GDPR and legal bases: Understand everything about safeguarding vital interests

Safeguarding vital interests... What does this legal basis consist of? What processing can be carried out on this basis?

Sit comfortably with your favorite snack, we'll explain everything to you in 5 minutes!

The answer to the quiz "In which sector is the legal basis 'safeguarding vital interests' most often used?"

To introduce the subject, we offered you a quiz on April 5 on our LinkedIn page, asking you which sector used the legal basis "safeguarding vital interests" most often.

Well done! Out of 161 voters, 93% of you chose "The health field". Indeed, safeguarding vital interests is most often used in the field of health.

The 6 legal bases provided for by the GDPR

Safeguarding vital interests is one of the 6 legal bases provided for by the GDPR. Choosing a legal basis is mandatory for data processing to be lawful. It also determines the rights that data subjects can exercise in relation to the processing in question: the rights are not the same depending on the basis chosen. This is one of the following 6 legal bases:

Across our blog articles and our 1-minute "understand everything" episodes, we are presenting and explaining each of these legal bases in detail. Follow us so you don't miss anything. Next week we will discuss the public interest mission!

Understand the legal basis of safeguarding vital interests

Safeguarding vital interests is therefore one of the legal bases provided for by the GDPR. Its use is limited to certain data processing activities. It is mainly used by health establishments. This is the case, for example, when a hospital processes the data of a patient who requires emergency care. The person, if unconscious, cannot consent to the processing of their data. However, this processing is necessary for their care. The hospital must treat the person and act quickly to save them. The establishment still processes the person's data without their consent, so that their file can be created and they can be treated. The data concerned will be, for example, their last name, first name, age, etc. To process this data, the establishment may use the safeguarding of vital interests as a legal basis.

But in this context, the hospital also has to process health data. A distinction must be made between the legal basis "safeguarding vital interests" and the processing of health data. The GDPR in principle prohibits the processing of health data because of its sensitive nature. This prohibition is set out in Article 9 of the GDPR, according to which: "The processing of [...] health data [...] is prohibited."

However, the second paragraph of Article 9 lists exceptions to this principle. In certain situations, the processing of health data may actually be implemented by the data controllers concerned. Safeguarding vital interests is one of these exceptions, which makes it possible to process so-called sensitive health data. Under this provision, processing can be carried out on this basis under two conditions:

  • The processing is necessary to protect the life of a person or third party,
  • The data subject is physically or legally incapable of giving consent.

Thus the legal basis for processing is the safeguarding of vital interests. This is also the exception that allows health data to be processed as sensitive data.

Under what conditions should the safeguarding of a vital interest be chosen as a legal basis?

Recital 46 of the GDPR provides that data processing is considered lawful when it is necessary to "protect an interest essential to the life of the data subject or that of another natural person".

1st criterion: the necessity of the processing

The necessity criterion is applicable to all processing of personal data. The GDPR requires that processing be necessary to achieve a predefined purpose. This means that the data controller cannot achieve the aim pursued without carrying out the processing.

The way in which the processing is carried out is also taken into account in the assessment of compliance with this criterion. That is to say, the data controller must choose the most suitable and least intrusive way of processing data for the person.

Thus, to return to the example of caring for an unconscious patient, the data controller must above all justify that the processing is absolutely necessary to care for the person. To do this, the processing of data, and particularly sensitive data, must be minimized and secured. To find out more about the principle of minimization, see our article dedicated to this subject!

2nd criterion: protection of a person's life

To apply the protection of a vital interest as the legal basis for processing, the data controller must justify that the processing is necessary to save the person. For this legal basis to be applicable, the person's life must be at stake.

This may be the life of the data subject or that of a third party.

3rd criterion: lack of consent

The person must not be able to consent to the processing of their data. If they were able to, the applicable legal basis would be consent. Note that consent is also an exception provided for in paragraph 2 of Article 9 of the GDPR. When the person consents to the processing of their health data, the processing can be carried out. In the absence of consent, provided that the above criteria are met, the safeguarding of vital interests may be the legal basis for the processing.

Article 9 paragraph 2 specifies that the inability to give consent may be physical, as in the example of the person being taken care of while unconscious, but also legal. Legal incapacity can be linked to the age of the person, as in the case of the unemancipated minor. Adults may also be incapacitated due to their physical or mental state.

Safeguarding vital interests can be coupled with safeguarding a public interest. Recital 46 of the GDPR gives the example of processing necessary for humanitarian purposes (monitoring epidemics and their spread, natural disasters, etc.).

What are the consequences for personal rights?

Where processing is based on safeguarding vital interests, certain rights cannot be exercised by data subjects. They will probably not be able to object to the processing of their data. As explained previously, the person has no other choice but to have their data processed since they are not in a position to act.

Likewise, the right to data portability cannot be exercised. Indeed, this right can only be exercised if the processing is based on consent or a contract. We'll tell you more in future articles!

The data controller must inform individuals, in an internal and/or external privacy policy, that they will not be able to exercise these rights.

Data Comply One (formerly Mission RGPD) facing the safeguarding of vital interests

Are you having trouble knowing which legal basis to choose? You don't have the time you need to devote to managing your compliance? Our articles are not enough for you to manage everything?

Do not panic! ✅ With MRGPD, you have many useful document templates for your GDPR compliance. Among these documents you will find internal and external privacy policy templates. You can download them and adapt them to your organization's situation.
