Consent as a basis for processing data - Part 2

Last week I started tackling the topic on consent and some of the legal bases for processing. This week I will conclude on this subject.

Sometimes you can rely on legitimate interest instead of consent as a reason for processing. Recording staff and customers in appropriate locations by CCTV security system is an example where you couldn’t practically ask everyone entering a building for consent and it wouldn’t be appropriate.

To use legitimate interest as your basis for installing and using a CCTV system, first you would need to conduct a ‘legitimate interest balancing test’ to check if your processing (CCTV monitoring) will infringe on the data subjects’ privacy rights. If it turns out from the balancing test that your planned new CCTV system will infringe on their privacy (i.e. by having CCTV cameras in a lavatory area) then there is no further legal basis for that action. If your balancing test (e.g. CCTV at a reception area) turns out that it is not going to intrude negatively on their privacy rights and you have proven a legal basis of legitimate interest (for protection of property, staff, security reasons) you still need to clearly notify (inform) the people affected of what you are going to do with their data at the onset. Therefore you need clear notices in place to inform those affected of the processing, what reason you are doing it for, who the controller is and how they contact you to obtain their data or activate on their other privacy rights. Remember you can only use the data as detailed so if you notice says “CCTV is for security purposes” then using it to check when staff clock in and out of work would not be allowed or appropriate.  

Some tips if using consent as the legal basis;

  • Make sure it’s the right legal basis – think if you really need to do it (i.e. would consent being withdrawn be detrimental to the service provision and what other basis may be better for all the stakeholders affected)

  • Make sure it is informed.  In other words the person (data subject) knows what they are consenting to. Language should be clear and concise. Your privacy statement should be clear as well on what you do with data processed by consent.

  • Don’t deviate in processing from what you said you would use it for without consulting the data subject, for any changes you may need to seek new consent.

  • Make sure it is freely given – the data subject shouldn’t be pressured to give consent (employer – employee consent scenarios might be hard to argue consent was freely given as the employer has an upper hand)

  • Make sure it’s a clear opt-in to something rather than an assumed consent by their participation or an opt-out.

  • Record the preferences – Keep it up to date on your database and follow their most recent preference for consent (if they change their consent from phone to email, then communications should be by email only!)

  • Written confirmation of consent is always best

  • Always detail that consent can be removed at any time.

  • Don’t ask for blanket consents to contact other organisations on behalf of the data subject “just for the sake of it”.


Enguard can assist with the issues which GDPR raises from audit, security, staff training to drafting policies and procedure. For further details please call us at Enguard on 0818 252 052 or email We would love to hear from you!

Disclaimer: Please note the above article is an opinion piece based on current sources of information available at time of publishing. It should not be read as legal, clinical or other form of technical advice for the processing of data by processors or controllers. 

Kenneth BakerComment