Article 6 of the GDPR - Lawfulness of processing

Arthur
31.10.2023

In Article 6 of the GDPR, various legal bases for data processing are outlined. Not only consent matters, but also other legal grounds such as contract performance, balancing of interests, and legal obligations. Companies must comply with regulations to uphold data protection requirements. heyData offers support with compliant solutions and advice to meet privacy law demands.

Article 6 of the GDPR - Lawfulness of processing

Companies, authorities and institutions that process personal data are obliged to check the planned processing for its lawfulness in accordance with Article 6 of the General Data Protection Regulation (GDPR). Even before the European General Data Protection Regulation came into force, the "prohibition with reservation of permission" was regulated by the German Federal Data Protection Act, and even then the handling of personal data was generally prohibited. To be allowed to handle personal data, a controller must prove a so-called permission condition. If a company, an authority or an institution intends to handle personal data, it must check which permission condition exists and whether the data processing is therefore permitted under Art. 6 GDPR. With regard to the processing of personal data, a distinction must be made between different categories: if special categories of personal data are involved, Article 9 of the GDPR must also be observed. For most companies in the manufacturing industry or the service sector, these special categories are negligible. If you work with special categories of personal data, it is advisable to contact the data protection experts at heyData to check all legal concerns in detail.

Consent - an often unnecessary legal basis

In everyday life, consent is often cited as a requirement for continuing to work together. When consent is insisted upon, this is in many cases because the content of Article 6 GDPR is not known. If you look at Article 6, you will find other, often appropriate, legal bases that allow the processing of personal data. This can be, for example, an existing contractual relationship. Since consent is listed right at the beginning of Article 6 of the GDPR as a possible legal basis, it is not surprising that the article is interpreted to mean that consent is inevitable as a legal basis and must be treated as a prerequisite. The other options are often overlooked in everyday life.

The order of legal bases from Article 6 of the General Data Protection Regulation

When examining the legal grounds under Art. 6, it is useful to check the lawfulness of a processing of personal data in a certain order.

The items listed should be worked through in turn; the examination is complete as soon as one of the items applies.

  1. Protection of vital interests (Art. 6(1)(d))
  2. Preservation of a public task (Art. 6(1)(e))
  3. Law/legal obligation (Art. 6(1)(c))
  4. Contractual relations with the data subject (Art. 6(1)(b))
  5. Weighing of interests (Art. 6(1)(f))
  6. Consent (Art. 6(1)(a))

If an element of permission is to be checked, the points should be checked in this order. The first two points will not often apply in everyday life, but must be observed for the sake of completeness.

Protection of vital interests

The protection of vital interests, which is addressed in Article 6(1)(d) of the GDPR, describes situations where the life of a person is acutely threatened. In this case, all reasonable measures may be taken to protect the person. This provision rarely applies to companies and public authorities, but should be observed in principle.

Preservation of a public task

Looking at Article 6(1)(e) of the GDPR, a company will notice that this description is often not applicable to its own situation. The target group of this point is data controllers who have been assigned a task that is in the public interest or involves the exercise of public authority. The police service is one example. In individual cases, however, Article 6(1)(e) may also apply to a service provider - this is the case for car repair shops that perform a sovereign task and offer exhaust emission tests.

Law / Legal obligation

For companies, public authorities and institutions, Article 6(1)(c) often applies, since it covers legal obligations that cannot be fulfilled without processing personal data.

As examples, one can name the following situations:

  • As an employer, you are obliged to report the new employee to the health insurance company. In this case, the personal data may be processed. The same applies to the processing of necessary data in the areas of tax and social security contributions.
  • Employers are obliged to comply with the legal requirements regarding maximum working hours. These requirements are regulated in the Working Hours Act. In order to meet these requirements, employees' times must be recorded and thus processed.
  • In order to curb money laundering and exclude income from illegal sources, companies that have a certain responsibility with regard to monetary transactions are given a legal basis. Insurance companies and banks are particularly worthy of mention here.
  • Furthermore, an employer is legally obligated to remunerate the work of an employee and to document the payment. In order to transfer the wage properly, the money must be transferred to a known account - the Minimum Wage Act must also be observed here. In order to make a payment, the employer may request the bank details of the person concerned and document the working hours.

Contractual relations with a data subject

In order to fulfill contractual relationships or to support the initiation of contractual relationships, the processing of data and information is necessary in many cases and is permissible for this reason. The term "contract" should not only be evaluated in terms of national or European law. The term "contract" also applies in this case if two parties enter into an agreement - this can also be verbal. As an example of such an agreement, an appointment can be mentioned.

If one wants to refer to the term "contract" on a legal basis, a prerequisite is that the data subject is a contractual partner. If one speaks of "pre-contractual measures", an initiative of the data subject must have been recorded. A presumed interest does not constitute a legal basis and therefore does not apply to advertising.

These operations often fall under the contractual justification ground, so consent is not required:

  • During an application process, the data received may be processed. The selection process falls within the scope of "pre-contractual measures".
  • Within an employment relationship, the employer may collect working hours in order to fulfill the contract. At the same time, the working hours may be used to determine and pay the earned wages.
  • If a private person contacts a company, the contact data may be received and used. Private persons often provide data in the course of online shopping, and the received contact data and bank information may be used to perform the corresponding service and delivery.

Weighing of interests

If one wishes to refer to a balancing of interests as a legal basis, some facts should be evaluated and considered:

  • The interest of a data subject must be clearly recognizable and a processing of data is in the interest of the controller. It must be recognizable that both sides pursue the same intention.
  • If a data subject can assume that data will be processed (expectation) and is informed, this constitutes a legal basis.

It is important that the responsible party has taken high protective measures. In order to be able to accurately assess a balance of interests, it makes sense to contact the experts at heyData to carry out a precise assessment.

Consent

Consent is often not required and often not useful because consent can be revoked. Responsible parties should note the following points:

  • Consent may not be coerced.
  • The consent must pursue a specific goal. It must be voluntary and the data subject must be informed about the right of revocation. A subsequent revocation must also be processed immediately.
  • The controller must be able to demonstrate that legitimate consent was obtained.
  • No processing takes place without consent.
  • Processing may not be linked to other measures if this is not necessary.

Conclusion

Article 6 of the General Data Protection Regulation (GDPR) specifies the lawfulness of the processing of personal data. There are various legal bases that can apply to data processing, not just consent. The legal bases should be examined in a specific order, starting with the protection of vital interests and the safeguarding of public tasks, followed by legal obligations, contractual relationships, a balancing of interests and finally consent. The use of consent is not always required and can be revoked. It is important that consent is voluntary, specific and revocable. Alternatively, other legal bases such as legal obligations, contractual relationships or balancing of interests can be used. If there are questions about the lawfulness of data processing, it is advisable to consult data protection experts. By observing the applicable legal bases, companies and institutions can ensure that they comply with data protection regulations.
