Skip to content

Legal Basis for Processing Personal Data under GDPR with MVMCloud Analytics

Disclaimer: This text was written by digital analysts, not lawyers.

The purpose of this text is to explain what a legal basis is and which one you can use with MVMCloud Analytics to comply with the GDPR (General data Protection Regulation). This work comes from our interpretation of the following web page from UK Privacy Commission: ICO . It cannot be considered professional legal advice. Therefore, as GDPR, this information is subject to change. GDPR may also be known as DSGVO in German, BDAR in Lithuanian, RGPD in Spanish, French, Italian, Portuguese and LGPD in Brazil.

The golden rule of GDPR is that you need to have a legal basis for processing personal data. Please note that it is possible not to process personal data with MVMCloud Analytics. When you do not collect any personal data, you do not need to determine a legal basis and this text does not apply to you.

“If no legal basis applies to your processing, your processing will be unlawful and violate the first principle.”

Source: ICO, based on article 6 of the GDPR.

To process personal data in MVMCloud Analytics you need:

  1. Define a legal basis;
  2. Document your choice;
  3. Inform your visitor about this in a privacy notice.

Please note that if you are processing special category data (ethnic origin, politics, religion, trade union membership…) or criminal offense data; Extra responsibilities apply and we will not detail them in this text.

There are 6 different legal bases, all defined in article 6 of the official GDPR text:

  1. Consent: the data subject has given consent to the processing of their personal data for one or more specific purposes;
  2. Contract: processing is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject before entering into a contract;
  3. Legal obligation: processing is necessary to comply with a legal obligation to which the person responsible for the processing is subject;
  4. Vital interests: processing is necessary to protect the vital interests of the data subject or another person;
  5. Public function: processing is necessary for the performance of a task carried out in the public interest or in the exercise of public authority;
  6. Legitimate interests: processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party; except when such interests override the interests or fundamental rights and freedoms of the data subject that require the protection of personal data, in particular when the data subject is a child.

As you can see, most of them are not applicable to MVMCloud Analytics. As ICO is mentioning in their documentation:

“In many cases, you are likely to have a choice between using legitimate interests or consent.”

To make this choice, the ICO has listed on its website different questions that you should keep in mind:

  • Who benefits from the processing?
  • Would individuals expect this processing to occur?
  • What is your relationship with the individual?
  • Are you in a position of power over them?
  • What is the impact of processing on the individual?
  • Are they vulnerable?
  • Are some of the individual concerns likely to conflict?
  • Can you stop processing at any time upon request?

From our perspective, “legitimate interests” should generally be used as:

  • The processing benefits to the website owner and not to a third-party company;
  • A user expects to have their data maintained by the website itself;
  • MVMCloud Analytics provides several features to show how personal data is processed and how users can exercise their rights;
  • As the data is not used for profiling, the impact of processing personal data is very low.

If you are processing personal data that may pose a risk to the end user, obtaining consent is the correct legal basis for us.

What rights can a data subject exercise?

Depending on the legal basis you choose for processing personal data with MVMCloud Analytics, your users may exercise different rights to:

Information Access Exclusion Portability Contest Withdraw Consent
Legitimate Interests X X X X
Consent X X X X X
  • Right to be informed: Whatever legal basis you choose, you need to inform your visitor about this in the privacy notice.
  • Right of access: As described in article 15 of the GDPR. Your visitor has the right to access the personal data you are processing about him. You can exercise your right directly on the “GDPR/LGPD Tools” page in your MVMCloud Analytics;
  • Right to exclusion: Means that a visitor can request that you delete all their data. You can exercise your right to erase directly on the “GDPR/LGPD Tools” page in your MVMCloud Analytics;
  • Right to portability: Means that you need to export the data concerning the individual in a machine-readable format and provide your personal data. You can exercise your right directly on the “GDPR/LGPD Tools” page in your MVMCloud Analytics;
  • Right to object: This means that your visitor has the right to refuse the processing of their personal data. To exercise this right, you must implement the opt-out feature on your website;
  • Right to withdraw consent: Means that your visitor can withdraw consent at any time. We've developed a feature to do just that. You can find out more by opening the “Privacy > Request consent” page in your MVMCloud Analytics;

Document your Choice

After choosing the legal basis “Legitimate Interests” or “Consent”, you will have some obligations to comply with. According to interpretation, “legitimate interests” means writing more documentation, “consent” means a more technical approach.

What should I do if I am processing personal data with MVMCloud Analytics based on “Legitimate Interests?

The ICO provides a checklist for “Legitimate interests” , Below we highlight some points:

  • Check whether legitimate interests are the most appropriate legal basis Document and justify why you chose this particular legal basis.
  • Understand your responsibility to protect the individual's interests You need to take all measures to protect the privacy and security of your users' data. Carry out a legitimate interests assessment (LIA) and keep a record of it to ensure you can justify your decision. This document is made up of a set of questions about these 3 main concerns: 1) purpose, 2) need, 3) balance.
  • Purpose
    1. Why do you want to process the data – what are you trying to achieve?
    2. Who benefits from the processing? In what way?
    3. Are there broader public benefits to processing?
    4. How important are these benefits?
    5. What would the impact be if you couldn't go ahead?
    6. Would the use of the data be unethical or illegal in any way?
  • Need
    1. Does this processing really help increase this interest?
    2. Is this a reasonable way to do this?
    3. Is there another less intrusive way to achieve the same result?
  • Balance
    1. What is the nature of your relationship with the individual?
    2. Is any of the data particularly sensitive or private?
    3. Would people expect you to use their data in this way?
    4. Are you happy to explain this to them?
    5. Are some people likely to object or find it intrusive?
    6. What is the possible impact on the individual?
    7. How big of an impact could this have on them?
    8. Are you processing children's data?
    9. Are any of the individuals vulnerable in any other way?
    10. Can you adopt any safeguards to minimize the impact?
    11. Can you offer a tracking opt-out form?
    12. Identify relevant legitimate interests.
    13. Verify that processing is necessary and that there is no less intrusive way to achieve the same result.
    14. Carry out a balancing test and make sure that the individual's interests do not override legitimate interests.
    15. Use individuals' data in ways they would reasonably expect, unless you have a very good reason.

As mentioned previously, using “Consent” instead of “Legitimate Interests” is more technical but less time-intensive. terms of documentation. As well as for “legitimate interests”, the ICO is providing a checklist for “consent” which is divided into 3 main categories: 1) Consent Request, 2) Consent Registration and 3) Consent Management.

  1. Consent request
    1. Check whether consent is the most appropriate legal basis for processing;
    2. Make the consent request prominent and separate from your terms and conditions;
    3. Ask people to opt-in. Do not use pre-checked boxes or any other type of standard consent;
    4. Use clear, simple language that is easy to understand;
    5. Specify why you want the data and what you will do with it;
    6. Give individual ('granular') options to separately consent to different purposes and types of processing;
    7. Name your organization and any third-party controllers that will rely on consent;
    8. Tell people they can withdraw their consent;
    9. Ensure that individuals can refuse to consent without prejudice;
    10. Avoid making consent a precondition of a service;
    11. If you offer online services directly to children, ask for consent only if you have age verification measures in place (and parental consent measures for younger children).
  2. Registration of consent
    1. Keep a record of when and how you obtained the individual's consent;
    2. Keep a record of exactly what you said to them at the time.
  3. Consent Management
    1. Regularly review consents to verify that the relationship, processing and purposes have not changed;
    2. Have processes in place to update consent at appropriate intervals, including any parental consent;
    3. Consider using privacy dashboards or other preference management tools as a good practice;
    4. Make it easy for individuals to withdraw their consent at any time and disclose how to do so;
    5. Act on withdrawals of consent as quickly as possible;
    6. Do not penalize individuals who wish to withdraw consent.

Inform your visitor about this in a privacy notice

Privacy notices are an important part of the GDPR process.

A basic rule is that if you do not process personal data, you do not need to show any privacy notice. But if you are doing this, such as processing full IP addresses, a privacy notice will be required at the time of data collection. Please note that personal data they can also be hidden, for example, in page titles or page URLs.

Here is a translation of what the ICO says about the privacy notice:

You must provide information to individuals including: your purposes for processing their personal data, your retention periods for this personal data and with whom it will be shared. We call this 'privacy information'.”

When you collect personal data from the individual you relate to, you must provide privacy information to them at the time you obtain their data.

Please note that a privacy notice is different from a privacy policy.

The privacy notice must include:

  1. The reasons why you are processing the personal data;
  2. For how long;
  3. Who are the different parties you will share them with.

Therefore, whatever legal basis you are using (explicit consent or legitimate interest), you will need have a privacy notice if it collects personal data.

MVMCloud Analytics has an integrated form to ask for visitor consent the moment they arrive on your website. This is a facility additional form we offer, but you can choose not to use it and implement your own form.

Consent request