There are six legal grounds for the processing of personal data: (i) consent, (ii) performance of a contract, (iii) compliance with a legal obligation, (iv) protection of vital interests, (v) public interest or official authority and (vi) legitimate interests.
The most commonly used legal ground for the processing of personal data today is still the "consent" of the data subject.
According to a study by the CIPL (Centre for Information Policy Leadership), 90% of controllers in general would still choose "consent" as the legal ground for the majority of their processing.
There are, however, a few elements that a company (the data controller) needs to pay attention to if it chooses to rely on "consent" as the legal ground for its processing.
The General Data Protection Regulation (GDPR), which will come into effect in 2018, will further complicate the use of the legal ground "consent": the purposes of the processing must be explicitly explained to the data subject prior to the actual processing, and authorized by the data subject.
If the company relies on consent for processing, it needs to obtain for each new purpose of processing a new consent of the data subject, unless the company's later purpose of processing is compatible with the original purpose of processing. The company should be able to demonstrate at all times that it has obtained a valid consent from the data subject.
Companies often ignore this. They consider that, once the data subject has authorized the processing, they can further process the data for other purposes without a new consent. However, for each processing activity that is not compatible with the originally described purposes, consent must be obtained, and the company must be able to demonstrate that it has obtained that consent.
The new GDPR sharpens the conditions that need to be met for consent to be valid: consent must be freely given, specific, informed and unambiguous.
The GDPR indicates that the consent must be "freely given".
This means, for example, that the service the company offers may not be made conditional on consent. There may not be a clear imbalance of power between the data subject and the controller (for example, in an employee and employer relationship), and the consent must be as easy to withdraw as it was to give.
The consent must be "informed", which means that the data subject must be informed in clear and plain language of the purposes of the processing as well as of any compatible purposes for which his data may be processed.
The consent must be "unambiguous", which means absolutely clear (an affirmative action, opt-in; no pre-ticked boxes or silence).
Taking into account the strict requirements for "consent" in the GDPR, but also because companies most of the time have a genuine legitimate interest in the processing of the data, the legal ground of "legitimate interest" will become more important.
The law recognizes that a company, or any third party to whom the data are disclosed, may have legitimate reasons for processing, and its processing could therefore be legitimate when it is necessary to meet the controller's or a third party's legitimate interests. Those interests are balanced against the individual's interests: the interests of the company may not be overridden by the interests or fundamental rights of the individuals whose data are being processed.
However, "consent" of the individual is still needed when a company wishes to process the data of an individual for direct marketing purposes, or when a controller wishes to process the data for purposes that go beyond the reasonable expectations of a data subject.
Consent and legitimate interests are only two of the six legal grounds for the processing of personal data. The legal grounds (i) performance of a contract, (ii) compliance with a legal obligation, (iii) protection of vital interests and (iv) public interest or official authority must be used when appropriate from the controller's or from the data subject's perspective.