The EDPB requires controllers to specify the legal basis for the respective data processing. Whereas the wording of Art. 6 GDPR leaves the option to refer to one or several legal bases, the EDPB is more restrictive. According to the EDPB, the controller shall choose one specific legal basis prior to the start of the processing activity. Once the processing activity has started, “swapping” from one legal ground to another is prohibited. Since the EDPB has the authority to provide the binding interpretation of the GDPR,1 controllers shall follow this narrow interpretation.
Principle of Lawfulness derives from the EU Charter
Any data processing requires a legal basis.2 This derives from the principle of lawfulness.3 In that respect, the GDPR is in line with Art. 52 of the Charter. Art. 52 Charter states:
“Any limitation on the exercise of the rights and freedoms recognised by this Charter must be provided for by law…”
Since the Right to Data Protection is one of the Rights and Freedoms of the Charter, the principle of Art. 52 Charter applies equally to the Right to Data Protection. As a consequence, Art. 5 and Art. 6 GDPR incorporate the Principle of Lawfulness accordingly.
Interpretation of the EDPB
However, the wording of Art. 6 GDPR leaves the option to document one or several legal bases:
“Processing shall be lawful only if and to the extent that at least one of the following applies:…”
In contrast, the interpretation of the EDPB is more restrictive. The Article 29 Working Party – the predecessor of the EDPB – gave a first hint of this restrictive interpretation of Art. 6 GDPR. In its guidelines on transparency, the Article 29 Working Party required that “the legal basis relied upon under Art. 6 must be specified”.4 These guidelines were published in 2017 and revised in 2018, shortly before the GDPR came into force. However, this wording was hidden in the annex of the guidelines.
In May 2020, the EDPB stated its opinion more strongly.5 Although those guidelines are focused on consent, the statement of the EDPB is of a general nature and applies to any legal basis:
“Article 6 sets the conditions for a lawful personal data processing and describes six lawful bases on which a controller can rely. The application of one of these six bases must be established prior to the processing activity and in relation to a specific purpose.”
It follows that swapping the legal basis – after the legal basis has been documented by the controller – is prohibited according to the EDPB.
Documentation of the legal basis
The question arises where to document the legal basis. The controller shall document the legal basis in both the records of processing activities and the information to the data subject.
Although the wording of Art. 30 GDPR on the records of processing activities does not mention the legal basis,6 how can a controller demonstrate its compliance with the GDPR under the Accountability Principle without documenting the legal basis in the records of processing activities?7
Insofar as more than one legal basis is available in principle, the controller shall choose the legal basis which fits best in a legal sense. The other legal bases may additionally be documented in the records of processing activities. Nevertheless, the controller cannot leave open which legal basis it will rely upon.
Ultimately, the controller shall publish solely one specific legal basis in the information to the data subject.8 Otherwise, the data subject will not be in a position to check whether or not the respective processing of their data is justified.9 Without this key information, the data subject has no means of exercising the respective rights – such as the right to compensation and liability.10
Assessment
The interpretation of the EDPB is more restrictive than the wording of Art. 6 GDPR. However, the interpretation of the EDPB is in line with the systematic interpretation of the GDPR.
The Accountability Principle, the Principle of Transparency and the protection of the interests of the data subject prohibit the swapping of the legal basis.
According to the Accountability Principle, the controller bears the burden of proof that a legal basis exists. Therefore, the controller shall document the legal basis accordingly. Preferably, this documentation takes place in the records of processing activities. In the information pursuant to Art. 13 and Art. 14 GDPR, the controller shall make transparent to the data subject which specific legal basis the data processing is based upon. Only when a specific legal basis is documented in the information to the data subject will the data subject be in a position to check whether or not the data processing is lawful. Similarly, the DPA can audit the lawfulness of the processing by checking the controller's records of processing activities.
While at first glance the interpretation of the EDPB seems too restrictive, ultimately, prohibiting the swapping of the legal basis is in line with a systematic approach to the key principles of the GDPR.
1 Pursuant to Art. 70 GDPR.
2 Pursuant to Art. 6 GDPR.
3 Pursuant to Art. 5(1)(a) GDPR.
4 Article 29 Working Party, WP260 rev.01, Guidelines on transparency under Regulation 2016/679, Adopted on 29 November 2017, As last Revised and Adopted on 11 April 2018, page 35.
5 EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, Version 1.1, Adopted on 4 May 2020, page 25, paragraph 121.
6 Pursuant to Art. 30 GDPR.
7 Inter alia Bitkom, Das Verarbeitungsverzeichnis, Verzeichnis von Verarbeitungstätigkeiten nach Art. 30 EU-Datenschutz-Grundverordnung (DS-GVO), p. 17.
8 Article 29 Working Party, WP260 rev.01, Guidelines on transparency under Regulation 2016/679, Adopted on 29 November 2017, As last Revised and Adopted on 11 April 2018, page 35.
9 Requiring the data recipient to be specified: Andreas Rohner/Gerald Trieb, Right of Access: Austrian Court requires to inform which specific data being transferred to any individual recipient, DPOblog.eu, December 30, 2020.
10 Article 82 GDPR.