
Startup Guides · Feb 8, 2020 · 4 min read

How to build your GDPR legal justification table

Rob Winspear

What is a GDPR legal justification table?

Under the GDPR, you are required to explain to your customers which of the legal justifications provided by the GDPR you rely on in order to lawfully process each type of personal data that you collect from them.

We believe the easiest and best way to demonstrate this is through a table with three columns: a left-hand column summarising the activity you or your customer undertakes that engages with personal data, a middle column identifying what type of personal data the activity gives rise to (e.g. profile, identity, financial), and a right-hand column explaining which legal justification you rely on to process that type of personal data. More than one legal justification may apply to the kind of personal data you are collecting.

Here is an example, extracted from our own privacy policy table, to illustrate how to build yours:

| Purpose/Activity | Type of data | Lawful basis for processing, including basis of legitimate interest |
|---|---|---|
| User visiting the public website for the first time | (a) Technical; (b) Usage | (a) Legitimate Interest: We need to understand where you are logging in from so we know whether you can take advantage of our services, and what browser you are using so we can understand our customer demographic to help diagnose service provision issues, to keep our records up to date and analyse how customers use our services. |
| When a non-registered User uses our live chat support | (a) Potentially identity/contact (depending on the contents of the conversation); (b) Technical; (c) Contact; (d) Marketing and communications | (a) Consent: We ask you for your email so we can easily get back in touch with you and connect the conversation history to an individual. It also allows us to register you as a User so that we can enter into a contract with you. You must volunteer this information; we will not extract it from you without your consent. (b) Legitimate Interest: We need to understand where you are logging in from so we know whether you can take advantage of our services, and what browser you are using so we can understand our customer demographic to help diagnose service provision issues, to keep our records up to date and analyse how customers use our services. |
| ... | ... | ... |

If you would like to see our full privacy policy table, please visit our privacy policy on our public website.

By the time you read this article, you should already have identified the different types of personal data you collect, when you were asked “What type of data does your company collect?” in the “What does your company do?” section of the document-builder.

To remind you of the different types of personal data, they are as follows:

  • Profile/Identity Data: data relating to first name, last name, gender, date of birth.
  • Contact Data: data relating to your phone numbers, addresses and email addresses.
  • Marketing and Communications Data: preferences in receiving marketing information and other information.
  • Billing Data: debit and credit card information such as the name attached to your payment details and your billing address.
  • Financial Data: banking details e.g. your account number and sort code.
  • Transactional Data: details and records of all payments you have made for our services or products.
  • Technical Data: IP address, browser type and version, time zone setting and location, operating system and platform, and other technology on the devices you use to engage with us.
  • Customer Support Data: This includes feedback and survey responses.
  • Usage Data: information about how people use websites, products and services.

The legal justifications you can rely on are as follows:

  • Consent: certain situations allow you to collect your customer’s Personal Data with their agreement, such as when they tick a box confirming they are happy to receive email newsletters from you, when they ‘opt in’ to a service, and when they enter their own details voluntarily.
  • Contractual Obligations: certain information is required from a customer in order to fulfil your contractual obligations to them and provide them with the promised service.
  • Legal Compliance: occasionally there is a legal requirement to collect and process certain types of data, such as data relating to fraudulent activity or other illegal actions.
  • Legitimate Interest: this is the broadest justification. You are entitled to process personal data in order to meet your own legitimate interests: this covers aspects that can reasonably be expected as part of running your business and that will not have a material impact on your customer’s rights, freedoms or interests. Examples could be a customer’s address, so that you know where to deliver something, or their name, so that you have a record of who to contact going forward.

NB: if you responded that you collect “special categories of data”, remember that you will need to be able to show that you can rely on one of the “enhanced legal justifications”, not the ordinary ones listed above. For more information about those enhanced legal justifications, please contact us.

Practical advice on how to complete this table

When you head back to the platform, you will be presented with the request “Please list an activity or time when you collect your customer’s personal data”. Work through it as follows:

  • Think of your first activity, such as “when a user signs up to our service”.
  • You will then be asked to tick, from the list of data categories you previously identified as ones you collect, the categories that arise when undertaking that activity. When a user signs up to your service, for example, you will probably collect (at least) “Profile”, “Contact”, “Marketing and Communications” and “Technical” data.
  • Next, choose the legal justification(s) you rely on when you collect those categories of data. You can choose more than one justification.
  • A freeform textbox then lets you provide a short narrative explaining why you believe you can rely on the justification(s) you have chosen.
  • Repeat this process for every activity your company undertakes. Once you have finished, we will create a legal justification table within your privacy policy so you are fully compliant with GDPR!
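As an added example (not code from the article or its document-builder), the following Python models the three-column table using the article's own data categories and lawful bases, checks each row the way the steps above require (at least one basis, a narrative for each basis, special-category data flagged as needing an enhanced justification), and renders it; the sign-up activity and its narratives are constructed sample input.

```python
from dataclasses import dataclass, field

# Data categories and ordinary lawful bases as listed in the article.
DATA_CATEGORIES = {"Profile/Identity", "Contact", "Marketing and Communications",
                   "Billing", "Financial", "Transactional", "Technical",
                   "Customer Support", "Usage"}
LAWFUL_BASES = {"Consent", "Contractual Obligations", "Legal Compliance",
                "Legitimate Interest"}

@dataclass
class Activity:                                  # one row of the table
    purpose: str
    data_types: list                             # categories the activity gives rise to
    bases: dict = field(default_factory=dict)    # lawful basis -> short narrative
    special_category: bool = False               # e.g. health data; ordinary bases do not suffice

def validate(activity):
    """Return the problems with a row; an empty list means the row is complete."""
    problems = [f"unknown data category: {c}" for c in activity.data_types
                if c not in DATA_CATEGORIES]
    if not activity.bases:
        problems.append("no lawful basis chosen")
    for basis, narrative in activity.bases.items():
        if basis not in LAWFUL_BASES:
            problems.append(f"unknown lawful basis: {basis}")
        elif not narrative.strip():
            problems.append(f"{basis}: narrative is empty")
    if activity.special_category:
        problems.append("special category data needs an enhanced legal justification")
    return problems

def label(items):  # letter the entries (a), (b), ... as the article's table does
    return "; ".join(f"({chr(97 + i)}) {item}" for i, item in enumerate(items))

def build_table(activities):
    """Render the three-column table as pipe-delimited rows; incomplete rows are rejected."""
    rows = ["| Purpose/Activity | Type of data | Lawful basis for processing |", "|---|---|---|"]
    for act in activities:
        if problems := validate(act):
            raise ValueError(f"{act.purpose}: " + "; ".join(problems))
        bases = label(f"{b}: {n}" for b, n in act.bases.items())
        rows.append(f"| {act.purpose} | {label(act.data_types)} | {bases} |")
    return "\n".join(rows)

# Constructed sample activity (not taken from the article's own table).
SIGNUP = Activity("When a user signs up to our service",
                  ["Profile/Identity", "Contact", "Marketing and Communications", "Technical"],
                  {"Contractual Obligations": "We need your name and email to create your account.",
                   "Consent": "You tick a box to opt in to our newsletter.",
                   "Legitimate Interest": "We log your IP and browser to diagnose service issues."})
```

Calling `build_table([SIGNUP])` returns the header plus one lettered row; a row with no basis or an empty narrative raises `ValueError` naming the gap.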
