GDPR Information Series #4: Lawful Basis for Processing

Share on facebook
Share on google
Share on twitter
Share on linkedin

“Lawful Basis for Processing” is the fourth in a series of topics in which we will discuss the potential impact of the GDPR on your EU or global background screening processes. In this series, look for the first advantage globe icon icon which will highlight specific information regarding potential impact to First Advantage screening processes.

Why is a lawful basis important under GDPR?

Data controllers (i.e. you, the customer) need to have a valid basis for processing personal data. As discussed in our prior article “Demonstrating Compliance under GDPR,” there are several valid bases for processing personal data under the GDPR.

The GDPR prescribes six lawful bases:

  • The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  • The processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  • The processing is necessary for compliance with a legal obligation to which the controller is subject;
  • The processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  • The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • The processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

first advantage globe icon Recall that in our GDPR Basics article, employers who want to run a background check on a prospective employee who is located in the EU (aka a ‘Data Subject’) will qualify as ‘Data Controllers’ under GDPR. Data Controllers must determine what their lawful basis for processing personal data is based on their unique circumstances.

Has consent changed under GDPR and is it appropriate in the employment context?

The definition of “consent” has changed from “freely given, specific and informed” to “freely given, specific, informed and unambiguous.” What does this mean in practice? The practical effect of the changes means that consent must now be given by a statement OR a clear affirmative action indicating that the data subject agrees to the processing of his/her personal data.

Notwithstanding this new clarification, the European Data Protection Board (EDPB), both independently and as successor to the Article 29 Working Party, has provided guidance on this topic several times both pre- and post-GDPR. Employers are cautioned that consent is not an appropriate lawful basis for use in the employment context: “Given the dependency that results from the employer/employee relationship, it is unlikely that the data subject is able to deny his/her employer consent to data processing without experiencing the fear or real risk of detrimental effects as a result of a refusal.”1

https://ec.europa.eu/newsroom/article29/document.cfm?action=display&doc_id=51030

Which lawful basis is appropriate for background screening then?

Although First Advantage cannot assist clients with making this decision and strongly recommends that each client work with its legal counsel to select the appropriate lawful basis, First Advantage sees ‘legitimate interests’ used most frequently by EU-based organisations (bullet 6 above).

first advantage globe icon In practice, most EU clients select ‘legitimate interests’ as their lawful basis for processing personal data. If your organisation chooses to rely on consent as your valid basis for processing your candidate’s data, you will need to be able to demonstrate that your candidates have affirmatively and ‘freely given’ their consent to the processing of their personal data for employment screening purposes. Data Controllers may not assume consent by the candidate as a result of their inaction or rely on pre-checked boxes or forms that do not require acknowledgment and signature by the candidate. The EDPB has opined that consent can be freely given “when it will have no adverse consequences at all whether or not [the data subject] give[s] consent.”

How should the Consent Form be handled if consent is not the appropriate lawful basis?

First Advantage can provide a sample ‘Privacy Notice’ as an example of how a notice may be structured for background screening purposes. It is intended only as educational material / best practices guidance. The sample Privacy Notice is provided to clients in its entirety and if a client desires to use this language in whole or in part, they may modify their existing forms to suit their business including inserting an appropriate lawful basis for background screening where indicated (if applicable).

If consent is not the appropriate basis for the client’s processing of personal data (per the client’s legal team’s analysis), then this sample Privacy Notice demonstrates an example of language that can be used to inform the data subject of the client’s lawful basis for processing the data. The notice can be provided to the data subject on the First Advantage system prior to data entry.

What happens if the data subject withdraws their consent or objects to the processing?

Technically, withdrawal of consent may only be exercised by a data subject who originally gave consent to the processing in the first place. Data subjects who have instead been presented with a privacy notice that identifies an alternative lawful basis may still attempt to stop the processing of the background check; however this would generally be an ‘objection to processing’ and not a withdrawal of consent.

first advantage globe icon How we can help you

First Advantage will always notify you as the Data Controller if a candidate contacts us with either a ‘withdrawal of consent’ or an objection to the continued processing of the background check. We will place a hold on the processing of the case and await your instructions regarding how you wish to proceed.

Next in the GDPR Information Series…“Data Subject Rights”

 

About First Advantage

First Advantage provides comprehensive background screening, identity and information solutions that give employers access to actionable information that results in faster, more accurate people decisions. With an advanced global technology platform and superior customer service delivered by experts who understand local markets, First Advantage helps customers around the world build fully scalable, configurable screening programs that meet their unique needs. Headquartered in Atlanta, Georgia, First Advantage has offices throughout North America, the United Kingdom, Asia and the Middle East.

Information Content Notice

Although the foregoing has been authored by the First Advantage Global Legal Compliance Team, we are not authorised to provide your organisation with legal advice because First Advantage is not a law firm.

The foregoing information is rather provided in a spirit of partnership as helpful information on the possible impacts associated with GDPR.

Please share this document with legal counsel familiar with your organisation and who has expertise in GDPR compliance. Given the substantial financial penalties associated with GDPR compliance and their possible impact on your revenue, legal review is an essential part of your organisation’s preparation for GDPR compliance.

Current as of June 2020
© 2020 First Advantage Corporation