The principle of vital interests, nestled within the legal bases for data processing, carries profound implications for data controllers and processors, intertwining ethical concerns with legal obligations. However, with this legal basis complex of the United Kingdom’s General Data Protection Regulation (UK GDPR) responsibilities arise which we would like to highlight for you.
Legal definition of vital interests
Article 6 (1) (d) of the UK GDPR provides following definition: “processing is necessary in order to protect the vital interests of the data subject or of another natural person”. Recital 46 of the UK GDPR defines vital interests as an interest which is essential for the life of the data subject or that of another person.
Thus, vital interests are very limited in scope and can only applied in matters of life and death. Therefore, other legal bases (e.g. consent or legitimate interests) could be the correct one before depending on the protection of vital interests.
Likelihood of application of vital interests
As indicated by the legal definition in recital 46 UK GDPR, the legal basis of vital interests is likely only to be applied for emergency medical care in case the patient’s personal data needs to be processed, like medical history, and the patient cannot give consent. Controllers, for examples doctors or hospitals, cannot use this basis for medical care that is already planned, like a doctor’s checkup or schedule procedures. In such cases other legal bases are to be used with priority.
However, the legal basis may apply even if the data subject is not subject to life-threatening circumstances. Thus, the processing of a person’s data may also be necessary if the vital interests of another person are threatened, like a parent giving a doctor their own or their child’s personal information to protect the well-being of the child.
Besides, according to the UK GDPR, the legal basis of vital interests also allows the processing of personal data in case of important grounds of public interest. If the processing serves both the data subject and the public, Art. 6 (1) (d) UK GDPR may be applicable. This is the case, for example, with a humanitarian emergency after a natural disaster on humanitarian grounds.
Anything else to consider
It is therefore obvious that this legal basis of vital interests should, first and foremost be used in cases with medical data. Medical data is defined under UK GDPR as special category of data where the legal bases of Art. 9 UK GDPR generally apply. Special prerequisites must be met to process special categories of data.
Therefore, relying on vital interests can only apply if the data subject is physically or legally incapable of giving consent, such as Art. 9 (2) (a) UK GDPR would require. This means explicit consent is more appropriate in many cases. Therefore, you cannot rely on protecting vital interests to process health data, even if the data subject refuses consent, for example to receive medical treatment easing or curing their condition.
Conclusion: only in urgent cases
As shown, the legal basis of protecting vital interests is only applicable for urgent and essential conditions that need to be met for a person’s life safety. Data controllers who need to rely on this legal basis should always weigh whether consent from the data subject or a parent or guardian would be possible, or overriding legitimate interests take precedence before protection of vital interests is invoked.