Though the focus here is on religious organisations, the content may well apply equally to other not-for-profit organisations.
With regard to Article 6 (lawfulness of processing), it is generally understood that the ‘legitimate interests of the controller’ is the lawful basis relied upon for most of a religious organisation’s processing of personal data – here we are not referring to special categories of personal data (Article 9), which we discuss later. But there are many instances where other lawful bases might apply. So it is important to identify the correct lawful basis (or bases) and also to understand the implications of using (or not using) a particular lawful basis.
A. LEGITIMATE INTERESTS of the controller
Collecting and holding the personal data (contact details etc.) of the organisation’s members and others in regular contact with the organisation is in the legitimate interest of the organisation because it needs this information, e.g. to enable it to keep in touch with such people and provide support as appropriate to the functions of the organisation. In this context, you do not need to obtain the consent of organisation members and regular attenders to hold their personal data.
Remember that a legitimate interests assessment (sometimes called a legitimate interests impact assessment) is required – in other words:
Is the use of the personal data necessary to achieve your organisation’s legitimate interests, i.e. is the proposed use of the personal data a targeted and proportionate way of achieving the intended result, with no less intrusive alternative?
Is it clear from a balancing test that the legitimate interests of your organisation are not overridden by the interests, fundamental rights or freedoms of the individuals whose data is being used?
Is the use of personal data reasonably anticipated by the individual concerned? Would an individual expect your organisation to use their information in the way that is being proposed? and,
How securely will the personal data be kept within the organisation? For example, it should not be made available to the general public by leaving printed copies out for anyone to pick up in the organisation’s foyers, or by publishing it on websites or in social media.
Keep a record of all legitimate interest impact assessments.
This lawful basis is NOT appropriate if:
The interests, fundamental rights or freedoms of the individual whose data is being used, override the organisation’s legitimate interests
The affected data subject is a child – this lawful basis can still be used, but there is a greater burden to demonstrate that the balance between the legitimate purposes and the interests, rights and freedoms of the individual favours the organisation’s legitimate interests
The proposed use of the data is outside the ‘reasonable expectations’ of the individual i.e. they would not understand why their personal data is being used in this way
There is a less intrusive way to achieve the same result
The proposed use is high-risk and likely to cause harm (and is not outweighed by the legitimate interests)
Examples of activities where this lawful basis might apply:
Collecting membership information to be shared amongst members only e.g. lists of the women’s and men’s fellowships
Communicating details of organisation services and other activities to members or those in regular contact with the organisation
Ensuring volunteers know when they are volunteering by contacting them and displaying lists on the noticeboard. Consider how much information is required to achieve the intended purpose and whether safeguards can be put in place to protect volunteers’ privacy e.g. not displaying personal data where it can be seen by the general public
Publicising fundraising activities by communicating with members or those in regular contact with the organisation via the post.
This lawful basis has the following implications in terms of the individual’s rights.
Firstly, the right to object.
Individuals have the right to object to the use of their personal data where legitimate interests are being relied upon. This means that the organisation would need to stop using the data unless it can:
(1) Demonstrate compelling legitimate grounds for the processing (which override the interests, rights and freedoms of the individual) OR
(2) Require the data in order to establish, exercise or defend legal rights.
Secondly, the right to restrict any relevant processing while an objection is being considered.
B. The data subject has given CONSENT
Can you obtain freely given consent to process an individual’s personal data e.g. is the organisation member, relative, employee etc. fully informed as to why their consent is necessary and based on this, are they happy to give their consent?
To be valid under GDPR, consent must be:
Unambiguous – it must be clear that consent has been given. If the organisation is unsure whether an individual has given their consent or not, the consent is not unambiguous, and the individual will need to be asked to confirm whether they are happy to consent.
Freely given – the individual must be offered real choice as to whether to give their consent or not.
Specific – it must be given to use of personal data for a specific purpose. General or blanket consent is insufficient.
Informed – the individual giving consent must be given clear information in plain language (written or spoken) about why the organisation wants the consent and what purpose it will be used for. The individual needs to understand that they are being asked to give consent, the request needs to be obvious and separate from other terms and conditions e.g. not included as part of the terms and conditions in a licence agreement or lease.
Positive – consent must be expressed by the organisation member, relative or employee etc. (data subject) by a positive action e.g. by ticking a box or saying they were happy for their information to be used for a particular purpose.
If the purpose changes, consent will need to be confirmed for that new purpose, unless of course, another lawful basis becomes relevant.
Where else is consent important?
Firstly, to legitimise the use of special categories of personal data i.e. personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
In addition to establishing a lawful basis (Article 6), the organisation needs to satisfy one of the conditions under Article 9 of the GDPR – of which Article 9(2)(d) is likely to be the most relevant. Essentially, a not-for-profit body with a religious aim can process special category personal data in the course of its legitimate activities (and with appropriate safeguards) with respect to its own members, former members, or persons with whom it has regular contact in connection with its purposes, only. An alternative condition under Article 9 will need to be found if the individuals are not members or former members, or are people with whom the organisation is not in regular contact.
Note that, under Article 9(2)(d), special category personal data may not be disclosed to a third party outside the organisation without the consent of the data subjects, so consent will be required before such data is shared.
Secondly, consent is also important within direct marketing activities. In particular, the EU’s e-Privacy Directive (which the proposed e-Privacy Regulation is intended to replace) provides rules on consent for electronic direct marketing. Consent is required for automated calls, emails and texts, whereas live calls operate on an opt-out basis (or legitimate interests, if the individual is not registered with a do-not-contact type of service). There is also a provision known as the ‘soft opt-in’, which is essentially an opt-out approach for people whose contact details you obtained during a sale or negotiations for a sale – i.e. no opt-in is needed when dealing with these individuals. CAUTION: a donation cannot be interpreted as a sale. Read more on fundraising here.
This lawful basis is appropriate if...
Real choice is being offered – the organisation member, relative, employee etc. has a genuine choice as to whether to give their consent. This means they can decide not to give consent, and the organisation would not then be able to use the data anyway under a different lawful basis, e.g. ‘contractual’ under the employment contract.
The organisation wants to use personal data for a particular purpose and there is no other lawful basis on which to justify the use of personal data e.g. making relevant personal data available to third parties by leaving copies in organisation’s foyers.
This lawful basis is NOT appropriate if...
Consent is difficult to obtain. This is a sign that consent is not appropriate and an alternative lawful basis should be found.
Consent is a pre-condition e.g. consent is being asked for as a pre-condition to services being carried out under a contract.
Consent cannot be freely given e.g. if a lay employee feels compelled to consent to use of their personal data “otherwise their employment will be terminated”. Employers must take extra care to show that consent has been freely given in an employment context and to avoid over-reliance on consent. Would another lawful basis, say legitimate interests or contractual be more appropriate?
This lawful basis has the following implications in terms of the individual’s privacy rights:
Individuals can withdraw their consent and request the deletion of their data (the right to erasure, or the right to be forgotten). Individuals must be informed of this right, offered easy ways to withdraw their consent and told how to do it. Organisations must ensure that systems are in place to act on withdrawals of consent without delay.
The right to request the transfer of personal data to a third party (data portability) applies where this lawful basis is being relied upon. It is, however, difficult to see how this could be used in the context of a religious organisation.
Wherever possible, the organisation is encouraged to rely on another lawful basis. In part, this is due to an individual’s right to withdraw consent, which renders any further processing under this lawful basis unlawful.
Read more on Managing Consent here.
C. Necessary for the performance of a CONTRACT
This means the organisation needs to use an individual’s personal data to do something that individual wants them to do under a contract or before entering into a contract with them (e.g. letting them know whether certain facilities are available to use and how much it will cost).
This lawful basis is NOT appropriate if...
There is no contractual obligation requiring use of the personal data in the way intended. For example, an agreement for a group to use the organisation’s hall could require use of personal data to invoice the group leader for the usage fees, but not to contact them about the organisation’s events. An alternative lawful basis could, however, be identified for that purpose, e.g. legitimate interests and/or consent, depending on the circumstances.
It is not necessary to use the personal data in the way intended i.e. although there is a contractual obligation to do something, the organisation can achieve the same result without using the personal data.
Examples of where this lawful basis might be used.
Pay employees and make pension contributions to lay employees (employment contracts)
Manage bookings and the allocation of facilities with third party user groups
Invoice third party users of organisation premises
Manage relationships with outsourced cleaning services
D. Necessary for compliance with a LEGAL OBLIGATION
Are you under a legal obligation to use the personal data in a certain way e.g. to provide personal data to certain regulatory authorities? Is the processing necessary to fulfil the legal obligation; in other words, can it not be fulfilled without using the personal data?
Note that the right to erasure (sometimes referred to as the right to be forgotten, i.e. to have personal data removed), the right to data portability (to request the transfer of personal data to a third party) and the right to object do not apply where this lawful basis is relied upon. The right to rectification (to have inaccurate personal data amended) is a separate right and continues to apply.
Examples of where this lawful basis might apply:
Keeping records of marriages
Keeping records of and supplying information to revenue/customs authorities
Carrying out and keeping records of right-to-rent checks when entering into residential tenancies
Completing tax returns
E. Necessary to protect the VITAL INTERESTS of a data subject
This applies where it is necessary to use the personal data to protect the vital interests of the individual, or of another person such as a child of the individual, in a life-or-death situation. It is unlikely that this lawful basis would be used during regular operations; however, it could be used in the event of an emergency.
F. In the PUBLIC INTEREST
“necessary for the performance of a task carried out in the public interest or in the exercise of official authority” – Article 6(1)(e)
In other words, it is necessary to carry out a specific task in the public interest which is laid down by law, or by a public body exercising its official authority laid down by law. It appears unlikely that this lawful basis would apply on a daily basis. However, a Member State could perhaps have particular regulation around the processing of, say, ‘safeguarding information’, and could engage the organisation to process this information “in the public interest / public task”. Of course, depending on the circumstances, the organisation could just as well rely on legitimate interests or legal obligation to achieve the same purpose.
If you would like to know how our service might enable your organisation's GDPR compliance journey, please visit us here
The content herein is provided for your convenience and does not constitute legal advice.
Compliance Technology Solutions B.V. 2018