Article 4: Lawful Data Processing: Legal Bases for Processing Data

Welcome again to another article in the Nexa Advisory & OTL Law Data Protection Knowledge Management Series. We are moving quickly from the introductory concepts into the technical aspects of data protection. This week, we’ll be discussing the legal bases for processing personal data, building on the principles of data processing we discussed last week. This discussion moves us into the rules of lawful processing and compulsory data protection obligations.

If you recall from our last article, one of the principles of data processing is lawfulness. This means that data controllers must have a legal basis for processing personal data. In this article, we will discuss these legal bases in detail and explain how data controllers can incorporate these into their processing operations for compliant processing.

This is also one of my favourite data protection topics to discuss with Nigerian privacy enthusiasts because it helps debunk the myth that consent is the strongest pillar of data processing or that every processing operation requires consent. At the end of this article, you will see why consent is actually the least desirable legal basis for processing.

For personal data to be processed lawfully, it must rest on one of the following legal bases (or grounds) of processing:

  1. consent of the data subject,
  2. a contractual relationship between the data subject and the controller or processor,
  3. compliance with a legal obligation of the controller,
  4. protection of the vital interests of the data subject or a third party,
  5. performance of a task in the public interest,
  6. legitimate interest of the controller.

Consent

Consent means that a data subject has given clear permission for their data to be processed for a specific purpose. Both the GDPR and the NDPA require that consent must be freely given, specific, informed, and unambiguous. Where processing is based on consent, the controller must be able to demonstrate that consent was obtained. However, consent is often seen as the most volatile and weakest ground for processing because it can be withdrawn at any time, and withdrawal must be as easy as giving consent. For this reason, regulators frequently advise controllers to avoid over-reliance on consent unless it is absolutely necessary.

Another important point is that consent may be interpreted as not freely given if there is a clear imbalance of power between the parties. For example, in an employment relationship, an employee may feel pressured to give consent to their employer even if they do not really want to. In such situations, consent may not be considered valid.

The NDPA-GAID provides more clarity on situations where consent must be used as a legal basis. These include direct marketing, processing of sensitive personal data, and the processing of children’s data. For these activities, no other ground of processing will suffice.

Controllers should also remember that consent must always be documented. If challenged, it is the responsibility of the controller to prove that valid consent was obtained.

Contract

Personal data may be processed where it is necessary to enter into or perform a contract with the data subject. This does not mean that any data processing linked to a contract is automatically lawful. Rather, the processing must be strictly necessary for the performance of the contract or for pre-contractual steps taken at the request of the data subject. For example, if a customer orders goods from an online store, the store needs the customer’s name, address, and payment details to deliver the product. These are necessary for fulfilling the contract. However, using the same data for unrelated profiling or targeted advertising would not fall under this ground, as it is not necessary for the contract itself.

The NDPA and NDPA-GAID adopt the same approach: processing must be necessary and proportionate to the performance of a contract. Where the purpose can be achieved without processing personal data, this ground should not be used.

Legal Obligation

Controllers may process personal data where it is necessary to comply with a legal obligation. For example, financial institutions are often required by law to retain transaction records for a fixed number of years for tax or anti-money laundering compliance.

This ground is particularly strict: the legal obligation must be laid down in law. It cannot be based on company policy or internal practices. The governing legislation must also respect the fundamental rights and freedoms of the data subject.

Vital Interests

Processing may also be justified where it is necessary to protect the vital interests of the data subject or another person. This is usually limited to matters of life and death or situations of grave danger. For example, if a hospital shares a patient’s medical records with another hospital in an emergency where the patient is unconscious and unable to consent, this would be justified on the basis of vital interests.

The NDPA-GAID also frames vital interests narrowly. It should only be used where processing is essential to protect someone’s life, health, or safety, and where no other legal basis is available.

Public Interest

Both the GDPR and the NDPA recognise that personal data may be processed for the performance of a task carried out in the public interest or in the exercise of official authority. This ground often applies to public authorities or private entities carrying out delegated public functions. Examples include processing for public health surveillance, census exercises, or voter registration.

Legitimate Interest

Legitimate interest allows controllers to process data where it is necessary for their legitimate interests or those of a third party, except where such interests are overridden by the rights and freedoms of the data subject.

This ground gives organisations flexibility, but it must be balanced carefully. The controller must carry out a legitimate interest assessment (LIA), weighing their interest against the privacy rights of the data subject. For example, using CCTV cameras in a store to prevent theft may be justified under legitimate interest. However, excessive surveillance of employees without a clear purpose may fail this test.

Importantly, under both the GDPR and the NDPA, legitimate interest is never a lawful basis for processing sensitive personal data.

Special Note on Sensitive Data

Sensitive personal data (called “special categories of data” under GDPR) includes information on health, race, ethnic origin, religion or belief, political opinions, union membership, genetics, biometrics, and sexual orientation. Because of its sensitive nature, this category of data attracts stricter rules. Both the GDPR and the NDPA recognise that sensitive data requires higher protection, but their approaches differ.

Under the GDPR (Article 9), processing of special categories of data is prohibited unless one of several exceptions applies. These include:

  1. Explicit consent of the data subject.
  2. Processing necessary for carrying out obligations in the field of employment, social security, and social protection law.
  3. Processing necessary to protect the vital interests of the data subject or another person where the data subject is unable to consent.
  4. Processing by a not-for-profit body in the course of its legitimate activities.
  5. Processing of data manifestly made public by the data subject.
  6. Processing necessary for legal claims or courts acting in a judicial capacity.
  7. Processing necessary for reasons of substantial public interest, based on law.
  8. Processing for health or social care purposes.
  9. Processing for public health purposes.
  10. Processing for archiving, research, or statistical purposes in the public interest.

Under the NDPA and the NDPA-GAID, the position is narrower. Sensitive data may only be processed on the basis of explicit consent of the data subject, unless otherwise provided by law. The NDPA-GAID also highlights that direct marketing and children’s data fall within categories where consent is the only valid basis. Please note that explicit consent differs somewhat from the consent required to process other types of personal data. Explicit consent requires more information, more legal safeguards, and a clearer opportunity to object to the processing at any point in time.

Controllers must always remember that legitimate interest can never be used for processing sensitive personal data. Where consent is relied upon, it must be explicit, unambiguous, and properly documented.

Conclusion

Lawful processing requires careful consideration of the appropriate legal basis. While the GDPR provides a range of options, Nigerian law under the NDPA and NDPA-GAID often requires stricter reliance on consent, especially for sensitive data. Controllers should therefore avoid using consent where another, stronger legal basis is available and should document their decision-making process for accountability.

Short Test

Which of the following is not a valid legal basis for processing personal data?

  a) Consent
  b) Contract
  c) Convenience
  d) Legal obligation

True or False: Consent is always the strongest and most reliable basis for data processing.

Which legal basis applies when a hospital shares a patient’s medical data in a life-or-death emergency?

  a) Consent
  b) Vital interests
  c) Public interest
  d) Contract

Under the NDPA, which of the following activities requires consent as the legal basis?

  a) Processing of children’s data
  b) Direct marketing
  c) Processing of sensitive personal data
  d) All of the above

Bonus Question: Which principle requires controllers to document their reasoning when choosing a legal basis for processing?

We look forward to receiving your answers and comments. Stay tuned for our next article!