An organisation must have what the GDPR calls a lawful basis for collecting and/or using your personal data.
There are six possible bases. Any one of them can be used, and different bases can be used for different types of information.
Most of the six bases have an additional requirement attached to them – that using the data is necessary.
The bases are:
- Consent: you have given clear consent for the collection and use of your personal data for a specific purpose
- Contract: the use is needed to perform a contract you have entered into, or because you asked the organisation to take steps before entering into a contract
- Legal obligation: the organisation must use the data to comply with another legal obligation
- Vital interests: the use is necessary to protect someone’s life
- Public task: the use is necessary for the organisation to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
- Legitimate interests: the use is necessary for the legitimate interests of the organisation or of a third party. This can be overridden if there is a good reason to protect the individual’s personal data.
The organisation should have determined in advance which basis it uses, by considering why it is using your personal information and the relationship between it and you.
Importantly, the organisation has a legal obligation to tell you which basis it has chosen. Most websites do this in their privacy notice. The lawful basis is important for you to know, because it determines which other rights you have in respect of the data about you.
If your data is being used without one of the lawful bases applying, you can ask for it to be erased, and the organisation must comply.
What happens if the purpose changes?
The organisation can still use your personal data if the reason for collecting or using the data changes. However, the new purpose must be similar enough to the old purpose, and the lawful basis must stay the same.
If the basis is consent (as it is on many websites), then you will most likely have given consent for specific uses only. If the new use is not something you have consented to, the organisation will have to ask you for consent again.
If the basis is not consent, then whether the new purpose is similar to the old purpose depends on the circumstances. These might include considerations about:
- the relationship between the two purposes
- the context of how the data was collected and whether it is reasonable that you would agree to the new use
- the sensitivity of the data
- the consequence to you of the new use
- how the data is protected
Lawful new purposes
Two purposes are always treated as lawful purposes for retaining information:
- archiving for the public interest
- scientific research
Even if the new use is legitimate, it also must be fair and transparent. As the subject of the data, you must be given information about how it is used.
An organisation doesn’t always have to seek your consent to use data about you. There may be another lawful basis.
However, if consent is the chosen basis, then you should be given full control over your data.
Consent requires an unambiguous, affirmative opt-in. Consent cannot be assumed by default or inferred from inaction. It must be freely given. The request for your consent must be unbundled from other terms of service, and it must be clear, concise and specific.
It should be easy for you to withdraw your consent, and it should be easy to find out how to do this.
Your consent lasts until you withdraw it, or it is reasonable to assume that it no longer exists. The latter depends on the context of use.