Lawful Bases for Personal Data Processing
The European Union’s (EU) General Data Protection Regulation (GDPR) provides six lawful bases for processing personal data of natural persons (data subjects) located in the EU:
- The data subject has given specific consent.
- It is necessary for purposes of the legitimate interests pursued by the controller or by a third party and is not overridden by the interests or fundamental rights and freedoms of the data subject (particularly where the data subject is 16 years of age or younger).
- It is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
- It is necessary for compliance with a legal obligation.
- It is necessary in order to protect the vital interest of the data subject or another natural person.
- It is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
In addition to the use of consent as a lawful basis for data processing, consent must often be obtained if “special category” data is being collected from a data subject. When collecting data under one of the other five lawful bases, a data subject must be provided with an explicit privacy notice.
Processing “Special Category” Data
Under the GDPR, personal data is considered to be special category data where it reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. It also includes the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a data subject’s sex life or sexual orientation.
As is relevant to the University, special category data cannot be processed unless data subject consent is obtained, or: (1) it is necessary to carry out rights and obligations of the data subject or processor in employment; (2) the data subject is physically or legally incapable of consenting and the processing is necessary to protect the vital interests of the data subject or another natural person; (3) the data has already been manifestly made public by the data subject; (4) it is necessary for the establishment, exercise, or defense of legal claims; (5) it is necessary for specified public health reasons; (6) it is necessary for health-care related reasons, including assessing the work capacity of an employee, and those individuals involved in processing the data have duties of confidentiality; or (7) it is necessary for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes – and appropriate safeguards are in place.
When a Privacy Notice is Required Under the GDPR
An explicit privacy notice is generally required for any lawful processing of personal data under the GDPR where the lawful basis for that processing is not the consent of the data subject. If a privacy notice is required, it must be provided: (1) when personal data is collected from residents of the European Union (EU); (2) when initial contact is made with an EU resident whose personal data was obtained indirectly, or within one month of obtaining the data, whichever comes first; or (3) prior to using data for a purpose other than the one originally stated when that data was collected.
An explicit privacy notice is not required when: (1) it would be impossible, or involve a disproportionate effort; or (2) the data subject already has the required notification information.
Elements of Privacy Notice
When Boise State University is collecting personal data directly from a data subject located in the EU, a GDPR-compliant privacy notice must include all of the following elements:
- Name and contact information of the University department collecting information.
- The purposes for which the personal data is being collected and the lawful basis for processing.
  - If the lawful basis utilized is that the processing is necessary for the legitimate purposes of the controller or a third party, you must identify what the legitimate purpose is.
- The entities, or categories of entities, the personal data will be shared with.
- Whether personal data will be transferred internationally and, if so, what safeguards will be employed.
- The length of time personal data will be retained or the criteria that will be used to make this determination.
- The rights of the data subject to:
  - Request access, correction, or erasure of their personal data.
  - Take a copy of their data (data portability).
  - Object to the processing of their personal data.
  - File a complaint.
When Boise State University has received personal data from a third party, rather than directly from the data subject, a GDPR-compliant privacy notice must include all of the above elements in addition to:
- The categories of personal data it has received.
- Notification of where the personal data was obtained, and whether that source is publicly accessible.
Template for Privacy Notice
Boise State University
[Insert University Department Name]
Notification for Collection and Use of Personal Data
You are notified that by [describe your process, for example: completing this form, continuing through this process, signing up for this service, etc.], Boise State University is collecting certain data about you. [Department Name] is collecting data in order to [process your application for, sign you up for, and/or provide the service, event, or program described].
Boise State may also use this data to comply with its legal obligations. Data records will be maintained consistent with Boise State University Policy 1020 – University Records, Archives, and Publications, or for the duration of your relationship with Boise State. Data records will be accessed by those who have a legitimate Boise State-related business need to access them. [ADD IF RELEVANT: Explanatory language regarding third parties that information may be shared with, such as “In order to provide you with this service we may provide your personal data to third-party vendors when necessary to the provision of service. These third-party vendors shall be required to protect your personal data through adequate and reasonable means.”]
[ADD IF RELEVANT: Some of your data may be processed by automated decision-making. [insert additional information about the logic involved, and the significance or consequences of such processing]]
For additional information, to request access to or a copy of your personal data, or to request certain data be removed or corrected, you may contact [insert name, title, and contact information of designated employee in Boise State University Department providing notice].
If your data protection related questions or concerns are not addressed after contacting [the organization area to which you provided data], you may also contact Boise State’s Office of Institutional Compliance and Ethics at (208) 426-1258 or complianceandethics@boisestate.edu. You also have the right to lodge a complaint with your supervisory authority in the EU.
When Consent Must Be Obtained Under the GDPR
The University must obtain consent from a data subject prior to processing their personal data where no other legal basis is available, including situations where the personal data is special category data and none of the exceptions to consent are present.
Elements of Consent Form
When the University is using consent as the legal basis for processing personal data of a data subject located in the EU, it must ensure that it retains a record of the signed consent form (whether signed electronically or physically). The consent form should include the following information, using clear and plain language:
- Name and contact information of the University department collecting information.
- The purposes for which the personal data is being collected.
- The entities, or categories of entities, the personal data will be shared with.
- Whether personal data will be transferred internationally and, if so, what safeguards will be employed.
- The length of time personal data will be retained or the criteria that will be used to make this determination.
- The rights of the data subject to:
  - Request access, correction, or erasure of their personal data.
  - Take a copy of their data (data portability).
  - Object to the processing of their personal data.
  - Withdraw their consent.
  - File a complaint.
Note that where the University is seeking to collect personal data from a data subject who is under 16 years of age it must obtain the consent of the data subject’s parent or legal guardian.
Template for Consent
Boise State University
[Insert University Department Name]
Consent for Collection and Use of Personal Data
You hereby consent to Boise State University collecting your personal data through [describe your process, for example: completing this form, continuing through this process, signing up for this service, etc.]. [Department Name] is collecting data in order to [process your application for, sign you up for, and/or provide the service, event, or program described].
Boise State may also use this data to comply with its legal obligations. Data records will be maintained consistent with Boise State University Policy 1020 (University Records, Archives, and Publications), or for the duration of your relationship with Boise State. Data records will be accessed by those who have a legitimate Boise State-related business need to access them. [ADD IF RELEVANT: Explanatory language regarding third parties that information may be shared with, such as “In order to provide you with this service we may provide your personal data to third-party vendors when necessary to the provision of service. These third-party vendors shall be required to protect your personal data through adequate and reasonable means.”]
[ADD IF RELEVANT: Some of your data may be processed by automated decision-making. [insert additional information about the logic involved, and the significance or consequences of such processing]].
For additional information, to request access to or a copy of your personal data, to request certain data be removed or corrected, or to withdraw this consent you may contact [insert name, title, and contact information of designated employee in Boise State University Department providing notice]. If you choose to withdraw your consent at a later date this will not change the fact that your personal data was legally processed up to that point.
If your data protection related questions or concerns are not addressed after contacting [the organization area to which you provided data] you may also contact Boise State’s Office of Institutional Compliance and Ethics at (208) 426-1258 or complianceandethics@boisestate.edu.
[INCLUDE IF COLLECTING DIGITAL SIGNATURE: By submitting, I acknowledge and agree that I have read, understood and execute this document with full knowledge of its legal significance and sign this Consent, freely and voluntarily. I further hereby consent to and authorize the use of electronic means to enter into, deliver, and evidence consent. I acknowledge and agree that consistent with Idaho Code § 28-50-107, as amended from time to time, the electronic signature executed in conjunction with the electronic submission will be legally binding. If signing on behalf of a child under 16 years of age, I hereby acknowledge that I am signing on behalf of myself and my spouse, partner, parent, co-guardian, or any other person who claims that child as a dependent.]