6. Legal grounds for processing data
Chapter 6
Under GDPR, you are obliged to have a legal ground for each and every data processing activity and purpose.
One of these legal grounds is consent. If you are unsure if any of the other legal grounds apply (more on this later), asking for consent is uncomfortable, but the safest way to go. So a simple, but definitely not optimal approach would be to adding a separate consent checkbox to each form where you gather customer data. However, this is not always necessary. For example, your contact forms most likely do not need a consent checkbox, contrary to what a lot of people seem to believe and what some other GDPR plugins recommend. And as you probably know, adding unnecessary form fields usually reduces conversion, so from a business perspective, it makes sense to avoid adding additional checkboxes if possible.
So first of all, let’s go over the other legal grounds so that you would have an idea of what else you can use instead of having to ask for consent.
Fulfilling a contract
First of all, fulfilling a contract is a legitimate legal ground for processing data.
GDPR Art. 6(1)(b): Processing is lawful if processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
For example, this could apply to contact forms if someone contacting you does it to purchase a product or service from you.
Law
If you are legally obliged to do something, then obviously GDPR cannot prohibit you doing that.
GDPR Art. 6(1)(c): Processing is lawful if processing is necessary for compliance with a legal obligation to which the controller is subject.
For example, if a customer orders something from your online store, it’s likely that you must store the invoices for a time period.
Legitimate interest
There is also one magical keyword: legitimate interest. There are some cases where processing customer data probably counts as your legitimate interest. If this is the case, you don’t necessarily need to ask for consent.
The most useful example of this is direct marketing. Some of it might actually be covered by “legitimate interest.” For example, in the situation where a customer has purchased something from you, it could be argued that sending that customer ads about products similar to the one they purchased is your legitimate interest.
(Indrek’s note: Please be aware that this doesn’t mean you can just send any kind of ads to your customers. Using the “legitimate interest” concept is advanced lawyer-wizardry. We don’t recommend using it without the help of a lawyer because if you are unaware of the precedents or misunderstand something, you might be fined.)
Read more about legitimate interest here.
Consent
There are some more things you need to know about consent.
GDPR Art. 4 states that consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Let’s deconstruct the meaning of this.
“Freely given” means exactly what it says. For example, you can’t force your customers to give consent by doing trickery such as giving them checkboxes saying “I accept the terms & conditions and want you to send me advertisements” and if they don’t check it, they can’t use your services.
“Specific” means that you have to ask for each consent specifically and separately. You need one checkbox per each processing purpose you’re asking consent for.
“Informed” means that you need to explain in a clear and easily understandable way what the data subject is consenting to.
“Unambiguous” basically means “clear” again. Consent has to be asked separately from the presentation of other information.
“Clear affirmative action” means that the data subject has to do something specific to show that they consent to something. This means that consent checkboxes may not be pre-ticked.
Processing sensitive data needs explicit consent.
Explicit consent is also required for transferring personal data outside of EEA without the adequacy decision (GDPR Art. 45), appropriate safeguards (approved codes of conduct/binding corporate rules, approved certification mechanism – see Art. 46) or approved corporate rules.
And the tough part – the data subject has the right to withdraw any consent they have given at any time. We’ll show you how to add this functionality to your WordPress site in the next chapter.
How to ask for consent
When asking for consent, you need to display the following information:
Bring out what you want to do;
Bring out what is the purpose of doing that;
Bring out who you share data with and give their contact info;
Give the duration of the period of processing (or the duration of the activity);
Provide a link to withdraw consent;
Provide a link to other relevant info (e.g. right to complain to supervisory authority);
Make sure the data subject can’t give consent by default (no pre-ticked checkboxes!)
Yes, that’s quite a lot! From a legal perspective, the safest way is to display all this information in your forms.
However, it’s likely that you can get away with displaying just one line of text, something like this:
And when a customer clicks on the “More information” link, you open up a modal with all the additional information you need to display. Something like this:
Again, from a legal perspective it’s not a completely bulletproof solution, so use it at your own risk.
We’re adding a simple modal integration with the more popular contact form plugins in April – stay tuned!
Tracking & withdrawing consent
Your visitors need to be able to withdraw each consent they’ve given. The GDPR Framework provides tools to track each consent your visitors have given and allows them to withdraw consents separately on the Privacy Tools page. Read more on how to set up this functionality in the next chapter.