It is crucial to protect all customers when processing their personal data, which is why the GDPR has issued six bases to rely upon. For businesses, three main elements are consent, legal obligation, and legitimate interest of the individual.
Data Protection Executive
As well providing protection, the GDPR also enables individuals to have more control over the use of their personal data, allowing them to choose whether or not companies can process their data.
To offer consent, a statement will usually be presented in writing or electronically. This can be reflected through website cookies and the requirement to give consent through the means of accepting, rejecting, or managing the website’s processing.
2. Legitimate Interest
Legitimate interest is the most flexible of the GDPR’s lawful basis for processing personal user data. Generally, it applies when an organisation uses personal data in a way that the data subject would expect. To rely on this, a three-part test dubbed ‘the balancing test’ can be followed.
- Identification of a legitimate interest.
- The processing of personal data must be necessary to achieve to provide the service.
- The processing must be compared to the rights, freedoms, and interest of the individual.
3. Legal Obligation
The processing of an individual’s data is also necessary for compliance with common law or statutory obligations. This follows Article 6(3) of the GDPR which requires UK or EU law to be laid down before relying on the process. Examples of the requirement for a legal obligation is shown within employee data disclosed with the HMRC, regarding salary.
What does this mean to ARM?