Whilst it has always been a requirement under data protection to have a legal basis for processing personal data, under GDPR your business is required to be accountable for and transparent about your legal basis for processing personal data.
It is important to be aware that there is no one-size-fits-all approach when applying a legal basis to the personal data you process. It very much depends on what you do with the data, and you need to understand what you do with your data and why you process it so that you can select the most appropriate legal basis for your specific data processing requirements.
In terms of Covid-19 Return to Work, employers have obligations from a data protection and a GDPR perspective when completing their staff’s medical questionnaires/self-declaration before returning to the workplace. The Data Protection Commission have indicated that measures taken in response to Covid-19 involving personal data collected by employers must be necessary, proportionate, and relevant. Any measures taken should be informed by guidance and direction of the Public health authorities. To avoid a GDPR breach, employers should consider their privacy statements and data protection policies and procedures when conducting Covid-19 control measures such as medical questionnaires.
The six legal bases for processing are set out in Article 6 of the GDPR and your business must apply at least one or more of these when processing personal data:
Consent: this is where the individual has given clear consent for you to process their personal data for a specific purpose – see last week’s article on consent
Contract: this is where processing is necessary for a contract you have with the individual or supplier. For example, you could use this legal basis for a contract of employment.
Legal obligation: this is where the processing is necessary for you to comply with the law. This does not include contractual obligations. For example, keeping employee records required by law could come under this legal basis.
Vital interests: this relates to the processing that is necessary to protect someone’s life.
Public task: this could be used in relation to processing that is necessary to perform a task in the public interest or in the exercise of an official function, where the task or function has a clear basis in law.
Legitimate interests: this is where the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
When you are choosing your legal basis, be sure that you select the right one, as you cannot change it unless you have a very strong reason to do so. One other new requirement is that you will need to include the legal basis for processing personal data within your privacy notices. If you are processing special category data (sensitive data) you will need to identify the lawful basis for general processing and an additional condition for processing this type of data. Finally, it is important to document and demonstrate why you have selected a specific legal basis for each data processing activity that relates to personal and / or sensitive data.
If you would like more information on GDPR or to discuss your requirements further please contact Emma at SFA on 01 605 1668 or at firstname.lastname@example.org or visit our HR and Employment Law advice section on www.sfa.ie