Defining the purpose and legal basis of data processing

If you collect and process personal data, there should be a purpose and a legal basis for doing so. Determining the legal basis in particular is not an easy task for most people. In this article, we explain how to define the right purpose and the right legal basis as part of the record of processing activities.

Purpose of processing briefly explained

One principle of data protection is data minimisation. This means that only data that serves to fulfil a specific purpose should be collected. The privacy policy informs the user about this purpose, which can usually be defined very easily.

The basis for identifying a purpose should be your record of processing activities. Ideally, you have already defined which „categories of personal data“ you collect as part of a processing activity.

In Metasoul, the documentation is in tabular form, where you specify the purposes for which each category of data is processed.

Here are a few examples:

  • If you collect email addresses to send marketing emails, the purpose of the collection may be, for example, „informing about news via email newsletter“.
  • If your website host collects IP addresses and usage analysis data in order to ensure the operation of the website and to be able to react accordingly in the event of errors, the purpose may be „website operation“.
  • If the user has to register with you in an app in order to use your services, the purpose may be „providing the service“.

As you can see, a purpose can be defined relatively quickly and easily as long as you know why you are collecting personal data.

The legal basis is more difficult. GDPR Article 6, paragraph 1, predefines the possible legal bases. At least one of them must apply for data processing to be „lawful“.

Choosing the right legal basis

Choosing the right legal basis is not always trivial. But don't worry, with the following instructions it should at least be easier.

As with the purpose of processing, you should determine the legal basis for each category of data. To do this, go through the following considerations sequentially. If one consideration applies, you have found the appropriate legal basis for the respective data category:

Consideration 1: Vital interests?

Does the life of the data subject depend on the processing of the data? This may be necessary in the case of medical emergencies or disaster relief, for example. If so, the legal basis is „protection of vital interests of the data subject“.

Consideration 2: Public interest?

Have you been „assigned“ a task that is in the public interest? Examples could be statistical surveys for the statistics office, the fulfilment of educational tasks (e.g. schools) or the organisation of elections or referendums. If so, the legal basis is „fulfilment of a task in the public interest“.

Consideration 3: Legal obligation?

Do you have a legal obligation to process personal data? Examples may be of a fiscal nature, such as the preparation of payroll accounting or the submission of tax returns. If a legal obligation makes the processing of personal data necessary, the legal basis is „fulfilment of a legal obligation“.

Consideration 4: Contractual relationship?

Do you have a contractual obligation or need to process personal data to initiate the conclusion of a contract? A contractual obligation can be, for example, the delivery of a purchased product (purchase contract) or the provision of a subscribed service. An employment contract also entails certain obligations to process employee data. Important: The contract as a legal basis only applies if the contractual partner is a natural person. Pre-contractual obligations arise, for example, when someone requests a quote or information on contract details is being clarified. Here, too, there is a „but“: the pre-contractual obligation only applies if the initiative comes from the data subject. „(Pre-) contractual obligations“ is the correct legal basis in the aforementioned or similar cases.

Consideration 5: Legitimate interest?

With the „legitimate interest“, it is possible to create a legal basis for oneself. The basic statement of this legal basis is:

  • if the interests of the person concerned are close to your interests, i.e. both want the same thing,
  • or a basic expectation can be assumed,

then one can assume a legitimate interest in the processing of personal data.

Here are a few examples:

  • A user who visits your website can assume that personal data required for the provision of the website or to ensure network security will be processed.
  • When you order a pizza, the pizza delivery company has a legitimate interest in your data so that it can deliver the pizza at all. But they also have a legitimate interest in sending you advertising so that they can keep you as a customer.

It is important to note that, in addition to weighing up the interests, the protection of fundamental rights and freedoms also plays an important role.

We recommend the following procedure to determine whether the legal basis of the legitimate interest is appropriate:

  • Identify legitimate interest: Consider whether you or a third party has a legitimate interest that justifies the processing of personal data. Reasons often arise if the data subject is a customer or if internal administrative tasks or the safeguarding of network and information security is affected.
  • Determine the necessity of data processing: In the second step, check whether the processing of personal data is necessary to safeguard the legitimate interest. If there are alternative ways of achieving the objective, data processing is not permitted.
  • Interests of the data subject: Consider here what interest the data subject might have in the data processing and whether the data processing jeopardises the fundamental rights or freedoms of the data subject. Ask yourself whether the data subject would expect the planned data processing, or would generally expect it, and whether it is also in their interest. Finally, if there are reasons to do so, ensure that the „minimisation principle“ can be adhered to: only the minimally required data is processed, and it is stored only for the minimum necessary period of time.

Once you have answered all three steps in the affirmative with comprehensible arguments, select „Safeguarding the legitimate interests of the controller or a third party“ as the legal basis.

Consideration 6: Consent of the data subject?

If none of the legal bases mentioned so far have been suitable, the last remaining option is the consent of the data subject to the planned data processing. Here, too, there are some considerations and requirements to take into account:

  • Is consent voluntary? Consent is only voluntary if the data subject has the opportunity to refuse.
  • Is the data subject sufficiently informed? It must be explicitly clear to the data subject what the purpose of the data processing is and that consent can be withdrawn at any time.
  • Is it possible to withdraw consent? This should be easily possible at a later date.
  • Can it be proven that a data subject has given consent?
  • Can it be ensured that processing only takes place after consent has been given?

Typical cases for consent are the well-known cookie banners or the use of photos of an event on a website.

If consent can be obtained as described above, „consent of the data subject“ can be selected as the legal basis.

The legal basis of consent is usually more complex to apply than it sounds. It should therefore only be used if no other legal basis fits.

If you have not yet found a legal basis, you should refrain from processing data. As the issue of the legal basis is complex, it may also make sense to seek professional help if you are unsure.

Conclusion

If personal data is processed, this should be done for a specific purpose and there should be a legal basis for the processing. While the purpose can be identified quite easily, determining the right legal basis is not a simple endeavour and involves many considerations. With a structured approach, it is easier to make the right choice, but it may make sense to seek professional help. The purpose and legal basis are documented in the record of processing activities.
