Exercise of Official Authority and Tasks of Public Interest as Legal Basis
Article 6(1)(e) of the GDPR
Information about this legal basis
Exercise of Official Authority and Tasks of Public Interest
Exercise of official authority and tasks of public interest is a legal basis for the processing of personal data. Article 6(1)(e) of the GDPR states this legal basis. A company may process personal data if it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. It is primarily official authorities that process personal data based on this legal basis. Both official authorities and businesses can use it, but it is relatively rare for businesses to do so. Therefore, a company should carefully analyze whether any other legal basis is more appropriate to use.
What is Performance of Tasks of Public Interest?
Private companies, county councils, municipalities and official state authorities can all carry out tasks that are of public interest. It is important that the task in question is based on the law or other statutes. If that is not the case, it cannot be considered a task of public interest. In addition, collective agreements or decisions issued on the basis of applicable law may also contain other forms of statute.
There are, therefore, certain private operators carrying out tasks of public interest. Industries in which private-sector operators may process personal data while carrying out tasks of public interest include:
- School sector
- Healthcare sector
- Services and support for persons with disabilities
- Transport industry: air, public or rail transport.
If a company is not entirely sure that the processing meets the requirements for the performance of a task carried out in the public interest in accordance with the GDPR, the company should base the processing on a different legal basis.
What is Exercise of Authority?
In short, the exercise of official authority vested in the controller means that the state gives the controller the task of making decisions concerning citizens, for example a binding decision regarding benefits and rights, or obligations and penalties. Please note that the exercise of public authority must be based on enacted laws or regulations.
Examples of the exercise of official authority
Grades: When a school or university grades its pupils/students as part of the rules that the country has, exercise of official authority is the appropriate legal basis to use.
Issuance of degree: When universities award a degree to a student in accordance with the rules and regulations in place, it is also the exercise of public authority that is relevant.
Building permits: When authorities issue building permits to the applicant in accordance with the law, the exercise of public authority is the appropriate legal basis to use.
Objections by data subjects
Data subjects have the right under the GDPR to object to the processing of their personal data. This also applies when the company processes personal data based on this legal basis. In addition, the controller shall inform the data subject of this right. This should be done at or before the start of the processing.
If a company processes personal data on the basis of the exercise of official authority and tasks of public interest, and the data subject objects to the processing, the company must be able to prove that its interests outweigh the interests of the data subject.
Few companies can use the exercise of public authority and tasks of public interest as a legal basis
As mentioned above, there are not many companies that can use the exercise of public authority and public interest tasks as a legal basis for the processing of personal data. Examples of industries where companies can use it in certain situations are the school industry and the healthcare industry. However, that does not mean that such an undertaking can process all personal data based on that legal basis.
More information about the legal and lawful bases of the GDPR
Consent as a legal basis for processing personal data
Consent is a relatively common legal basis to support the processing of personal data. But it is not always appropriate and in some cases even unlawful. In short, the legal basis consent means that a person accepts that a company processes their personal data for a specified purpose. It must be active consent in order to be valid. In addition, the consent must be voluntarily provided. An example of when it is not allowed to use consent as a legal basis is when there is an unequal power relationship between the controller and data subject, for example between an employer and an employee.