Article 6(1)(e) of the GDPR
Exercise of Official Authority and Tasks of Public Interest as legal basis
Exercise of official authority and tasks of public interest is a legal basis for the processing of personal data. Article 6(1)(e) of the GDPR states this legal basis. A company may process personal data if it is necessary for the performance of task carried out in the public interest. Or, in the exercise of official authority vested in the controller.
Mainly official authorities use this legal base
It is primarily official authorities that process personal data based on this legal basis. However, both official authorities and businesses can use this legal basis. However, it is relatively rare to use for businesses. Therefore, a company should carefully analyze whether any other legal basis is more appropriate to use.
What is Exercise of Official Authority?
In short, the exercise of official authority vested in the controller means that the state gives the controller the task of deciding over citizens. For example, making a binding decision regarding benefits and rights, or obligations and penalties. Please note that the exercise of public authority must be based on enacted laws or regulations.
Examples of the exercise of official authority
When a school or university grades its pupils/students as part of the rules that the country has. Then, exercise of official authority is the appropriate legal basis to use.
When universities award a degree to a student in accordance with the rules and regulations in place. Then, it is also an exercise of public authority that is relevant.
When authorities issue building permits to the applicant in accordance with the law. Then, the exercise of public authority is the appropriate legal basis to use.
What is Performance of Tasks of Public Interest?
Both private companies, county councils, municipalities and official state authorities can carry out tasks that are of public interest. It is important that the task in question is based on the law or other statutes. If that is not the case, it can not be considered a task of public interest. In addition, collective agreements or decisions issued on the basis of applicable law may also contain other forms of statute. There are, therefore, certain private operators carrying out tasks of public interest.
- Some industries that may be in the private sector and process personal data carrying out tasks of public interest are:
- School sector.
- Ethnic origin.
- Services and support for persons with disabilities.
- Transport industry: air, public or rail transport.
If a company is not entirely sure that the processing meets the requirements for the performance of a task carried out in the public interest in accordance with the GDPR, the company should support the processing on a different legal basis.
Objections by data subjects
A right that data subjects have under the GDPR is the right to object to the processing of their personal data. This also applies when the company conducts a processing of personal data based on this legal basis. In addition, the controller shall inform the data subject of this right. It should be done at the time or before the start of the processing.
If a company processes personal data on the basis of the exercise of official authority and tasks of public interest, and the data subject objects to the processing, the company must be able to prove that their interests outweigh the interests of the data subject.
Few companies can use the exercise of public authority and tasks of public interest as a legal basis
As mentioned above, there are not many companies that can use the exercise of public authority and public interest tasks as a legal basis for the processing of personal data. Examples of industries where companies can use it in certain situations are the school industry and the healthcare industry. However, that does not mean that such an undertaking can process all personal data based on that legal basis.
More information about the legal and lawful bases of the GDPR
Legitimate interest pursuant to Article 6(1)(f) of the GDPR
Another legal basis for the processing of personal data is “Legitimate interest”. A company may consider that their interest is higher and that the fundamental freedoms and rights and interests of the data subject do not override and require the protection of personal data. In order to reach this conclusion, the company must carry out a Legitimate Interest Assessment (LIA). Examples of when companies may have a legitimate interest are to prevent fraud, or carry out direct marketing by email to previous customers.