You have clearly agreed to the processing of your personal data for a specific purpose. An organisation may ask for your consent to process your personal data. They must provide you with all the information you need about that specific processing activity. The information must not be ambiguous and it must be clear to you what specific use of your personal data you are consenting to. Of course, you must be able to give your consent freely. The organization must not force or induce you to give your consent. You can revoke your consent at any time. For children, consent must sometimes be given by their parents or guardians.
☐ We have included information about the purposes of the processing and the legal basis for the processing in our Privacy Policy.
Carolyn Thurston Smith, Policy Officer at the Law Society of Scotland, explains the legal basis for Article 6 of the General Data Protection Regulation (GDPR). You must include information about your legal basis (or your bases if more than one applies) in your privacy policy. According to the transparency provisions of the UK GDPR, the information you must provide to individuals includes: However, the university must carefully consider its basis – it is the controller's responsibility to be able to demonstrate the legal basis for the particular purpose of the processing.
If the new purpose is very different from the original purpose, would be unexpected, or would have an undue impact on the individual, it is generally unlikely to be compatible with your original purpose of data collection. You can then only proceed if you obtain specific consent for the new purpose, or you can refer to a specific legal provision that requires or authorises the new processing in the public interest (in which case your new legal basis is a legal obligation or public task). The processing of personal data is necessary for the performance of a task carried out in the public interest and the task or function has a clear legal basis. In this case, there is no specific law that dictates what personal data an organization must specifically process, but the task that an organization performs is defined in a law. For example, a school has a public mission to educate children, or a local government may use camera surveillance in public places because it has the task of ensuring public safety and order. They should not take a one-size-fits-all approach. No basis should always be considered better, safer or more important than the others, and there is no hierarchy in the order of the list in the UK GDPR. If your goals change over time, or if you have a new goal that you didn't originally expect, you may not need a new legal basis as long as your new goal is compatible with the original goal.
You may need to process the same personal data for different purposes. Each of these purposes must have a valid legal basis (not necessarily the same legal basis). This basis applies where the processing of personal data is necessary for the performance of a task or function carried out in the public interest or in the exercise of official authority vested in the controller (e.g. public authority).
☐ We have examined the purposes of our processing activities and selected the most appropriate legal basis (or bases) for each activity.
If you process special category data, you must provide both a legal basis for the processing and a special category for processing in accordance with Article 9. You must document both your legal basis for processing and your special category so that you can demonstrate compliance and accountability. Even if it could have initially relied on legitimate interests, the company cannot do so later – it cannot change its basis once it realizes that the basis initially chosen was inappropriate (in this case, because it did not want to provide real continuous control to individuals). It should have made it clear to individuals from the outset that the processing was carried out on the basis of legitimate interests.
Letting the person believe that they had a choice is inherently unfair when that choice is irrelevant. The company must therefore stop processing if the individual withdraws consent. The GDPR requires all controllers and processors to have a valid legal basis for processing personal data. Where processing is based on a legal obligation or a task carried out in the public interest or in the exercise of official authority, the parameters shall be determined by Union or national law of the Member State concerned. You must determine your legal basis before you start processing personal data. It's important to get it right the first time. If, at a later stage, you discover that the basis you chose was indeed inappropriate, it will be difficult to simply switch to another.