:

Processing purpose: To manage our relationship with you, which will include: (a) Notifying you about changes to our terms; (b) Asking you to leave a review or take a survey; (c) To respond to refund requests and complaints.

Type of data: (a) Identity; (b) Contact; (c) Profile; (d) Preference.

Legal basis for processing, including basis of legitimate interest: (a) Performance of a contract with you; (b) Necessary to comply with a legal obligation; (c) Necessary for our legitimate interests (to keep our records updated, to study how customers use our products/services and to respond to you).
a fall back option to permit continued processing in the face of challenge by data subjects. In fact, as the Article 29 Working Party guidance makes clear, no lawful basis can be used as a fall back for any other. Despite this, numerous legal opinions have been published suggesting that you can apply multiple concurrent lawful bases provided you inform the data subject up front. In my (practical) opinion, this simply exacerbates the problem for both the data subject (by creating confusion) and the data controller (by opening the door to challenge).

Ultimately, the purpose of the GDPR is to allow personal data processing while protecting the rights and freedoms of data subjects. Since May 2018 we have observed that privacy notices are almost universally achieving the opposite, by making it hard for data subjects to establish exactly what processing is taking place and what the justification for it is. A common manifestation of this is assigning multiple lawful bases to loosely defined and inadequately justified purposes. Regardless of whether this is down to intent, lack of attention or lack of understanding on the part of data controllers, it is fundamentally in breach of the transparency obligation imposed by the GDPR, and so renders the data controller non-compliant with the legislation.

Consequently our advice is: first, define your purposes to a level of detail that allows a single lawful basis to be assigned unequivocally to each purpose; second, provide a robust and sufficiently detailed justification for each application of legitimate interest (not just three or four words of generality, as in the example above); and third, and most importantly, never look for weasel ways to circumvent the requirements of the legislation in your own apparent interest, as these will always eventually backfire at your cost.
Mike Barwise
Director, BiR
31/08/2018